Feature/private network codebuild support#290
Feature/private network codebuild support#290sirirako wants to merge 11 commits intoaws-solutions-library-samples:developfrom
Conversation
…ions-library-samples#285) Bumps [dompurify](https://github.com/cure53/DOMPurify) from 3.3.3 to 3.4.0. - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@3.3.3...3.4.0) --- updated-dependencies: - dependency-name: dompurify dependency-version: 3.4.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
… registries - Dockerfile.optimized: parameterize FROM sources via ARG UV_IMAGE, ARG LAMBDA_BASE_IMAGE; add ARG/ENV UV_INDEX_URL for internal PyPI mirror - patterns/unified/buildspec.yml: add air-gapped pre_build logic for UV_IMAGE/LAMBDA_BASE_IMAGE fallback, Artifactory Docker login via Secrets Manager (credentials never hardcoded), UV_INDEX_URL passthrough to docker buildx --build-arg - patterns/unified/template.yaml: add 5 new CFN parameters (UvImage, LambdaBaseImage, UvIndexUrl, ArtifactoryDockerUrl, ArtifactoryCredentialsSecretArn), corresponding Conditions, CodeBuild EnvironmentVariables, and conditional IAM Secrets Manager grant on DockerBuildRole (scoped to exact secret ARN) - template.yaml: add matching 5 top-level CFN parameters and pass them through to PATTERNSTACK nested stack (fixes parameter passthrough gap); add Artifactory npm registry support in UICodeBuildProject BuildSpec with dual auth format (token + basic auth) via Secrets Manager - scripts/setup-airgapped-codebuild.sh: new helper script to pull public images, re-tag, and push to customer ECR; outputs ready-to-paste idp-cli deploy --parameters string - docs/artifactory-dependency-workaround.md: comprehensive guide for Artifactory/internal registry dependency resolution (Options 1-4) Fixes critical gap: air-gapped params were not passed from parent template.yaml to PATTERNSTACK, making idp-cli deploy --parameters UvImage=... silently ignored. Closes: private network CodeBuild support feature
…section - Add 'Air-gapped CodeBuild — Internal Container Registries' subsection in Step 1 explaining the two public images CodeBuild needs (uv, Lambda base) - Document setup-airgapped-codebuild.sh helper script usage with example output - Document UvImage, LambdaBaseImage, UvIndexUrl, ArtifactoryDockerUrl, and ArtifactoryCredentialsSecretArn deploy parameters - Add troubleshooting row for 'pull access denied / name unknown' CodeBuild error - Cross-link to docs/artifactory-dependency-workaround.md
Add UvImage, LambdaBaseImage, UvIndexUrl, ArtifactoryDockerUrl, and ArtifactoryCredentialsSecretArn to the key parameters table in Step 2 so users can see all available parameters in one place.
…ated manifest generation
- Dockerfile.optimized: explicit --index-url flag in uv pip install to prevent stale cache bypassing UV_INDEX_URL in air-gapped builds - patterns/unified/template.yaml: add NpmRegistryUrl, CodeBuildVpcId, CodeBuildSubnetIds, CodeBuildSecurityGroupId params; UseCodeBuildVpc condition; VpcConfig on DockerBuildProject; ec2 ENI perms on DockerBuildRole for VPC placement - template.yaml: same 4 new params with NoEcho on UvIndexUrl; pass all new params through to nested PATTERNSTACK; UICodeBuildProject gets NpmRegistryUrl env var + npm registry injection in buildspec - scripts/setup-airgapped-codebuild.sh: fix comment typo --account-id -> --account (match usage message) - scripts/deploy-vpc-endpoints.py: add ecr.api, ecr.dkr, codebuild endpoints for CodeBuild VPC placement; add --codebuild-endpoints flag and --security-group-id override arg - scripts/vpc-endpoints.yaml: add CreateEcrApiEndpoint, CreateEcrDkrEndpoint, CreateCodeBuildEndpoint parameters, conditions, and Interface endpoint resources (default false) - docs/deployment-private-network.md: fix --account-id -> --account; add NpmRegistryUrl + VPC params to table; add CodeBuild VPC placement section with endpoint instructions
Moving to a separate PR to keep this PR focused on the air-gapped CodeBuild infrastructure changes. The workaround guide is valuable but better reviewed independently.
…stack CommaDelimitedList parameters resolve to a list when referenced with !Ref, which is invalid for nested stack Parameters (must be plain strings). Fix: !Ref CodeBuildSubnetIds → !Join [",", !Ref CodeBuildSubnetIds] Matches the existing pattern used for LambdaSubnetIds and ALBSubnetIds. Verified: IDP-ALB stack deployed successfully with ECR images: - uv-0.9.6 pulled from 549366490058.dkr.ecr.us-east-1.amazonaws.com - lambda-python-3.12-arm64 pulled from 549366490058.dkr.ecr.us-east-1.amazonaws.com DockerBuild SUCCEEDED, stack reached UPDATE_COMPLETE.
|
Can you address the concerns raised in Claude's review below, @sirirako ? Thanks! My recommendation: NOT ready to merge. The direction and infrastructure work is solid, but there are several concrete quality and completeness issues the author should address first. 1. Scope & compositionThe PR does three logically separate things bundled together:
The commit history is messy:
2. Correctness / functional bugs🔴
|
| Area | Assessment |
|---|---|
| Problem worth solving | ✅ Yes — customers in private/air‑gapped VPCs have no existing path |
| Approach | ✅ Sound — optional params, backward compatible, secrets via Secrets Manager |
| Backward compatibility | ✅ Defaults preserve current behavior |
| Regression risk | 🟢 Low |
| Correctness — Docker/ECR path | 🟢 Looks good (and verified by author) |
| Correctness — UI/npm path | 🔴 NpmRegistryUrl not wired to UICodeBuildProject; no VpcConfig on UI build either |
| Security | 🟢 NoEcho on parent UvIndexUrl, scoped IAM; ⚠ mirror NoEcho in child template |
| CFN quality | 🟡 Missing Rules for co‑dependent params |
| Docs | 🔴 Broken links to deleted file; 🟡 PR description doesn't match implementation |
| Tests | 🟡 Only one happy‑path manual test; cfn-lint run unknown |
| History hygiene | 🟡 Author identity malformed; unrelated dompurify patches included |
Must‑fix before merge
- Wire
NpmRegistryUrlintoUICodeBuildProject(or explicitly scope it out and remove the param) — otherwise it's a broken promise. - Either also VpcConfig
UICodeBuildProjectunderUseCodeBuildVpc, or document clearly that UI build still needs internet. - Fix broken
./artifactory-dependency-workaround.mdlinks indocs/deployment-private-network.md. - Update PR description to match implemented parameter names.
- Add
NoEcho: trueonUvIndexUrlinpatterns/unified/template.yaml. - Fix author identity so commits are attributable.
Should‑fix before merge
- Add CFN
RulesenforcingCodeBuildVpcId↔CodeBuildSubnetIds/CodeBuildSecurityGroupIdandArtifactoryDockerUrl↔ArtifactoryCredentialsSecretArnco‑dependency. - Squash the two no‑op dompurify commits out of the branch (or rebase on current
develop). - Run
cfn-linton both templates and paste output. - Add a short integration test summary to the PR body (which scenarios were deployed and verified).
Nice‑to‑have
- Centralize the
uvversion string in one place. - Document the generated
airgapped-params-<region>.envfile in the script's docs section.
Once items 1–6 are addressed, this would be in good shape to review for merge. I'd be glad to help with any of the fixes — let me know and toggle to Act mode if you want me to push a commit against this branch (or draft a review comment for the PR).
Summary
Adds full support for deploying the IDP Accelerator in private network / air-gapped environments where CodeBuild cannot reach the internet and all dependencies must come from internal registries (Artifactory, private ECR, etc.).
Changes
Infrastructure (
template.yaml,patterns/unified/template.yaml)PrivateRegistryUrl,PrivateEcrRegistryUrl,AirgappedCodeBuild,CodeBuildVpcId,CodeBuildSubnetIds,CodeBuildSecurityGroupIdsAirgappedCodeBuild=true, CodeBuild runs inside the customer's VPC with access to internal registries onlyBuild (
Dockerfile.optimized,patterns/unified/buildspec.yml)Dockerfile.optimizedacceptsPRIVATE_REGISTRY_URLandPRIVATE_ECR_REGISTRY_URLbuild args, substitutingghcr.io/astral-sh/uvandpublic.ecr.aws/lambda/pythonwith internal equivalents when setbuildspec.ymlpasses private registry args to Docker and configurespip/uv/npmto use Artifactory whenPRIVATE_REGISTRY_URLis setSetup Script (
scripts/setup-airgapped-codebuild.sh)Documentation (
docs/deployment-private-network.md,docs/artifactory-dependency-workaround.md)deployment-private-network.md— new air-gapped CodeBuild section with step-by-step deployment instructions and full parameter reference tableartifactory-dependency-workaround.md— new Option 5: Automated Manifest Generation section documenting the approach proposed in PR Bump axios in /src/ui #1 (generate_lockfiles.py) as the recommended pre-step for seeding Artifactory; updated decision guide and quick referenceTest Plan
AirgappedCodeBuild=trueand valid VPC/subnet/SG IDs — verify CodeBuild runs inside VPCsetup-airgapped-codebuild.shon a bridge machine — verify Docker images and packages are uploaded to internal registriesdocs/artifactory-dependency-workaround.mdOption 5 section matches PR Bump axios in /src/ui #1's implementation