Thread dump analysis lab - cleanup

Author: Yuriy Bezsonov

infrastructure/cdk/src/main/java/com/unicorn/IdeStack.java

@@ -22,7 +22,7 @@ public class IdeStack extends Stack {
     private final String bootstrapScript = """
         date
 
-        echo '=== Clone Git repository ==='bash
+        echo '=== Clone Git repository ==='
         sudo -H -u ec2-user bash -c "git clone https://github.com/aws-samples/java-on-aws ~/java-on-aws/"
         # sudo -H -u ec2-user bash -c "cd ~/java-on-aws && git checkout refactoring"
 

infrastructure/cdk/src/main/java/com/unicorn/UnicornStoreStack.java

@@ -8,28 +8,37 @@
 import com.unicorn.constructs.CodeBuildResource;
 import com.unicorn.constructs.CodeBuildResource.CodeBuildResourceProps;
 import com.unicorn.constructs.EksCluster;
-import com.unicorn.core.*;
-
-import software.amazon.awscdk.*;
+import com.unicorn.core.InfrastructureCore;
+import com.unicorn.core.InfrastructureContainers;
+import com.unicorn.core.InfrastructureEks;
+import com.unicorn.core.InfrastructureMonitoringJVM;
+import com.unicorn.core.DatabaseSetup;
+import com.unicorn.core.UnicornStoreSpringLambda;
+
+import software.amazon.awscdk.Stack;
+import software.amazon.awscdk.StackProps;
 import software.amazon.awscdk.services.ec2.InstanceClass;
 import software.amazon.awscdk.services.ec2.InstanceSize;
 import software.amazon.awscdk.services.ec2.InstanceType;
 import software.amazon.awscdk.services.iam.ManagedPolicy;
 import software.constructs.Construct;
 
+import software.amazon.awscdk.DefaultStackSynthesizer;
+import software.amazon.awscdk.DefaultStackSynthesizerProps;
+
 public class UnicornStoreStack extends Stack {
 
     private final String bootstrapScript = """
         date
 
-        echo '=== Clone Git repository ===\n'
+        echo '=== Clone Git repository ==='
         sudo -H -u ec2-user bash -c "git clone https://github.com/aws-samples/java-on-aws ~/java-on-aws/"
-        sudo -H -u ec2-user bash -c "cd ~/java-on-aws && git checkout bedrock-tda"
+        # sudo -H -u ec2-user bash -c "cd ~/java-on-aws && git checkout refactoring"
 
-        echo '=== Setup IDE ===\n'
+        echo '=== Setup IDE ==='
         sudo -H -i -u ec2-user bash -c "~/java-on-aws/infrastructure/scripts/setup/ide.sh"
 
-        echo '=== Additional Setup ===\n'
+        echo '=== Additional Setup ==='
         sudo -H -i -u ec2-user bash -c "~/java-on-aws/infrastructure/scripts/setup/app.sh"
         sudo -H -i -u ec2-user bash -c "~/java-on-aws/infrastructure/scripts/setup/eks.sh"
 
@@ -66,7 +75,7 @@ public UnicornStoreStack(final Construct scope, final String id) {
         // Create VPC
         var vpc = new WorkshopVpc(this, "UnicornStoreVpc", "unicornstore-vpc").getVpc();
 
-        // Create VSCode IDE
+        // Create Workshop IDE
         var ideProps = new VSCodeIdeProps();
             ideProps.setBootstrapScript(bootstrapScript);
             ideProps.setVpc(vpc);
@@ -83,11 +92,6 @@ public UnicornStoreStack(final Construct scope, final String id) {
         var ideRole = ideProps.getRole();
         var ideInternalSecurityGroup = ide.getIdeInternalSecurityGroup();
 
-        // Create EKS cluster for the workshop
-        var eksCluster = new EksCluster(this, "UnicornStoreEksCluster", "unicorn-store", "1.33",
-                vpc, ideInternalSecurityGroup);
-        eksCluster.createAccessEntry(ideRole.getRoleArn(), "unicorn-store", "unicornstore-ide-user");
-
         // Create Core infrastructure
         var infrastructureCore = new InfrastructureCore(this, "InfrastructureCore", vpc);
         // var accountId = Stack.of(this).getAccount();
@@ -96,6 +100,11 @@ public UnicornStoreStack(final Construct scope, final String id) {
         new InfrastructureContainers(this, "InfrastructureContainers", infrastructureCore);
         new InfrastructureEks(this, "InfrastructureEks", infrastructureCore);
 
+        // Create EKS cluster for the workshop
+        var eksCluster = new EksCluster(this, "UnicornStoreEksCluster", "unicorn-store", "1.33",
+            vpc, ideInternalSecurityGroup);
+        eksCluster.createAccessEntry(ideRole.getRoleArn(), "unicorn-store", "unicornstore-ide-user");
+
         // Create JVM monitoring infrastructure with Lambda thread dump
         new InfrastructureMonitoringJVM(this, "InfrastructureMonitoringJVM", infrastructureCore.getWorkshopBucket(), eksCluster, vpc);
 

infrastructure/cdk/src/main/java/com/unicorn/constructs/EksCluster.java

@@ -1,6 +1,7 @@
 package com.unicorn.constructs;
 
-import software.amazon.awscdk.services.ec2.*;
+import software.amazon.awscdk.services.ec2.IVpc;
+import software.amazon.awscdk.services.ec2.SecurityGroup;
 import software.amazon.awscdk.services.eks.CfnCluster;
 import software.amazon.awscdk.services.eks.CfnCluster.LoggingProperty;
 import software.amazon.awscdk.services.eks.CfnCluster.ClusterLoggingProperty;
@@ -17,6 +18,12 @@
 import software.amazon.awscdk.services.eks.CfnAccessEntry.AccessScopeProperty;
 import software.amazon.awscdk.services.eks.CfnAccessEntry.AccessPolicyProperty;
 import software.amazon.awscdk.services.eks.CfnPodIdentityAssociation;
+// import software.amazon.awscdk.services.eks.OpenIdConnectProvider;
+// import software.amazon.awscdk.ResolutionTypeHint;
+import software.amazon.awscdk.services.ec2.SubnetType;
+import software.amazon.awscdk.services.ec2.SubnetSelection;
+import software.amazon.awscdk.services.ec2.ISubnet;
+import software.amazon.awscdk.services.ec2.ISecurityGroup;
 import software.amazon.awscdk.services.iam.ManagedPolicy;
 import software.amazon.awscdk.services.iam.Role;
 import software.amazon.awscdk.services.iam.ServicePrincipal;
@@ -185,11 +192,6 @@ public void createPodIdentity(final String principalArn, final String clusterNam
         podIdentityAssociation.getNode().addDependency(cluster);
     }
 
-    // Get the default cluster security group
-    public String getClusterSecurityGroupId() {
-        return cluster.getAttrClusterSecurityGroupId();
-    }
-
     // Get the default cluster security group as ISecurityGroup
     public ISecurityGroup getClusterSecurityGroup() {
         return SecurityGroup.fromSecurityGroupId(

infrastructure/cdk/src/main/java/com/unicorn/constructs/VSCodeIde.java

@@ -1,6 +1,11 @@
 package com.unicorn.constructs;
 
-import software.amazon.awscdk.*;
+import software.amazon.awscdk.CfnWaitCondition;
+import software.amazon.awscdk.CfnWaitConditionHandle;
+import software.amazon.awscdk.CustomResource;
+import software.amazon.awscdk.Duration;
+import software.amazon.awscdk.Fn;
+import software.amazon.awscdk.RemovalPolicy;
 // import software.amazon.awscdk.services.cloudfront.AddBehaviorOptions;
 import software.amazon.awscdk.services.cloudfront.AllowedMethods;
 import software.amazon.awscdk.services.cloudfront.BehaviorOptions;
@@ -31,7 +36,13 @@
 import software.amazon.awscdk.services.ec2.SecurityGroup;
 import software.amazon.awscdk.services.ec2.SubnetSelection;
 import software.amazon.awscdk.services.ec2.SubnetType;
-import software.amazon.awscdk.services.iam.*;
+import software.amazon.awscdk.services.iam.IManagedPolicy;
+import software.amazon.awscdk.services.iam.InstanceProfile;
+import software.amazon.awscdk.services.iam.ManagedPolicy;
+import software.amazon.awscdk.services.iam.PolicyDocument;
+import software.amazon.awscdk.services.iam.PolicyStatement;
+import software.amazon.awscdk.services.iam.Role;
+import software.amazon.awscdk.services.iam.ServicePrincipal;
 import software.amazon.awscdk.services.lambda.Code;
 import software.amazon.awscdk.services.lambda.Function;
 import software.amazon.awscdk.services.lambda.Runtime;
@@ -40,6 +51,7 @@
 import software.amazon.awscdk.services.secretsmanager.Secret;
 import software.amazon.awscdk.services.secretsmanager.SecretStringGenerator;
 import software.amazon.awscdk.services.ssm.CfnDocument;
+import software.amazon.awscdk.CfnOutput;
 
 import software.constructs.Construct;
 import org.json.JSONObject;
@@ -169,23 +181,13 @@ public VSCodeIde(final Construct scope, final String id, final VSCodeIdeProps pr
         props.getRole().addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName("AmazonSSMManagedInstanceCore"));
 
         var filePath = props.getAdditionalIamPolicyPath();
-        try {
-            var policyPath = Path.of(getClass().getResource(filePath).toURI());
-            if (Files.exists(policyPath)) {
-                var jsonPolicy = loadFile(filePath);
-                // AccountId dynamisch einsetzen
-                String accountId = Stack.of(this).getAccount();
-                String replaced = jsonPolicy.replace("{{.AccountId}}", accountId);
-                var policyDoc = new JSONObject(replaced).toMap();
-
-                CfnManagedPolicy.Builder.create(this, "WorkshopIdeUserPolicy")
-                        .policyDocument(policyDoc)
-                        .managedPolicyName("WorkshopIdeUserPolicy")
-                        .roles(List.of(props.getRole().getRoleName()))
-                        .build();
-            }
-        } catch (Exception e) {
-            throw new RuntimeException("Failed to read or parse IAM policy file: " + filePath, e);
+        if (Files.exists(Path.of(getClass().getResource(filePath).getPath()))) {
+            var policyDocumentJson = loadFile(filePath);
+            var policyDocument = PolicyDocument.fromJson(new JSONObject(policyDocumentJson).toMap());
+            var policy = ManagedPolicy.Builder.create(this, "WorkshopIdeUserPolicy")
+                .document(policyDocument)
+                .build();
+                props.getRole().addManagedPolicy(policy);
         }
 
         DateTimeFormatter formatter = DateTimeFormatter.ofPattern("yyyyMMdd-HHmmss");

infrastructure/cdk/src/main/java/com/unicorn/core/InfrastructureContainers.java

@@ -20,7 +20,7 @@ public class InfrastructureContainers extends Construct {
     private final InfrastructureCore infrastructureCore;
 
     public InfrastructureContainers(final Construct scope, final String id,
-                                    final InfrastructureCore infrastructureCore) {
+        final InfrastructureCore infrastructureCore) {
         super(scope, id);
 
         // Get previously created infrastructure construct
@@ -34,68 +34,77 @@ public InfrastructureContainers(final Construct scope, final String id,
 
     private Repository createUnicornStoreSpringEcr() {
         return Repository.Builder.create(this, "UnicornStoreSpringEcr")
-                .repositoryName("unicorn-store-spring")
-                .imageScanOnPush(false)
-                .removalPolicy(RemovalPolicy.DESTROY)
-                .emptyOnDelete(true)  // This will force delete all images when repository is deleted
-                .build();
+            .repositoryName("unicorn-store-spring")
+            .imageScanOnPush(false)
+            .removalPolicy(RemovalPolicy.DESTROY)
+            .emptyOnDelete(true)  // This will force delete all images when repository is deleted
+            .build();
     }
 
     private void createVpcConnector() {
         VpcConnector.Builder.create(this, "UnicornStoreVpcConnector")
-                .vpc(infrastructureCore.getVpc())
-                .vpcSubnets(SubnetSelection.builder()
-                        .subnetType(SubnetType.PRIVATE_WITH_EGRESS)
-                        .build())
-                .vpcConnectorName("unicornstore-vpc-connector")
-                .build();
+            .vpc(infrastructureCore.getVpc())
+            .vpcSubnets(SubnetSelection.builder()
+                .subnetType(SubnetType.PRIVATE_WITH_EGRESS)
+                .build())
+            .vpcConnectorName("unicornstore-vpc-connector")
+            .build();
     }
 
     private void createRolesAppRunner() {
         var unicornStoreApprunnerRole = Role.Builder.create(this, "UnicornStoreApprunnerRole")
-                .roleName("unicornstore-apprunner-role")
-                .assumedBy(new ServicePrincipal("tasks.apprunner.amazonaws.com")).build();
+            .roleName("unicornstore-apprunner-role")
+            .assumedBy(new ServicePrincipal("tasks.apprunner.amazonaws.com")).build();
         unicornStoreApprunnerRole.addToPolicy(PolicyStatement.Builder.create()
-                .actions(List.of("xray:PutTraceSegments"))
-                .resources(List.of("*"))
-                .build());
+            .actions(List.of("xray:PutTraceSegments"))
+            .resources(List.of("*"))
+            .build());
         infrastructureCore.getEventBridge().grantPutEventsTo(unicornStoreApprunnerRole);
         infrastructureCore.getDatabaseSecret().grantRead(unicornStoreApprunnerRole);
         infrastructureCore.getSecretPassword().grantRead(unicornStoreApprunnerRole);
         infrastructureCore.getParamDBConnectionString().grantRead(unicornStoreApprunnerRole);
 
         var appRunnerECRAccessRole = Role.Builder.create(this, "UnicornStoreApprunnerEcrAccessRole")
-                .roleName("unicornstore-apprunner-ecr-access-role")
-                .assumedBy(new ServicePrincipal("build.apprunner.amazonaws.com")).build();
+            .roleName("unicornstore-apprunner-ecr-access-role")
+            .assumedBy(new ServicePrincipal("build.apprunner.amazonaws.com")).build();
         appRunnerECRAccessRole.addManagedPolicy(ManagedPolicy.fromManagedPolicyArn(this,
-                "UnicornStoreApprunnerEcrAccessRole-" + "AWSAppRunnerServicePolicyForECRAccess",
-                "arn:aws:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess"));
+            "UnicornStoreApprunnerEcrAccessRole-" + "AWSAppRunnerServicePolicyForECRAccess",
+            "arn:aws:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess"));
+
+        // // Create the App Runner service-linked role
+        // Long tsLong = System.currentTimeMillis()/1000;
+        // String timestamp = tsLong.toString();
+        // CfnServiceLinkedRole appRunnerServiceLinkedRole = CfnServiceLinkedRole.Builder.create(this, "AppRunnerServiceLinkedRole")
+        //     .awsServiceName("apprunner.amazonaws.com")
+        //     .description("Service-linked role for AWS App Runner service")
+        //     .customSuffix(timestamp)
+        //     .build();
     }
 
     private void createRolesEcs() {
         var AWSOpenTelemetryPolicy = PolicyStatement.Builder.create()
-                .effect(Effect.ALLOW)
-                .actions(List.of("logs:PutLogEvents", "logs:CreateLogGroup", "logs:CreateLogStream",
-                        "logs:DescribeLogStreams", "logs:DescribeLogGroups",
-                        "logs:PutRetentionPolicy", "xray:PutTraceSegments",
-                        "xray:PutTelemetryRecords", "xray:GetSamplingRules",
-                        "xray:GetSamplingTargets", "xray:GetSamplingStatisticSummaries",
-                        "cloudwatch:PutMetricData", "ssm:GetParameters"))
-                .resources(List.of("*")).build();
+            .effect(Effect.ALLOW)
+            .actions(List.of("logs:PutLogEvents", "logs:CreateLogGroup", "logs:CreateLogStream",
+                    "logs:DescribeLogStreams", "logs:DescribeLogGroups",
+                    "logs:PutRetentionPolicy", "xray:PutTraceSegments",
+                    "xray:PutTelemetryRecords", "xray:GetSamplingRules",
+                    "xray:GetSamplingTargets", "xray:GetSamplingStatisticSummaries",
+                    "cloudwatch:PutMetricData", "ssm:GetParameters"))
+            .resources(List.of("*")).build();
 
         var unicornStoreEscTaskRole = Role.Builder.create(this, "UnicornStoreEcsTaskRole")
-                .roleName("unicornstore-ecs-task-role")
-                .assumedBy(new ServicePrincipal("ecs-tasks.amazonaws.com")).build();
+            .roleName("unicornstore-ecs-task-role")
+            .assumedBy(new ServicePrincipal("ecs-tasks.amazonaws.com")).build();
         unicornStoreEscTaskRole.addToPolicy(PolicyStatement.Builder.create()
-                .actions(List.of("xray:PutTraceSegments"))
-                .resources(List.of("*"))
-                .build());
+            .actions(List.of("xray:PutTraceSegments"))
+            .resources(List.of("*"))
+            .build());
         unicornStoreEscTaskRole.addManagedPolicy(ManagedPolicy.fromManagedPolicyArn(this,
-                "UnicornStoreEcsTaskRole-" + "CloudWatchLogsFullAccess",
-                "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"));
+            "UnicornStoreEcsTaskRole-" + "CloudWatchLogsFullAccess",
+            "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"));
         unicornStoreEscTaskRole.addManagedPolicy(ManagedPolicy.fromManagedPolicyArn(this,
-                "UnicornStoreEcsTaskRole-" + "AmazonSSMReadOnlyAccess",
-                "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess"));
+            "UnicornStoreEcsTaskRole-" + "AmazonSSMReadOnlyAccess",
+            "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess"));
         unicornStoreEscTaskRole.addToPolicy(AWSOpenTelemetryPolicy);
 
         infrastructureCore.getEventBridge().grantPutEventsTo(unicornStoreEscTaskRole);
@@ -104,21 +113,21 @@ private void createRolesEcs() {
         infrastructureCore.getParamDBConnectionString().grantRead(unicornStoreEscTaskRole);
 
         Role unicornStoreEscTaskExecutionRole = Role.Builder.create(this, "UnicornStoreEcsTaskExecutionRole")
-                .roleName("unicornstore-ecs-task-execution-role")
-                .assumedBy(new ServicePrincipal("ecs-tasks.amazonaws.com")).build();
+            .roleName("unicornstore-ecs-task-execution-role")
+            .assumedBy(new ServicePrincipal("ecs-tasks.amazonaws.com")).build();
         unicornStoreEscTaskExecutionRole.addToPolicy(PolicyStatement.Builder.create()
-                .actions(List.of("logs:CreateLogGroup"))
-                .resources(List.of("*"))
-                .build());
+            .actions(List.of("logs:CreateLogGroup"))
+            .resources(List.of("*"))
+            .build());
         unicornStoreEscTaskExecutionRole.addManagedPolicy(ManagedPolicy.fromManagedPolicyArn(this,
-                "UnicornStoreEcsTaskExecutionRole-" + "AmazonECSTaskExecutionRolePolicy",
-                "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"));
+            "UnicornStoreEcsTaskExecutionRole-" + "AmazonECSTaskExecutionRolePolicy",
+            "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"));
         unicornStoreEscTaskExecutionRole.addManagedPolicy(ManagedPolicy.fromManagedPolicyArn(this,
-                "UnicornStoreEcsTaskExecutionRole-" + "CloudWatchLogsFullAccess",
-                "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"));
+            "UnicornStoreEcsTaskExecutionRole-" + "CloudWatchLogsFullAccess",
+            "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"));
         unicornStoreEscTaskExecutionRole.addManagedPolicy(ManagedPolicy.fromManagedPolicyArn(this,
-                "UnicornStoreEcsTaskExecutionRole-" + "AmazonSSMReadOnlyAccess",
-                "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess"));
+            "UnicornStoreEcsTaskExecutionRole-" + "AmazonSSMReadOnlyAccess",
+            "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess"));
         unicornStoreEscTaskExecutionRole.addToPolicy(AWSOpenTelemetryPolicy);
 
         infrastructureCore.getEventBridge().grantPutEventsTo(unicornStoreEscTaskExecutionRole);

infrastructure/cdk/src/main/java/com/unicorn/core/InfrastructureEks.java

@@ -44,21 +44,6 @@ private void createRolesEks() {
             "UnicornStoreEksPodRole-" + "AmazonBedrockLimitedAccess",
             "arn:aws:iam::aws:policy/AmazonBedrockLimitedAccess"));
 
-        // unicornStoreEksPodRole.addToPolicy(PolicyStatement.Builder.create()
-        //         .effect(Effect.ALLOW)
-        //         .actions(List.of(
-        //                 "ecs:ListTasks",
-        //                 "ecs:DescribeTasks",
-        //                 "ecs:ListServices",
-        //                 "ecs:DescribeServices",
-        //                 "ecs:ListClusters",
-        //                 "ecs:DescribeClusters",
-        //                 "ecs:ListContainerInstances",
-        //                 "ecs:DescribeContainerInstances"
-        //         ))
-        //         .resources(List.of("*"))
-        //         .build());
-
         infrastructureCore.getEventBridge().grantPutEventsTo(unicornStoreEksPodRole);
         infrastructureCore.getDatabaseSecret().grantRead(unicornStoreEksPodRole);
         infrastructureCore.getParamDBConnectionString().grantRead(unicornStoreEksPodRole);