aws-samples
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 29 additions & 4 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 29 additions & 4 deletions
diff --git a/‎.kiro/specs/infra/design.md‎
Lines changed: 78 additions & 20 deletions b/‎.kiro/specs/infra/design.md‎
Lines changed: 78 additions & 20 deletions
diff --git a/‎.kiro/specs/infra/requirements.md‎
Lines changed: 23 additions & 0 deletions b/‎.kiro/specs/infra/requirements.md‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎.kiro/specs/infra/tasks.md‎
Lines changed: 51 additions & 0 deletions b/‎.kiro/specs/infra/tasks.md‎
Lines changed: 51 additions & 0 deletions
diff --git a/‎.kiro/specs/java25-spring-modernization/requirements.md‎
Lines changed: 14 additions & 1 deletion b/‎.kiro/specs/java25-spring-modernization/requirements.md‎
Lines changed: 14 additions & 1 deletion
@@ -14,7 +14,7 @@ on:
     branches: [ "main" ]
 
 jobs:
-  build:
+  build-java21:
     runs-on: ubuntu-latest
     env:
       AWS_REGION: 'us-east-1'
@@ -28,7 +28,6 @@ jobs:
         cache: maven
     - name: Java version
       run: java --version
-      working-directory: ./apps/unicorn-store-spring/
     - name: Build unicorn-store-spring with Maven
       run: mvn -B clean package --file pom.xml --no-transfer-progress
       working-directory: ./apps/unicorn-store-spring/
@@ -37,10 +36,8 @@ jobs:
       working-directory: ./apps/unicorn-spring-ai-agent/
     - name: Install AWS CDK
       run: npm install -g aws-cdk
-      working-directory: ./infrastructure/cdk/
     - name: AWS CDK version
       run: cdk version
-      working-directory: ./infrastructure/cdk/
     - name: Build CDK Immersion Day infrastructure
       run: mvn clean package --no-transfer-progress
       working-directory: ./infrastructure/cdk/
@@ -57,6 +54,34 @@ jobs:
       run: docker build -t unicorn-store-javax:latest .
       working-directory: ./apps/unicorn-store-javax/
 
+  build-java25:
+    runs-on: ubuntu-latest
+    env:
+      AWS_REGION: 'us-east-1'
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up JDK 25
+      uses: actions/setup-java@v4
+      with:
+        distribution: 'corretto'
+        java-version: 25
+        cache: maven
+    - name: Java version
+      run: java --version
+    - name: Build unicorn-store-spring-java25 with Maven
+      run: mvn -B clean package --file pom.xml --no-transfer-progress
+      working-directory: ./apps/unicorn-store-spring-java25/
+    - name: Install AWS CDK
+      run: npm install -g aws-cdk
+    - name: AWS CDK version
+      run: cdk version
+    - name: Build infra CDK
+      run: mvn clean package --no-transfer-progress
+      working-directory: ./infra/cdk/
+    - name: CDK Synth infra
+      run: cdk synth
+      working-directory: ./infra/cdk/
+
 #    - name: Submit Dependency Snapshot
 #      uses: advanced-security/maven-dependency-submission-action@v4
 #      with:
 
@@ -52,7 +52,8 @@ infra/
 │   └── java-spring-ai-agents-stack.yaml
 ├── scripts/
 │   ├── ide/                     # IDE setup scripts
-│   │   ├── bootstrap.sh         # Full bootstrap orchestration
+│   │   ├── functions.sh         # Shared helper functions (retry, logging, install)
+│   │   ├── bootstrap.sh         # Full bootstrap orchestration (jq, Docker, AWS CLI, env vars)
 │   │   ├── vscode.sh            # VS Code Server installation
 │   │   ├── code-editor.sh       # AWS Code Editor installation
 │   │   ├── tools.sh             # Base development tools
@@ -339,7 +340,8 @@ infra/cdk/src/main/resources/
 └── userdata.sh           # Minimal UserData script with CloudWatch logging
 
 infra/scripts/ide/
-├── bootstrap.sh          # Full bootstrap orchestration
+├── functions.sh          # Shared helper functions (retry_command, install_with_version, log_info)
+├── bootstrap.sh          # Full bootstrap orchestration (jq, Docker, AWS CLI, environment setup)
 ├── vscode.sh             # VS Code Server installation and configuration
 ├── code-editor.sh        # AWS Code Editor installation
 ├── tools.sh              # Base development tools (Java, Node.js, kubectl, etc.)
@@ -355,25 +357,43 @@ infra/scripts/templates/
 └── java-spring-ai-agents.sh      # Java-Spring-AI-Agents workshop post-deploy (same as base)
 ```
 
+#### Shared Functions Architecture
+All IDE scripts source `functions.sh` for consistent helper functions:
+- `retry_command(attempts, delay, fail_mode, tool_name, cmd)`: Retry with configurable failure handling
+- `retry_critical(tool_name, cmd)`: Retry with exit on failure (5 attempts, 5s delay)
+- `retry_optional(tool_name, cmd)`: Retry with warning on failure (continues execution)
+- `install_with_version(tool_name, install_cmd, version_cmd, fail_mode)`: Install and log version
+- `log_info(message)`: Timestamped logging
+- `download_and_verify(url, output, description)`: Download with retry
+
 #### Bootstrap Flow
 ```
 userdata.sh → bootstrap.sh → {IDE_TYPE}.sh → tools.sh → templates/{TEMPLATE_TYPE}.sh
 ```
 
 Where:
 - `userdata.sh`: Minimal UserData script that clones repo and runs bootstrap.sh with CloudWatch logging
-- `bootstrap.sh`: Full system setup, environment variables, calls IDE setup and template script
-- `{IDE_TYPE}.sh`: IDE-specific setup (vscode.sh or code-editor.sh)
-- `tools.sh`: Base development tools installation (Java, Node.js, kubectl, Helm, etc.)
+- `bootstrap.sh`: System setup (jq, Docker, AWS CLI), environment variables in `/etc/profile.d/workshop.sh`, calls IDE setup and template script
+- `{IDE_TYPE}.sh`: IDE-specific setup (vscode.sh or code-editor.sh), sources functions.sh
+- `tools.sh`: Base development tools installation (Java, Node.js, kubectl, Helm, etc.), sources functions.sh and workshop.sh
 - `templates/{TEMPLATE_TYPE}.sh`: Workshop-specific post-deploy (EKS setup, monitoring, analysis)
 
+#### Environment Variables
+Scripts source `/etc/profile.d/workshop.sh` instead of re-fetching AWS variables. This file is created by bootstrap.sh and contains:
+- `AWS_REGION`, `AWS_DEFAULT_REGION`: AWS region from instance metadata
+- `ACCOUNT_ID`, `AWS_ACCOUNT_ID`: AWS account ID from STS
+- `EC2_PRIVATE_IP`, `EC2_DOMAIN`, `EC2_URL`: Instance networking
+- `IDE_DOMAIN`, `IDE_URL`, `IDE_PASSWORD`: IDE access
+- `JAVA_HOME`, `M2_HOME`: Development tool paths
+
 #### Workshop Orchestration Pattern
 Workshop scripts follow a layered approach:
-1. **IDE Layer**: `bootstrap.sh` calls IDE setup (`vscode.sh` or `code-editor.sh`) and `tools.sh`
-2. **Tools Layer**: `tools.sh` provides foundational development tools (Java, Node.js, kubectl, Helm, etc.)
-3. **Workshop Layer**: Template scripts in `templates/` folder add workshop-specific setup (EKS, monitoring, analysis)
-4. **Error Handling**: Each layer implements proper error handling and progress feedback
-5. **Verification**: Final verification ensures all tools and services are operational
+1. **Bootstrap Layer**: `bootstrap.sh` installs jq, Docker, AWS CLI, creates `/etc/profile.d/workshop.sh` with all environment variables
+2. **IDE Layer**: `bootstrap.sh` calls IDE setup (`vscode.sh` or `code-editor.sh`) which sources `functions.sh`
+3. **Tools Layer**: `tools.sh` sources `functions.sh` and `workshop.sh`, provides foundational development tools
+4. **Workshop Layer**: Template scripts in `templates/` folder add workshop-specific setup (EKS, monitoring, analysis)
+5. **Error Handling**: Each layer implements proper error handling via shared `functions.sh`
+6. **Verification**: Final verification ensures all tools and services are operational
 
 #### Configuration
 - **Template Type**: Configurable via `TEMPLATE_TYPE` environment variable (defaults to `base`)
@@ -388,6 +408,14 @@ Workshop scripts follow a layered approach:
 - `STACK_NAME` - AWS stack name
 - `TEMPLATE_TYPE` - template type
 - `GIT_BRANCH` - git branch (hardcoded to "main")
+- `PREFIX` - resource naming prefix (defaults to "workshop")
+
+**Created by bootstrap.sh in `/etc/profile.d/workshop.sh`:**
+- `AWS_REGION`, `AWS_DEFAULT_REGION` - AWS region
+- `ACCOUNT_ID`, `AWS_ACCOUNT_ID` - AWS account ID
+- `EC2_PRIVATE_IP`, `EC2_DOMAIN`, `EC2_URL` - Instance networking
+- `IDE_DOMAIN`, `IDE_URL`, `IDE_PASSWORD` - IDE access
+- `JAVA_HOME`, `M2_HOME` - Development tool paths
 
 #### Tool Version Management
 The system uses a hybrid approach for tool versions:
@@ -418,25 +446,36 @@ The system uses a hybrid approach for tool versions:
 - jq, Docker, git, Caddy: latest available in package repositories
 
 #### Script Architecture
-Scripts are organized with helper functions and consistent error handling:
-
-**Bootstrap Script (`ide-bootstrap.sh`):**
+Scripts are organized with shared helper functions and consistent error handling:
+
+**Shared Functions (`functions.sh`):**
+- Central location for all helper functions used across IDE scripts
+- `retry_command()`: Configurable retry with attempts, delay, and failure mode
+- `retry_critical()`: Retry with exit on failure (5 attempts, 5s delay)
+- `retry_optional()`: Retry with warning on failure (continues execution)
+- `install_with_version()`: Install tool and log version in consistent format
+- `log_info()`: Timestamped logging
+- `download_and_verify()`: Download with retry and verification
+
+**Bootstrap Script (`bootstrap.sh`):**
+- Sources functions.sh for shared helpers
+- Installs jq and Docker before IDE setup (services inherit docker group)
+- Creates `/etc/profile.d/workshop.sh` with all environment variables
 - Standardized on `dnf` package manager
-- Added error handling for critical operations (AWS CLI, git clone, CloudFront)
-- Improved logging and comments
+- Error handling with CloudFormation signaling
 
 **VS Code Script (`vscode.sh`):**
+- Sources functions.sh for shared helpers
 - Helper functions eliminate repetitive `sudo -u ec2-user` patterns
 - `setup_user_file()` function for clean file creation
 - `run_as_user()` function for user command execution
 - Uses latest VS Code version by default
 
-**IDE Script (`ide.sh`):**
+**Tools Script (`tools.sh`):**
+- Sources functions.sh and `/etc/profile.d/workshop.sh`
 - Function-based organization by tool category
-- Comprehensive logging with timestamps (`log_info()`)
-- Error handling and download verification (`handle_error()`, `download_and_verify()`)
-- Consistent output handling and cleanup
-- Removed redundant operations (multiple `java -version` calls)
+- Uses shared retry and install functions
+- No redundant AWS variable fetching
 
 ### Build Automation
 
@@ -960,3 +999,22 @@ if ("java-on-aws-immersion-day".equals(templateType) || "java-on-amazon-eks".equ
 #### Property 34: Construct Simplification
 *For any* Unicorn or JvmAnalysis construct, it should not create explicit ECR repositories when EcrRegistry is present
 **Validates: Requirements 28.1, 28.2, 28.3**
+
+
+### Correctness Properties for Shared Functions
+
+#### Property 35: Shared Functions Sourcing
+*For any* IDE script (bootstrap.sh, vscode.sh, code-editor.sh, tools.sh), it should source functions.sh for shared helper functions
+**Validates: Requirements 30.1**
+
+#### Property 36: Environment Variable Sourcing
+*For any* script that needs AWS variables (AWS_REGION, ACCOUNT_ID), it should source /etc/profile.d/workshop.sh instead of re-fetching from metadata or API
+**Validates: Requirements 30.4, 31.1, 31.2**
+
+#### Property 37: Docker Installation Timing
+*For any* bootstrap execution, Docker should be installed before IDE setup so that IDE services inherit docker group membership without requiring restart
+**Validates: Requirements 30.5**
+
+#### Property 38: Consistent Variable Naming
+*For any* script referencing AWS region, it should use AWS_REGION variable name (not REGION) for consistency
+**Validates: Requirements 31.1, 31.3**
@@ -383,3 +383,26 @@ This document specifies the requirements for creating a new AWS workshop infrast
 
 1. THE Repository_Creation_Template SHALL apply an "Environment" tag with value "workshop" to all created repositories
 2. THE Repository_Creation_Template SHALL apply a "ManagedBy" tag with value "ecr-create-on-push" to all created repositories
+
+
+### Requirement 30
+
+**User Story:** As a workshop developer, I want shared helper functions across all IDE scripts, so that I can maintain consistent error handling, logging, and retry logic without code duplication.
+
+#### Acceptance Criteria
+
+1. WHEN IDE scripts execute, THE system SHALL source a shared functions.sh file for common helper functions
+2. WHEN retry operations are needed, THE system SHALL use retry_command with configurable attempts, delay, and failure mode
+3. WHEN tools are installed, THE system SHALL use install_with_version to log tool name and version consistently
+4. WHEN AWS variables are needed, THE system SHALL source /etc/profile.d/workshop.sh instead of re-fetching from metadata/API
+5. WHEN Docker is installed, THE system SHALL install it in bootstrap.sh before IDE setup so services inherit docker group membership
+
+### Requirement 31
+
+**User Story:** As a workshop developer, I want consistent AWS variable naming across all scripts, so that I can avoid confusion between different variable names for the same values.
+
+#### Acceptance Criteria
+
+1. WHEN AWS region is referenced, THE system SHALL use AWS_REGION variable name consistently (not REGION)
+2. WHEN AWS account ID is referenced, THE system SHALL use ACCOUNT_ID variable name consistently
+3. WHEN workshop.sh is created, THE system SHALL set AWS_REGION, AWS_DEFAULT_REGION, ACCOUNT_ID, and AWS_ACCOUNT_ID for compatibility
@@ -927,3 +927,54 @@
   - Runs after VPC endpoints are deleted (security groups depend on endpoints) ✅
   - Added ec2:DescribeSecurityGroups and ec2:DeleteSecurityGroup permissions ✅
   - _Requirements: 5.6_
+
+
+## Script Refactoring and Shared Functions (1400.x)
+
+- [x] 1400.1 Create shared functions.sh helper file
+  - Created infra/scripts/ide/functions.sh with shared helper functions ✅
+  - Implemented retry_command(attempts, delay, fail_mode, tool_name, cmd) for configurable retry ✅
+  - Implemented retry_critical and retry_optional convenience wrappers ✅
+  - Implemented install_with_version for install + version logging ✅
+  - Implemented log_info for timestamped logging ✅
+  - Implemented download_and_verify for downloads with retry ✅
+  - _Requirements: 6.6, 6.7_
+
+- [x] 1400.2 Move Docker and jq installation to bootstrap.sh
+  - Moved jq and Docker installation from tools.sh to bootstrap.sh ✅
+  - Docker installed before IDE setup so service inherits docker group membership ✅
+  - Eliminates need to restart IDE service after Docker installation ✅
+  - _Requirements: 6.1, 6.7_
+
+- [x] 1400.3 Update bootstrap.sh to source functions.sh
+  - Added source of functions.sh at start of bootstrap.sh ✅
+  - Removed duplicate function definitions ✅
+  - Uses shared install_with_version for AWS CLI installation ✅
+  - _Requirements: 6.6_
+
+- [x] 1400.4 Update tools.sh to source functions.sh and workshop.sh
+  - Added source of functions.sh at start of tools.sh ✅
+  - Sources /etc/profile.d/workshop.sh for AWS_REGION instead of re-fetching ✅
+  - Removed duplicate retry_command, log_info, download_and_verify definitions ✅
+  - Removed redundant jq installation (now in bootstrap.sh) ✅
+  - Fixed Kiro CLI sudo nesting issue ✅
+  - _Requirements: 6.6, 6.7_
+
+- [x] 1400.5 Update code-editor.sh to source functions.sh
+  - Added source of functions.sh at start of code-editor.sh ✅
+  - Removed duplicate function definitions ✅
+  - _Requirements: 6.6_
+
+- [x] 1400.6 Update vscode.sh to source functions.sh
+  - Added source of functions.sh at start of vscode.sh ✅
+  - Removed duplicate function definitions ✅
+  - Extracted Caddy installation to function matching code-editor.sh structure ✅
+  - _Requirements: 6.6_
+
+- [x] 1400.7 Consolidate AWS variable sourcing across setup scripts
+  - Updated eks.sh to source /etc/profile.d/workshop.sh instead of re-fetching ACCOUNT_ID, AWS_REGION ✅
+  - Updated unicorn-store-spring.sh to source workshop.sh ✅
+  - Updated analysis.sh to source workshop.sh ✅
+  - Updated monitoring.sh to source workshop.sh ✅
+  - Standardized on AWS_REGION variable name (not REGION) ✅
+  - _Requirements: 6.6_
@@ -229,7 +229,20 @@ When a Java/Spring developer sees this application, they should think:
 6. THE pom.xml SHALL be organized with sortpom plugin for consistent dependency ordering
 7. THE application.yaml SHALL be organized with logical sections and explanatory comments
 
-### Requirement 19: Clean Configuration for Microservices
+### Requirement 19: Standardized Container Base Images
+
+**User Story:** As a workshop attendee, I want consistent container base images across all Dockerfiles, so that I can fairly compare optimization techniques and have predictable behavior.
+
+#### Acceptance Criteria
+
+1. ALL Dockerfiles SHALL use `public.ecr.aws/docker/library/maven:3-amazoncorretto-25-al2023` as the builder image
+2. ALL Dockerfiles SHALL use `public.ecr.aws/docker/library/amazoncorretto:25-al2023` as the runner image
+3. THE Jib plugin in pom.xml SHALL use `public.ecr.aws/docker/library/amazoncorretto:25-al2023` as the base image
+4. WHEN CRaC is used, THE Dockerfile SHALL use `azul/zulu-openjdk:25-jdk-crac-latest` (exception - CRaC requires special JVM)
+5. WHEN GraalVM native image is built, THE Dockerfile SHALL use Mandrel builder image (exception - native compilation)
+6. THE standardization SHALL enable fair comparison of image sizes across optimization techniques
+
+### Requirement 20: Clean Configuration for Microservices
 
 **User Story:** As a workshop attendee, I want to see production-ready microservice configuration, so that I can understand best practices for containerized Java applications.