feat(java-on-aws-infra): update IAM policies and add EC2 network permissions

Author: Yuriy Bezsonov

infra/README.md

@@ -6,7 +6,7 @@ CDK project for generating CloudFormation templates for AWS workshops. Uses a un
 
 ```bash
 # Generate all CloudFormation templates
-npm run generate
+npm run gen
 
 # Sync templates to workshop directories
 npm run sync

infra/cdk/README.md

@@ -6,7 +6,7 @@ CDK project for generating CloudFormation templates for AWS workshops.
 
 ```bash
 # Generate all CloudFormation templates
-npm run generate
+npm run gen
 
 # Sync templates to workshop directories
 npm run sync

infra/cdk/src/main/resources/iam-policy.json

@@ -111,7 +111,8 @@
 			],
 			"Resource": [
 				"arn:aws:iam::{{.AccountId}}:role/aiagent*",
-				"arn:aws:iam::{{.AccountId}}:role/mcp*"
+				"arn:aws:iam::{{.AccountId}}:role/mcp*",
+				"arn:aws:iam::{{.AccountId}}:role/backoffice*"
 			],
 			"Condition": {
 				"StringEquals": {

infra/cdk/src/main/resources/workshop-boundary.json

@@ -14,6 +14,12 @@
 				"cloudfront:*",
 				"cloudwatch:*",
 				"dynamodb:*",
+				"ec2:CreateNetworkInterface",
+				"ec2:DeleteNetworkInterface",
+				"ec2:DescribeNetworkInterfaces",
+				"ec2:DescribeSecurityGroups",
+				"ec2:DescribeSubnets",
+				"ec2:DescribeVpcs",
 				"ecr:*",
 				"lambda:InvokeFunction",
 				"logs:*",

infra/cfn/java-ai-agents-stack.yaml

@@ -378,7 +378,7 @@ Resources:
         Fn::GetAtt:
           - CodeBuildRoleE9A44575
           - Arn
-      ContentHash: "1769679323540"
+      ContentHash: "1769949962117"
       ProjectName:
         Ref: CodeBuildProjectA0FF5539
       ServiceToken:
@@ -1707,6 +1707,7 @@ Resources:
             Effect: Allow
             Resource:
               - !Sub arn:aws:iam::${AWS::AccountId}:role/aiagent*
+              - !Sub arn:aws:iam::${AWS::AccountId}:role/backoffice*
               - !Sub arn:aws:iam::${AWS::AccountId}:role/mcp*
             Sid: AiAgentCreateRoles
           - Action: iam:PassRole
@@ -1781,6 +1782,12 @@ Resources:
               - cloudwatch:*
               - cognito-idp:*
               - dynamodb:*
+              - ec2:CreateNetworkInterface
+              - ec2:DeleteNetworkInterface
+              - ec2:DescribeNetworkInterfaces
+              - ec2:DescribeSecurityGroups
+              - ec2:DescribeSubnets
+              - ec2:DescribeVpcs
               - ecr:*
               - lambda:InvokeFunction
               - logs:*
@@ -2039,7 +2046,7 @@ Resources:
             - Ref: AWS::AccountId
             - "-"
             - Ref: AWS::Region
-            - "-20260129103523"
+            - "-20260201134602"
       PublicAccessBlockConfiguration:
         BlockPublicAcls: true
         BlockPublicPolicy: true

infra/package.json

@@ -3,7 +3,7 @@
   "version": "1.0.0",
   "description": "Unified AWS workshop infrastructure",
   "scripts": {
-    "generate": "./scripts/cfn/generate.sh",
+    "gen": "./scripts/cfn/generate.sh",
     "sync": "./scripts/cfn/sync.sh"
   },
   "author": "",