Update infra WIP

Author: Yuriy Bezsonov

infra/cdk/src/main/java/sample/com/WorkshopStack.java

@@ -145,13 +145,53 @@ public WorkshopStack(final Construct scope, final String id, final StackProps pr
 
             // java-spring-ai-agents specific resources
             if (isSpringAi) {
+                // CodeBuild to push placeholder images (ECS Express needs images at deploy time)
+                // ECR repos are created automatically via create-on-push (EcrRegistry)
+                String placeholderBuildSpec = """
+                    version: 0.2
+                    env:
+                      shell: bash
+                    phases:
+                      build:
+                        commands:
+                          - |
+                            ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+                            aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com
+
+                            # Create placeholder Dockerfile
+                            cat > /tmp/Dockerfile << 'EOF'
+                            FROM public.ecr.aws/nginx/nginx:stable-alpine
+                            RUN echo 'server { listen 8080; location /actuator/health { return 200 "OK"; } location / { return 200 "Placeholder"; } }' > /etc/nginx/conf.d/default.conf
+                            EXPOSE 8080
+                            EOF
+
+                            # Build and push placeholder to both repos (create-on-push creates repos)
+                            docker build -t placeholder /tmp
+                            docker tag placeholder $ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/unicorn-spring-ai-agent:latest
+                            docker tag placeholder $ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/unicorn-store-spring:latest
+                            docker push $ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/unicorn-spring-ai-agent:latest
+                            docker push $ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/unicorn-store-spring:latest
+                    """;
+
+                CodeBuild placeholderImageBuild = new CodeBuild(this, "PlaceholderImageBuild",
+                    CodeBuild.CodeBuildProps.builder()
+                        .prefix(prefix)
+                        .projectName(prefix + "-placeholder-images")
+                        .vpc(vpc.getVpc())
+                        .privilegedMode(true)
+                        .environmentVariables(Map.of(
+                            "TEMPLATE_TYPE", templateType))
+                        .buildSpec(placeholderBuildSpec)
+                        .build());
+
                 // ECS Express Service for Spring AI Agent
                 new EcsExpressService(this, "SpringAiAgent",
                     EcsExpressService.EcsExpressServiceProps.builder()
                         .appName("unicorn-spring-ai-agent")
                         .vpc(vpc.getVpc())
                         .database(database)
                         .unicorn(unicorn)
+                        .dependsOn(placeholderImageBuild.getCustomResource())
                         .build());
 
                 // ECS Express Service for MCP Server
@@ -161,6 +201,7 @@ public WorkshopStack(final Construct scope, final String id, final StackProps pr
                         .vpc(vpc.getVpc())
                         .database(database)
                         .unicorn(unicorn)
+                        .dependsOn(placeholderImageBuild.getCustomResource())
                         .build());
             }
 

infra/cdk/src/main/java/sample/com/constructs/EcsExpressService.java

@@ -1,64 +1,86 @@
 package sample.com.constructs;
 
+import software.amazon.awscdk.Fn;
 import software.amazon.awscdk.RemovalPolicy;
 import software.amazon.awscdk.services.ec2.IVpc;
 import software.amazon.awscdk.services.ec2.SubnetSelection;
 import software.amazon.awscdk.services.ec2.SubnetType;
-import software.amazon.awscdk.services.ecr.Repository;
 import software.amazon.awscdk.services.ecs.CfnExpressGatewayService;
+import software.amazon.awscdk.services.ecs.Cluster;
 import software.amazon.awscdk.services.iam.ManagedPolicy;
 import software.amazon.awscdk.services.iam.Role;
+import software.amazon.awscdk.services.logs.LogGroup;
 import software.constructs.Construct;
+import software.constructs.IDependable;
 
 import java.util.List;
-import java.util.Map;
 
 /**
  * ECS Express Mode service construct for Spring AI agents.
- * Creates an ECR repository and ECS Express Gateway Service with ALB.
+ * Creates ECS cluster and ECS Express Gateway Service with ALB.
+ * ECR repos are created via create-on-push (EcrRegistry construct).
  * Reuses Unicorn's ECS roles and adds Bedrock access for AI capabilities.
  */
 public class EcsExpressService extends Construct {
 
-    private final Repository ecrRepository;
+    private final Cluster ecsCluster;
     private final CfnExpressGatewayService expressService;
 
     public EcsExpressService(final Construct scope, final String id, final EcsExpressServiceProps props) {
         super(scope, id);
 
         String appName = props.getAppName();
 
-        // Create ECR Repository
-        this.ecrRepository = Repository.Builder.create(this, "EcrRepository")
-            .repositoryName(appName)
-            .imageScanOnPush(false)
+        // Build ECR image URI (repos created via create-on-push)
+        String imageUri = Fn.sub("${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/" + appName + ":latest");
+
+        // Create ECS Cluster
+        this.ecsCluster = Cluster.Builder.create(this, "EcsCluster")
+            .clusterName(appName)
+            .vpc(props.getVpc())
+            .build();
+
+        // Create CloudWatch Log Group
+        LogGroup logGroup = LogGroup.Builder.create(this, "LogGroup")
+            .logGroupName("/aws/ecs/" + appName)
             .removalPolicy(RemovalPolicy.DESTROY)
-            .emptyOnDelete(true)
             .build();
 
         // Add Bedrock access to task role for AI capabilities
         Role taskRole = props.getUnicorn().getEcsTaskRole();
         taskRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName("AmazonBedrockFullAccess"));
 
-        // Get private subnets for the service
-        List<String> privateSubnetIds = props.getVpc().selectSubnets(SubnetSelection.builder()
-            .subnetType(SubnetType.PRIVATE_WITH_EGRESS)
+        // Get PUBLIC subnets for the service (Express Mode uses public subnets with ALB)
+        List<String> publicSubnetIds = props.getVpc().selectSubnets(SubnetSelection.builder()
+            .subnetType(SubnetType.PUBLIC)
             .build()).getSubnetIds();
 
+        // Get DB security group ID for network access
+        String dbSecurityGroupId = props.getDatabase().getDatabaseSecurityGroup().getSecurityGroupId();
+
         // Create ECS Express Gateway Service
         this.expressService = CfnExpressGatewayService.Builder.create(this, "ExpressService")
             .serviceName(appName)
+            .cluster(ecsCluster.getClusterName())
             .infrastructureRoleArn(props.getUnicorn().getEcsInfrastructureRole().getRoleArn())
             .executionRoleArn(props.getUnicorn().getEcsTaskExecutionRole().getRoleArn())
             .taskRoleArn(taskRole.getRoleArn())
             .primaryContainer(CfnExpressGatewayService.ExpressGatewayContainerProperty.builder()
-                .image(ecrRepository.getRepositoryUri() + ":latest")
+                .image(imageUri)
                 .containerPort(8080)
+                .awsLogsConfiguration(CfnExpressGatewayService.ExpressGatewayServiceAwsLogsConfigurationProperty.builder()
+                    .logGroup(logGroup.getLogGroupName())
+                    .logStreamPrefix("ecs")
+                    .build())
                 .secrets(List.of(
                     CfnExpressGatewayService.SecretProperty.builder()
                         .name("SPRING_DATASOURCE_URL")
                         .valueFrom(props.getDatabase().getParamDBConnectionString().getParameterArn())
                         .build(),
+                    CfnExpressGatewayService.SecretProperty.builder()
+                        .name("SPRING_DATASOURCE_USERNAME")
+                        .valueFrom(props.getDatabase().getDatabaseSecret().getSecretArn() + ":username::")
+                        .build(),
                     CfnExpressGatewayService.SecretProperty.builder()
                         .name("SPRING_DATASOURCE_PASSWORD")
                         .valueFrom(props.getDatabase().getDatabaseSecret().getSecretArn() + ":password::")
@@ -69,19 +91,25 @@ public EcsExpressService(final Construct scope, final String id, final EcsExpres
             .memory("2048")
             .healthCheckPath("/actuator/health")
             .networkConfiguration(CfnExpressGatewayService.ExpressGatewayServiceNetworkConfigurationProperty.builder()
-                .subnets(privateSubnetIds)
+                .subnets(publicSubnetIds)
+                .securityGroups(List.of(dbSecurityGroupId))
                 .build())
             .scalingTarget(CfnExpressGatewayService.ExpressGatewayScalingTargetProperty.builder()
                 .minTaskCount(1)
                 .maxTaskCount(4)
-                .autoScalingMetric("CPU")
+                .autoScalingMetric("AVERAGE_CPU")
                 .autoScalingTargetValue(70)
                 .build())
             .build();
+
+        // Add dependency on CodeBuild (image must be pushed before service starts)
+        if (props.getDependsOn() != null) {
+            this.expressService.getNode().addDependency(props.getDependsOn());
+        }
     }
 
-    public Repository getEcrRepository() {
-        return ecrRepository;
+    public Cluster getEcsCluster() {
+        return ecsCluster;
     }
 
     public CfnExpressGatewayService getExpressService() {
@@ -94,59 +122,38 @@ public static class EcsExpressServiceProps {
         private final IVpc vpc;
         private final Database database;
         private final Unicorn unicorn;
+        private final IDependable dependsOn;
 
         private EcsExpressServiceProps(Builder builder) {
             this.appName = builder.appName;
             this.vpc = builder.vpc;
             this.database = builder.database;
             this.unicorn = builder.unicorn;
+            this.dependsOn = builder.dependsOn;
         }
 
         public static Builder builder() {
             return new Builder();
         }
 
-        public String getAppName() {
-            return appName;
-        }
-
-        public IVpc getVpc() {
-            return vpc;
-        }
-
-        public Database getDatabase() {
-            return database;
-        }
-
-        public Unicorn getUnicorn() {
-            return unicorn;
-        }
+        public String getAppName() { return appName; }
+        public IVpc getVpc() { return vpc; }
+        public Database getDatabase() { return database; }
+        public Unicorn getUnicorn() { return unicorn; }
+        public IDependable getDependsOn() { return dependsOn; }
 
         public static class Builder {
             private String appName;
             private IVpc vpc;
             private Database database;
             private Unicorn unicorn;
+            private IDependable dependsOn;
 
-            public Builder appName(String appName) {
-                this.appName = appName;
-                return this;
-            }
-
-            public Builder vpc(IVpc vpc) {
-                this.vpc = vpc;
-                return this;
-            }
-
-            public Builder database(Database database) {
-                this.database = database;
-                return this;
-            }
-
-            public Builder unicorn(Unicorn unicorn) {
-                this.unicorn = unicorn;
-                return this;
-            }
+            public Builder appName(String appName) { this.appName = appName; return this; }
+            public Builder vpc(IVpc vpc) { this.vpc = vpc; return this; }
+            public Builder database(Database database) { this.database = database; return this; }
+            public Builder unicorn(Unicorn unicorn) { this.unicorn = unicorn; return this; }
+            public Builder dependsOn(IDependable dependsOn) { this.dependsOn = dependsOn; return this; }
 
             public EcsExpressServiceProps build() {
                 return new EcsExpressServiceProps(this);

infra/cfn/base-stack.yaml

@@ -676,18 +676,6 @@ Resources:
         Fn::GetAtt:
           - IdeInstanceLauncherFunction803C5A2A
           - Arn
-      InstanceName: ide
-      IamInstanceProfileArn:
-        Fn::GetAtt:
-          - IdeInstanceProfile61B92038
-          - Arn
-      VolumeSize: "50"
-      SubnetIds:
-        Fn::Join:
-          - ""
-          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
-            - ","
-            - Ref: VpcPublicSubnet2SubnetA811849C
       SecurityGroupIds:
         Fn::Join:
           - ""
@@ -698,8 +686,19 @@ Resources:
             - Fn::GetAtt:
                 - IdeInternalSecurityGroupB0A5D76B
                 - GroupId
-      ImageId:
-        Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter
+      SubnetIds:
+        Fn::Join:
+          - ""
+          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
+            - ","
+            - Ref: VpcPublicSubnet2SubnetA811849C
+      VolumeSize: "50"
+      IamInstanceProfileArn:
+        Fn::GetAtt:
+          - IdeInstanceProfile61B92038
+          - Arn
+      InstanceName: ide
+      InstanceTypes: m6a.xlarge,m7a.xlarge
       UserData:
         Fn::Base64:
           Fn::Join:
@@ -836,7 +835,8 @@ Resources:
                 "
                     exit 1
                 fi
-      InstanceTypes: m6a.xlarge,m7a.xlarge
+      ImageId:
+        Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
   IdeEipAssociationDFF81215: