Refactoring CDK

Yuriy Bezsonov · Yuriy Bezsonov · commit 731cb610714a · 2025-12-25T13:38:16.000+01:00
diff --git a/apps/java25/jvm-ai-analyzer/pom.xml b/apps/java25/jvm-ai-analyzer/pom.xml
@@ -23,7 +23,6 @@
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <spring-ai.version>1.1.1</spring-ai.version>
         <testcontainers.version>2.0.3</testcontainers.version>
-        <resilience4j.version>2.3.0</resilience4j.version>
     </properties>
 
     <dependencyManagement>
@@ -87,13 +86,6 @@
             </exclusions>
         </dependency>
 
-        <!-- Resilience4j for retry -->
-        <dependency>
-            <groupId>io.github.resilience4j</groupId>
-            <artifactId>resilience4j-spring-boot3</artifactId>
-            <version>${resilience4j.version}</version>
-        </dependency>
-
         <!-- Observability -->
         <dependency>
             <groupId>io.micrometer</groupId>
diff --git a/apps/java25/jvm-ai-analyzer/src/main/java/com/unicorn/jvm/AnalyzerService.java b/apps/java25/jvm-ai-analyzer/src/main/java/com/unicorn/jvm/AnalyzerService.java
@@ -1,6 +1,5 @@
 package com.unicorn.jvm;
 
-import io.github.resilience4j.retry.annotation.Retry;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
@@ -66,20 +65,18 @@ private void processAlert(AlertWebhookRequest.Alert alert) {
         }
     }
 
-    @Retry(name = "threadDump", fallbackMethod = "getThreadDumpFallback")
     String getThreadDump(String podIp) {
         var url = threadDumpUrlTemplate.replace("{podIp}", podIp);
         logger.info("Fetching thread dump from: {}", url);
 
-        return restClient.get()
-            .uri(url)
-            .retrieve()
-            .body(String.class);
-    }
-
-    @SuppressWarnings("unused") // Used by Resilience4j
-    String getThreadDumpFallback(String podIp, Exception ex) {
-        logger.warn("Failed to get thread dump for pod IP {} after retries: {}", podIp, ex.getMessage());
-        return "Failed to retrieve thread dump: " + ex.getMessage();
+        try {
+            return restClient.get()
+                .uri(url)
+                .retrieve()
+                .body(String.class);
+        } catch (Exception e) {
+            logger.warn("Failed to get thread dump for pod IP {}: {}", podIp, e.getMessage());
+            return "Failed to retrieve thread dump: " + e.getMessage();
+        }
     }
 }
diff --git a/apps/java25/jvm-ai-analyzer/src/test/java/com/unicorn/jvm/integration/TestInfrastructureInitializer.java b/apps/java25/jvm-ai-analyzer/src/test/java/com/unicorn/jvm/integration/TestInfrastructureInitializer.java
@@ -32,6 +32,7 @@ public void beforeAll(final ExtensionContext context) {
         }
     }
 
+    @SuppressWarnings("resource")
     private void initializeTestcontainers() {
         try {
             if (localstack == null) {
diff --git a/apps/java25/unicorn-store-spring/src/test/java/com/unicorn/store/integration/TestInfrastructureInitializer.java b/apps/java25/unicorn-store-spring/src/test/java/com/unicorn/store/integration/TestInfrastructureInitializer.java
@@ -32,6 +32,7 @@ public void beforeAll(final ExtensionContext context) {
         }
     }
 
+    @SuppressWarnings("resource")
     private void initializeTestcontainers() {
         try {
             // Start PostgreSQL container with reuse for faster tests
diff --git a/infra/cdk/src/main/java/sample/com/WorkshopStack.java b/infra/cdk/src/main/java/sample/com/WorkshopStack.java
@@ -58,7 +58,6 @@ public WorkshopStack(final Construct scope, final String id, final StackProps pr
             .vpc(vpc.getVpc())
             .gitBranch(gitBranch)
             .templateType(templateType)
-            .ideArch(Ide.IdeArch.X86_64)
             .build();
         Ide ide = new Ide(this, "Ide", ideProps);
 
diff --git a/infra/cdk/src/main/java/sample/com/constructs/CodeBuild.java b/infra/cdk/src/main/java/sample/com/constructs/CodeBuild.java
@@ -172,22 +172,6 @@ public CodeBuild(final Construct scope, final String id, final CodeBuildProps pr
         this.customResource.getNode().addDependency(reportBuildFunction);
     }
 
-    private String calculateMd5(String input) {
-        try {
-            MessageDigest md = MessageDigest.getInstance("MD5");
-            byte[] hash = md.digest(input.getBytes("UTF-8"));
-            StringBuilder hexString = new StringBuilder();
-            for (byte b : hash) {
-                String hex = Integer.toHexString(0xff & b);
-                if (hex.length() == 1) hexString.append('0');
-                hexString.append(hex);
-            }
-            return hexString.toString();
-        } catch (Exception e) {
-            throw new RuntimeException(e);
-        }
-    }
-
     public Project getCodeBuildProject() {
         return this.codebuildProject;
     }
diff --git a/infra/cdk/src/main/java/sample/com/constructs/Database.java b/infra/cdk/src/main/java/sample/com/constructs/Database.java
@@ -1,8 +1,6 @@
 package sample.com.constructs;
 
 import software.amazon.awscdk.RemovalPolicy;
-import software.amazon.awscdk.SecretValue;
-import software.amazon.awscdk.SecretsManagerSecretOptions;
 import software.amazon.awscdk.services.ec2.IVpc;
 import software.amazon.awscdk.services.ec2.Port;
 import software.amazon.awscdk.services.ec2.Peer;
@@ -21,7 +19,6 @@
 
 import software.amazon.awscdk.services.ssm.ParameterTier;
 import software.amazon.awscdk.services.ssm.StringParameter;
-import software.amazon.awscdk.services.secretsmanager.Secret;
 import software.constructs.Construct;
 
 import java.util.List;
@@ -37,7 +34,6 @@ public class Database extends Construct {
     private final ISecurityGroup databaseSecurityGroup;
 
     private final StringParameter paramDBConnectionString;
-    private final Secret secretPassword;
 
     public static class DatabaseProps {
         private String prefix = "workshop";
@@ -110,13 +106,6 @@ public Database(final Construct scope, final String id, final DatabaseProps prop
             .removalPolicy(RemovalPolicy.DESTROY)
             .build();
 
-        // Create separate password secret for services that need plain password
-        secretPassword = Secret.Builder.create(this, "PasswordSecret")
-            .secretName(prefix + "-db-password-secret")
-            .secretStringValue(SecretValue.secretsManager(databaseSecret.getSecretName(),
-                SecretsManagerSecretOptions.builder().jsonField("password").build()))
-            .build();
-
         // Create parameter store entry for connection string
         paramDBConnectionString = StringParameter.Builder.create(this, "ConnectionString")
             .allowedPattern(".*")
@@ -148,10 +137,6 @@ public StringParameter getParamDBConnectionString() {
         return paramDBConnectionString;
     }
 
-    public Secret getSecretPassword() {
-        return secretPassword;
-    }
-
     public String getDatabaseSecretString() {
         return databaseSecret.secretValueFromJson("password").toString();
     }
diff --git a/infra/cdk/src/main/java/sample/com/constructs/Ide.java b/infra/cdk/src/main/java/sample/com/constructs/Ide.java
@@ -86,7 +86,7 @@ public static class IdeProps {
         private String instanceName = "ide";
         private int diskSize = 50;
         private IVpc vpc;
-        private IdeArch ideArch = IdeArch.ARM64;
+        private IdeArch ideArch = IdeArch.X86_64;
         private IdeType ideType = IdeType.CODE_EDITOR;
         private List<ISecurityGroup> additionalSecurityGroups = new ArrayList<>();
         private int bootstrapTimeoutMinutes = 30;
@@ -99,8 +99,6 @@ public static class IdeProps {
             Arrays.asList("m7g.xlarge", "m6g.xlarge", "c7g.xlarge", "t4g.xlarge");
         private static final List<String> X86_64_INSTANCE_TYPES =
             Arrays.asList("m6i.xlarge", "m5.xlarge", "m6a.xlarge", "m7i-flex.xlarge", "m7a.xlarge", "t3.xlarge");
-        // Old instance list (x86_64) for reference:
-        // Arrays.asList("m7i-flex.xlarge", "m7a.xlarge", "m6i.xlarge", "m6a.xlarge", "m5.xlarge", "t3.xlarge");
 
         public static IdeProps.Builder builder() { return new Builder(); }
 
diff --git a/infra/cdk/src/main/java/sample/com/constructs/Unicorn.java b/infra/cdk/src/main/java/sample/com/constructs/Unicorn.java
@@ -5,6 +5,7 @@
 import software.amazon.awscdk.RemovalPolicy;
 import software.amazon.awscdk.services.ecr.Repository;
 import software.amazon.awscdk.services.ecr.TagMutability;
+import software.amazon.awscdk.services.events.EventBus;
 import software.amazon.awscdk.services.iam.*;
 import software.amazon.awscdk.services.lambda.Code;
 import software.amazon.awscdk.services.lambda.Function;
@@ -24,19 +25,27 @@
  *
  * Contains:
  * - ECR repository (unicorn-store-spring)
+ * - EventBus (unicorns)
  * - EKS Pod Identity role (unicornstore-eks-pod-role)
- * - ECS task roles (unicornstore-ecs-task-role, unicornstore-ecs-task-execution-role)
+ * - ECS Express Mode roles:
+ *   - Infrastructure role (unicornstore-ecs-infrastructure-role)
+ *   - Task execution role (unicornstore-ecs-task-execution-role)
+ *   - Task role (unicornstore-ecs-task-role)
  * - Database schema setup (unicorns table)
  */
 public class Unicorn extends Construct {
 
     // ECR Repository
     private Repository ecrRepository;
 
+    // EventBus
+    private EventBus eventBus;
+
     // EKS Roles
     private Role eksPodRole;
 
     // ECS Roles
+    private Role ecsInfrastructureRole;
     private Role ecsTaskRole;
     private Role ecsTaskExecutionRole;
 
@@ -55,6 +64,11 @@ public Unicorn(final Construct scope, final String id, final UnicornProps props)
             .emptyOnDelete(true)
             .build();
 
+        // === EVENTBUS ===
+        this.eventBus = EventBus.Builder.create(this, "UnicornEventBus")
+            .eventBusName("unicorns")
+            .build();
+
         // === EKS ROLES ===
         if (props.isEksRolesEnabled()) {
             createEksRoles(props);
@@ -115,9 +129,9 @@ private String loadFile(String filePath) {
      * Creates EKS Pod Identity role with permissions for:
      * - X-Ray tracing
      * - CloudWatch metrics
-     * - Bedrock AI access
      * - S3 bucket access
      * - Database secrets access
+     * - EventBridge PutEvents
      */
     private void createEksRoles(UnicornProps props) {
         ServicePrincipal eksPods = ServicePrincipal.Builder.create("pods.eks.amazonaws.com")
@@ -149,9 +163,6 @@ private void createEksRoles(UnicornProps props) {
         // CloudWatch Agent
         eksPodRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName("CloudWatchAgentServerPolicy"));
 
-        // Bedrock AI access
-        eksPodRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName("AmazonBedrockLimitedAccess"));
-
         // S3 bucket access (if provided)
         if (props.getWorkshopBucket() != null) {
             eksPodRole.addToPolicy(PolicyStatement.Builder.create()
@@ -169,91 +180,91 @@ private void createEksRoles(UnicornProps props) {
             props.getDatabase().getDatabaseSecret().grantRead(eksPodRole);
             props.getDatabase().getParamDBConnectionString().grantRead(eksPodRole);
         }
+
+        // EventBridge access
+        eventBus.grantPutEventsTo(eksPodRole);
     }
 
     /**
-     * Creates ECS task roles with permissions for:
-     * - X-Ray tracing
-     * - CloudWatch logs
-     * - SSM parameter access
-     * - Database secrets access
+     * Creates ECS roles for Express Mode (Fargate):
+     * - Infrastructure role: manages ALB, security groups, auto scaling
+     * - Task execution role: pulls images, writes logs, injects secrets
+     * - Task role: app runtime permissions (X-Ray, EventBridge)
      */
     private void createEcsRoles(UnicornProps props) {
-        ServicePrincipal ecsTasks = ServicePrincipal.Builder.create("ecs-tasks.amazonaws.com")
-            .build();
+        // === ECS Infrastructure Role (for Express Mode) ===
+        ServicePrincipal ecsService = ServicePrincipal.Builder.create("ecs.amazonaws.com").build();
 
-        // OpenTelemetry policy for observability
-        PolicyStatement otelPolicy = PolicyStatement.Builder.create()
-            .effect(Effect.ALLOW)
-            .actions(List.of(
-                "logs:PutLogEvents", "logs:CreateLogGroup", "logs:CreateLogStream",
-                "logs:DescribeLogStreams", "logs:DescribeLogGroups", "logs:PutRetentionPolicy",
-                "xray:PutTraceSegments", "xray:PutTelemetryRecords",
-                "xray:GetSamplingRules", "xray:GetSamplingTargets", "xray:GetSamplingStatisticSummaries",
-                "cloudwatch:PutMetricData", "ssm:GetParameters"
-            ))
-            .resources(List.of("*"))
+        this.ecsInfrastructureRole = Role.Builder.create(this, "UnicornStoreEcsInfrastructureRole")
+            .roleName("unicornstore-ecs-infrastructure-role")
+            .assumedBy(ecsService)
+            .description("ECS infrastructure role for Express Mode services")
             .build();
 
-        // ECS Task Role
-        this.ecsTaskRole = Role.Builder.create(this, "UnicornStoreEcsTaskRole")
-            .roleName("unicornstore-ecs-task-role")
+        ecsInfrastructureRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(
+            "service-role/AmazonECSInfrastructureRoleforExpressGatewayServices"));
+
+        // === ECS Task Execution Role ===
+        ServicePrincipal ecsTasks = ServicePrincipal.Builder.create("ecs-tasks.amazonaws.com").build();
+
+        this.ecsTaskExecutionRole = Role.Builder.create(this, "UnicornStoreEcsTaskExecutionRole")
+            .roleName("unicornstore-ecs-task-execution-role")
             .assumedBy(ecsTasks)
-            .description("ECS task role for Unicorn Store application")
+            .description("ECS task execution role for pulling images and injecting secrets")
             .build();
 
-        ecsTaskRole.addToPolicy(PolicyStatement.Builder.create()
+        // Base permissions: ECR pull + CloudWatch logs
+        ecsTaskExecutionRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(
+            "service-role/AmazonECSTaskExecutionRolePolicy"));
+
+        // Allow creating log groups (not in managed policy)
+        ecsTaskExecutionRole.addToPolicy(PolicyStatement.Builder.create()
             .effect(Effect.ALLOW)
-            .actions(List.of("xray:PutTraceSegments"))
+            .actions(List.of("logs:CreateLogGroup"))
             .resources(List.of("*"))
             .build());
 
-        ecsTaskRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName("CloudWatchLogsFullAccess"));
-        ecsTaskRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName("AmazonSSMReadOnlyAccess"));
-        ecsTaskRole.addToPolicy(otelPolicy);
-
-        // Database secrets access (if provided)
+        // Database secrets injection at container startup (scoped)
         if (props.getDatabase() != null) {
-            props.getDatabase().getDatabaseSecret().grantRead(ecsTaskRole);
-            props.getDatabase().getSecretPassword().grantRead(ecsTaskRole);
-            props.getDatabase().getParamDBConnectionString().grantRead(ecsTaskRole);
+            props.getDatabase().getDatabaseSecret().grantRead(ecsTaskExecutionRole);
+            props.getDatabase().getParamDBConnectionString().grantRead(ecsTaskExecutionRole);
         }
 
-        // ECS Task Execution Role
-        this.ecsTaskExecutionRole = Role.Builder.create(this, "UnicornStoreEcsTaskExecutionRole")
-            .roleName("unicornstore-ecs-task-execution-role")
+        // === ECS Task Role (app runtime permissions) ===
+        this.ecsTaskRole = Role.Builder.create(this, "UnicornStoreEcsTaskRole")
+            .roleName("unicornstore-ecs-task-role")
             .assumedBy(ecsTasks)
-            .description("ECS task execution role for Unicorn Store application")
+            .description("ECS task role for application runtime permissions")
             .build();
 
-        ecsTaskExecutionRole.addToPolicy(PolicyStatement.Builder.create()
+        // X-Ray tracing
+        ecsTaskRole.addToPolicy(PolicyStatement.Builder.create()
             .effect(Effect.ALLOW)
-            .actions(List.of("logs:CreateLogGroup"))
+            .actions(List.of("xray:PutTraceSegments"))
             .resources(List.of("*"))
             .build());
 
-        ecsTaskExecutionRole.addManagedPolicy(
-            ManagedPolicy.fromAwsManagedPolicyName("service-role/AmazonECSTaskExecutionRolePolicy"));
-        ecsTaskExecutionRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName("CloudWatchLogsFullAccess"));
-        ecsTaskExecutionRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName("AmazonSSMReadOnlyAccess"));
-        ecsTaskExecutionRole.addToPolicy(otelPolicy);
-
-        // Database secrets access for execution role (if provided)
-        if (props.getDatabase() != null) {
-            props.getDatabase().getDatabaseSecret().grantRead(ecsTaskExecutionRole);
-            props.getDatabase().getSecretPassword().grantRead(ecsTaskExecutionRole);
-        }
+        // EventBridge access
+        eventBus.grantPutEventsTo(ecsTaskRole);
     }
 
     // Getters
     public Repository getEcrRepository() {
         return ecrRepository;
     }
 
+    public EventBus getEventBus() {
+        return eventBus;
+    }
+
     public Role getEksPodRole() {
         return eksPodRole;
     }
 
+    public Role getEcsInfrastructureRole() {
+        return ecsInfrastructureRole;
+    }
+
     public Role getEcsTaskRole() {
         return ecsTaskRole;
     }

Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,7 @@ public void beforeAll(final ExtensionContext context) {`
`32`	`32`	`}`
`33`	`33`	`}`
`34`	`34`
	`35`	`+ @SuppressWarnings("resource")`
`35`	`36`	`private void initializeTestcontainers() {`
`36`	`37`	`try {`
`37`	`38`	`if (localstack == null) {`