feat(infra): Add IAM role for ECR repository creation template

Author: Yuriy Bezsonov

infra/cdk/src/main/java/sample/com/constructs/EcrRegistry.java

@@ -2,6 +2,9 @@
 
 import software.amazon.awscdk.CfnTag;
 import software.amazon.awscdk.services.ecr.CfnRepositoryCreationTemplate;
+import software.amazon.awscdk.services.iam.Role;
+import software.amazon.awscdk.services.iam.ServicePrincipal;
+import software.amazon.awscdk.services.iam.PolicyStatement;
 import software.constructs.Construct;
 
 import java.util.List;
@@ -69,12 +72,28 @@ public EcrRegistry(final Construct scope, final String id, final EcrRegistryProp
             }
             """;
 
+        // Create IAM role for ECR repository creation template
+        Role ecrTemplateRole = Role.Builder.create(this, "TemplateRole")
+            .roleName(prefix + "-ecr-template-role")
+            .assumedBy(new ServicePrincipal("ecr.amazonaws.com"))
+            .build();
+
+        ecrTemplateRole.addToPolicy(PolicyStatement.Builder.create()
+            .actions(List.of(
+                "ecr:CreateRepository",
+                "ecr:TagResource",
+                "ecr:PutLifecyclePolicy"
+            ))
+            .resources(List.of("*"))
+            .build());
+
         // Create Repository Creation Template
         this.repositoryCreationTemplate = CfnRepositoryCreationTemplate.Builder.create(this, "Template")
             .prefix("ROOT")  // Applies to all repositories
             .appliedFor(List.of("CREATE_ON_PUSH", "REPLICATION"))
             .imageTagMutability("MUTABLE")
             .lifecyclePolicy(lifecyclePolicyJson)
+            .customRoleArn(ecrTemplateRole.getRoleArn())
             .resourceTags(List.of(
                 CfnTag.builder()
                     .key("Environment")

infra/scripts/ide/bootstrap.sh

@@ -144,6 +144,7 @@ EOF
 source /etc/profile.d/workshop.sh
 
 echo "export ACCOUNT_ID=$(aws sts get-caller-identity --output text --query Account)" | tee -a /etc/profile.d/workshop.sh
+echo "export AWS_ACCOUNT_ID=\$ACCOUNT_ID" | tee -a /etc/profile.d/workshop.sh
 source /etc/profile.d/workshop.sh
 
 echo "Setting PS1..."

infra/scripts/setup/unicorn-store-spring.sh

@@ -10,12 +10,12 @@ source "$SCRIPT_DIR/../lib/common.sh"
 log_info "Setting up Unicorn Store Spring application..."
 
 # Get AWS account and region
-AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
-AWS_REGION=$(aws configure get region)
-ECR_REGISTRY="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
+ACCOUNT_ID=${ACCOUNT_ID:-$(aws sts get-caller-identity --query Account --output text)}
+AWS_REGION=${AWS_REGION:-$(aws configure get region)}
+ECR_REGISTRY="${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
 IMAGE_NAME="unicorn-store-spring"
 
-log_info "AWS Account: $AWS_ACCOUNT_ID"
+log_info "AWS Account: $ACCOUNT_ID"
 log_info "AWS Region: $AWS_REGION"
 log_info "ECR Registry: $ECR_REGISTRY"
 
@@ -34,6 +34,11 @@ log_success "Copied unicorn-store-spring to ~/environment (tests removed)"
 # Change to the app directory
 cd ~/environment/unicorn-store-spring
 
+# Build the application with Maven
+log_info "Building application with Maven..."
+mvn clean package -DskipTests -ntp
+log_success "Maven build completed"
+
 # Login to ECR
 log_info "Logging in to ECR..."
 aws ecr get-login-password --region "$AWS_REGION" | docker login --username AWS --password-stdin "$ECR_REGISTRY"