feat(java-on-aws-infra): enhance ECR login resilience and add deployment dependencies

Yuriy Bezsonov · Yuriy Bezsonov · commit 977b4af0da28 · 2026-01-25T08:42:44.000+01:00
diff --git a/infra/cdk/src/main/java/sample/com/WorkshopStack.java b/infra/cdk/src/main/java/sample/com/WorkshopStack.java
@@ -90,7 +90,7 @@ public WorkshopStack(final Construct scope, final String id, final StackProps pr
                 .build());
 
         // ECR Registry settings (Repository Creation Template for create-on-push)
-        new EcrRegistry(this, "EcrRegistry",
+        EcrRegistry ecrRegistry = new EcrRegistry(this, "EcrRegistry",
             EcrRegistry.EcrRegistryProps.builder()
                 .prefix(prefix)
                 .build());
@@ -247,8 +247,23 @@ public WorkshopStack(final Construct scope, final String id, final StackProps pr
                       build:
                         commands:
                           - |
+                            set -e
                             ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
-                            aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com
+                            ECR_REGISTRY=$ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com
+
+                            # ECR login with retry (network can be slow on first attempt)
+                            for i in 1 2 3; do
+                              echo "ECR login attempt $i..."
+                              if aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $ECR_REGISTRY; then
+                                echo "ECR login successful"
+                                break
+                              fi
+                              if [ $i -eq 3 ]; then
+                                echo "ECR login failed after 3 attempts"
+                                exit 1
+                              fi
+                              sleep 10
+                            done
 
                             # Create placeholder Dockerfile
                             cat > /tmp/Dockerfile << 'EOF'
@@ -261,8 +276,8 @@ public WorkshopStack(final Construct scope, final String id, final StackProps pr
 
                             # Build and push placeholder image (create-on-push creates repo)
                             docker build -t placeholder /tmp
-                            docker tag placeholder $ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/aiagent:latest
-                            docker push $ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/aiagent:latest
+                            docker tag placeholder $ECR_REGISTRY/aiagent:latest
+                            docker push $ECR_REGISTRY/aiagent:latest
                     """;
 
                 CodeBuild placeholderImageBuild = new CodeBuild(this, "PlaceholderImageBuild",
@@ -273,6 +288,10 @@ public WorkshopStack(final Construct scope, final String id, final StackProps pr
                         .environmentVariables(Map.of(
                             "TEMPLATE_TYPE", templateType))
                         .buildSpec(placeholderBuildSpec)
+                        .dependencies(java.util.List.of(
+                            vpc.getConcreteVpc(),  // Ensures NAT Gateway is ready
+                            ecrRegistry.getRepositoryCreationTemplate()  // Ensures ECR create-on-push is configured
+                        ))
                         .build());
 
                 // ECS Express Service for AI Agent
diff --git a/infra/cdk/src/main/java/sample/com/constructs/CodeBuild.java b/infra/cdk/src/main/java/sample/com/constructs/CodeBuild.java
@@ -32,6 +32,7 @@ public static class CodeBuildProps {
         private IVpc vpc;
         private Map<String, String> environmentVariables;
         private String buildSpec;
+        private List<software.constructs.IDependable> dependencies;
 
         public static CodeBuildProps.Builder builder() { return new Builder(); }
 
@@ -46,6 +47,7 @@ public static class Builder {
             public Builder vpc(IVpc vpc) { props.vpc = vpc; return this; }
             public Builder environmentVariables(Map<String, String> environmentVariables) { props.environmentVariables = environmentVariables; return this; }
             public Builder buildSpec(String buildSpec) { props.buildSpec = buildSpec; return this; }
+            public Builder dependencies(List<software.constructs.IDependable> dependencies) { props.dependencies = dependencies; return this; }
 
             public CodeBuildProps build() { return props; }
         }
@@ -59,6 +61,7 @@ public static class Builder {
         public IVpc getVpc() { return vpc; }
         public Map<String, String> getEnvironmentVariables() { return environmentVariables; }
         public String getBuildSpec() { return buildSpec; }
+        public List<software.constructs.IDependable> getDependencies() { return dependencies; }
     }
 
     public CodeBuild(final Construct scope, final String id, final IVpc vpc, final Map<String, String> environmentVariables, final String buildSpec) {
@@ -164,6 +167,13 @@ public CodeBuild(final Construct scope, final String id, final CodeBuildProps pr
 
         this.customResource.getNode().addDependency(buildCompleteRule);
         this.customResource.getNode().addDependency(reportBuildFunction);
+
+        // Add external dependencies (e.g., NAT Gateway, ECR Registry)
+        if (props.getDependencies() != null) {
+            for (software.constructs.IDependable dep : props.getDependencies()) {
+                this.customResource.getNode().addDependency(dep);
+            }
+        }
     }
 
     public Project getCodeBuildProject() {
diff --git a/infra/cdk/src/main/java/sample/com/constructs/Vpc.java b/infra/cdk/src/main/java/sample/com/constructs/Vpc.java
@@ -6,7 +6,7 @@
 import java.util.List;
 
 public class Vpc extends Construct {
-    private final IVpc vpc;
+    private final software.amazon.awscdk.services.ec2.Vpc vpc;
 
     public static class VpcProps {
         private String prefix = "workshop";
@@ -64,4 +64,11 @@ public Vpc(final Construct scope, final String id, final VpcProps props) {
     public IVpc getVpc() {
         return vpc;
     }
+
+    /**
+     * Returns the concrete VPC (not interface) to access NAT gateways for dependencies.
+     */
+    public software.amazon.awscdk.services.ec2.Vpc getConcreteVpc() {
+        return vpc;
+    }
 }
diff --git a/infra/cfn/java-spring-ai-agents-stack.yaml b/infra/cfn/java-spring-ai-agents-stack.yaml
@@ -714,7 +714,7 @@ Resources:
         Fn::GetAtt:
           - CodeBuildRoleE9A44575
           - Arn
-      ContentHash: "1769285698737"
+      ContentHash: "1769326880641"
       ProjectName:
         Ref: CodeBuildProjectA0FF5539
       ServiceToken:
@@ -801,12 +801,12 @@ Resources:
       Environment:
         ComputeType: BUILD_GENERAL1_MEDIUM
         EnvironmentVariables:
-          - Name: GIT_BRANCH
-            Type: PLAINTEXT
-            Value: main
           - Name: TEMPLATE_TYPE
             Type: PLAINTEXT
             Value: java-spring-ai-agents
+          - Name: GIT_BRANCH
+            Type: PLAINTEXT
+            Value: main
         Image: aws/codebuild/amazonlinux2-x86_64-standard:5.0
         ImagePullCredentialsType: CODEBUILD
         PrivilegedMode: false
@@ -2398,15 +2398,37 @@ Resources:
   PlaceholderImageBuild084DA641:
     DeletionPolicy: Delete
     DependsOn:
+      - EcrRegistryTemplateD54113AB
       - PlaceholderImageBuildCompleteRuleAllowEventRuleWorkshopStackPlaceholderImageBuildReportLambdaFunction17D5E0E6696B4706
       - PlaceholderImageBuildCompleteRuleD3DA254B
       - PlaceholderImageBuildReportLambdaFunctionD1A0B620
+      - VpcIGW488B0FEB
+      - VpcPrivateSubnet1DefaultRouteF704DE9F
+      - VpcPrivateSubnet1RouteTable901BAEEE
+      - VpcPrivateSubnet1RouteTableAssociation2BC202CB
+      - VpcPrivateSubnet1Subnet67A4DBCB
+      - VpcPrivateSubnet2DefaultRoute5FAC9901
+      - VpcPrivateSubnet2RouteTable1EA00C9D
+      - VpcPrivateSubnet2RouteTableAssociationFA51927B
+      - VpcPrivateSubnet2SubnetC8EB537D
+      - VpcPublicSubnet1DefaultRoute0F5C6C43
+      - VpcPublicSubnet1EIP2293BAA3
+      - VpcPublicSubnet1NATGateway8185E366
+      - VpcPublicSubnet1RouteTable431DD755
+      - VpcPublicSubnet1RouteTableAssociationBBCB7AA1
+      - VpcPublicSubnet1Subnet8E8DEDC0
+      - VpcPublicSubnet2DefaultRouteD629179A
+      - VpcPublicSubnet2RouteTable77FB35FC
+      - VpcPublicSubnet2RouteTableAssociation3AFE92E6
+      - VpcPublicSubnet2SubnetA811849C
+      - VpcC3027511
+      - VpcVPCGW42EC8516
     Properties:
       CodeBuildIamRoleArn:
         Fn::GetAtt:
           - PlaceholderImageBuildRole66BA72FE
           - Arn
-      ContentHash: "1769285699069"
+      ContentHash: "1769326881001"
       ProjectName:
         Ref: PlaceholderImageBuildProjectC08F4D66
       ServiceToken:
@@ -2514,8 +2536,23 @@ Resources:
             build:
               commands:
                 - |
+                  set -e
                   ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
-                  aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com
+                  ECR_REGISTRY=$ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com
+
+                  # ECR login with retry (network can be slow on first attempt)
+                  for i in 1 2 3; do
+                    echo "ECR login attempt $i..."
+                    if aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $ECR_REGISTRY; then
+                      echo "ECR login successful"
+                      break
+                    fi
+                    if [ $i -eq 3 ]; then
+                      echo "ECR login failed after 3 attempts"
+                      exit 1
+                    fi
+                    sleep 10
+                  done
 
                   # Create placeholder Dockerfile
                   cat > /tmp/Dockerfile << 'EOF'
@@ -2528,8 +2565,8 @@ Resources:
 
                   # Build and push placeholder image (create-on-push creates repo)
                   docker build -t placeholder /tmp
-                  docker tag placeholder $ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/aiagent:latest
-                  docker push $ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/aiagent:latest
+                  docker tag placeholder $ECR_REGISTRY/aiagent:latest
+                  docker push $ECR_REGISTRY/aiagent:latest
         Type: NO_SOURCE
       TimeoutInMinutes: 30
       VpcConfig:
@@ -3558,7 +3595,7 @@ Resources:
             - Ref: AWS::AccountId
             - "-"
             - Ref: AWS::Region
-            - "-20260124211458"
+            - "-20260125084120"
       PublicAccessBlockConfiguration:
         BlockPublicAcls: true
         BlockPublicPolicy: true
diff --git a/infra/scripts/templates/java-ai-agents.sh b/infra/scripts/templates/java-ai-agents.sh
