feat(java-on-aws-infra): add AI agents support and infrastructure enhancements

Author: Yuriy Bezsonov

infra/cdk/pom.xml

@@ -11,7 +11,7 @@
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <maven.compiler.source>25</maven.compiler.source>
         <maven.compiler.target>25</maven.compiler.target>
-        <cdk.version>2.233.0</cdk.version>
+        <cdk.version>2.235.0</cdk.version>
         <constructs.version>10.4.2</constructs.version>
         <cdknag.version>2.36.2</cdknag.version>
         <junit.version>5.11.3</junit.version>

infra/cdk/src/main/java/sample/com/WorkshopStack.java

@@ -4,6 +4,7 @@
 import software.amazon.awscdk.Stack;
 import software.amazon.awscdk.StackProps;
 import software.amazon.awscdk.services.ecr.Repository;
+import software.amazon.awscdk.services.iam.ManagedPolicy;
 import software.constructs.Construct;
 import sample.com.constructs.*;
 import sample.com.constructs.Ide.IdeProps;
@@ -69,19 +70,54 @@ public WorkshopStack(final Construct scope, final String id, final StackProps pr
             .build();
         Ide ide = new Ide(this, "Ide", ideProps);
 
+        // CodeBuild for workshop setup (service-linked role creation)
+        new CodeBuild(this, "CodeBuild",
+            CodeBuild.CodeBuildProps.builder()
+                .projectName(prefix + "-setup")
+                .vpc(vpc.getVpc())
+                .environmentVariables(Map.of(
+                    "TEMPLATE_TYPE", templateType,
+                    "GIT_BRANCH", gitBranch))
+                .buildSpec(buildSpec)
+                .build());
+
+        // Shared workshop bucket
+        WorkshopBucket workshopBucket = new WorkshopBucket(this, "WorkshopBucket",
+            WorkshopBucket.WorkshopBucketProps.builder()
+                .prefix(prefix)
+                .build());
+
+        // ECR Registry settings (Repository Creation Template for create-on-push)
+        new EcrRegistry(this, "EcrRegistry",
+            EcrRegistry.EcrRegistryProps.builder()
+                .prefix(prefix)
+                .build());
+
+        // Bedrock logging role (for model invocation logging to CloudWatch)
+        software.amazon.awscdk.services.iam.Role.Builder.create(this, "BedrockLoggingRole")
+            .roleName(prefix + "-bedrock-logging-role")
+            .assumedBy(software.amazon.awscdk.services.iam.ServicePrincipal.Builder.create("bedrock.amazonaws.com")
+                .conditions(java.util.Map.of(
+                    "StringEquals", java.util.Map.of("aws:SourceAccount", this.getAccount()),
+                    "ArnLike", java.util.Map.of("aws:SourceArn", "arn:aws:bedrock:" + this.getRegion() + ":" + this.getAccount() + ":*")
+                ))
+                .build())
+            .description("Role for Bedrock model invocation logging to CloudWatch")
+            .inlinePolicies(java.util.Map.of("BedrockLogging",
+                software.amazon.awscdk.services.iam.PolicyDocument.Builder.create()
+                    .statements(java.util.List.of(
+                        software.amazon.awscdk.services.iam.PolicyStatement.Builder.create()
+                            .effect(software.amazon.awscdk.services.iam.Effect.ALLOW)
+                            .actions(java.util.List.of("logs:CreateLogStream", "logs:PutLogEvents"))
+                            .resources(java.util.List.of("arn:aws:logs:" + this.getRegion() + ":" + this.getAccount() + ":log-group:/aws/bedrock/*"))
+                            .build()
+                    ))
+                    .build()
+            ))
+            .build();
+
         // Full template resources (java-on-aws-immersion-day, java-on-amazon-eks, java-spring-ai-agents)
         if (isFullTemplate) {
-            // CodeBuild for workshop setup (service-linked role creation)
-            new CodeBuild(this, "CodeBuild",
-                CodeBuild.CodeBuildProps.builder()
-                    .projectName(prefix + "-setup")
-                    .vpc(vpc.getVpc())
-                    .environmentVariables(Map.of(
-                        "TEMPLATE_TYPE", templateType,
-                        "GIT_BRANCH", gitBranch))
-                    .buildSpec(buildSpec)
-                    .build());
-
             // Database
             Database database = new Database(this, "Database", Database.DatabaseProps.builder()
                 .prefix(prefix)
@@ -96,18 +132,6 @@ public WorkshopStack(final Construct scope, final String id, final StackProps pr
                 .ideInternalSecurityGroup(ide.getIdeInternalSecurityGroup())
                 .build());
 
-            // Shared workshop bucket
-            WorkshopBucket workshopBucket = new WorkshopBucket(this, "WorkshopBucket",
-                WorkshopBucket.WorkshopBucketProps.builder()
-                    .prefix(prefix)
-                    .build());
-
-            // ECR Registry settings (Repository Creation Template for create-on-push)
-            new EcrRegistry(this, "EcrRegistry",
-                EcrRegistry.EcrRegistryProps.builder()
-                    .prefix(prefix)
-                    .build());
-
             // Unicorn construct: EventBus, Roles, DB Setup (uses unicorn* naming for workshop content compatibility)
             Unicorn unicorn = new Unicorn(this, "Unicorn", Unicorn.UnicornProps.builder()
                 .vpc(vpc.getVpc())
@@ -144,6 +168,40 @@ public WorkshopStack(final Construct scope, final String id, final StackProps pr
 
             // java-spring-ai-agents specific resources
             if (isSpringAi) {
+                // AI Agent EKS Pod Identity role with Bedrock access
+                software.amazon.awscdk.services.iam.Role aiAgentEksRole = software.amazon.awscdk.services.iam.Role.Builder.create(this, "AiAgentEksRole")
+                    .roleName("ai-agent-eks-pod-role")
+                    .assumedBy(software.amazon.awscdk.services.iam.ServicePrincipal.Builder.create("pods.eks.amazonaws.com").build())
+                    .description("EKS Pod Identity role for AI Agent with Bedrock access")
+                    .managedPolicies(java.util.List.of(
+                        ManagedPolicy.fromAwsManagedPolicyName("AmazonBedrockFullAccess")
+                    ))
+                    .build();
+                // Add sts:TagSession for Pod Identity
+                aiAgentEksRole.getAssumeRolePolicy().addStatements(
+                    software.amazon.awscdk.services.iam.PolicyStatement.Builder.create()
+                        .effect(software.amazon.awscdk.services.iam.Effect.ALLOW)
+                        .principals(java.util.List.of(software.amazon.awscdk.services.iam.ServicePrincipal.Builder.create("pods.eks.amazonaws.com").build()))
+                        .actions(java.util.List.of("sts:TagSession"))
+                        .build()
+                );
+                // Grant DB secrets access (same as unicornstore-eks-pod-role)
+                database.grantSecretsRead(aiAgentEksRole);
+
+                // AI Agent Lambda execution role with Bedrock access
+                software.amazon.awscdk.services.iam.Role aiAgentLambdaRole = software.amazon.awscdk.services.iam.Role.Builder.create(this, "AiAgentLambdaRole")
+                    .roleName("ai-agent-lambda-role")
+                    .assumedBy(software.amazon.awscdk.services.iam.ServicePrincipal.Builder.create("lambda.amazonaws.com").build())
+                    .description("Lambda execution role for AI Agent with Bedrock access")
+                    .managedPolicies(java.util.List.of(
+                        ManagedPolicy.fromAwsManagedPolicyName("service-role/AWSLambdaBasicExecutionRole"),
+                        ManagedPolicy.fromAwsManagedPolicyName("service-role/AWSLambdaVPCAccessExecutionRole"),
+                        ManagedPolicy.fromAwsManagedPolicyName("AmazonBedrockFullAccess")
+                    ))
+                    .build();
+                // Grant DB secrets access
+                database.grantSecretsRead(aiAgentLambdaRole);
+
                 // CodeBuild to push placeholder images (ECS Express needs images at deploy time)
                 // ECR repos are created automatically via create-on-push (EcrRegistry)
                 String placeholderBuildSpec = """
@@ -168,10 +226,10 @@ public WorkshopStack(final Construct scope, final String id, final StackProps pr
 
                             # Build and push placeholder to both repos (create-on-push creates repos)
                             docker build -t placeholder /tmp
-                            docker tag placeholder $ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/unicorn-spring-ai-agent:latest
-                            docker tag placeholder $ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/unicorn-store-spring:latest
-                            docker push $ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/unicorn-spring-ai-agent:latest
-                            docker push $ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/unicorn-store-spring:latest
+                            for REPO in ai-agent mcp-server1; do
+                              docker tag placeholder $ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$REPO:latest
+                              docker push $ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$REPO:latest
+                            done
                     """;
 
                 CodeBuild placeholderImageBuild = new CodeBuild(this, "PlaceholderImageBuild",
@@ -184,23 +242,24 @@ public WorkshopStack(final Construct scope, final String id, final StackProps pr
                         .buildSpec(placeholderBuildSpec)
                         .build());
 
-                // ECS Express Service for Spring AI Agent
-                new EcsExpressService(this, "SpringAiAgent",
+                // ECS Express Service for AI Agent
+                new EcsExpressService(this, "AiAgent",
                     EcsExpressService.EcsExpressServiceProps.builder()
-                        .appName("unicorn-spring-ai-agent")
+                        .appName("ai-agent")
                         .vpc(vpc.getVpc())
                         .database(database)
-                        .unicorn(unicorn)
+                        .configureTaskRole(role ->
+                            role.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName("AmazonBedrockFullAccess")))
                         .dependsOn(placeholderImageBuild.getCustomResource())
                         .build());
 
                 // ECS Express Service for MCP Server
                 new EcsExpressService(this, "McpServer",
                     EcsExpressService.EcsExpressServiceProps.builder()
-                        .appName("unicorn-store-spring")
+                        .appName("mcp-server1")
                         .vpc(vpc.getVpc())
                         .database(database)
-                        .unicorn(unicorn)
+                        .configureTaskRole(role -> unicorn.getEventBus().grantPutEventsTo(role))
                         .dependsOn(placeholderImageBuild.getCustomResource())
                         .build());
             }

infra/cdk/src/main/java/sample/com/constructs/Database.java

@@ -8,6 +8,7 @@
 import software.amazon.awscdk.services.ec2.SubnetSelection;
 import software.amazon.awscdk.services.ec2.SubnetType;
 import software.amazon.awscdk.services.ec2.ISecurityGroup;
+import software.amazon.awscdk.services.iam.IGrantable;
 import software.amazon.awscdk.services.rds.AuroraPostgresClusterEngineProps;
 import software.amazon.awscdk.services.rds.ServerlessV2ClusterInstanceProps;
 import software.amazon.awscdk.services.rds.AuroraPostgresEngineVersion;
@@ -140,4 +141,13 @@ public StringParameter getParamDBConnectionString() {
     public String getDatabaseSecretString() {
         return databaseSecret.secretValueFromJson("password").toString();
     }
+
+    /**
+     * Grants read access to database secrets (secret + connection string parameter).
+     * Use for ECS task execution roles that need to inject secrets at container startup.
+     */
+    public void grantSecretsRead(IGrantable grantee) {
+        databaseSecret.grantRead(grantee);
+        paramDBConnectionString.grantRead(grantee);
+    }
 }

infra/cdk/src/main/java/sample/com/constructs/EcsExpressService.java

@@ -7,29 +7,81 @@
 import software.amazon.awscdk.services.ec2.SubnetType;
 import software.amazon.awscdk.services.ecs.CfnExpressGatewayService;
 import software.amazon.awscdk.services.ecs.Cluster;
+import software.amazon.awscdk.services.iam.Effect;
 import software.amazon.awscdk.services.iam.ManagedPolicy;
+import software.amazon.awscdk.services.iam.PolicyStatement;
 import software.amazon.awscdk.services.iam.Role;
+import software.amazon.awscdk.services.iam.ServicePrincipal;
 import software.amazon.awscdk.services.logs.LogGroup;
 import software.constructs.Construct;
 import software.constructs.IDependable;
 
 import java.util.List;
+import java.util.function.Consumer;
 
 /**
- * ECS Express Mode service construct for Spring AI agents.
- * Creates ECS cluster and ECS Express Gateway Service with ALB.
- * ECR repos are created via create-on-push (EcrRegistry construct).
- * Reuses Unicorn's ECS roles and adds Bedrock access for AI capabilities.
+ * Self-contained ECS Express Mode service construct.
+ * Creates ECS cluster, IAM roles, and ECS Express Gateway Service with ALB.
+ * ECR repos are created via create-on-push.
+ *
+ * All resources use appName as prefix for consistent naming.
+ *
+ * Task role has base permissions (CloudWatch, X-Ray) and can be customized
+ * via configureTaskRole callback for app-specific permissions (Bedrock, EventBridge, etc.)
  */
 public class EcsExpressService extends Construct {
 
     private final Cluster ecsCluster;
     private final CfnExpressGatewayService expressService;
+    private final Role infrastructureRole;
+    private final Role taskExecutionRole;
+    private final Role taskRole;
 
     public EcsExpressService(final Construct scope, final String id, final EcsExpressServiceProps props) {
         super(scope, id);
 
         String appName = props.getAppName();
+        ServicePrincipal ecsService = ServicePrincipal.Builder.create("ecs.amazonaws.com").build();
+        ServicePrincipal ecsTasks = ServicePrincipal.Builder.create("ecs-tasks.amazonaws.com").build();
+
+        // === Infrastructure Role (for Express Mode) ===
+        this.infrastructureRole = Role.Builder.create(this, "InfrastructureRole")
+            .roleName(appName + "-ecs-infrastructure-role")
+            .path("/service-role/")
+            .assumedBy(ecsService)
+            .description("ECS infrastructure role for Express Mode")
+            .build();
+        infrastructureRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(
+            "service-role/AmazonECSInfrastructureRoleforExpressGatewayServices"));
+
+        // === Task Execution Role ===
+        this.taskExecutionRole = Role.Builder.create(this, "TaskExecutionRole")
+            .roleName(appName + "-ecs-task-execution-role")
+            .path("/service-role/")
+            .assumedBy(ecsTasks)
+            .description("ECS task execution role for pulling images and injecting secrets")
+            .build();
+        taskExecutionRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(
+            "service-role/AmazonECSTaskExecutionRolePolicy"));
+        taskExecutionRole.addToPolicy(PolicyStatement.Builder.create()
+            .effect(Effect.ALLOW)
+            .actions(List.of("logs:CreateLogGroup"))
+            .resources(List.of("*"))
+            .build());
+        props.getDatabase().grantSecretsRead(taskExecutionRole);
+
+        // === Task Role (app runtime permissions) ===
+        this.taskRole = Role.Builder.create(this, "TaskRole")
+            .roleName(appName + "-ecs-task-role")
+            .path("/service-role/")
+            .assumedBy(ecsTasks)
+            .description("ECS task role for application runtime permissions")
+            .build();
+        taskRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName("CloudWatchAgentServerPolicy"));
+        taskRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName("AWSXrayWriteOnlyAccess"));
+        if (props.getConfigureTaskRole() != null) {
+            props.getConfigureTaskRole().accept(taskRole);
+        }
 
         // Build ECR image URI (repos created via create-on-push)
         String imageUri = Fn.sub("${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/" + appName + ":latest");
@@ -46,10 +98,6 @@ public EcsExpressService(final Construct scope, final String id, final EcsExpres
             .removalPolicy(RemovalPolicy.DESTROY)
             .build();
 
-        // Add Bedrock access to task role for AI capabilities
-        Role taskRole = props.getUnicorn().getEcsTaskRole();
-        taskRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName("AmazonBedrockFullAccess"));
-
         // Get PUBLIC subnets for the service (Express Mode uses public subnets with ALB)
         List<String> publicSubnetIds = props.getVpc().selectSubnets(SubnetSelection.builder()
             .subnetType(SubnetType.PUBLIC)
@@ -62,8 +110,8 @@ public EcsExpressService(final Construct scope, final String id, final EcsExpres
         this.expressService = CfnExpressGatewayService.Builder.create(this, "ExpressService")
             .serviceName(appName)
             .cluster(ecsCluster.getClusterName())
-            .infrastructureRoleArn(props.getUnicorn().getEcsInfrastructureRole().getRoleArn())
-            .executionRoleArn(props.getUnicorn().getEcsTaskExecutionRole().getRoleArn())
+            .infrastructureRoleArn(infrastructureRole.getRoleArn())
+            .executionRoleArn(taskExecutionRole.getRoleArn())
             .taskRoleArn(taskRole.getRoleArn())
             .primaryContainer(CfnExpressGatewayService.ExpressGatewayContainerProperty.builder()
                 .image(imageUri)
@@ -116,20 +164,32 @@ public CfnExpressGatewayService getExpressService() {
         return expressService;
     }
 
+    public Role getInfrastructureRole() {
+        return infrastructureRole;
+    }
+
+    public Role getTaskExecutionRole() {
+        return taskExecutionRole;
+    }
+
+    public Role getTaskRole() {
+        return taskRole;
+    }
+
     // Props class
     public static class EcsExpressServiceProps {
         private final String appName;
         private final IVpc vpc;
         private final Database database;
-        private final Unicorn unicorn;
         private final IDependable dependsOn;
+        private final Consumer<Role> configureTaskRole;
 
         private EcsExpressServiceProps(Builder builder) {
             this.appName = builder.appName;
             this.vpc = builder.vpc;
             this.database = builder.database;
-            this.unicorn = builder.unicorn;
             this.dependsOn = builder.dependsOn;
+            this.configureTaskRole = builder.configureTaskRole;
         }
 
         public static Builder builder() {
@@ -139,21 +199,21 @@ public static Builder builder() {
         public String getAppName() { return appName; }
         public IVpc getVpc() { return vpc; }
         public Database getDatabase() { return database; }
-        public Unicorn getUnicorn() { return unicorn; }
         public IDependable getDependsOn() { return dependsOn; }
+        public Consumer<Role> getConfigureTaskRole() { return configureTaskRole; }
 
         public static class Builder {
             private String appName;
             private IVpc vpc;
             private Database database;
-            private Unicorn unicorn;
             private IDependable dependsOn;
+            private Consumer<Role> configureTaskRole;
 
             public Builder appName(String appName) { this.appName = appName; return this; }
             public Builder vpc(IVpc vpc) { this.vpc = vpc; return this; }
             public Builder database(Database database) { this.database = database; return this; }
-            public Builder unicorn(Unicorn unicorn) { this.unicorn = unicorn; return this; }
             public Builder dependsOn(IDependable dependsOn) { this.dependsOn = dependsOn; return this; }
+            public Builder configureTaskRole(Consumer<Role> configureTaskRole) { this.configureTaskRole = configureTaskRole; return this; }
 
             public EcsExpressServiceProps build() {
                 return new EcsExpressServiceProps(this);