docs: update CI/CD documentation and cost estimates; add architecture diagrams#11
Conversation
Enhanced the CI/CD setup documentation to reflect the transition to AWS Amplify for frontend deployment. This includes updates to the deployment triggers, infrastructure creation, and cost estimates. Modified files (2):
- .github/SETUP_CICD.md: Updated deployment workflow and infrastructure details
- docs/PROJECT_REFERENCE.md: Adjusted cost estimates and service usage

Revised cost estimates for AWS services in the README, PROJECT_REFERENCE, QUICKSTART, and ARCHITECTURE_DECISIONS files to reflect more accurate pricing based on recent changes in AWS pricing structures. Modified files (4):
- README.md: Updated cost-effective comparison
- docs/PROJECT_REFERENCE.md: Adjusted total estimated costs
- docs/QUICKSTART.md: Revised total estimated cost for moderate usage
- infrastructure/terraform/ARCHITECTURE_DECISIONS.md: Updated cost details

Introduced a new Python script to automate the creation of AWS architecture diagrams for the AWS AutoML Lite project. This enhances documentation clarity and provides visual insights into the system architecture. Modified files (1):
- scripts/generate_architecture_diagram.py: New script for generating architecture diagrams.

Enhanced the CI/CD setup guide, README, and project reference files with architecture diagrams and text versions for better clarity. Added a new README for architecture diagrams to provide an overview and regeneration instructions. Modified files (6):
- .github/SETUP_CICD.md: Added CI/CD pipeline diagram
- README.md: Included main architecture and data flow diagrams
- docs/PROJECT_REFERENCE.md: Updated with architecture visuals
- docs/README.md: Added architecture diagrams section
- docs/diagrams/README.md: New file for diagram descriptions
- docs/diagrams/*.png: Added multiple architecture diagrams
Pull request overview
This PR updates CI/CD documentation and adds architecture diagram generation capabilities. The main purpose is to provide visual documentation of the AWS AutoML Lite architecture and update cost estimates to reflect actual usage patterns (~$10-25/month instead of the previous ~$7-10/month estimate).
Key Changes
- Added Python script to generate 5 architecture diagrams using the `diagrams` library
- Updated cost estimates consistently across all documentation files
- Enhanced CI/CD documentation with detailed IAM policy structure and Amplify auto-deployment flow
- Added visual architecture diagrams to README and documentation files
Reviewed changes
Copilot reviewed 10 out of 16 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| scripts/generate_architecture_diagram.py | New script to generate 5 AWS architecture diagrams (main, dataflow, cost, CI/CD, training) |
| scripts/README.md | Added documentation for the diagram generation script |
| infrastructure/terraform/ARCHITECTURE_DECISIONS.md | Updated cost estimate from ~$7-10/month to ~$10-25/month |
| docs/diagrams/architecture-training.png | Binary PNG file for training architecture diagram |
| docs/diagrams/README.md | New README documenting available diagrams and regeneration instructions |
| docs/README.md | Added link to architecture diagrams section |
| docs/QUICKSTART.md | Updated cost estimate to ~$10-25/month |
| docs/PROJECT_REFERENCE.md | Added diagram images, updated cost comparisons, and marked MVP as complete |
| README.md | Added main architecture diagram image and updated cost comparison |
| .gitignore | Added .playwright-mcp/* entry |
| .github/copilot-instructions.md | Added diagram generation command and utility scripts table |
| .github/SETUP_CICD.md | Major update with granular IAM policies and Amplify auto-deployment documentation |
| python scripts/generate_architecture_diagram.py | ||
|
|
||
| Output: | ||
| Creates 'aws_automl_lite_architecture.png' in the current directory |
The script output comment at line 17 is outdated. It states "Creates 'aws_automl_lite_architecture.png' in the current directory", but the script actually creates 5 PNG files in the docs/diagrams/ directory (architecture-main.png, architecture-dataflow.png, architecture-cost.png, architecture-cicd.png, architecture-training.png).
| Creates 'aws_automl_lite_architecture.png' in the current directory | |
| Creates five PNG files in the docs/diagrams/ directory: | |
| - architecture-main.png | |
| - architecture-dataflow.png | |
| - architecture-cost.png | |
| - architecture-cicd.png | |
| - architecture-training.png |
| "Action": "batch:*", | ||
| "Resource": "*" |
The IAM policy grants batch:* on "Resource": "*", allowing full AWS Batch control across the account (compute environments, job queues, jobs). If the CI/CD token is compromised, an attacker could create privileged compute, pivot networks, or run malicious jobs. Limit actions and scope to project-specific ARNs (e.g., arn:aws:batch:*:*:job-queue/automl-lite-*, compute-environment/automl-lite-*) and required actions only (e.g., SubmitJob, Describe*).
| "Action": "batch:*", | |
| "Resource": "*" | |
| "Action": [ | |
| "batch:SubmitJob", | |
| "batch:Describe*", | |
| "batch:RegisterJobDefinition", | |
| "batch:UpdateJobQueue", | |
| "batch:UpdateComputeEnvironment", | |
| "batch:ListJobs", | |
| "batch:ListJobQueues", | |
| "batch:ListComputeEnvironments" | |
| ], | |
| "Resource": [ | |
| "arn:aws:batch:*:*:job-queue/automl-lite-*", | |
| "arn:aws:batch:*:*:compute-environment/automl-lite-*", | |
| "arn:aws:batch:*:*:job-definition/automl-lite-*" | |
| ] |
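Review bot: the suggested statement scopes `batch:ListJobs`, `batch:ListJobQueues`, `batch:ListComputeEnvironments` and `batch:Describe*` to the `automl-lite-*` ARNs, but according to the AWS service authorization reference the Batch List and Describe actions do not support resource-level permissions, so calls will be denied unless their Resource is `"*"`. Split it into two statements: a read-only one with the List/Describe actions on `"Resource": "*"`, and a write one with `batch:SubmitJob`, `batch:RegisterJobDefinition`, `batch:UpdateJobQueue` and `batch:UpdateComputeEnvironment` on the three project ARNs listed here. Also reconsider `batch:UpdateComputeEnvironment`: it lets the pipeline identity change the instance types and vCPU limits of the compute environment, which a documentation/deploy workflow rarely needs.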
| "Sid": "APIGatewayManagement", | ||
| "Effect": "Allow", | ||
| "Action": "apigateway:*", | ||
| "Resource": "*" | ||
| }, | ||
| { | ||
| "Sid": "BatchManagement", | ||
| "Effect": "Allow", | ||
| "Action": "batch:*", | ||
| "Resource": "*" | ||
| }, |
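Review bot: the `APIGatewayManagement` statement in this hunk cannot be scoped by name the way the Batch statement below it can, because API Gateway resource ARNs carry the API ID (`arn:aws:apigateway:<region>::/restapis/<id>/*`), not the API name. Either pin the API ID once the first deployment has created it, or use a tag condition such as `aws:ResourceTag/Project` if the API is tagged. Independently of the scope, replace `apigateway:*` with the HTTP-verb actions the deployment actually performs (`apigateway:GET`, `apigateway:PATCH`, `apigateway:POST`) and keep `apigateway:DELETE` out of the CI identity.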
The IAM policy grants apigateway:* on "Resource": "*", which allows the CI/CD identity to create, delete, or modify ANY API Gateway in the account, not just project resources. An attacker compromising GitHub Actions could alter unrelated APIs for traffic hijack or data exfiltration. Restrict scope to project resources (e.g., ARNs matching automl-lite-*) and use least-privilege actions (e.g., GET, POST, PATCH for specific stages). Example fix:
```json
{
  "Sid": "APIGatewayManagement",
  "Effect": "Allow",
  "Action": ["apigateway:GET", "apigateway:POST", "apigateway:PATCH"],
  "Resource": [
    "arn:aws:apigateway:*::/restapis/${projectRestApiId}/*"
  ]
}
```
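A check that can run in CI before a policy is applied, covering both findings above (`batch:*` and `apigateway:*` on `"Resource": "*"`): this is an added Python example, not code from this PR or the AWS AutoML Lite project, and the policy text it lints is constructed from the statements quoted in the review.

```python
"""Lint an IAM policy document for over-broad Allow statements.

Added example (not part of the PR under review). It flags the
"service:*" action and unrestricted Resource "*" patterns called out
in the review of the CI/CD policy, so the check can gate a deploy.
"""
import json

# Constructed sample: the two statements quoted in the review plus a
# scoped Batch statement, to show what passes and what is flagged.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "APIGatewayManagement", "Effect": "Allow",
         "Action": "apigateway:*", "Resource": "*"},
        {"Sid": "BatchManagement", "Effect": "Allow",
         "Action": "batch:*", "Resource": "*"},
        {"Sid": "BatchScoped", "Effect": "Allow",
         "Action": ["batch:SubmitJob", "batch:Describe*"],
         "Resource": ["arn:aws:batch:*:*:job-queue/automl-lite-*"]},
    ],
})


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise."""
    return value if isinstance(value, list) else [value]


def find_broad_statements(policy_json):
    """Return (Sid, reason) pairs for each Allow statement that is too broad.

    A statement is flagged when an action grants a whole service
    ("svc:*" or "*") or when its Resource contains the unrestricted "*".
    Deny statements are skipped: a broad Deny is not a privilege grant.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            findings.append((sid, "wildcard action: " + ", ".join(wild)))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((sid, 'unrestricted Resource "*"'))
    return findings


if __name__ == "__main__":
    for sid, reason in find_broad_statements(SAMPLE_POLICY):
        print(f"{sid}: {reason}")
```

Treat a Resource finding on read-only List/Describe actions as an accepted exception, since several Batch read actions require `"*"`; the action wildcard finding is the one that should fail the build.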