first policy run

Yuriy Bezsonov · Yuriy Bezsonov · commit 5e07960a6595 · 2025-12-29T16:01:04.000+01:00
diff --git a/infra/cdk/src/main/java/sample/com/constructs/ThreadAnalysis.java b/infra/cdk/src/main/java/sample/com/constructs/ThreadAnalysis.java
@@ -174,10 +174,14 @@ public ThreadAnalysis(final Construct scope, final String id, final ThreadAnalys
             .build();
 
         // Add permission for Lambda to invoke itself (async pattern)
-        threadDumpLambda.addToRolePolicy(PolicyStatement.Builder.create()
+        // Use constructed ARN to avoid circular dependency (Lambda -> Role Policy -> Lambda)
+        String lambdaArn = "arn:aws:lambda:" + software.amazon.awscdk.Stack.of(this).getRegion()
+            + ":" + software.amazon.awscdk.Stack.of(this).getAccount()
+            + ":function:" + prefix + "-thread-dump-lambda";
+        lambdaRole.addToPolicy(PolicyStatement.Builder.create()
             .effect(Effect.ALLOW)
             .actions(List.of("lambda:InvokeFunction"))
-            .resources(List.of(threadDumpLambda.getFunctionArn()))
+            .resources(List.of(lambdaArn))
             .build());
 
         // Create Function URL (replaces API Gateway + VPC Endpoint)
diff --git a/infra/cfn/base-stack.yaml b/infra/cfn/base-stack.yaml
@@ -686,8 +686,19 @@ Resources:
             - Fn::GetAtt:
                 - IdeInternalSecurityGroupB0A5D76B
                 - GroupId
-      ImageId:
-        Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter
+      SubnetIds:
+        Fn::Join:
+          - ""
+          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
+            - ","
+            - Ref: VpcPublicSubnet2SubnetA811849C
+      VolumeSize: "50"
+      IamInstanceProfileArn:
+        Fn::GetAtt:
+          - IdeInstanceProfile61B92038
+          - Arn
+      InstanceName: ide
+      InstanceTypes: m6a.xlarge,m7a.xlarge
       UserData:
         Fn::Base64:
           Fn::Join:
@@ -824,19 +835,8 @@ Resources:
                 "
                     exit 1
                 fi
-      InstanceTypes: m6a.xlarge,m7a.xlarge
-      InstanceName: ide
-      IamInstanceProfileArn:
-        Fn::GetAtt:
-          - IdeInstanceProfile61B92038
-          - Arn
-      VolumeSize: "50"
-      SubnetIds:
-        Fn::Join:
-          - ""
-          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
-            - ","
-            - Ref: VpcPublicSubnet2SubnetA811849C
+      ImageId:
+        Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
   IdeEipAssociationDFF81215:
diff --git a/infra/cfn/java-ai-agents-stack.yaml b/infra/cfn/java-ai-agents-stack.yaml
@@ -761,13 +761,6 @@ Resources:
         Fn::GetAtt:
           - IdeInstanceLauncherFunction803C5A2A
           - Arn
-      VolumeSize: "50"
-      SubnetIds:
-        Fn::Join:
-          - ""
-          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
-            - ","
-            - Ref: VpcPublicSubnet2SubnetA811849C
       SecurityGroupIds:
         Fn::Join:
           - ""
@@ -922,6 +915,13 @@ Resources:
         Fn::GetAtt:
           - IdeInstanceProfile61B92038
           - Arn
+      VolumeSize: "50"
+      SubnetIds:
+        Fn::Join:
+          - ""
+          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
+            - ","
+            - Ref: VpcPublicSubnet2SubnetA811849C
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
   IdeEipAssociationDFF81215:
diff --git a/infra/cfn/java-on-amazon-eks-stack.yaml b/infra/cfn/java-on-amazon-eks-stack.yaml
@@ -781,28 +781,6 @@ Resources:
         Fn::GetAtt:
           - IdeInstanceLauncherFunction803C5A2A
           - Arn
-      SecurityGroupIds:
-        Fn::Join:
-          - ""
-          - - Fn::GetAtt:
-                - IdeSecurityGroup73B02454
-                - GroupId
-            - ","
-            - Fn::GetAtt:
-                - IdeInternalSecurityGroupB0A5D76B
-                - GroupId
-      SubnetIds:
-        Fn::Join:
-          - ""
-          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
-            - ","
-            - Ref: VpcPublicSubnet2SubnetA811849C
-      VolumeSize: "50"
-      IamInstanceProfileArn:
-        Fn::GetAtt:
-          - IdeInstanceProfile61B92038
-          - Arn
-      InstanceName: ide
       InstanceTypes: m6a.xlarge,m7a.xlarge
       UserData:
         Fn::Base64:
@@ -942,6 +920,28 @@ Resources:
                 fi
       ImageId:
         Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter
+      SecurityGroupIds:
+        Fn::Join:
+          - ""
+          - - Fn::GetAtt:
+                - IdeSecurityGroup73B02454
+                - GroupId
+            - ","
+            - Fn::GetAtt:
+                - IdeInternalSecurityGroupB0A5D76B
+                - GroupId
+      SubnetIds:
+        Fn::Join:
+          - ""
+          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
+            - ","
+            - Ref: VpcPublicSubnet2SubnetA811849C
+      VolumeSize: "50"
+      IamInstanceProfileArn:
+        Fn::GetAtt:
+          - IdeInstanceProfile61B92038
+          - Arn
+      InstanceName: ide
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
   IdeEipAssociationDFF81215:
@@ -1530,12 +1530,12 @@ Resources:
       Description: workshop-setup build complete
       EventPattern:
         detail:
-          project-name:
-            - Ref: CodeBuildProjectA0FF5539
           build-status:
             - SUCCEEDED
             - FAILED
             - STOPPED
+          project-name:
+            - Ref: CodeBuildProjectA0FF5539
         detail-type:
           - CodeBuild Build State Change
         source:
@@ -1573,7 +1573,7 @@ Resources:
           - Arn
       ProjectName:
         Ref: CodeBuildProjectA0FF5539
-      ContentHash: "1767018258469"
+      ContentHash: "1767020408395"
     DependsOn:
       - CodeBuildCompleteRuleAllowEventRuleWorkshopStackCodeBuildReportLambdaFunctionD77C60919E0B0C89
       - CodeBuildCompleteRuleEE9277E8
@@ -1910,7 +1910,7 @@ Resources:
             - Ref: AWS::AccountId
             - "-"
             - Ref: AWS::Region
-            - "-20251229152418"
+            - "-20251229160008"
       PublicAccessBlockConfiguration:
         BlockPublicAcls: true
         BlockPublicPolicy: true
@@ -2101,9 +2101,13 @@ Resources:
           - Action: lambda:InvokeFunction
             Effect: Allow
             Resource:
-              Fn::GetAtt:
-                - ThreadAnalysisLambda3EE9B29D
-                - Arn
+              Fn::Join:
+                - ""
+                - - "arn:aws:lambda:"
+                  - Ref: AWS::Region
+                  - ":"
+                  - Ref: AWS::AccountId
+                  - :function:workshop-thread-dump-lambda
         Version: "2012-10-17"
       PolicyName: ThreadAnalysisLambdaRoleDefaultPolicyC7AD40BA
       Roles:
@@ -2173,12 +2177,12 @@ Resources:
               }
       Environment:
         Variables:
-          S3_THREAD_DUMPS_PREFIX: thread-dumps/
-          S3_BUCKET_NAME:
-            Ref: WorkshopBucketFD5BC43F
           EKS_CLUSTER_NAME:
             Ref: EksClusterB2BDED5B
           SECRET_NAME: workshop-ide-password
+          S3_THREAD_DUMPS_PREFIX: thread-dumps/
+          S3_BUCKET_NAME:
+            Ref: WorkshopBucketFD5BC43F
       FunctionName: workshop-thread-dump-lambda
       Handler: index.lambda_handler
       MemorySize: 512
diff --git a/infra/cfn/java-on-aws-immersion-day-stack.yaml b/infra/cfn/java-on-aws-immersion-day-stack.yaml
@@ -781,6 +781,28 @@ Resources:
         Fn::GetAtt:
           - IdeInstanceLauncherFunction803C5A2A
           - Arn
+      InstanceName: ide
+      IamInstanceProfileArn:
+        Fn::GetAtt:
+          - IdeInstanceProfile61B92038
+          - Arn
+      VolumeSize: "50"
+      SubnetIds:
+        Fn::Join:
+          - ""
+          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
+            - ","
+            - Ref: VpcPublicSubnet2SubnetA811849C
+      SecurityGroupIds:
+        Fn::Join:
+          - ""
+          - - Fn::GetAtt:
+                - IdeSecurityGroup73B02454
+                - GroupId
+            - ","
+            - Fn::GetAtt:
+                - IdeInternalSecurityGroupB0A5D76B
+                - GroupId
       ImageId:
         Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter
       UserData:
@@ -920,28 +942,6 @@ Resources:
                     exit 1
                 fi
       InstanceTypes: m6a.xlarge,m7a.xlarge
-      InstanceName: ide
-      IamInstanceProfileArn:
-        Fn::GetAtt:
-          - IdeInstanceProfile61B92038
-          - Arn
-      VolumeSize: "50"
-      SubnetIds:
-        Fn::Join:
-          - ""
-          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
-            - ","
-            - Ref: VpcPublicSubnet2SubnetA811849C
-      SecurityGroupIds:
-        Fn::Join:
-          - ""
-          - - Fn::GetAtt:
-                - IdeSecurityGroup73B02454
-                - GroupId
-            - ","
-            - Fn::GetAtt:
-                - IdeInternalSecurityGroupB0A5D76B
-                - GroupId
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
   IdeEipAssociationDFF81215:
@@ -1320,12 +1320,12 @@ Resources:
       Environment:
         ComputeType: BUILD_GENERAL1_MEDIUM
         EnvironmentVariables:
-          - Name: GIT_BRANCH
-            Type: PLAINTEXT
-            Value: new-ws-infra
           - Name: TEMPLATE_TYPE
             Type: PLAINTEXT
             Value: java-on-aws-immersion-day
+          - Name: GIT_BRANCH
+            Type: PLAINTEXT
+            Value: new-ws-infra
         Image: aws/codebuild/amazonlinux2-x86_64-standard:5.0
         ImagePullCredentialsType: CODEBUILD
         PrivilegedMode: false
@@ -1530,12 +1530,12 @@ Resources:
       Description: workshop-setup build complete
       EventPattern:
         detail:
+          project-name:
+            - Ref: CodeBuildProjectA0FF5539
           build-status:
             - SUCCEEDED
             - FAILED
             - STOPPED
-          project-name:
-            - Ref: CodeBuildProjectA0FF5539
         detail-type:
           - CodeBuild Build State Change
         source:
@@ -1567,13 +1567,13 @@ Resources:
         Fn::GetAtt:
           - CodeBuildStartLambdaFunction8349284F
           - Arn
-      ContentHash: "1767018250950"
       ProjectName:
         Ref: CodeBuildProjectA0FF5539
       CodeBuildIamRoleArn:
         Fn::GetAtt:
           - CodeBuildRoleE9A44575
           - Arn
+      ContentHash: "1767020399733"
     DependsOn:
       - CodeBuildCompleteRuleAllowEventRuleWorkshopStackCodeBuildReportLambdaFunctionD77C60919E0B0C89
       - CodeBuildCompleteRuleEE9277E8
@@ -1910,7 +1910,7 @@ Resources:
             - Ref: AWS::AccountId
             - "-"
             - Ref: AWS::Region
-            - "-20251229152411"
+            - "-20251229160000"
       PublicAccessBlockConfiguration:
         BlockPublicAcls: true
         BlockPublicPolicy: true
@@ -2101,9 +2101,13 @@ Resources:
           - Action: lambda:InvokeFunction
             Effect: Allow
             Resource:
-              Fn::GetAtt:
-                - ThreadAnalysisLambda3EE9B29D
-                - Arn
+              Fn::Join:
+                - ""
+                - - "arn:aws:lambda:"
+                  - Ref: AWS::Region
+                  - ":"
+                  - Ref: AWS::AccountId
+                  - :function:workshop-thread-dump-lambda
         Version: "2012-10-17"
       PolicyName: ThreadAnalysisLambdaRoleDefaultPolicyC7AD40BA
       Roles:
@@ -2173,12 +2177,12 @@ Resources:
               }
       Environment:
         Variables:
+          S3_THREAD_DUMPS_PREFIX: thread-dumps/
           SECRET_NAME: workshop-ide-password
           EKS_CLUSTER_NAME:
             Ref: EksClusterB2BDED5B
           S3_BUCKET_NAME:
             Ref: WorkshopBucketFD5BC43F
-          S3_THREAD_DUMPS_PREFIX: thread-dumps/
       FunctionName: workshop-thread-dump-lambda
       Handler: index.lambda_handler
       MemorySize: 512
