feat(infra): add ECS Express Service construct for Spring AI agents deployment

Author: Yuriy Bezsonov

infra/README.md

@@ -32,8 +32,9 @@ infra/
 │   │       ├── WorkshopBucket.java   # Shared S3 bucket + SSM parameter
 │   │       ├── ThreadAnalysis.java   # Thread dump Lambda + API Gateway
 │   │       ├── AiJvmAnalyzer.java    # Pod Identity for AI analyzer
-│   │       ├── Unicorn.java          # ECR + IAM roles for workshop apps
+│   │       ├── Unicorn.java          # EventBus + IAM roles for workshop apps
 │   │       ├── EcrRegistry.java      # ECR create-on-push template
+│   │       ├── EcsExpressService.java # ECS Express Mode service for AI agents
 │   │       └── CfnPreDeleteCleanup.java  # Stack cleanup Lambda
 │   ├── src/main/resources/
 │   │   ├── userdata.sh               # EC2 UserData bootstrap script
@@ -74,7 +75,10 @@ infra/
 │   │   ├── eks.sh                    # EKS cluster configuration
 │   │   ├── monitoring.sh             # Prometheus + Grafana
 │   │   ├── analysis.sh               # Thread dump + profiling
-│   │   └── unicorn-store-spring.sh   # Spring app deployment
+│   │   ├── unicorn-store-spring.sh   # Spring app deployment
+│   │   └── java-spring-ai-agents/    # Spring AI agents setup
+│   │       ├── build-and-push.sh     # Build and push images to ECR
+│   │       └── Dockerfile            # Placeholder container image
 │   ├── lib/                          # Common utilities
 │   │   ├── common.sh                 # Emoji logging, error handling
 │   │   └── wait-for-resources.sh     # EKS/RDS readiness checking
@@ -92,9 +96,9 @@ infra/
 | Template Type | Resources Created |
 |---------------|-------------------|
 | `base` | VPC, IDE |
-| `java-on-aws-immersion-day` | VPC, IDE, CodeBuild, Database, EKS, WorkshopBucket, EcrRegistry, ThreadAnalysis, AiJvmAnalyzer, Unicorn |
+| `java-on-aws-immersion-day` | VPC, IDE, CodeBuild, Database, EKS, WorkshopBucket, EcrRegistry, Unicorn, ECR (unicorn-store-spring), ThreadAnalysis, AiJvmAnalyzer |
 | `java-on-amazon-eks` | Same as java-on-aws-immersion-day |
-| `java-spring-ai-agents` | Same as java-on-aws-immersion-day |
+| `java-spring-ai-agents` | VPC, IDE, CodeBuild, Database, EKS, WorkshopBucket, EcrRegistry, Unicorn, 2x EcsExpressService (unicorn-spring-ai-agent, unicorn-store-spring) |
 
 ---
 
@@ -171,16 +175,34 @@ public WorkshopStack(...) {
     String prefix = "workshop";
     String templateType = getContext("template.type"); // defaults to "base"
 
+    boolean isImmersionDay = "java-on-aws-immersion-day".equals(templateType);
+    boolean isEks = "java-on-amazon-eks".equals(templateType);
+    boolean isSpringAi = "java-spring-ai-agents".equals(templateType);
+    boolean isFullTemplate = isImmersionDay || isEks || isSpringAi;
+
     // Always created
     Vpc vpc = new Vpc(this, "Vpc", ...);
     Ide ide = new Ide(this, "Ide", ...);
 
-    // Conditionally created for java-on-aws-immersion-day, java-on-amazon-eks, and java-spring-ai-agents
-    if ("java-on-aws-immersion-day".equals(templateType) || "java-on-amazon-eks".equals(templateType) || "java-spring-ai-agents".equals(templateType)) {
-        new CodeBuild(this, "CodeBuild", ...);
-        new Database(this, "Database", ...);
-        new Eks(this, "Eks", ...);
-        // ... additional constructs
+    // Full template resources (all 3 workshop types)
+    if (isFullTemplate) {
+        new CodeBuild(...);
+        Database database = new Database(...);
+        Eks eks = new Eks(...);
+        Unicorn unicorn = new Unicorn(...);  // EventBus, EKS/ECS roles, DB setup
+
+        // java-on-aws-immersion-day & java-on-amazon-eks only
+        if (isImmersionDay || isEks) {
+            new Repository("unicorn-store-spring");  // ECR for manual deployment
+            new ThreadAnalysis(...);
+            new AiJvmAnalyzer(...);
+        }
+
+        // java-spring-ai-agents only
+        if (isSpringAi) {
+            new EcsExpressService("unicorn-spring-ai-agent", unicorn);  // ECR + ECS + ALB
+            new EcsExpressService("unicorn-store-spring", unicorn);     // ECR + ECS + ALB
+        }
     }
 }
 ```

infra/cdk/src/main/java/sample/com/WorkshopStack.java

@@ -1,7 +1,9 @@
 package sample.com;
 
+import software.amazon.awscdk.RemovalPolicy;
 import software.amazon.awscdk.Stack;
 import software.amazon.awscdk.StackProps;
+import software.amazon.awscdk.services.ecr.Repository;
 import software.constructs.Construct;
 import sample.com.constructs.*;
 import sample.com.constructs.Ide.IdeProps;
@@ -47,6 +49,12 @@ public WorkshopStack(final Construct scope, final String id, final StackProps pr
             gitBranch = "main"; // fallback
         }
 
+        // Template type flags
+        boolean isImmersionDay = "java-on-aws-immersion-day".equals(templateType);
+        boolean isEks = "java-on-amazon-eks".equals(templateType);
+        boolean isSpringAi = "java-spring-ai-agents".equals(templateType);
+        boolean isFullTemplate = isImmersionDay || isEks || isSpringAi;
+
         // Core infrastructure (always created)
         Vpc vpc = new Vpc(this, "Vpc", Vpc.VpcProps.builder()
             .prefix(prefix)
@@ -61,8 +69,8 @@ public WorkshopStack(final Construct scope, final String id, final StackProps pr
             .build();
         Ide ide = new Ide(this, "Ide", ideProps);
 
-        // java-on-aws-immersion-day, java-on-amazon-eks, and java-spring-ai-agents specific resources (CodeBuild for service-linked roles)
-        if ("java-on-aws-immersion-day".equals(templateType) || "java-on-amazon-eks".equals(templateType) || "java-spring-ai-agents".equals(templateType)) {
+        // Full template resources (java-on-aws-immersion-day, java-on-amazon-eks, java-spring-ai-agents)
+        if (isFullTemplate) {
             // CodeBuild for workshop setup (service-linked role creation)
             new CodeBuild(this, "CodeBuild",
                 CodeBuild.CodeBuildProps.builder()
@@ -75,7 +83,7 @@ public WorkshopStack(final Construct scope, final String id, final StackProps pr
                     .buildSpec(buildSpec)
                     .build());
 
-            // Database, EKS, PerformanceAnalysis, Unicorn
+            // Database
             Database database = new Database(this, "Database", Database.DatabaseProps.builder()
                 .prefix(prefix)
                 .vpc(vpc.getVpc())
@@ -89,7 +97,7 @@ public WorkshopStack(final Construct scope, final String id, final StackProps pr
                 .ideInternalSecurityGroup(ide.getIdeInternalSecurityGroup())
                 .build());
 
-            // Shared workshop bucket for thread dumps and profiling data
+            // Shared workshop bucket
             WorkshopBucket workshopBucket = new WorkshopBucket(this, "WorkshopBucket",
                 WorkshopBucket.WorkshopBucketProps.builder()
                     .prefix(prefix)
@@ -101,29 +109,61 @@ public WorkshopStack(final Construct scope, final String id, final StackProps pr
                     .prefix(prefix)
                     .build());
 
-            // Thread Analysis (thread dump Lambda + API Gateway)
-            new ThreadAnalysis(this, "ThreadAnalysis",
-                ThreadAnalysis.ThreadAnalysisProps.builder()
-                    .prefix(prefix)
-                    .vpc(vpc.getVpc())
-                    .eksCluster(eks.getCluster())
-                    .eksClusterName(eks.getClusterName())
-                    .workshopBucket(workshopBucket.getBucket())
-                    .build());
-
-            // AI JVM Analyzer (Pod Identity role for ai-jvm-analyzer)
-            new AiJvmAnalyzer(this, "AiJvmAnalyzer",
-                AiJvmAnalyzer.AiJvmAnalyzerProps.builder()
-                    .workshopBucket(workshopBucket.getBucket())
-                    .build());
-
-            // Unicorn construct: Roles + DB Setup (uses unicorn* naming for workshop content compatibility)
-            new Unicorn(this, "Unicorn", Unicorn.UnicornProps.builder()
+            // Unicorn construct: EventBus, Roles, DB Setup (uses unicorn* naming for workshop content compatibility)
+            Unicorn unicorn = new Unicorn(this, "Unicorn", Unicorn.UnicornProps.builder()
                 .vpc(vpc.getVpc())
                 .database(database)
                 .workshopBucket(workshopBucket.getBucket())
                 .build());
 
+            // java-on-aws-immersion-day & java-on-amazon-eks specific resources
+            if (isImmersionDay || isEks) {
+                // ECR repository for unicorn-store-spring (manual ECS Express deployment)
+                Repository.Builder.create(this, "UnicornStoreSpringEcr")
+                    .repositoryName("unicorn-store-spring")
+                    .imageScanOnPush(true)
+                    .removalPolicy(RemovalPolicy.DESTROY)
+                    .emptyOnDelete(true)
+                    .build();
+
+                // Thread Analysis (thread dump Lambda + API Gateway)
+                new ThreadAnalysis(this, "ThreadAnalysis",
+                    ThreadAnalysis.ThreadAnalysisProps.builder()
+                        .prefix(prefix)
+                        .vpc(vpc.getVpc())
+                        .eksCluster(eks.getCluster())
+                        .eksClusterName(eks.getClusterName())
+                        .workshopBucket(workshopBucket.getBucket())
+                        .build());
+
+                // AI JVM Analyzer (Pod Identity role for ai-jvm-analyzer)
+                new AiJvmAnalyzer(this, "AiJvmAnalyzer",
+                    AiJvmAnalyzer.AiJvmAnalyzerProps.builder()
+                        .workshopBucket(workshopBucket.getBucket())
+                        .build());
+            }
+
+            // java-spring-ai-agents specific resources
+            if (isSpringAi) {
+                // ECS Express Service for Spring AI Agent
+                new EcsExpressService(this, "SpringAiAgent",
+                    EcsExpressService.EcsExpressServiceProps.builder()
+                        .appName("unicorn-spring-ai-agent")
+                        .vpc(vpc.getVpc())
+                        .database(database)
+                        .unicorn(unicorn)
+                        .build());
+
+                // ECS Express Service for MCP Server
+                new EcsExpressService(this, "McpServer",
+                    EcsExpressService.EcsExpressServiceProps.builder()
+                        .appName("unicorn-store-spring")
+                        .vpc(vpc.getVpc())
+                        .database(database)
+                        .unicorn(unicorn)
+                        .build());
+            }
+
             // Pre-delete cleanup (removes VPC endpoints, CloudWatch logs, S3 contents before stack deletion)
             new CfnPreDeleteCleanup(this, "CfnPreDeleteCleanup",
                 CfnPreDeleteCleanup.CfnPreDeleteCleanupProps.builder()

infra/cdk/src/main/java/sample/com/constructs/EcsExpressService.java

@@ -0,0 +1,156 @@
+package sample.com.constructs;
+
+import software.amazon.awscdk.RemovalPolicy;
+import software.amazon.awscdk.services.ec2.IVpc;
+import software.amazon.awscdk.services.ec2.SubnetSelection;
+import software.amazon.awscdk.services.ec2.SubnetType;
+import software.amazon.awscdk.services.ecr.Repository;
+import software.amazon.awscdk.services.ecs.CfnExpressGatewayService;
+import software.amazon.awscdk.services.iam.ManagedPolicy;
+import software.amazon.awscdk.services.iam.Role;
+import software.constructs.Construct;
+
+import java.util.List;
+import java.util.Map;
+
+/**
+ * ECS Express Mode service construct for Spring AI agents.
+ * Creates an ECR repository and ECS Express Gateway Service with ALB.
+ * Reuses Unicorn's ECS roles and adds Bedrock access for AI capabilities.
+ */
+public class EcsExpressService extends Construct {
+
+    private final Repository ecrRepository;
+    private final CfnExpressGatewayService expressService;
+
+    public EcsExpressService(final Construct scope, final String id, final EcsExpressServiceProps props) {
+        super(scope, id);
+
+        String appName = props.getAppName();
+
+        // Create ECR Repository
+        this.ecrRepository = Repository.Builder.create(this, "EcrRepository")
+            .repositoryName(appName)
+            .imageScanOnPush(false)
+            .removalPolicy(RemovalPolicy.DESTROY)
+            .emptyOnDelete(true)
+            .build();
+
+        // Add Bedrock access to task role for AI capabilities
+        Role taskRole = props.getUnicorn().getEcsTaskRole();
+        taskRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName("AmazonBedrockFullAccess"));
+
+        // Get private subnets for the service
+        List<String> privateSubnetIds = props.getVpc().selectSubnets(SubnetSelection.builder()
+            .subnetType(SubnetType.PRIVATE_WITH_EGRESS)
+            .build()).getSubnetIds();
+
+        // Create ECS Express Gateway Service
+        this.expressService = CfnExpressGatewayService.Builder.create(this, "ExpressService")
+            .serviceName(appName)
+            .infrastructureRoleArn(props.getUnicorn().getEcsInfrastructureRole().getRoleArn())
+            .executionRoleArn(props.getUnicorn().getEcsTaskExecutionRole().getRoleArn())
+            .taskRoleArn(taskRole.getRoleArn())
+            .primaryContainer(CfnExpressGatewayService.ExpressGatewayContainerProperty.builder()
+                .image(ecrRepository.getRepositoryUri() + ":latest")
+                .containerPort(8080)
+                .secrets(List.of(
+                    CfnExpressGatewayService.SecretProperty.builder()
+                        .name("SPRING_DATASOURCE_URL")
+                        .valueFrom(props.getDatabase().getParamDBConnectionString().getParameterArn())
+                        .build(),
+                    CfnExpressGatewayService.SecretProperty.builder()
+                        .name("SPRING_DATASOURCE_PASSWORD")
+                        .valueFrom(props.getDatabase().getDatabaseSecret().getSecretArn() + ":password::")
+                        .build()
+                ))
+                .build())
+            .cpu("1024")
+            .memory("2048")
+            .healthCheckPath("/actuator/health")
+            .networkConfiguration(CfnExpressGatewayService.ExpressGatewayServiceNetworkConfigurationProperty.builder()
+                .subnets(privateSubnetIds)
+                .build())
+            .scalingTarget(CfnExpressGatewayService.ExpressGatewayScalingTargetProperty.builder()
+                .minTaskCount(1)
+                .maxTaskCount(4)
+                .autoScalingMetric("CPU")
+                .autoScalingTargetValue(70)
+                .build())
+            .build();
+    }
+
+    public Repository getEcrRepository() {
+        return ecrRepository;
+    }
+
+    public CfnExpressGatewayService getExpressService() {
+        return expressService;
+    }
+
+    // Props class
+    public static class EcsExpressServiceProps {
+        private final String appName;
+        private final IVpc vpc;
+        private final Database database;
+        private final Unicorn unicorn;
+
+        private EcsExpressServiceProps(Builder builder) {
+            this.appName = builder.appName;
+            this.vpc = builder.vpc;
+            this.database = builder.database;
+            this.unicorn = builder.unicorn;
+        }
+
+        public static Builder builder() {
+            return new Builder();
+        }
+
+        public String getAppName() {
+            return appName;
+        }
+
+        public IVpc getVpc() {
+            return vpc;
+        }
+
+        public Database getDatabase() {
+            return database;
+        }
+
+        public Unicorn getUnicorn() {
+            return unicorn;
+        }
+
+        public static class Builder {
+            private String appName;
+            private IVpc vpc;
+            private Database database;
+            private Unicorn unicorn;
+
+            public Builder appName(String appName) {
+                this.appName = appName;
+                return this;
+            }
+
+            public Builder vpc(IVpc vpc) {
+                this.vpc = vpc;
+                return this;
+            }
+
+            public Builder database(Database database) {
+                this.database = database;
+                return this;
+            }
+
+            public Builder unicorn(Unicorn unicorn) {
+                this.unicorn = unicorn;
+                return this;
+            }
+
+            public EcsExpressServiceProps build() {
+                return new EcsExpressServiceProps(this);
+            }
+        }
+    }
+}