fix(plugin): add X-Ray resource policy to /setup and least-privilege ref to /deploy

scottschreckengaust · claude · scottschreckengaust · commit 903fa5f2a635 · 2026-04-23T20:32:14.000Z
The /setup skill's Phase 3 only ran `aws xray update-trace-segment-destination`
which fails with AccessDeniedException on fresh accounts. Added the prerequisite
`aws logs put-resource-policy` command.

Added a "Least-Privilege Deployment" section to the /deploy skill linking to
DEPLOYMENT_ROLES.md with the re-bootstrap command for scoped execution policies.

Updated CLAUDE.md to reference the abca-plugin and its available skills so
Claude Code sessions discover the guided workflows without requiring
--plugin-dir.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -1 +1,3 @@
 @AGENTS.md
+
+See also [README.md](./README.md) for the Claude Code plugin (`docs/abca-plugin/`), which provides interactive guided workflows for setup, deployment, repository onboarding, task submission, and troubleshooting via `/setup`, `/deploy`, `/onboard-repo`, `/submit-task`, `/status`, and `/troubleshoot` skills. Run Claude Code with `claude --plugin-dir docs/abca-plugin` to activate it.
diff --git a/docs/abca-plugin/skills/deploy/SKILL.md b/docs/abca-plugin/skills/deploy/SKILL.md
@@ -81,3 +81,14 @@ After a successful deploy, remind the user to:
 - Store/update the GitHub PAT in Secrets Manager if this is a fresh deployment
 - Onboard repositories via Blueprint constructs if needed
 - Run a smoke test: `curl -s -H "Authorization: $TOKEN" $API_URL/tasks`
+
+## Least-Privilege Deployment
+
+By default, CDK bootstrap grants `AdministratorAccess` to the CloudFormation execution role. For production or security-sensitive accounts, re-bootstrap with a scoped execution policy:
+
+```bash
+cdk bootstrap aws://ACCOUNT/REGION \
+  --cloudformation-execution-policies "arn:aws:iam::ACCOUNT:policy/IaCRole-ABCA-Policy"
+```
+
+See [DEPLOYMENT_ROLES.md](../../design/DEPLOYMENT_ROLES.md) for the complete least-privilege IAM policy, trust policy, runtime role inventory, and iterative tightening recommendations.
diff --git a/docs/abca-plugin/skills/setup/SKILL.md b/docs/abca-plugin/skills/setup/SKILL.md
@@ -52,11 +52,17 @@ If `mise run install` fails with "yarn: command not found", Corepack wasn't acti
 
 ## Phase 3: One-Time AWS Setup
 
+On a fresh AWS account, X-Ray needs a CloudWatch Logs resource policy before it can write spans. Run both commands — the first creates the policy, the second sets the destination:
+
 ```bash
+ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+aws logs put-resource-policy \
+  --policy-name xray-spans-policy \
+  --policy-document "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"XRaySpansAccess\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"xray.amazonaws.com\"},\"Action\":[\"logs:PutLogEvents\",\"logs:CreateLogGroup\",\"logs:CreateLogStream\"],\"Resource\":\"*\"}]}"
 aws xray update-trace-segment-destination --destination CloudWatchLogs
 ```
 
-This must be run once per AWS account before first deployment.
+These must be run once per AWS account before first deployment. If the `put-resource-policy` step is skipped, the `update-trace-segment-destination` command fails with `AccessDeniedException`.
 
 ## Phase 4: First Deployment
 

Original file line number	Diff line number	Diff line change
`@@ -1 +1,3 @@`
`1`	`1`	`@AGENTS.md`
	`2`	`+`
	`3`	+See also [README.md](./README.md) for the Claude Code plugin (`docs/abca-plugin/`), which provides interactive guided workflows for setup, deployment, repository onboarding, task submission, and troubleshooting via `/setup`, `/deploy`, `/onboard-repo`, `/submit-task`, `/status`, and `/troubleshoot` skills. Run Claude Code with `claude --plugin-dir docs/abca-plugin` to activate it.