aws-samples
diff --git a/‎infrastructure/cdk/src/main/java/com/unicorn/constructs/VSCodeIde.java‎
Lines changed: 1 addition & 1 deletion b/‎infrastructure/cdk/src/main/java/com/unicorn/constructs/VSCodeIde.java‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎infrastructure/cdk/src/main/java/com/unicorn/core/InfrastructureMonitoringJVM.java‎
Lines changed: 58 additions & 53 deletions b/‎infrastructure/cdk/src/main/java/com/unicorn/core/InfrastructureMonitoringJVM.java‎
Lines changed: 58 additions & 53 deletions
diff --git a/‎infrastructure/cfn/ide-gitea-stack.yaml‎
Lines changed: 57 additions & 57 deletions b/‎infrastructure/cfn/ide-gitea-stack.yaml‎
Lines changed: 57 additions & 57 deletions
@@ -81,7 +81,7 @@ public static class VSCodeIdeProps {
         private String availabilityZone;
         private IMachineImage machineImage = MachineImage.latestAmazonLinux2023();
         private InstanceType instanceType = InstanceType.of(InstanceClass.T3, InstanceSize.MEDIUM);
-        private String codeServerVersion = "4.101.2";
+        private String codeServerVersion = "4.103.1";
         private List<IManagedPolicy> additionalIamPolicies = new ArrayList<>();
         private List<ISecurityGroup> additionalSecurityGroups = new ArrayList<>();
         private int bootstrapTimeoutMinutes = 30;
 
@@ -2,16 +2,13 @@
 
 import com.unicorn.constructs.EksCluster;
 import software.amazon.awscdk.*;
+import software.amazon.awscdk.services.apigateway.*;
 import software.amazon.awscdk.services.ec2.*;
 import software.amazon.awscdk.services.iam.*;
 import software.amazon.awscdk.services.lambda.*;
 import software.amazon.awscdk.services.logs.LogGroup;
 import software.amazon.awscdk.services.logs.RetentionDays;
 import software.amazon.awscdk.services.s3.Bucket;
-import software.amazon.awscdk.services.sns.Topic;
-import software.amazon.awscdk.services.sns.TopicPolicy;
-import software.amazon.awscdk.services.sns.subscriptions.LambdaSubscription;
-import software.amazon.awscdk.services.eks.CfnCluster;
 import software.constructs.Construct;
 
 import java.util.List;
@@ -23,11 +20,8 @@ public class InfrastructureMonitoringJVM extends Construct {
     public InfrastructureMonitoringJVM(Construct scope, String id, Bucket s3Bucket, EksCluster eksCluster, IVpc vpc) {
         super(scope, id);
 
-        // Create Lambda function first (from InfrastructureLambdaBedrock)
-        Function threadDumpFunction = createThreadDumpLambda(s3Bucket, eksCluster, vpc);
-
-        // Create monitoring infrastructure (from MonitoringConstruct)
-        createMonitoringInfrastructure(vpc, eksCluster.getCluster(), threadDumpFunction);
+        // Create Lambda function
+        createThreadDumpLambda(s3Bucket, eksCluster, vpc);
     }
 
     private Function createThreadDumpLambda(Bucket s3Bucket, EksCluster eksCluster, IVpc vpc) {
@@ -62,17 +56,20 @@ private Function createThreadDumpLambda(Bucket s3Bucket, EksCluster eksCluster,
                 "Allow Lambda access to Kubernetes API"
         );
 
-        // IAM Role for Bedrock
-        Role bedrockRole = Role.Builder.create(this, "BedrockAccessRole")
-                .assumedBy(new ServicePrincipal("bedrock.amazonaws.com"))
-                .description("Role for Bedrock Claude 3.7 access")
+        // Create separate security group for VPC endpoint
+        SecurityGroup vpcEndpointSg = SecurityGroup.Builder.create(this, "VpcEndpointSecurityGroup")
+                .vpc(vpc)
+                .securityGroupName("unicornstore-apigw-vpce-sg")
+                .description("Security group for API Gateway VPC endpoint")
+                .allowAllOutbound(true)
                 .build();
 
-        bedrockRole.addToPolicy(PolicyStatement.Builder.create()
-                .effect(Effect.ALLOW)
-                .actions(List.of("bedrock:InvokeModel", "bedrock:ListFoundationModels"))
-                .resources(List.of("arn:aws:bedrock:*:*:inference-profile/us.anthropic.claude-3-7-sonnet-20250219-v1:0"))
-                .build());
+        // Allow VPC traffic to access API Gateway via VPC endpoint
+        vpcEndpointSg.addIngressRule(
+                Peer.ipv4(vpc.getVpcCidrBlock()),
+                Port.tcp(443),
+                "Allow VPC traffic to API Gateway VPC endpoint"
+        );
 
         // IAM Role for Lambda
         Role lambdaRole = Role.Builder.create(this, "LambdaBedrockRole")
@@ -90,12 +87,12 @@ private Function createThreadDumpLambda(Bucket s3Bucket, EksCluster eksCluster,
             .effect(Effect.ALLOW)
             .actions(List.of(
                 "logs:CreateLogGroup",
-                "logs:CreateLogStream", 
+                "logs:CreateLogStream",
                 "logs:PutLogEvents"
             ))
             .resources(List.of(
-                String.format("arn:aws:logs:%s:%s:log-group:/aws/lambda/unicornstore-thread-dump-lambda*", 
-                    Stack.of(this).getRegion(), 
+                String.format("arn:aws:logs:%s:%s:log-group:/aws/lambda/unicornstore-thread-dump-lambda*",
+                    Stack.of(this).getRegion(),
                     Stack.of(this).getAccount())
             ))
             .build());
@@ -108,7 +105,9 @@ private Function createThreadDumpLambda(Bucket s3Bucket, EksCluster eksCluster,
                 "bedrock:InvokeModelWithResponseStream"
             ))
             .resources(List.of(
-                "arn:aws:bedrock:*:*:inference-profile/us.anthropic.claude-3-7-sonnet-20250219-v1:0"
+                "arn:aws:bedrock:*:*:inference-profile/us.anthropic.claude-3-7-sonnet-20250219-v1:0",
+		"arn:aws:bedrock:*:*:foundation-model/anthropic.claude-3-7-sonnet-20250219-v1:0",
+		"arn:aws:bedrock:*:*:foundation-model/openai.gpt-oss-120b-1:0"
             ))
             .build());
 
@@ -204,44 +203,50 @@ private Function createThreadDumpLambda(Bucket s3Bucket, EksCluster eksCluster,
                 .removalPolicy(RemovalPolicy.DESTROY)
                 .build();
 
-        FunctionUrl.Builder.create(this, "ThreadDumpFunctionUrl")
-                .function(threadDumpFunction)
-                .authType(FunctionUrlAuthType.NONE)
+        // Create VPC endpoint for API Gateway
+        InterfaceVpcEndpoint apiGatewayVpcEndpoint = InterfaceVpcEndpoint.Builder.create(this, "ApiGatewayVpcEndpoint")
+                .vpc(vpc)
+                .service(InterfaceVpcEndpointAwsService.APIGATEWAY)
+                .subnets(SubnetSelection.builder()
+                        .subnetType(SubnetType.PRIVATE_WITH_EGRESS)
+                        .build())
+                .privateDnsEnabled(true)
+                .securityGroups(List.of(lambdaSg))
+                .build();
+
+        // Create private API Gateway
+        RestApi api = RestApi.Builder.create(this, "ThreadDumpApi")
+                .restApiName("unicornstore-thread-dump-api")
+                .endpointConfiguration(EndpointConfiguration.builder()
+                        .types(List.of(EndpointType.PRIVATE))
+                        .vpcEndpoints(List.of(apiGatewayVpcEndpoint))
+                        .build())
+                .policy(PolicyDocument.Builder.create()
+                        .statements(List.of(
+                                PolicyStatement.Builder.create()
+                                        .effect(Effect.ALLOW)
+                                        .principals(List.of(new AnyPrincipal()))
+                                        .actions(List.of("execute-api:Invoke"))
+                                        .resources(List.of("*"))
+                                        .conditions(Map.of(
+                                                "StringEquals", Map.of(
+                                                        "aws:SourceVpce", apiGatewayVpcEndpoint.getVpcEndpointId()
+                                                )
+                                        ))
+                                        .build()
+                        ))
+                        .build())
                 .build();
 
-        threadDumpFunction.addPermission("AllowPublicInvocation",
-                software.amazon.awscdk.services.lambda.Permission.builder()
-                        .principal(new AnyPrincipal())
-                        .action("lambda:InvokeFunctionUrl")
-                        .functionUrlAuthType(FunctionUrlAuthType.NONE)
-                        .build());
+        // Add Lambda integration
+        LambdaIntegration integration = new LambdaIntegration(threadDumpFunction);
+        api.getRoot().addMethod("POST", integration);
+        api.getRoot().addProxy();
 
         if (eksCluster != null) {
             eksCluster.createAccessEntry(lambdaRole.getRoleArn(), eksCluster.getCluster().getName(), "lambda-eks-access-role");
         }
 
         return threadDumpFunction;
     }
-
-    private void createMonitoringInfrastructure(IVpc vpc, CfnCluster eksCluster, Function alertHandlerLambda) {
-        Topic alarmTopic = Topic.Builder.create(this, "AlarmTopic")
-                .topicName("UnicornStoreAlarms")
-                .displayName("Unicorn Store Alarms")
-                .build();
-
-        TopicPolicy.Builder.create(this, "AlarmTopicPolicy")
-                .topics(List.of(alarmTopic))
-                .build()
-                .getDocument()
-                .addStatements(PolicyStatement.Builder.create()
-                        .effect(Effect.DENY)
-                        .actions(List.of("sns:Publish"))
-                        .principals(List.of(new AnyPrincipal()))
-                        .resources(List.of(alarmTopic.getTopicArn()))
-                        .conditions(Map.of("Bool", Map.of("aws:SecureTransport", "false")))
-                        .build());
-
-        alarmTopic.addSubscription(new LambdaSubscription(alertHandlerLambda));
-    }
-
 }
@@ -447,7 +447,7 @@ Resources:
   VSCodeIdeGiteaIdeLogGroupCD76FEFA:
     Type: AWS::Logs::LogGroup
     Properties:
-      LogGroupName: ide-bootstrap-log-20250729-054247
+      LogGroupName: ide-bootstrap-log-20250825-200750
       RetentionInDays: 7
     UpdateReplacePolicy: Retain
     DeletionPolicy: Retain
@@ -879,9 +879,9 @@ Resources:
         description: Bootstrap IDE
         parameters:
           BootstrapScript:
-            default: ""
-            description: (Optional) Custom bootstrap script to run.
             type: String
+            description: (Optional) Custom bootstrap script to run.
+            default: ""
         mainSteps:
           - inputs:
               runCommand:
@@ -1142,16 +1142,56 @@ Resources:
                       /opt/aws/bin/cfn-signal -e $exit_code '${waitConditionHandleUrl}'
 
                       exit $exit_code
-                    - splashUrl: ""
-                      instanceIamRoleArn:
+                    - instanceIamRoleArn:
                         Fn::GetAtt:
                           - VSCodeIdeGiteaIdeRole90308F47
                           - Arn
-                      readmeUrl: ""
-                      waitConditionHandleUrl:
-                        Ref: VSCodeIdeGiteaIdeBootstrapWaitConditionHandle78036ED5
-                      extensions: ms-kubernetes-tools.vscode-kubernetes-tools,ms-azuretools.vscode-docker
-                      domain: ""
+                      splashUrl: ""
+                      instanceIamRoleName:
+                        Ref: VSCodeIdeGiteaIdeRole90308F47
+                      codeServerVersion: 4.103.1
+                      customBootstrapScript: |
+                        date
+
+                        echo '=== Clone Git repository ==='
+                        sudo -H -u ec2-user bash -c "git clone https://github.com/aws-samples/java-on-aws ~/java-on-aws/"
+                        # sudo -H -u ec2-user bash -c "cd ~/java-on-aws && git checkout refactoring"
+
+                        echo '=== Setup IDE ==='
+                        sudo -H -i -u ec2-user bash -c "~/java-on-aws/infrastructure/scripts/setup/ide.sh"
+                        sudo -H -i -u ec2-user bash -c "~/java-on-aws/infrastructure/scripts/setup/idp.sh"
+                      passwordName:
+                        Fn::Join:
+                          - "-"
+                          - - Fn::Select:
+                                - 0
+                                - Fn::Split:
+                                    - "-"
+                                    - Fn::Select:
+                                        - 6
+                                        - Fn::Split:
+                                            - ":"
+                                            - Ref: VSCodeIdeGiteaIdePasswordSecretD25F73F4
+                            - Fn::Select:
+                                - 1
+                                - Fn::Split:
+                                    - "-"
+                                    - Fn::Select:
+                                        - 6
+                                        - Fn::Split:
+                                            - ":"
+                                            - Ref: VSCodeIdeGiteaIdePasswordSecretD25F73F4
+                            - Fn::Select:
+                                - 2
+                                - Fn::Split:
+                                    - "-"
+                                    - Fn::Select:
+                                        - 6
+                                        - Fn::Split:
+                                            - ":"
+                                            - Ref: VSCodeIdeGiteaIdePasswordSecretD25F73F4
+                      environmentContentsZip: ""
+                      terminalOnStartup: "true"
                       installGitea: |
                         dnf install -y nerdctl cni-plugins
                         mkdir -p /gitea/config /gitea/data
@@ -1344,51 +1384,11 @@ Resources:
                         EOF
 
                         source /etc/profile.d/gitea.sh
-                      terminalOnStartup: "true"
-                      environmentContentsZip: ""
-                      passwordName:
-                        Fn::Join:
-                          - "-"
-                          - - Fn::Select:
-                                - 0
-                                - Fn::Split:
-                                    - "-"
-                                    - Fn::Select:
-                                        - 6
-                                        - Fn::Split:
-                                            - ":"
-                                            - Ref: VSCodeIdeGiteaIdePasswordSecretD25F73F4
-                            - Fn::Select:
-                                - 1
-                                - Fn::Split:
-                                    - "-"
-                                    - Fn::Select:
-                                        - 6
-                                        - Fn::Split:
-                                            - ":"
-                                            - Ref: VSCodeIdeGiteaIdePasswordSecretD25F73F4
-                            - Fn::Select:
-                                - 2
-                                - Fn::Split:
-                                    - "-"
-                                    - Fn::Select:
-                                        - 6
-                                        - Fn::Split:
-                                            - ":"
-                                            - Ref: VSCodeIdeGiteaIdePasswordSecretD25F73F4
-                      customBootstrapScript: |
-                        date
-
-                        echo '=== Clone Git repository ==='
-                        sudo -H -u ec2-user bash -c "git clone https://github.com/aws-samples/java-on-aws ~/java-on-aws/"
-                        # sudo -H -u ec2-user bash -c "cd ~/java-on-aws && git checkout refactoring"
-
-                        echo '=== Setup IDE ==='
-                        sudo -H -i -u ec2-user bash -c "~/java-on-aws/infrastructure/scripts/setup/ide.sh"
-                        sudo -H -i -u ec2-user bash -c "~/java-on-aws/infrastructure/scripts/setup/idp.sh"
-                      codeServerVersion: 4.101.2
-                      instanceIamRoleName:
-                        Ref: VSCodeIdeGiteaIdeRole90308F47
+                      domain: ""
+                      extensions: ms-kubernetes-tools.vscode-kubernetes-tools,ms-azuretools.vscode-docker
+                      waitConditionHandleUrl:
+                        Ref: VSCodeIdeGiteaIdeBootstrapWaitConditionHandle78036ED5
+                      readmeUrl: ""
             name: IdeBootstrapFunction
             action: aws:runShellScript
       DocumentFormat: YAML
@@ -1528,10 +1528,10 @@ Resources:
           - Arn
       InstanceId:
         Ref: VSCodeIdeGiteaIdeEC2Instance51274E6D
-      LogGroupName:
-        Ref: VSCodeIdeGiteaIdeLogGroupCD76FEFA
       SsmDocument:
         Ref: VSCodeIdeGiteaIdeBootstrapDocument7FC8732A
+      LogGroupName:
+        Ref: VSCodeIdeGiteaIdeLogGroupCD76FEFA
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
 Outputs: