new infra

Yuriy Bezsonov · Yuriy Bezsonov · commit c71d5276d446 · 2025-12-19T19:20:22.000+01:00
diff --git a/.kiro/specs/infra/design.md b/.kiro/specs/infra/design.md
@@ -23,24 +23,45 @@ infra/
 │   │   │   ├── Database.java
 │   │   │   ├── CodeBuild.java
 │   │   │   ├── Lambda.java
-│   │   │   └── Roles.java
+│   │   │   ├── PerformanceAnalysis.java
+│   │   │   └── Unicorn.java      # ECR + IAM roles (uses unicorn* naming for workshop compatibility)
 │   │   ├── WorkshopStack.java    # Main stack
 │   │   └── WorkshopApp.java      # Main CDK application
 │   ├── src/main/resources/
-│   │   └── ec2-userdata.sh       # Minimal UserData script (embedded in CDK)
+│   │   ├── userdata.sh           # Minimal UserData script (embedded in CDK)
+│   │   └── lambda/               # Lambda function source files
+│   │       ├── ec2-launcher.py
+│   │       ├── codebuild-start.py
+│   │       ├── codebuild-report.py
+│   │       ├── password-exporter.py
+│   │       ├── database-setup.py
+│   │       ├── cloudfront-prefix-lookup.py
+│   │       └── thread-dump-lambda.py
 │   ├── pom.xml
 │   └── cdk.json
-├── workshop-template.yaml       # Generated unified CloudFormation template
+├── cfn/                         # Generated CloudFormation templates
+│   ├── base-stack.yaml
+│   └── java-on-aws-stack.yaml
 ├── scripts/
-│   ├── ide/                     # Modular IDE and workshop scripts
-│   │   ├── vscode.sh            # VS Code installation and configuration
-│   │   ├── base.sh              # Base development tools
-│   │   ├── java-on-aws.sh       # Java-on-AWS workshop setup
-│   │   ├── java-on-eks.sh       # Java-on-EKS workshop setup
-│   │   └── java-ai-agents.sh    # Java AI Agents workshop setup
-│   ├── lib/                     # Common utilities (actively used)
-│   │   ├── common.sh            # Emoji logging, error handling (used by generate.sh, sync.sh)
-│   │   └── wait-for-resources.sh # EKS/RDS readiness checking (used by setup scripts)
+│   ├── ide/                     # IDE setup scripts
+│   │   ├── bootstrap.sh         # Full bootstrap orchestration
+│   │   ├── vscode.sh            # VS Code Server installation
+│   │   ├── code-editor.sh       # AWS Code Editor installation
+│   │   ├── tools.sh             # Base development tools
+│   │   ├── settings.sh          # IDE settings configuration
+│   │   ├── shell.sh             # Shell UX (zsh + oh-my-zsh + p10k)
+│   │   └── shell-p10k.zsh       # Powerlevel10k configuration
+│   ├── templates/               # Workshop-specific post-deploy scripts
+│   │   ├── base.sh              # Base template (empty placeholder)
+│   │   └── java-on-aws.sh       # Java-on-AWS workshop setup
+│   ├── setup/                   # Infrastructure setup scripts
+│   │   ├── eks.sh               # EKS cluster configuration
+│   │   ├── monitoring.sh        # Prometheus + Grafana setup
+│   │   ├── analysis.sh          # Thread dump + profiling analysis
+│   │   └── deploy-spring-app.sh # Spring application deployment
+│   ├── lib/                     # Common utilities
+│   │   ├── common.sh            # Emoji logging, error handling
+│   │   └── wait-for-resources.sh # EKS/RDS readiness checking
 │   ├── cfn/                     # CloudFormation utilities
 │   │   ├── generate.sh
 │   │   └── sync.sh
@@ -86,10 +107,12 @@ public class WorkshopStack extends Stack {
 
 **Vpc**: Creates VPC with appropriate subnets and networking configuration
 **Ide**: Creates VS Code IDE environment with necessary permissions and security groups
-**Eks**: Creates EKS cluster with Auto Mode, v1.34, native add-ons (Secrets Store CSI, Mountpoint S3 CSI, Pod Identity Agent), Access Entries, and IDE security group integration
+**Eks**: Creates EKS cluster with Auto Mode, v1.34, native add-ons (Secrets Store CSI, Mountpoint S3 CSI, Pod Identity Agent), Access Entries for IDE instance role, and IDE security group integration
 **Database**: Configures RDS Aurora PostgreSQL cluster with universal "workshop-" naming convention
 **CodeBuild**: Creates CodeBuild project for AWS service-linked role creation
-**Roles**: Creates IAM roles and policies for workshop resources
+**Lambda**: Reusable construct for consistent Lambda function creation with inline Python code
+**PerformanceAnalysis**: Creates S3 bucket, Lambda functions, and API Gateway for thread dump and profiling analysis
+**Unicorn**: Creates ECR repository and IAM roles for workshop applications (uses unicorn* naming for workshop content compatibility)
 
 #### CDK Construct Naming Convention
 
@@ -164,10 +187,16 @@ The new design uses **external files** for all complex scripts and code, loaded
 ```
 infra/cdk/src/main/resources/
 ├── lambda/
-│   ├── ec2-launcher.py      # EC2 instance launching with multi-AZ/instance-type failover
-│   ├── codebuild-start.py   # CodeBuild project starter for workshop setup
-│   └── codebuild-report.py  # CodeBuild completion reporter via EventBridge
-└── ec2-userdata.sh          # Minimal UserData script (2.4KB) with CloudWatch logging
+│   ├── ec2-launcher.py           # EC2 instance launching with multi-AZ/instance-type failover
+│   ├── codebuild-start.py        # CodeBuild project starter for workshop setup
+│   ├── codebuild-report.py       # CodeBuild completion reporter via EventBridge
+│   ├── password-exporter.py      # Custom Resource for password output
+│   ├── database-setup.py         # Database schema initialization
+│   ├── cloudfront-prefix-lookup.py # CloudFront prefix list lookup
+│   └── thread-dump-lambda.py     # Thread dump collection and AI analysis
+├── userdata.sh                   # Minimal UserData script with CloudWatch logging
+├── iam-policy.json               # IAM policy for workshop participants
+└── unicorns.sql                  # Database schema SQL
 ```
 
 #### Reusable Lambda Construct
@@ -232,40 +261,45 @@ This integration ensures seamless access from the IDE to the EKS cluster without
 ### Script Organization
 
 #### Minimal UserData Architecture
-The new architecture uses minimal UserData (2.4KB) that downloads and executes a full bootstrap script, avoiding AWS UserData size limits:
+The new architecture uses minimal UserData that downloads and executes a full bootstrap script, avoiding AWS UserData size limits:
 
 ```
 infra/cdk/src/main/resources/
-└── ec2-userdata.sh       # Minimal UserData script (2.4KB)
+└── userdata.sh           # Minimal UserData script with CloudWatch logging
 
 infra/scripts/ide/
-├── bootstrap.sh          # Full bootstrap script (3.8KB)
-├── vscode.sh             # VS Code installation and configuration
-├── base.sh               # Base development tools (foundational for all workshops)
-├── java-on-aws.sh        # calls base.sh + EKS/DB setup
-├── java-on-eks.sh        # calls base.sh + EKS setup
-└── java-ai-agents.sh     # calls base.sh + AI setup
+├── bootstrap.sh          # Full bootstrap orchestration
+├── vscode.sh             # VS Code Server installation and configuration
+├── code-editor.sh        # AWS Code Editor installation
+├── tools.sh              # Base development tools (Java, Node.js, kubectl, etc.)
+├── settings.sh           # IDE settings configuration
+├── shell.sh              # Shell UX (zsh + oh-my-zsh + powerlevel10k)
+└── shell-p10k.zsh        # Powerlevel10k configuration
+
+infra/scripts/templates/
+├── base.sh               # Base template (empty placeholder)
+└── java-on-aws.sh        # Java-on-AWS workshop post-deploy
 ```
 
 #### Bootstrap Flow
 ```
-ec2-userdata.sh → bootstrap.sh → vscode.sh → {workshop}.sh
+userdata.sh → bootstrap.sh → {IDE_TYPE}.sh → tools.sh → templates/{TEMPLATE_TYPE}.sh
 ```
 
 Where:
-- `ec2-userdata.sh`: Minimal UserData script that downloads and runs bootstrap.sh with fallback URLs
-- `bootstrap.sh`: Full system setup, CloudWatch, environment variables, git clone, calls vscode.sh and template script
-- `vscode.sh`: Complete VS Code IDE setup (code-server, Caddy, configuration)
-- `base.sh`: Base development tools (for base template type)
-- `java-on-aws.sh`: Calls base.sh + EKS implementation (cluster setup, add-ons, storage classes)
-- Future template scripts will be added to `/ide` folder as needed
+- `userdata.sh`: Minimal UserData script that clones repo and runs bootstrap.sh with CloudWatch logging
+- `bootstrap.sh`: Full system setup, environment variables, calls IDE setup and template script
+- `{IDE_TYPE}.sh`: IDE-specific setup (vscode.sh or code-editor.sh)
+- `tools.sh`: Base development tools installation (Java, Node.js, kubectl, Helm, etc.)
+- `templates/{TEMPLATE_TYPE}.sh`: Workshop-specific post-deploy (EKS setup, monitoring, analysis)
 
 #### Workshop Orchestration Pattern
 Workshop scripts follow a layered approach:
-1. **Base Layer**: `base.sh` provides foundational development tools (Java, Node.js, kubectl, Helm, etc.)
-2. **Workshop Layer**: Workshop-specific scripts (e.g., `java-on-aws.sh`) call base.sh then add specialized setup
-3. **Error Handling**: Each layer implements proper error handling and progress feedback
-4. **Verification**: Final verification ensures all tools and services are operational
+1. **IDE Layer**: `bootstrap.sh` calls IDE setup (`vscode.sh` or `code-editor.sh`) and `tools.sh`
+2. **Tools Layer**: `tools.sh` provides foundational development tools (Java, Node.js, kubectl, Helm, etc.)
+3. **Workshop Layer**: Template scripts in `templates/` folder add workshop-specific setup (EKS, monitoring, analysis)
+4. **Error Handling**: Each layer implements proper error handling and progress feedback
+5. **Verification**: Final verification ensures all tools and services are operational
 
 #### Configuration
 - **Template Type**: Configurable via `TEMPLATE_TYPE` environment variable (defaults to `base`)
@@ -503,7 +537,7 @@ public class BuildConfig {
 **Validates: Requirements 12.1, 12.2, 12.3, 12.4, 12.5, 12.6**
 
 ### Property 19: EKS Access Entry Configuration
-*For any* EKS cluster created, it should include Access Entry for WSParticipantRole with cluster admin permissions
+*For any* EKS cluster created, it should include Access Entry for IDE instance role with cluster admin permissions
 **Validates: Requirements 13.8**
 
 ### Property 20: Workshop Script Orchestration
diff --git a/.kiro/specs/infra/requirements.md b/.kiro/specs/infra/requirements.md
@@ -193,7 +193,7 @@ This document specifies the requirements for creating a new AWS workshop infrast
 5. WHEN EKS cluster networking is configured, THE system SHALL place cluster in private subnets with public and private API access for security and flexibility
 6. WHEN EKS cluster logging is enabled, THE system SHALL activate all log types (api, audit, authenticator, controllerManager, scheduler) for comprehensive monitoring
 7. WHEN EKS cluster permissions are configured, THE system SHALL use Access Entries authentication mode instead of deprecated ConfigMap-based authentication
-8. WHEN EKS cluster access is configured, THE system SHALL create Access Entry for WSParticipantRole and IDE instance role with cluster admin permissions for workshop participant access
+8. WHEN EKS cluster access is configured, THE system SHALL create Access Entry for IDE instance role with cluster admin permissions for workshop participant access
 
 ### Requirement 14
 
@@ -219,7 +219,7 @@ This document specifies the requirements for creating a new AWS workshop infrast
 3. WHEN EKS cluster is configured for secrets management, THE system SHALL install AWS Secrets Store CSI Driver add-on for mounting database secrets as environment variables
 4. WHEN EKS cluster is configured for S3 access, THE system SHALL install AWS Mountpoint S3 CSI driver add-on for S3 bucket mounting capabilities
 5. WHEN EKS cluster is configured for authentication, THE system SHALL install EKS Pod Identity Agent add-on for modern IAM authentication with AWS services
-6. WHEN EKS cluster is configured for workshop access, THE system SHALL grant WSParticipantRole cluster admin permissions via Access Entries for workshop participant access
+6. WHEN EKS cluster is configured for workshop access, THE system SHALL grant IDE instance role cluster admin permissions via Access Entries for workshop participant access
 7. WHEN EKS cluster setup is complete, THE system SHALL verify all three add-ons (Secrets Store CSI Driver, Mountpoint S3 CSI Driver, Pod Identity Agent) are installed and functional before marking deployment as successful
 
 ### Requirement 16
diff --git a/.kiro/specs/infra/tasks.md b/.kiro/specs/infra/tasks.md
@@ -49,17 +49,17 @@
 ## Base IDE Stack (10.x)
 
 - [x] 10.1 Create core CDK constructs
-  - Create infra/cdk/src/main/java/sample/com/constructs/Roles.java for IAM roles and policies
-  - Create infra/cdk/src/main/java/sample/com/constructs/Vpc.java for VPC with 2 AZs and 1 NAT gateway
-  - Create infra/cdk/src/main/java/sample/com/constructs/Ide.java for VS Code IDE environment
-  - Create infra/cdk/src/main/java/sample/com/constructs/CodeBuild.java for workshop setup automation
+  - Created infra/cdk/src/main/java/sample/com/constructs/Vpc.java for VPC with 2 AZs and 1 NAT gateway ✅
+  - Created infra/cdk/src/main/java/sample/com/constructs/Ide.java for VS Code IDE environment ✅
+  - Created infra/cdk/src/main/java/sample/com/constructs/CodeBuild.java for workshop setup automation ✅
+  - Created infra/cdk/src/main/java/sample/com/constructs/Lambda.java for reusable Lambda function creation ✅
   - _Requirements: 1.1, 5.6_
 
-- [x] 10.2 Migrate and refactor Roles construct
-  - Copy infrastructure/cdk/src/main/java/com/unicorn/constructs/WorkshopFunction.java patterns for IAM setup
-  - Update package names from com.unicorn to sample.com
-  - Consolidate all IAM roles and policies into single Roles construct
-  - Include Bedrock permissions for AI workshops in the unified roles
+- [x] 10.2 Migrate and refactor IAM roles into Unicorn construct
+  - Replaced standalone Roles.java with Unicorn.java that combines ECR + IAM roles ✅
+  - IAM roles embedded in Unicorn construct for workshop content compatibility ✅
+  - Uses unicorn* naming convention for workshop application compatibility ✅
+  - Include Bedrock permissions for AI workshops in the unified roles ✅
   - _Requirements: 5.6_
 
 - [x] 10.3 Migrate and refactor Vpc construct
@@ -397,9 +397,9 @@
   - Created infra/cdk/src/main/java/sample/com/constructs/Eks.java using software.amazon.awscdk.services.eks.v2.alpha ✅
   - Configured workshop-eks with Auto Mode, version 1.34, system+general-purpose node pools ✅
   - Added 3 EKS add-ons: AWS Secrets Store CSI Driver, AWS Mountpoint S3 CSI Driver, EKS Pod Identity Agent ✅
-  - Created Access Entry for WSParticipantRole AND IDE instance role with cluster admin permissions ✅
+  - Created Access Entry for IDE instance role with cluster admin permissions ✅
+  - WSParticipantRole Access Entry removed after testing showed it's not needed ✅
   - Used Access Entries authentication mode instead of ConfigMap-based authentication ✅
-  - Enabled all log types (api, audit, authenticator, controllerManager, scheduler) for comprehensive monitoring ✅
   - EKS cluster depends only on VPC for parallel deployment with Database ✅
   - _Requirements: 13.1, 13.2, 13.3, 13.4, 13.7, 13.8, 15.3, 15.5, 15.6, 19.1_
 
@@ -507,21 +507,7 @@
     - java-on-aws.sh: "✅ Success: Java-on-AWS workshop template" ✅
   - _Requirements: 3.3, 3.7, 6.6_
 
-- [ ]* 100.7 Write property test for EKS Access Entry configuration
-  - **Property 19: EKS Access Entry Configuration**
-  - **Validates: Requirements 13.8**
 
-- [ ]* 100.8 Write property test for workshop script orchestration
-  - **Property 20: Workshop Script Orchestration**
-  - **Validates: Requirements 17.1, 17.2**
-
-- [ ]* 100.9 Write property test for workshop error handling
-  - **Property 21: Workshop Error Handling**
-  - **Validates: Requirements 17.3**
-
-- [ ]* 100.10 Write property test for workshop verification
-  - **Property 22: Workshop Verification**
-  - **Validates: Requirements 17.4**
 
 - [x] 100.11 Validate java-on-aws migration
   - Generated template with TEMPLATE_TYPE=java-on-aws and verified all EKS resources are present ✅
@@ -563,11 +549,11 @@
   - Verified all resources present in generated java-on-aws-stack.yaml ✅
   - _Requirements: 1.2, 1.3_
 
-- [ ] 100.16 Create thread-dump-lambda.py implementation
-  - Create infra/cdk/src/main/resources/lambda/thread-dump-lambda.py
-  - Implement EKS pod discovery and thread dump collection
-  - Add Bedrock integration for AI-powered thread analysis
-  - Store results in S3 bucket with proper prefixes
+- [x] 100.16 Create thread-dump-lambda.py implementation
+  - Created infra/cdk/src/main/resources/lambda/thread-dump-lambda.py ✅
+  - Implemented EKS pod discovery and thread dump collection ✅
+  - Added Bedrock integration for AI-powered thread analysis ✅
+  - Store results in S3 bucket with proper prefixes ✅
   - _Requirements: 5.6_
 
 - [x] 100.24 Create Unicorn construct with ECR and Roles
@@ -603,18 +589,3 @@
   - Validate template generation and workshop setup scripts
   - _Requirements: 5.4, 5.5_
 
-## Validation & Cleanup (1000.x)
-
-- [ ] 1000.1 Comprehensive testing
-  - Test template generation for all workshop types
-  - Validate sync scripts copy templates and policies correctly
-  - Test convention-based script discovery for all workshops
-  - Verify error handling and timeout behavior in setup scripts
-  - _Requirements: 3.4, 3.5, 4.5_
-
-- [ ] 1000.2 Documentation and final validation
-  - Update README with new infra/ usage instructions
-  - Document migration process and parallel operation approach
-  - Verify both infrastructure/ and infra/ systems can operate independently
-  - Create migration checklist for workshop maintainers
-  - _Requirements: 5.9_
diff --git a/infra/cdk/src/main/java/sample/com/constructs/Eks.java b/infra/cdk/src/main/java/sample/com/constructs/Eks.java
@@ -73,16 +73,8 @@ private void createAccessEntries(EksProps props) {
                 .build()
         );
 
-        // WSParticipantRole Access Entry - TEMPORARILY COMMENTED OUT FOR TESTING
-        // String wsParticipantRoleArn = String.format("arn:aws:iam::%s:role/WSParticipantRole", Aws.ACCOUNT_ID);
-        // AccessEntry.Builder.create(this, "WSParticipantAccessEntry")
-        //     .cluster(cluster)
-        //     .principal(wsParticipantRoleArn)
-        //     .accessEntryType(AccessEntryType.STANDARD)
-        //     .accessPolicies(List.of(clusterAdminPolicy))
-        //     .build();
-
         // IDE Instance Role Access Entry (if provided)
+        // This grants the IDE instance role cluster admin permissions for kubectl access
         if (props.getIdeInstanceRole() != null) {
             AccessEntry.Builder.create(this, "InstanceAccessEntry")
                 .cluster(cluster)
diff --git a/infra/cfn/base-stack.yaml b/infra/cfn/base-stack.yaml
diff --git a/infra/cfn/java-on-aws-stack.yaml b/infra/cfn/java-on-aws-stack.yaml
