new infra

Author: Yuriy Bezsonov

.kiro/specs/infra/deployment-guide.md

@@ -88,8 +88,9 @@ public WorkshopStack(final Construct scope, final String id, final StackProps pr
                     .profilingAnalysisEnabled(true)
                     .build());
 
-            // Unicorn construct: ECR + Roles (uses unicorn* naming for workshop content compatibility)
+            // Unicorn construct: ECR + Roles + DB Setup (uses unicorn* naming for workshop content compatibility)
             Unicorn unicorn = new Unicorn(this, "Unicorn", Unicorn.UnicornProps.builder()
+                .vpc(vpc.getVpc())
                 .eksRolesEnabled(true)
                 .ecsRolesEnabled(false)
                 .database(database)

.kiro/specs/infra/java-on-aws-workshop-architecture.png

@@ -1,20 +1,15 @@
 package sample.com.constructs;
 
-import software.amazon.awscdk.Duration;
 import software.amazon.awscdk.RemovalPolicy;
 import software.amazon.awscdk.SecretValue;
 import software.amazon.awscdk.SecretsManagerSecretOptions;
-import software.amazon.awscdk.CustomResource;
 import software.amazon.awscdk.services.ec2.IVpc;
 import software.amazon.awscdk.services.ec2.Port;
 import software.amazon.awscdk.services.ec2.Peer;
 import software.amazon.awscdk.services.ec2.SecurityGroup;
 import software.amazon.awscdk.services.ec2.SubnetSelection;
 import software.amazon.awscdk.services.ec2.SubnetType;
 import software.amazon.awscdk.services.ec2.ISecurityGroup;
-import software.amazon.awscdk.services.lambda.Code;
-import software.amazon.awscdk.services.lambda.Function;
-import software.amazon.awscdk.services.lambda.Runtime;
 import software.amazon.awscdk.services.rds.AuroraPostgresClusterEngineProps;
 import software.amazon.awscdk.services.rds.ServerlessV2ClusterInstanceProps;
 import software.amazon.awscdk.services.rds.AuroraPostgresEngineVersion;
@@ -29,12 +24,12 @@
 import software.amazon.awscdk.services.secretsmanager.Secret;
 import software.constructs.Construct;
 
-import java.io.IOException;
-import java.nio.file.Files;
-import java.nio.file.Path;
 import java.util.List;
-import java.util.Map;
 
+/**
+ * Database construct for workshop infrastructure.
+ * Creates Aurora PostgreSQL Serverless v2 cluster with supporting resources.
+ */
 public class Database extends Construct {
 
     private final DatabaseSecret databaseSecret;
@@ -43,7 +38,6 @@ public class Database extends Construct {
 
     private final StringParameter paramDBConnectionString;
     private final Secret secretPassword;
-    private final CustomResource databaseSetupResource;
 
     public Database(final Construct scope, final String id, final IVpc vpc) {
         super(scope, id);
@@ -67,8 +61,6 @@ public Database(final Construct scope, final String id, final IVpc vpc) {
             Port.tcp(5432),
             "Allow Database Traffic from local network");
 
-
-
         // Create Aurora PostgreSQL cluster with universal naming
         database = DatabaseCluster.Builder.create(this, "Cluster")
             .engine(DatabaseClusterEngine.auroraPostgres(
@@ -108,39 +100,6 @@ public Database(final Construct scope, final String id, final IVpc vpc) {
             .stringValue(getConnectionString())
             .tier(ParameterTier.STANDARD)
             .build();
-
-        // Create database setup Lambda function
-        Function databaseSetupFunction = Function.Builder.create(this, "SetupFunction")
-            .code(Code.fromInline(loadFile("/lambda/database-setup.py")))
-            .handler("index.lambda_handler")
-            .runtime(Runtime.PYTHON_3_13)
-            .functionName("workshop-database-setup")
-            .timeout(Duration.minutes(3))
-            .vpc(vpc)
-            .securityGroups(List.of(databaseSecurityGroup))
-            .build();
-
-        // Grant permissions to setup function
-        databaseSecret.grantRead(databaseSetupFunction);
-        database.grantDataApiAccess(databaseSetupFunction);
-
-        // Create custom resource for database setup
-        databaseSetupResource = CustomResource.Builder.create(this, "SetupResource")
-            .serviceToken(databaseSetupFunction.getFunctionArn())
-            .properties(Map.of(
-                "SecretName", databaseSecret.getSecretName(),
-                "SqlStatements", loadFile("/schema.sql")
-            ))
-            .build();
-        databaseSetupResource.getNode().addDependency(database);
-    }
-
-    private String loadFile(String filePath) {
-        try {
-            return Files.readString(Path.of(getClass().getResource(filePath).getPath()));
-        } catch (IOException e) {
-            throw new RuntimeException("Failed to load file " + filePath, e);
-        }
     }
 
     public String getConnectionString() {

infra/cdk/src/main/java/sample/com/WorkshopStack.java

@@ -63,7 +63,6 @@ public PerformanceAnalysis(final Construct scope, final String id, final Perform
             .bucketName(String.format("workshop-%s-%s-%s", Aws.ACCOUNT_ID, Aws.REGION, timestamp))
             .blockPublicAccess(BlockPublicAccess.BLOCK_ALL)
             .removalPolicy(RemovalPolicy.DESTROY)
-            .autoDeleteObjects(true)
             .build();
 
         // Create SSM parameter for bucket name discovery
@@ -97,6 +96,13 @@ public PerformanceAnalysis(final Construct scope, final String id, final Perform
             ))
             .build());
 
+        // Add Secrets Manager permission for IDE password (webhook auth)
+        lambdaBedrockRole.addToPolicy(PolicyStatement.Builder.create()
+            .effect(Effect.ALLOW)
+            .actions(List.of("secretsmanager:GetSecretValue"))
+            .resources(List.of("arn:aws:secretsmanager:*:*:secret:workshop-ide-password*"))
+            .build());
+
         // Add EKS access permissions
         lambdaBedrockRole.addToPolicy(PolicyStatement.Builder.create()
             .effect(Effect.ALLOW)
@@ -180,7 +186,8 @@ private void createThreadAnalysis(PerformanceAnalysisProps props) {
                 "S3_THREAD_DUMPS_PREFIX", "thread-dumps/",
                 "APP_LABEL", "unicorn-store-spring",
                 "KUBERNETES_AUTH_TYPE", "aws",
-                "K8S_NAMESPACE", "unicorn-store-spring"
+                "K8S_NAMESPACE", "unicorn-store-spring",
+                "SECRET_NAME", "workshop-ide-password"
             ))
             .build();
 
@@ -219,6 +226,9 @@ private void createThreadAnalysis(PerformanceAnalysisProps props) {
                 .build())
             .build();
 
+        // Remove auto-generated endpoint output
+        threadDumpApi.getNode().tryRemoveChild("Endpoint");
+
         // Add POST method to root
         LambdaIntegration lambdaIntegration = LambdaIntegration.Builder.create(threadDumpLambda)
             .build();

infra/cdk/src/main/java/sample/com/constructs/Database.java

@@ -1,12 +1,21 @@
 package sample.com.constructs;
 
+import software.amazon.awscdk.CustomResource;
+import software.amazon.awscdk.Duration;
 import software.amazon.awscdk.RemovalPolicy;
 import software.amazon.awscdk.services.ecr.Repository;
 import software.amazon.awscdk.services.iam.*;
+import software.amazon.awscdk.services.lambda.Code;
+import software.amazon.awscdk.services.lambda.Function;
+import software.amazon.awscdk.services.lambda.Runtime;
 import software.amazon.awscdk.services.s3.IBucket;
 import software.constructs.Construct;
 
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
 import java.util.List;
+import java.util.Map;
 
 /**
  * Unicorn construct for workshop-specific resources.
@@ -16,6 +25,7 @@
  * - ECR repository (unicorn-store-spring)
  * - EKS Pod Identity role (unicornstore-eks-pod-role)
  * - ECS task roles (unicornstore-ecs-task-role, unicornstore-ecs-task-execution-role)
+ * - Database schema setup (unicorns table)
  */
 public class Unicorn extends Construct {
 
@@ -29,6 +39,9 @@ public class Unicorn extends Construct {
     private Role ecsTaskRole;
     private Role ecsTaskExecutionRole;
 
+    // Database Setup
+    private CustomResource databaseSetupResource;
+
     public Unicorn(final Construct scope, final String id, final UnicornProps props) {
         super(scope, id);
 
@@ -49,6 +62,51 @@ public Unicorn(final Construct scope, final String id, final UnicornProps props)
         if (props.isEcsRolesEnabled()) {
             createEcsRoles(props);
         }
+
+        // === DATABASE SETUP ===
+        if (props.getDatabase() != null) {
+            createDatabaseSetup(props);
+        }
+    }
+
+    /**
+     * Creates database setup Lambda and custom resource to initialize unicorns table.
+     */
+    private void createDatabaseSetup(UnicornProps props) {
+        Database database = props.getDatabase();
+
+        // Create database setup Lambda function
+        Function databaseSetupFunction = Function.Builder.create(this, "DatabaseSetupFunction")
+            .code(Code.fromInline(loadFile("/lambda/database-setup.py")))
+            .handler("index.lambda_handler")
+            .runtime(Runtime.PYTHON_3_13)
+            .functionName("unicornstore-database-setup")
+            .timeout(Duration.minutes(3))
+            .vpc(props.getVpc())
+            .securityGroups(List.of(database.getDatabaseSecurityGroup()))
+            .build();
+
+        // Grant permissions to setup function
+        database.getDatabaseSecret().grantRead(databaseSetupFunction);
+        database.getDatabase().grantDataApiAccess(databaseSetupFunction);
+
+        // Create custom resource for database setup
+        this.databaseSetupResource = CustomResource.Builder.create(this, "DatabaseSetupResource")
+            .serviceToken(databaseSetupFunction.getFunctionArn())
+            .properties(Map.of(
+                "SecretName", database.getDatabaseSecret().getSecretName(),
+                "SqlStatements", loadFile("/unicorns.sql")
+            ))
+            .build();
+        databaseSetupResource.getNode().addDependency(database.getDatabase());
+    }
+
+    private String loadFile(String filePath) {
+        try {
+            return Files.readString(Path.of(getClass().getResource(filePath).getPath()));
+        } catch (IOException e) {
+            throw new RuntimeException("Failed to load file " + filePath, e);
+        }
     }
 
     /**
@@ -208,12 +266,14 @@ public static class UnicornProps {
         private final boolean ecsRolesEnabled;
         private final Database database;
         private final IBucket workshopBucket;
+        private final software.amazon.awscdk.services.ec2.IVpc vpc;
 
         private UnicornProps(Builder builder) {
             this.eksRolesEnabled = builder.eksRolesEnabled;
             this.ecsRolesEnabled = builder.ecsRolesEnabled;
             this.database = builder.database;
             this.workshopBucket = builder.workshopBucket;
+            this.vpc = builder.vpc;
         }
 
         public static Builder builder() {
@@ -236,11 +296,16 @@ public IBucket getWorkshopBucket() {
             return workshopBucket;
         }
 
+        public software.amazon.awscdk.services.ec2.IVpc getVpc() {
+            return vpc;
+        }
+
         public static class Builder {
             private boolean eksRolesEnabled = false;
             private boolean ecsRolesEnabled = false;
             private Database database;
             private IBucket workshopBucket;
+            private software.amazon.awscdk.services.ec2.IVpc vpc;
 
             public Builder eksRolesEnabled(boolean eksRolesEnabled) {
                 this.eksRolesEnabled = eksRolesEnabled;
@@ -262,6 +327,11 @@ public Builder workshopBucket(IBucket workshopBucket) {
                 return this;
             }
 
+            public Builder vpc(software.amazon.awscdk.services.ec2.IVpc vpc) {
+                this.vpc = vpc;
+                return this;
+            }
+
             public UnicornProps build() {
                 return new UnicornProps(this);
             }

infra/cdk/src/main/java/sample/com/constructs/PerformanceAnalysis.java

@@ -2,7 +2,7 @@
 	"Version": "2012-10-17",
 	"Statement": [
 		{
-			"Sid": "MarketplaceSubscribe_Claude45Opus_Claude45Sonnet_Claude4Sonnet",
+			"Sid": "MarketplaceSubscribeClaude45Opus45Sonnet4Sonnet",
             "Effect": "Allow",
             "Action": [
                 "aws-marketplace:Subscribe"

infra/cdk/src/main/java/sample/com/constructs/Unicorn.java

@@ -1,2 +1,2 @@
 CREATE TABLE IF NOT EXISTS unicorns(id TEXT DEFAULT gen_random_uuid() PRIMARY KEY, name TEXT, age TEXT, size TEXT, type TEXT);
-CREATE EXTENSION IF NOT EXISTS vector;
+CREATE EXTENSION IF NOT EXISTS vector;