
Commit 5d64b0d

Merge branch 'main' into feat/96-linear-prefix-routing
2 parents 059450e + bb7876a commit 5d64b0d

5 files changed

Lines changed: 136 additions & 6 deletions


.github/workflows/deploy.yml

Lines changed: 3 additions & 3 deletions
@@ -22,7 +22,7 @@ jobs:
2222
run_id: ${{ github.event.workflow_run.id }}
2323
steps:
2424
- name: Download deploy intent
25-
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
25+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
2626
with:
2727
name: deploy-intent
2828
run-id: ${{ github.event.workflow_run.id }}
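Review bot: this moves `actions/download-artifact` four major versions in one step (v4.3.0 to v8.0.1), and this particular step reads the deploy-intent artifact out of another run (`run-id: ${{ github.event.workflow_run.id }}`), so check the v8 release notes for any change to the `name` and `run-id` inputs or to cross-run download behaviour before merging, and confirm that the new SHA is the commit actually tagged v8.0.1, since the trailing `# v8.0.1` comment is the only link between the two. Keeping the full commit SHA rather than a floating tag is the right call and should stay.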
@@ -145,7 +145,7 @@ jobs:
145145
persist-credentials: false
146146

147147
- name: Download CDK artifact (${{ matrix.compute_type }})
148-
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
148+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
149149
with:
150150
name: cdk-${{ matrix.compute_type }}-out
151151
path: cdk/
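Review bot: same bump as the first hunk, now on the CDK artifact download; the SHA matches the one used above, so the pins are consistent. No change needed here, though the three identical `uses:` lines in this file are a natural candidate for whatever mechanism keeps pinned action SHAs updated together, so a future bump cannot update one step and miss another.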
@@ -220,7 +220,7 @@ jobs:
220220
persist-credentials: false
221221

222222
- name: Download CDK artifact (${{ matrix.compute_type }})
223-
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
223+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
224224
with:
225225
name: cdk-${{ matrix.compute_type }}-out
226226
path: cdk/
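Review bot: identical to the previous hunk (same action, same SHA, same `# v8.0.1` comment); nothing further to raise beyond confirming that all three occurrences in this file were updated in the same commit, which they were.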

agent/pyproject.toml

Lines changed: 5 additions & 0 deletions
@@ -36,6 +36,11 @@ dependencies = [
3636
"cedarpy==4.8.0", #https://github.com/k9securityio/cedar-py — EXACT pin (no ^/~), parity with @cedar-policy/cedar-wasm@4.10.0
3737
]
3838

39+
[tool.uv]
40+
constraint-dependencies = [
41+
"pyjwt>=2.13.0", # PYSEC-2026-175/177/178/179 — transitive via mcp; remove when mcp bumps floor (#267)
42+
]
43+
3944
[tool.bandit]
4045
exclude_dirs = ["tests", ".venv"]
4146
skips = [
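Review bot: `constraint-dependencies` under `[tool.uv]` only takes effect when uv performs the resolution, so the `pyjwt>=2.13.0` floor does nothing if this package is ever installed with pip or another tool; if such a path exists, the floor has to be expressed in `dependencies` as well. The `agent/uv.lock` change in this commit is not rendered on this page, so verify that the lock actually resolved pyjwt to 2.13.0 or later rather than only recording the constraint. The inline comment naming the PYSEC advisories and the tracking issue (#267) is good; since the line above uses an EXACT pin for cedarpy, consider adding a word to the pyjwt comment explaining that a floor (not `==`) is intentional for a transitive dependency, so a later cleanup does not tighten it.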

agent/uv.lock

Lines changed: 6 additions & 3 deletions

docs/guides/DEPLOYMENT_GUIDE.md

Lines changed: 61 additions & 0 deletions
@@ -161,6 +161,67 @@ Triggers via `workflow_run` when `build.yml` completes successfully. The pipelin
161161
- **Allowlist compute types**: Edit `ALLOWED_COMPUTE_TYPES` in `deploy.yml`.
162162
- **Deploy via PR label**: Add the `deploy:<type>` label to a PR (e.g., `deploy:agentcore`).
163163

164+
## Known deployment issues
165+
166+
### DNS Query Log Config replacement cascade (upgrading from pre-v0.5)
167+
168+
**Affects:** Stacks deployed *before* the tag-exclusion fix ([#222](https://github.com/aws-samples/sample-autonomous-cloud-coding-agents/pull/222)). Stacks created after this fix are not affected.
169+
170+
**Symptom:** `UPDATE_FAILED` on `AWS::Route53Resolver::ResolverQueryLoggingConfigAssociation` with error `InvalidRequest: Cannot create association — one already exists for this VPC`.
171+
172+
**Root cause:** The `ResolverQueryLoggingConfig` resource is *create-only* in CloudFormation — any property change (including Tags) triggers a full replacement. Pre-fix stacks have `github:sha` and other tags on this resource. Although the new code excludes it from future tag applications, CloudFormation still attempts to *remove* the now-excluded tags from the existing resource during the update, triggering the replacement cascade:
173+
174+
1. Config is replaced → new physical resource ID
175+
2. Association detects `ResolverQueryLogConfigId` changed → triggers its own replacement
176+
3. CloudFormation attempts Create-before-Delete on the association → Route53 Resolver rejects (one association per VPC) → `InvalidRequest`
177+
178+
**Resolution — choose one:**
179+
180+
#### Option A: AWS CLI disassociation (recommended)
181+
182+
Fastest, scriptable, no console access required. Replace `<vpc-id>` with the agent VPC ID and `<region>` with your stack's region.
183+
184+
1. List the association for your VPC to get the `ResolverQueryLogConfigId`:
185+
```bash
186+
aws route53resolver list-resolver-query-log-config-associations \
187+
--region <region> \
188+
--query "ResolverQueryLogConfigAssociations[?ResourceId=='<vpc-id>']"
189+
```
190+
2. Disassociate using the `Id` from step 1:
191+
```bash
192+
aws route53resolver disassociate-resolver-query-log-config \
193+
--resolver-query-log-config-id <rqlc-id> \
194+
--resource-id <vpc-id> \
195+
--region <region>
196+
```
197+
3. Run `mise //cdk:deploy` — CloudFormation recreates both the config and association without the orphan tags. The pre-existing `ResolverQueryLoggingConfig` is replaced as part of the same update, so an explicit `delete-resolver-query-log-config` is not required.
198+
199+
#### Option B: Two-phase deploy (comment-out / re-add)
200+
201+
1. In `cdk/src/stacks/agent.ts`, comment out the `DnsFirewall` construct instantiation (~line 197):
202+
```typescript
203+
// new DnsFirewall(this, 'DnsFirewall', {
204+
// vpc: agentVpc.vpc,
205+
// additionalAllowedDomains: additionalDomains,
206+
// observationMode: true,
207+
// });
208+
```
209+
2. Deploy: `mise //cdk:deploy` — this deletes the query log config, association, firewall rules, and related resources
210+
3. Uncomment the `DnsFirewall` block
211+
4. Deploy again: `mise //cdk:deploy` — resources are recreated cleanly without tags
212+
213+
Option B is more disruptive (two deploys, brief DNS logging gap) but requires no AWS API access beyond `cdk deploy`.
214+
215+
#### Option C: Manual disassociation via AWS Console
216+
217+
For users without AWS CLI access.
218+
219+
1. Open the [Route 53 Resolver console](https://console.aws.amazon.com/route53resolver/home#/query-logging)
220+
2. Select the query logging configuration named `agent-dns-query-log`
221+
3. Under **Associated VPCs**, disassociate the VPC
222+
4. Delete the query logging configuration
223+
5. Run `mise //cdk:deploy` (or `cdk deploy`) — CloudFormation will recreate both resources without tags
224+
164225
## Related docs
165226

166227
- [Quick start](./QUICK_START.md) -- Zero-to-first-PR in 6 steps.
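Review bot: step 2 of Option A says to disassociate "using the `Id` from step 1", but `--resolver-query-log-config-id` takes the `ResolverQueryLogConfigId` that step 1 asks the reader to find, while the association record returned by `list-resolver-query-log-config-associations` also carries its own `Id`; a reader who passes that will get an error. Suggest "Disassociate using the `ResolverQueryLogConfigId` from step 1" and introducing the `<rqlc-id>` placeholder in the lead sentence next to `<vpc-id>` and `<region>`. Two smaller points: Option A step 3 says an explicit config deletion is not required, while Option C step 4 deletes the configuration, so state whether deletion is optional or required so the options agree; and "(~line 197)" in Option B will drift, so anchor on the `new DnsFirewall(this, 'DnsFirewall', ...)` call instead of a line number.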

docs/src/content/docs/getting-started/Deployment-guide.md

Lines changed: 61 additions & 0 deletions
@@ -165,6 +165,67 @@ Triggers via `workflow_run` when `build.yml` completes successfully. The pipelin
165165
- **Allowlist compute types**: Edit `ALLOWED_COMPUTE_TYPES` in `deploy.yml`.
166166
- **Deploy via PR label**: Add the `deploy:<type>` label to a PR (e.g., `deploy:agentcore`).
167167

168+
## Known deployment issues
169+
170+
### DNS Query Log Config replacement cascade (upgrading from pre-v0.5)
171+
172+
**Affects:** Stacks deployed *before* the tag-exclusion fix ([#222](https://github.com/aws-samples/sample-autonomous-cloud-coding-agents/pull/222)). Stacks created after this fix are not affected.
173+
174+
**Symptom:** `UPDATE_FAILED` on `AWS::Route53Resolver::ResolverQueryLoggingConfigAssociation` with error `InvalidRequest: Cannot create association — one already exists for this VPC`.
175+
176+
**Root cause:** The `ResolverQueryLoggingConfig` resource is *create-only* in CloudFormation — any property change (including Tags) triggers a full replacement. Pre-fix stacks have `github:sha` and other tags on this resource. Although the new code excludes it from future tag applications, CloudFormation still attempts to *remove* the now-excluded tags from the existing resource during the update, triggering the replacement cascade:
177+
178+
1. Config is replaced → new physical resource ID
179+
2. Association detects `ResolverQueryLogConfigId` changed → triggers its own replacement
180+
3. CloudFormation attempts Create-before-Delete on the association → Route53 Resolver rejects (one association per VPC) → `InvalidRequest`
181+
182+
**Resolution — choose one:**
183+
184+
#### Option A: AWS CLI disassociation (recommended)
185+
186+
Fastest, scriptable, no console access required. Replace `<vpc-id>` with the agent VPC ID and `<region>` with your stack's region.
187+
188+
1. List the association for your VPC to get the `ResolverQueryLogConfigId`:
189+
```bash
190+
aws route53resolver list-resolver-query-log-config-associations \
191+
--region <region> \
192+
--query "ResolverQueryLogConfigAssociations[?ResourceId=='<vpc-id>']"
193+
```
194+
2. Disassociate using the `Id` from step 1:
195+
```bash
196+
aws route53resolver disassociate-resolver-query-log-config \
197+
--resolver-query-log-config-id <rqlc-id> \
198+
--resource-id <vpc-id> \
199+
--region <region>
200+
```
201+
3. Run `mise //cdk:deploy` — CloudFormation recreates both the config and association without the orphan tags. The pre-existing `ResolverQueryLoggingConfig` is replaced as part of the same update, so an explicit `delete-resolver-query-log-config` is not required.
202+
203+
#### Option B: Two-phase deploy (comment-out / re-add)
204+
205+
1. In `cdk/src/stacks/agent.ts`, comment out the `DnsFirewall` construct instantiation (~line 197):
206+
```typescript
207+
// new DnsFirewall(this, 'DnsFirewall', {
208+
// vpc: agentVpc.vpc,
209+
// additionalAllowedDomains: additionalDomains,
210+
// observationMode: true,
211+
// });
212+
```
213+
2. Deploy: `mise //cdk:deploy` — this deletes the query log config, association, firewall rules, and related resources
214+
3. Uncomment the `DnsFirewall` block
215+
4. Deploy again: `mise //cdk:deploy` — resources are recreated cleanly without tags
216+
217+
Option B is more disruptive (two deploys, brief DNS logging gap) but requires no AWS API access beyond `cdk deploy`.
218+
219+
#### Option C: Manual disassociation via AWS Console
220+
221+
For users without AWS CLI access.
222+
223+
1. Open the [Route 53 Resolver console](https://console.aws.amazon.com/route53resolver/home#/query-logging)
224+
2. Select the query logging configuration named `agent-dns-query-log`
225+
3. Under **Associated VPCs**, disassociate the VPC
226+
4. Delete the query logging configuration
227+
5. Run `mise //cdk:deploy` (or `cdk deploy`) — CloudFormation will recreate both resources without tags
228+
168229
## Related docs
169230

170231
- [Quick start](/getting-started/quick-start) -- Zero-to-first-PR in 6 steps.
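Review bot: this section is a verbatim copy of the one added to `docs/guides/DEPLOYMENT_GUIDE.md` in the same commit, so the same fixes apply in both places: Option A step 2 should refer to the `ResolverQueryLogConfigId` from step 1 rather than "the `Id`" (the association record has a separate `Id` field, and `--resolver-query-log-config-id` does not accept it), the `<rqlc-id>` placeholder should be introduced with the others, and Option A (no explicit deletion) and Option C step 4 (delete the configuration) should agree on whether deletion is needed. Since the only intended difference between the two files is the Quick start link (`/getting-started/quick-start` here, `./QUICK_START.md` there), a short note in each file pointing at the other, or generating one from the other, would keep them from drifting.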
