Merged
38 changes: 30 additions & 8 deletions docs/DEPLOYMENT.md
Expand Up @@ -6,7 +6,9 @@ This guide walks you through deploying the Fullstack AgentCore Solution Template

## Prerequisites

Before deploying, ensure you have:
> **Note:** If you prefer not to install local tooling, see [Option B: Deploy via CodeBuild](#option-b-deploy-via-codebuild) — requires only Python 3.11+ and AWS CLI.

For local deployment (Option A), ensure you have:

- **Node.js 20+** installed (see [AWS guide for installing Node.js on EC2](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-up-node-on-ec2-instance.html))
- **AWS CLI** configured with credentials (`aws configure`) - see [AWS CLI Configuration guide](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html)
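Review bot: the new prerequisites note says Option B "requires only Python 3.11+ and AWS CLI", but the Option B section and scripts/README.md in this same PR list git as a third requirement (the script only packages git-tracked or staged files, so a checkout without git cannot be deployed this way). Make the three statements agree, e.g. `— requires only Python 3.11+, AWS CLI, and git.`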
Expand Down Expand Up @@ -146,7 +148,8 @@ The CDK stack auto-creates a security group for the AgentCore Runtime. This same
## Deployment Steps

### TL;DR version
Here are the commands to deploy backend and frontend:

**Full local setup (Node.js + Docker + CDK):**
```bash
cd infra-cdk
npm install
Expand All @@ -156,15 +159,14 @@ cd ..
python scripts/deploy-frontend.py
```

### Deploy Without Local Tooling (via CodeBuild)

If you don't have Node.js, Docker, or CDK installed locally, you can deploy entirely in the cloud using a temporary CodeBuild project. Requires only Python 3.8+ and AWS CLI:

**No local tooling (just Python + AWS CLI):**
```bash
python scripts/deploy-with-codebuild.py
```

See `scripts/README.md` for details and required IAM permissions.
### Option A: Deploy Locally (CDK + Docker)

This path requires the full set of prerequisites listed above (Node.js, Docker, CDK, Python).

### 1. Install Dependencies

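Review bot: heading levels are off: `### Option A: Deploy Locally (CDK + Docker)` is immediately followed by `### 1. Install Dependencies` at the same level, so the numbered steps do not nest under Option A in the outline and `### Option B` later reads as a sibling of step 1 rather than of Option A. Demote the step headings to `####` (or promote the two options to `##`). The retained TL;DR label `**No local tooling (just Python + AWS CLI):**` also still omits git, which Option B now requires.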
Expand Down Expand Up @@ -248,6 +250,24 @@ You will see the URL for application in the script's output, which will look sim
1. Sign in with the Cognito user you created
1. You'll be prompted to change your temporary password on first login

---

### Option B: Deploy via CodeBuild

Requires only Python 3.11+, AWS CLI, and git — no Node.js, Docker, or CDK needed.

1. Edit `infra-cdk/config.yaml` (see [Configuration](#configuration) above)
2. Stage or commit your changes — only git-tracked or staged files are packaged for deployment. Untracked files are skipped and reported as a warning.
3. Run:

```bash
python scripts/deploy-with-codebuild.py
```

The script packages your git-tracked source and runs the full CDK + frontend deploy in the cloud via CodeBuild, streaming logs to your terminal. On success, the build resources (project, IAM role, permission boundary, S3 bucket) are removed; on failure they are retained for debugging (the script prints the console URL and log group) and reused on the next run.

See `scripts/README.md` for details and required IAM permissions.

## Post-Deployment

### Updating the Application
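Review bot: step 2 is ambiguous about tracked files with unstaged modifications: "only git-tracked or staged files are packaged" could mean the HEAD version of a tracked file is shipped even when the working copy (for example the `infra-cdk/config.yaml` edited in step 1) has unstaged changes, which would silently deploy the previous configuration. State explicitly whether working-tree contents or staged contents are packaged, and give the reader a pre-flight check before step 3, e.g. `git status --porcelain` showing no ` M` or `??` entries for files they expect to deploy. Minor: this list uses `1. 2. 3.` while the list just above it uses the `1. 1.` auto-numbering convention used elsewhere in the file.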
Expand Down Expand Up @@ -282,7 +302,9 @@ cd infra-cdk
cdk destroy --force
```

**Warning**: This will delete all data including S3 buckets created during deployment and ECR images.
If you deployed via CodeBuild (Option B), its build resources are already removed on success (or on the next successful run) — only the deployed FAST stack above needs tearing down.

**Warning**: `cdk destroy` will delete all data including S3 buckets created during deployment and ECR images.

## Troubleshooting

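Review bot: the teardown text says CodeBuild resources are removed "on success (or on the next successful run)", which leaves a gap: a user whose last Option B run failed and who then runs `cdk destroy` keeps an IAM role with `AdministratorAccess` (bounded, but still privileged), a permission-boundary policy, a CodeBuild project and an S3 bucket holding a copy of their source, with no instructions for removing them. Add a manual cleanup step here (or point at a cleanup mode of the script, if one exists) that names the retained resources so they are not forgotten after a failed run.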
2 changes: 2 additions & 0 deletions infra-cdk/lib/backend-stack.ts
Expand Up @@ -929,6 +929,8 @@ export class BackendStack extends cdk.NestedStack {

const cedarPolicyLambda = new PythonFunction(this, "CedarPolicyLambda", {
runtime: lambda.Runtime.PYTHON_3_13,
// ARM_64 required — avoids cross-platform (amd64-on-arm) bundling failures.
architecture: lambda.Architecture.ARM_64,
entry: path.join(__dirname, "..", "lambdas", "cedar-policy"),
handler: "handler",
timeout: cdk.Duration.minutes(14),
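Review bot: the comment `// ARM_64 required — avoids cross-platform (amd64-on-arm) bundling failures.` states the symptom without the cause. PythonFunction bundles dependencies in a Docker container selected to match `architecture`, so this line couples the Lambda's runtime architecture to whatever host runs `cdk deploy` (the ARM CodeBuild environment introduced in this PR, and developers on ARM Macs). Say that in the comment, and note that any dependency of `lambdas/cedar-policy` with native extensions must now provide aarch64 wheels, since the bundled artefact is installed for the ARM64 target rather than the host.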
14 changes: 8 additions & 6 deletions scripts/README.md
Expand Up @@ -55,22 +55,24 @@ change anything:

### CodeBuild Deployment

- `deploy-with-codebuild.py` - Deploys the entire FAST stack (backend + frontend) using an ephemeral CodeBuild project. No local Node.js, Docker, CDK, or npm required — only Python 3.8+ and AWS CLI.
- `deploy-with-codebuild.py` - Deploys the entire FAST stack (backend + frontend) using a CodeBuild project. No local Node.js, Docker, CDK, or npm required — only Python 3.11+, AWS CLI, and git.

```bash
python scripts/deploy-with-codebuild.py
```

Creates temporary AWS resources (S3 bucket, IAM role with permission boundary, CodeBuild project), runs the full deployment in the cloud, streams logs to your terminal, and cleans up all temporary resources on exit.
Packages your git-tracked source and runs the full deployment in the cloud via a CodeBuild project, streaming logs to your terminal. On a **successful** build, all created resources (S3 source bucket, CodeBuild project, IAM role, permission boundary) are removed. On a **failed** build, they are retained for debugging and reused on the next run.

The temporary IAM role is created with `AdministratorAccess` but constrained by a permission boundary that explicitly denies dangerous actions such as `iam:CreateUser`, `iam:CreateAccessKey`, `organizations:*`, and others. This prevents privilege escalation even if the build is compromised.
Only git-tracked or staged files are deployed — stage or commit first, as untracked files are skipped with a warning. This does not remove your deployed FAST stack; for that, run `cd infra-cdk && cdk destroy`.

The IAM role has `AdministratorAccess` constrained by a permission boundary that denies dangerous actions (`iam:CreateUser`, `iam:CreateAccessKey`, `organizations:*`, etc.) to prevent privilege escalation.

Your IAM user/role needs these permissions to run the script:

- `s3:CreateBucket`, `s3:DeleteBucket`, `s3:PutObject`, `s3:DeleteObject`
- `s3:CreateBucket`, `s3:DeleteBucket`, `s3:PutObject`, `s3:DeleteObject`, `s3:PutLifecycleConfiguration`
- `iam:CreateRole`, `iam:DeleteRole`, `iam:AttachRolePolicy`, `iam:DetachRolePolicy`
- `iam:CreatePolicy`, `iam:DeletePolicy`
- `codebuild:CreateProject`, `codebuild:StartBuild`, `codebuild:BatchGetBuilds`
- `codebuild:CreateProject`, `codebuild:DeleteProject`, `codebuild:StartBuild`, `codebuild:BatchGetBuilds`
- `logs:GetLogEvents`
- `sts:GetCallerIdentity`

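Review bot: the permission list is missing `iam:PassRole`: `codebuild:CreateProject` with a service role is rejected unless the caller may pass that role to codebuild.amazonaws.com, and emptying the source bucket before `s3:DeleteBucket` needs `s3:ListBucket`; since the script names the role it creates, scope the PassRole statement to that role rather than `*`. Separately, the reworded line `The IAM role has AdministratorAccess constrained by a permission boundary ...` drops the "even if the build is compromised" rationale from the old text, which is the whole point of the boundary and worth keeping, and `This does not remove your deployed FAST stack; ...` is unrelated to the git-staging sentence it now shares a paragraph with and belongs with the cleanup description above it.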
Expand All @@ -79,7 +81,7 @@ Your IAM user/role needs these permissions to run the script:
## Requirements

- AWS CLI configured with appropriate permissions
- Python 3.8+ (standard library only, no pip install needed for deployment)
- Python 3.11+ (standard library only, no pip install needed for deployment)
- Node.js and npm (for frontend build)
- CDK stack deployed with the required outputs:
- `CognitoClientId`
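Review bot: the bump from Python 3.8+ to 3.11+ is unexplained; say which script or standard-library feature needs 3.11 so users on distributions that still ship 3.9/3.10 know whether it affects only `deploy-with-codebuild.py` or every script in this directory. Also, `Node.js and npm (for frontend build)` sits in the same Requirements list as the CodeBuild path that explicitly needs no Node.js; mark it as applying to the local frontend build only.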