Refactor infra

Yuriy Bezsonov · Yuriy Bezsonov · commit 12f7b6df3ece · 2025-12-25T18:55:04.000+01:00
diff --git a/infra/cdk/src/main/java/sample/com/WorkshopStack.java b/infra/cdk/src/main/java/sample/com/WorkshopStack.java
@@ -111,9 +111,9 @@ public WorkshopStack(final Construct scope, final String id, final StackProps pr
                     .workshopBucket(workshopBucket.getBucket())
                     .build());
 
-            // JVM Analysis (Pod Identity role for jvm-analysis-service)
-            JvmAnalysis jvmAnalysis = new JvmAnalysis(this, "JvmAnalysis",
-                JvmAnalysis.JvmAnalysisProps.builder()
+            // JVM AI Analyzer (Pod Identity role for jvm-ai-analyzer)
+            JvmAiAnalyzer jvmAiAnalyzer = new JvmAiAnalyzer(this, "JvmAiAnalyzer",
+                JvmAiAnalyzer.JvmAiAnalyzerProps.builder()
                     .workshopBucket(workshopBucket.getBucket())
                     .build());
 
diff --git a/infra/cdk/src/main/java/sample/com/constructs/JvmAiAnalyzer.java b/infra/cdk/src/main/java/sample/com/constructs/JvmAiAnalyzer.java
@@ -7,59 +7,59 @@
 import java.util.List;
 
 /**
- * JvmAnalysis construct for JVM profiling analysis.
- * Creates Pod Identity role for jvm-analysis-service.
+ * JvmAiAnalyzer construct for JVM profiling analysis.
+ * Creates Pod Identity role for jvm-ai-analyzer.
  * Uses app-specific naming (no prefix) for workshop content compatibility.
  *
- * Note: ECR repository (jvm-analysis-service) is now created automatically via
+ * Note: ECR repository (jvm-ai-analyzer) is now created automatically via
  * ECR Repository Creation Template (create-on-push) instead of explicit definition.
  */
-public class JvmAnalysis extends Construct {
+public class JvmAiAnalyzer extends Construct {
 
-    private final Role jvmAnalysisServiceRole;
+    private final Role jvmAiAnalyzerRole;
 
-    public static class JvmAnalysisProps {
+    public static class JvmAiAnalyzerProps {
         private Bucket workshopBucket;
 
-        public static JvmAnalysisProps.Builder builder() { return new Builder(); }
+        public static JvmAiAnalyzerProps.Builder builder() { return new Builder(); }
 
         public static class Builder {
-            private JvmAnalysisProps props = new JvmAnalysisProps();
+            private JvmAiAnalyzerProps props = new JvmAiAnalyzerProps();
 
             public Builder workshopBucket(Bucket workshopBucket) { props.workshopBucket = workshopBucket; return this; }
-            public JvmAnalysisProps build() { return props; }
+            public JvmAiAnalyzerProps build() { return props; }
         }
 
         public Bucket getWorkshopBucket() { return workshopBucket; }
     }
 
-    public JvmAnalysis(final Construct scope, final String id) {
-        this(scope, id, JvmAnalysisProps.builder().build());
+    public JvmAiAnalyzer(final Construct scope, final String id) {
+        this(scope, id, JvmAiAnalyzerProps.builder().build());
     }
 
-    public JvmAnalysis(final Construct scope, final String id, final JvmAnalysisProps props) {
+    public JvmAiAnalyzer(final Construct scope, final String id, final JvmAiAnalyzerProps props) {
         super(scope, id);
 
-        // Note: ECR repository (jvm-analysis-service) is created automatically via
+        // Note: ECR repository (jvm-ai-analyzer) is created automatically via
         // ECR Repository Creation Template when images are pushed
 
-        // Create Pod Identity role for jvm-analysis-service (app-specific naming, no prefix)
+        // Create Pod Identity role for jvm-ai-analyzer (app-specific naming, no prefix)
         // Pod Identity requires both sts:AssumeRole and sts:TagSession
         CompositePrincipal podIdentityPrincipal = new CompositePrincipal(
             ServicePrincipal.Builder.create("pods.eks.amazonaws.com").build()
         );
 
-        this.jvmAnalysisServiceRole = Role.Builder.create(this, "ServiceRole")
-            .roleName("jvm-analysis-service-eks-pod-role")
+        this.jvmAiAnalyzerRole = Role.Builder.create(this, "ServiceRole")
+            .roleName("jvm-ai-analyzer-eks-pod-role")
             .assumedBy(podIdentityPrincipal)
-            .description("Role for jvm-analysis-service EKS pod to access Bedrock and S3")
+            .description("Role for jvm-ai-analyzer EKS pod to access Bedrock and S3")
             .managedPolicies(List.of(
                 ManagedPolicy.fromAwsManagedPolicyName("AmazonBedrockLimitedAccess")
             ))
             .build();
 
         // Add sts:TagSession to the assume role policy for Pod Identity
-        PolicyDocument assumeRolePolicy = jvmAnalysisServiceRole.getAssumeRolePolicy();
+        PolicyDocument assumeRolePolicy = jvmAiAnalyzerRole.getAssumeRolePolicy();
         if (assumeRolePolicy != null) {
             assumeRolePolicy.addStatements(
                 PolicyStatement.Builder.create()
@@ -72,7 +72,7 @@ public JvmAnalysis(final Construct scope, final String id, final JvmAnalysisProp
 
         // Add S3 permissions for profiling data
         if (props.getWorkshopBucket() != null) {
-            jvmAnalysisServiceRole.addToPolicy(PolicyStatement.Builder.create()
+            jvmAiAnalyzerRole.addToPolicy(PolicyStatement.Builder.create()
                 .effect(Effect.ALLOW)
                 .actions(List.of(
                     "s3:ListBucket",
@@ -88,7 +88,7 @@ public JvmAnalysis(final Construct scope, final String id, final JvmAnalysisProp
     }
 
     // Getters
-    public Role getJvmAnalysisServiceRole() {
-        return jvmAnalysisServiceRole;
+    public Role getJvmAiAnalyzerRole() {
+        return jvmAiAnalyzerRole;
     }
 }
diff --git a/infra/cdk/src/main/java/sample/com/constructs/Unicorn.java b/infra/cdk/src/main/java/sample/com/constructs/Unicorn.java
@@ -197,6 +197,7 @@ private void createEcsRoles(UnicornProps props) {
 
         this.ecsInfrastructureRole = Role.Builder.create(this, "UnicornStoreEcsInfrastructureRole")
             .roleName("unicornstore-ecs-infrastructure-role")
+            .path("/service-role/")
             .assumedBy(ecsService)
             .description("ECS infrastructure role for Express Mode services")
             .build();
@@ -209,6 +210,7 @@ private void createEcsRoles(UnicornProps props) {
 
         this.ecsTaskExecutionRole = Role.Builder.create(this, "UnicornStoreEcsTaskExecutionRole")
             .roleName("unicornstore-ecs-task-execution-role")
+            .path("/service-role/")
             .assumedBy(ecsTasks)
             .description("ECS task execution role for pulling images and injecting secrets")
             .build();
@@ -233,6 +235,7 @@ private void createEcsRoles(UnicornProps props) {
         // === ECS Task Role (app runtime permissions) ===
         this.ecsTaskRole = Role.Builder.create(this, "UnicornStoreEcsTaskRole")
             .roleName("unicornstore-ecs-task-role")
+            .path("/service-role/")
             .assumedBy(ecsTasks)
             .description("ECS task role for application runtime permissions")
             .build();
diff --git a/infra/cdk/src/main/resources/iam-policy.json b/infra/cdk/src/main/resources/iam-policy.json
@@ -27,9 +27,11 @@
 			"Action": [
 				"aws-marketplace:Unsubscribe",
 				"aws-marketplace:ViewSubscriptions",
+				"acm:*",
 				"bedrock:*",
 				"bedrock-agentcore:*",
 				"apigateway:*",
+				"application-autoscaling:*",
 				"application-signals:*",
 				"cloudformation:*",
 				"cloudwatch:*",
@@ -61,7 +63,8 @@
 			],
 			"Resource": [
 				"arn:aws:iam::{{.AccountId}}:role/unicorn*",
-				"arn:aws:iam::{{.AccountId}}:role/jvm-analysis-service*"
+				"arn:aws:iam::{{.AccountId}}:role/service-role/unicorn*",
+				"arn:aws:iam::{{.AccountId}}:role/jvm-ai-analyzer*"
 			]
 		},
 		{
diff --git a/infra/cdk/src/test/java/sample/com/constructs/IdePropsTest.java b/infra/cdk/src/test/java/sample/com/constructs/IdePropsTest.java
@@ -101,14 +101,14 @@ void x86_64ReturnsIntelAmdInstanceTypes() {
     }
 
     /**
-     * Unit test: Default architecture is ARM64
+     * Unit test: Default architecture is X86_64
      */
     @Test
-    void defaultArchitectureIsArm64() {
+    void defaultArchitectureIsX86_64() {
         IdeProps props = IdeProps.builder().build();
 
-        assertEquals(IdeArch.ARM64, props.getIdeArch());
-        // Should return ARM64 instance types by default
-        assertTrue(props.getInstanceTypes().contains("m7g.xlarge"));
+        assertEquals(IdeArch.X86_64, props.getIdeArch());
+        // Should return X86_64 instance types by default
+        assertTrue(props.getInstanceTypes().contains("m7i-flex.xlarge"));
     }
 }
diff --git a/infra/cfn/base-stack.yaml b/infra/cfn/base-stack.yaml
@@ -676,6 +676,16 @@ Resources:
         Fn::GetAtt:
           - IdeInstanceLauncherFunction803C5A2A
           - Arn
+      SecurityGroupIds:
+        Fn::Join:
+          - ""
+          - - Fn::GetAtt:
+                - IdeSecurityGroup73B02454
+                - GroupId
+            - ","
+            - Fn::GetAtt:
+                - IdeInternalSecurityGroupB0A5D76B
+                - GroupId
       SubnetIds:
         Fn::Join:
           - ""
@@ -827,16 +837,6 @@ Resources:
                 fi
       ImageId:
         Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter
-      SecurityGroupIds:
-        Fn::Join:
-          - ""
-          - - Fn::GetAtt:
-                - IdeSecurityGroup73B02454
-                - GroupId
-            - ","
-            - Fn::GetAtt:
-                - IdeInternalSecurityGroupB0A5D76B
-                - GroupId
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
   IdeEipAssociationDFF81215:
diff --git a/infra/cfn/java-ai-agents-stack.yaml b/infra/cfn/java-ai-agents-stack.yaml
@@ -355,7 +355,9 @@ Resources:
             Resource: "*"
             Sid: MarketplaceSubscribeClaude45Opus45Sonnet4Sonnet
           - Action:
+              - acm:*
               - apigateway:*
+              - application-autoscaling:*
               - application-signals:*
               - aws-marketplace:Unsubscribe
               - aws-marketplace:ViewSubscriptions
@@ -386,7 +388,8 @@ Resources:
           - Action: iam:PassRole
             Effect: Allow
             Resource:
-              - !Sub arn:aws:iam::${AWS::AccountId}:role/jvm-analysis-service*
+              - !Sub arn:aws:iam::${AWS::AccountId}:role/jvm-ai-analyzer*
+              - !Sub arn:aws:iam::${AWS::AccountId}:role/service-role/unicorn*
               - !Sub arn:aws:iam::${AWS::AccountId}:role/unicorn*
             Sid: PassRole
           - Action: ec2:RunInstances
@@ -757,8 +760,6 @@ Resources:
         Fn::GetAtt:
           - IdeInstanceLauncherFunction803C5A2A
           - Arn
-      ImageId:
-        Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter
       UserData:
         Fn::Base64:
           Fn::Join:
@@ -918,6 +919,8 @@ Resources:
             - Fn::GetAtt:
                 - IdeInternalSecurityGroupB0A5D76B
                 - GroupId
+      ImageId:
+        Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
   IdeEipAssociationDFF81215:
diff --git a/infra/cfn/java-on-amazon-eks-stack.yaml b/infra/cfn/java-on-amazon-eks-stack.yaml
diff --git a/infra/cfn/java-on-aws-immersion-day-stack.yaml b/infra/cfn/java-on-aws-immersion-day-stack.yaml
diff --git a/infra/cfn/java-spring-ai-agents-stack.yaml b/infra/cfn/java-spring-ai-agents-stack.yaml

Original file line number	Diff line number	Diff line change
`@@ -101,14 +101,14 @@ void x86_64ReturnsIntelAmdInstanceTypes() {`
`101`	`101`	`}`
`102`	`102`
`103`	`103`	`/**`
`104`		`- * Unit test: Default architecture is ARM64`
	`104`	`+ * Unit test: Default architecture is X86_64`
`105`	`105`	`*/`
`106`	`106`	`@Test`
`107`		`- void defaultArchitectureIsArm64() {`
	`107`	`+ void defaultArchitectureIsX86_64() {`
`108`	`108`	`IdeProps props = IdeProps.builder().build();`
`109`	`109`
`110`		`- assertEquals(IdeArch.ARM64, props.getIdeArch());`
`111`		`- // Should return ARM64 instance types by default`
`112`		`- assertTrue(props.getInstanceTypes().contains("m7g.xlarge"));`
	`110`	`+ assertEquals(IdeArch.X86_64, props.getIdeArch());`
	`111`	`+ // Should return X86_64 instance types by default`
	`112`	`+ assertTrue(props.getInstanceTypes().contains("m7i-flex.xlarge"));`
`113`	`113`	`}`
`114`	`114`	`}`