Merge pull request #91 from awslabs/fix/codebuild-remove-git-dependency

kaleko · web-flow · commit ab052109b982 · 2026-06-11T09:32:54.000-04:00
Remove git dependency from CodeBuild deployment script
diff --git a/docs/DEPLOYMENT.md b/docs/DEPLOYMENT.md
@@ -6,7 +6,9 @@ This guide walks you through deploying the Fullstack AgentCore Solution Template
 
 ## Prerequisites
 
-Before deploying, ensure you have:
+> **Note:** If you prefer not to install local tooling, see [Option B: Deploy via CodeBuild](#option-b-deploy-via-codebuild) — requires only Python 3.11+ and AWS CLI.
+
+For local deployment (Option A), ensure you have:
 
 - **Node.js 20+** installed (see [AWS guide for installing Node.js on EC2](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-up-node-on-ec2-instance.html))
 - **AWS CLI** configured with credentials (`aws configure`) - see [AWS CLI Configuration guide](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html)
@@ -146,7 +148,8 @@ The CDK stack auto-creates a security group for the AgentCore Runtime. This same
 ## Deployment Steps
 
 ### TL;DR version
-Here are the commands to deploy backend and frontend:
+
+**Full local setup (Node.js + Docker + CDK):**
 ```bash
 cd infra-cdk
 npm install
@@ -156,15 +159,14 @@ cd ..
 python scripts/deploy-frontend.py
 ```
 
-### Deploy Without Local Tooling (via CodeBuild)
-
-If you don't have Node.js, Docker, or CDK installed locally, you can deploy entirely in the cloud using a temporary CodeBuild project. Requires only Python 3.8+ and AWS CLI:
-
+**No local tooling (just Python + AWS CLI):**
 ```bash
 python scripts/deploy-with-codebuild.py
 ```
 
-See `scripts/README.md` for details and required IAM permissions.
+### Option A: Deploy Locally (CDK + Docker)
+
+This path requires the full set of prerequisites listed above (Node.js, Docker, CDK, Python).
 
 ### 1. Install Dependencies
 
@@ -248,6 +250,24 @@ You will see the URL for application in the script's output, which will look sim
 1. Sign in with the Cognito user you created
 1. You'll be prompted to change your temporary password on first login
 
+---
+
+### Option B: Deploy via CodeBuild
+
+Requires only Python 3.11+, AWS CLI, and git — no Node.js, Docker, or CDK needed.
+
+1. Edit `infra-cdk/config.yaml` (see [Configuration](#configuration) above)
+2. Stage or commit your changes — only git-tracked or staged files are packaged for deployment. Untracked files are skipped and reported as a warning.
+3. Run:
+
+```bash
+python scripts/deploy-with-codebuild.py
+```
+
+The script packages your git-tracked source and runs the full CDK + frontend deploy in the cloud via CodeBuild, streaming logs to your terminal. On success, the build resources (project, IAM role, permission boundary, S3 bucket) are removed; on failure they are retained for debugging (the script prints the console URL and log group) and reused on the next run.
+
+See `scripts/README.md` for details and required IAM permissions.
+
 ## Post-Deployment
 
 ### Updating the Application
@@ -282,7 +302,9 @@ cd infra-cdk
 cdk destroy --force
 ```
 
-**Warning**: This will delete all data including S3 buckets created during deployment and ECR images.
+If you deployed via CodeBuild (Option B), its build resources are already removed on success (or on the next successful run) — only the deployed FAST stack above needs tearing down.
+
+**Warning**: `cdk destroy` will delete all data including S3 buckets created during deployment and ECR images.
 
 ## Troubleshooting
 
diff --git a/infra-cdk/lib/backend-stack.ts b/infra-cdk/lib/backend-stack.ts
@@ -929,6 +929,8 @@ export class BackendStack extends cdk.NestedStack {
 
     const cedarPolicyLambda = new PythonFunction(this, "CedarPolicyLambda", {
       runtime: lambda.Runtime.PYTHON_3_13,
+      // ARM_64 required — avoids cross-platform (amd64-on-arm) bundling failures.
+      architecture: lambda.Architecture.ARM_64,
       entry: path.join(__dirname, "..", "lambdas", "cedar-policy"),
       handler: "handler",
       timeout: cdk.Duration.minutes(14),
diff --git a/scripts/README.md b/scripts/README.md
@@ -55,22 +55,24 @@ change anything:
 
 ### CodeBuild Deployment
 
-- `deploy-with-codebuild.py` - Deploys the entire FAST stack (backend + frontend) using an ephemeral CodeBuild project. No local Node.js, Docker, CDK, or npm required — only Python 3.8+ and AWS CLI.
+- `deploy-with-codebuild.py` - Deploys the entire FAST stack (backend + frontend) using a CodeBuild project. No local Node.js, Docker, CDK, or npm required — only Python 3.11+, AWS CLI, and git.
 
 ```bash
 python scripts/deploy-with-codebuild.py
 ```
 
-Creates temporary AWS resources (S3 bucket, IAM role with permission boundary, CodeBuild project), runs the full deployment in the cloud, streams logs to your terminal, and cleans up all temporary resources on exit.
+Packages your git-tracked source and runs the full deployment in the cloud via a CodeBuild project, streaming logs to your terminal. On a **successful** build, all created resources (S3 source bucket, CodeBuild project, IAM role, permission boundary) are removed. On a **failed** build, they are retained for debugging and reused on the next run.
 
-The temporary IAM role is created with `AdministratorAccess` but constrained by a permission boundary that explicitly denies dangerous actions such as `iam:CreateUser`, `iam:CreateAccessKey`, `organizations:*`, and others. This prevents privilege escalation even if the build is compromised.
+Only git-tracked or staged files are deployed — stage or commit first, as untracked files are skipped with a warning. This does not remove your deployed FAST stack; for that, run `cd infra-cdk && cdk destroy`.
+
+The IAM role has `AdministratorAccess` constrained by a permission boundary that denies dangerous actions (`iam:CreateUser`, `iam:CreateAccessKey`, `organizations:*`, etc.) to prevent privilege escalation.
 
 Your IAM user/role needs these permissions to run the script:
 
-- `s3:CreateBucket`, `s3:DeleteBucket`, `s3:PutObject`, `s3:DeleteObject`
+- `s3:CreateBucket`, `s3:DeleteBucket`, `s3:PutObject`, `s3:DeleteObject`, `s3:PutLifecycleConfiguration`
 - `iam:CreateRole`, `iam:DeleteRole`, `iam:AttachRolePolicy`, `iam:DetachRolePolicy`
 - `iam:CreatePolicy`, `iam:DeletePolicy`
-- `codebuild:CreateProject`, `codebuild:StartBuild`, `codebuild:BatchGetBuilds`
+- `codebuild:CreateProject`, `codebuild:DeleteProject`, `codebuild:StartBuild`, `codebuild:BatchGetBuilds`
 - `logs:GetLogEvents`
 - `sts:GetCallerIdentity`
 
@@ -79,7 +81,7 @@ Your IAM user/role needs these permissions to run the script:
 ## Requirements
 
 - AWS CLI configured with appropriate permissions
-- Python 3.8+ (standard library only, no pip install needed for deployment)
+- Python 3.11+ (standard library only, no pip install needed for deployment)
 - Node.js and npm (for frontend build)
 - CDK stack deployed with the required outputs:
   - `CognitoClientId`
diff --git a/scripts/deploy-with-codebuild.py b/scripts/deploy-with-codebuild.py
