feat: CDK re-write --DO NOT MERGE-- #328
base: staging
Added pre-commit hooks and other validation tools for this process
ASH Security Scan Report

Scan Metadata

Summary

Scanner Results

The table below shows findings by scanner, with status based on severity thresholds and dependencies:

Top 10 Hotspots

Files with the highest number of security findings:

Detailed Findings

20 of 43 actionable findings shown:
- Finding 1: CKV_DOCKER_3
- Finding 2: CKV_DOCKER_2
- Finding 3: CKV_DOCKER_3
- Finding 4: CKV_DOCKER_2
- Finding 5: CKV_DOCKER_3
- Finding 6: CKV_DOCKER_2
- Finding 7: CKV_DOCKER_3
- Finding 8: CKV_DOCKER_2
- Finding 9: CKV_DOCKER_2
- Finding 10: CKV_DOCKER_3
- Finding 11: CKV_DOCKER_7
- Finding 12: CKV_DOCKER_2
- Finding 13: CKV_DOCKER_3
- Finding 14: CKV2_GHA_1
- Finding 15: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
- Finding 16: dockerfile.security.missing-user.missing-user
- Finding 17: dockerfile.security.missing-user.missing-user
- Finding 18: go.lang.security.audit.net.use-tls.use-tls
- Finding 19: go.lang.security.audit.crypto.math_random.math-random-used
- Finding 20: yaml.docker-compose.security.no-new-privileges.no-new-privileges

Report generated by Automated Security Helper (ASH) at 2025-08-22T14:49:19+00:00
added PipelineArn output so initial Codebuild can succeed
…to CodeBuildStep
- Remove CONFIG_BUCKET_KEY environment variable and replace with dynamic S3 key path construction
- Add WORKING_FOLDER environment variable for configurable working directory
- Update CDKPipeline interface to use workingFolder instead of configBucketKey
- Replace ShellStep with CodeBuildStep for synthesis with Node.js 22.x runtime
- Add proper build environment configuration and CodeBuild defaults
- Grant read permissions to config bucket for pipeline role

- Add Lambda execution role with S3 permissions for bucket cleanup
- Add Lambda function to empty S3 bucket on stack deletion
- Add custom resource to trigger bucket cleanup during CloudFormation deletion
- Change S3 bucket versioning from Enabled to Suspended
- Update .gitignore to exclude .ash/ash_output directory
Changed CDK pipeline stack name from 'CDKPipeline' to 'OneObservabilityWorkshopPipeline' in workshop.ts
…s character
- Fixed S3 bucket policy resource reference in codebuild-deployment-template.yaml by correcting the order of bucket ARN references
- Removed erroneous 'q' character from buildspec command in the same template file

- Rename bucket cleanup components to generic resource cleanup functionality
- Extend cleanup to handle EventBridge rules and Lambda permissions
- Migrate Lambda functions from Node.js 22.x to Python 3.13 runtime
- Replace static EventBridge rule with dynamic rule creation during build
- Update IAM policies for EventBridge and Lambda cleanup permissions
- Fix S3 resource ARN reference format
- Remove static resources in favor of dynamic creation approach
Reformatted CloudFormation template YAML syntax by converting quoted strings to unquoted format, changing description block style from folded to literal, expanding inline conditional statements to multi-line format, and adding explicit function name to Lambda resource to prevent circular dependency.
- Add docs/ folder with README, CHANGELOG, and detailed template documentation
- Add architecture and deployment flow diagrams (PNG files)
- Add template documentation with implementation details, retry handling, and troubleshooting
- Add templates folder README with quick start guide
- Add new simplified CodeBuild deployment template with intelligent retry handling
- Enhance IAM permissions in original template with S3 bucket access policies and CFN-NAG suppressions

* fix: improve CloudFormation signaling in CDK deployment template
  - Add explicit SUCCESS signal when pipeline monitoring detects completion
  - Prevent duplicate signaling in final success handling
  - Enhance logging for better visibility of signaling events
* fix: replace CloudFormation signal-resource with direct wait handle URL calls
  Modified CloudFormation wait condition signaling mechanism in CodeBuild deployment template. Replaced direct aws cloudformation signal-resource commands with curl-based HTTP PUT requests to wait condition handle URLs. Changes include:
  - Retrieving wait condition handle URL using describe-stack-resource command
  - Using curl to send SUCCESS/FAILURE signals with JSON payload containing status, reason, unique ID, and data fields
  - Applied to both success and failure signaling paths in the deployment process
* feat: add core infrastructure stage with enhanced configuration
  - Enhanced environment configuration with comprehensive documentation and type definitions
  - Added core infrastructure stage with VPC creation and networking setup
  - Improved pipeline structure with stage sequencing and tagging support
  - Updated CDK-nag suppressions for better compliance handling
  - Added comprehensive JSDoc documentation across all modified files
  - Restructured application entry point with better configuration management
* feat: add CloudTrail construct with CloudWatch integration
  - Added CloudTrail construct with CloudWatch logs integration and anomaly detection (92 lines)
  - Updated environment configuration with CloudTrail integration (8 lines)
  - Enhanced workshop configuration with CloudTrail support (2 lines)
  - Updated main index with CloudTrail exports (1 line)
  - Modified pipeline configuration for CloudTrail deployment (2 lines)
  - Extended core stage with CloudTrail trail setup (15 lines)
---------
Co-authored-by: Rafael Pereyra <rapg@amazon.com>

- Add explicit SUCCESS signal when pipeline monitoring detects completion
- Prevent duplicate signaling in final success handling
- Enhance logging for better visibility of signaling events

* refactor: improve CloudTrail construct configuration
  - Remove unused imports (DataResourceType, ReadWriteType)
  - Add includeLambdaEvents property to interface
  - Remove unused cloudTrailRole variable assignment
  - Replace custom S3 event selector with logAllS3DataEvents() method
  - Add Lambda data events logging when includeLambdaEvents is enabled
* fix: improve pipeline retry logic in codebuild template
  - Added RETRY_LOOP_COUNT and MAX_RETRY_LOOPS variables for better retry tracking
  - Enhanced retry mechanism to distinguish between execution retries and loop retries
  - Reset retry loop counter when new pipeline execution is detected
  - Updated error messages to reflect the new retry loop logic
  - Changed maximum retry logic to use retry loops instead of execution count
* feat: enhance logging capabilities for CloudTrail and VPC networking
  - Add unique resource naming for CloudTrail log groups to prevent conflicts
  - Implement configurable VPC Flow Logs with comprehensive log format
  - Add DNS Query Resolver Logs functionality for VPC
  - Enable optional log retention configuration across constructs
  - Update Core stack to enable logging features by default
* fix: correct core stage tags structure in CDK pipeline
  Modified the core stage properties handling to properly wrap tags in a tags property instead of spreading them directly into the properties object. This ensures proper tag structure for the CoreStage constructor.
* feat: add local development setup and enhance contributing guidelines
  - Added Apache-2.0 license header to CONTRIBUTING.md
  - Enhanced CONTRIBUTING.md with comprehensive documentation for security scanning, pre-commit hooks, and local development setup
  - Added new local CDK application entry point (src/cdk/bin/local.ts) for faster development workflow
---------
Co-authored-by: Rafael Pereyra <rapg@amazon.com>

…nt tooling
- Updated CONTRIBUTING.md with additional content (22 lines added)
- Added new environment sample file (.env.sample) with 9 lines
- Enhanced environment.ts configuration with 45 new lines
- Extended local.ts deployment script with additional functionality
- Added CloudTrail construct enhancements (12 lines)
- Minor updates to network construct (2 lines)
- Updated pipeline configuration (5 lines modified)
- Created new applications stage with comprehensive setup (150 lines)
- Added deployment check script with validation logic (66 lines)

* feat: integrate applications pipeline stage with CDK pipeline
  - Add APPLICATION_LIST import and configuration to workshop.ts
  - Enhance CDKPipeline with applicationList property and ApplicationsPipelineStage
  - Extract bucket key configuration to variable for reusability
  - Add comprehensive documentation and type definitions to applications.ts
  - Integrate Applications stage into main pipeline with proper tagging and source configuration
* refactor: organize pipeline stages into Core wave
  Modified pipeline.ts to organize deployment stages into a wave structure. Added a 'Core' wave and moved both the Core stage and Applications stage into this wave for better deployment organization and sequencing.
* docs: standardize JSDoc parameter names and configure TypeDoc
  - Update constructor parameter documentation from 'props' to 'properties' in CloudTrail and Network constructs
  - Add dedicated TypeDoc configuration for CDK documentation generation
  - Update root TypeDoc configuration to reference CDK entry point and README
* feat: add RemovalPolicy.DESTROY to CloudTrail LogGroup
  Modified CloudTrail construct to add RemovalPolicy.DESTROY to the CloudWatch Logs LogGroup and imported RemovalPolicy from aws-cdk-lib.
---------
Co-authored-by: Rafael Pereyra <rapg@amazon.com>
* From Aurora serverless to Instance (#327)
* Switch from serverless v2 to instances
* Bump aurora version
* Ignore editor settings
* Add action for CDK tests
* Export reader endpoint
* Update tests
* Remove unit, merge lint and synth
* Skip docker builds on unrelated changes
* Update petlist to use aurora reader endpoint
* Bump versions
* Bump CDK version
* feat: add comprehensive infrastructure constructs and deployment stages
  - Modified environment configuration files (environment.ts, local.ts, workshop.ts) to add new deployment configurations
  - Added new construct files for assets, database, DynamoDB, and queue infrastructure components
  - Enhanced network construct with additional networking capabilities
  - Updated pipeline configuration with new stages and deployment logic
  - Added new compute stage for application deployment
  - Renamed applications.ts to containers.ts with updated container deployment logic
  - Added new storage stage for data persistence infrastructure
  - Total: 643 additions, 24 deletions across 12 files
* feat: upgrade container images and database version
  - Update all Dockerfiles to use AWS ECR Public Gallery base images
  - Upgrade Aurora PostgreSQL from v13.20 to v16.8
  - Update pre-commit hook versions (mypy v1.17.1, cfn-python-lint v1.38.2, ASH v3.0.0)
  - Enhance database construct with configurable instance types and CDK NAG suppressions
  - Add utility functions for CDK infrastructure
  - Improve deployment check script with enhanced validation
* build: update Python base image to ECR public registry
  Modified PetAdoptions/petadoptionshistory-py/Dockerfile to update the base Python image from python:3.8 to public.ecr.aws/docker/library/python:3.8.20-bullseye.
* feat: add compute infrastructure with ECS and EKS support
  - Add ECS cluster construct with auto scaling group and security group
  - Add EKS cluster construct with managed node groups and add-ons
  - Create microservice base class and ECS service implementation
  - Add pay-for-adoption microservice with database integration
  - Enhance network construct to disable public IP mapping
  - Update queue construct with CloudFormation exports for resource sharing
  - Add compute stage to pipeline with ECS and EKS deployment
  - Include kubectl v33 layer dependency for EKS operations
  - Add applications stage structure for microservices deployment
* feat: add serverless microservices and enhance CDK infrastructure
  - Add new Lambda construct for serverless functions
  - Create serverless status-updater construct
  - Add new microservices: list-adoptions, pet-search, and traffic-generator
  - Enhance pay-for-adoption microservice with additional features
  - Update database and DynamoDB constructs with expanded functionality
  - Refactor ECS service construct with improved configuration
  - Enhance microservice construct with expanded capabilities
  - Significantly expand applications stage with new service integrations
  - Update environment and local configuration with enhanced setup
  - Add utility functions for improved helper capabilities
* feat: add VPC endpoints and enhance API Gateway security
  - Add VPC endpoints construct for API Gateway, DynamoDB, and Lambda services
  - Configure status updater API Gateway as private endpoint with VPC endpoint policy
  - Add request authorizer and access logging to API Gateway
  - Include CDK NAG suppressions for security compliance
  - Export VPC endpoint IDs for cross-stack references
  - Integrate VPC endpoints into network construct and applications stack
* feat: add EKS support and petsite microservice
  - Added new constants file and EKS deployment construct for better configuration management
  - Created new petsite microservice with Kubernetes deployment manifest
  - Enhanced EKS construct with additional deployment capabilities
  - Updated microservice construct to support both ECS and EKS deployments
  - Modified application stage to integrate new petsite service
  - Updated development configuration with new VS Code launch settings
  - Refined utility functions and updated project dependencies
  - Updated pre-commit configuration and prettier ignore rules
* docs: add comprehensive architecture documentation and diagrams
  - Add detailed architecture.md covering system overview, deployment stages, microservices architecture, and observability components
  - Add 16 architectural diagrams illustrating complete system architecture, deployment stages, microservices structure, and observability setup
  - Update CDK constructs and microservices with minor code improvements and configuration adjustments
* feat: enhance observability demo with service discovery and configuration management
  - Add CloudMap namespace support for ECS service discovery
  - Implement SSM parameter outputs for assets, database, and DynamoDB
  - Enhance ECS service construct to support load balancer-less services
  - Add VPC endpoints for ServiceDiscovery with improved networking
  - Update microservice configurations with service discovery integration
  - Improve database construct with separate reader/writer endpoint outputs
  - Add EKS kubectl lambda role export for enhanced cluster management
  - Update Kubernetes manifests and application stage configurations
* feat: add microservices stage and standardize resource tagging
  - Add standardized tagging to all microservice classes with app:owner, app:project, app:name, app:computType, and app:hostType tags
  - Add MicroservicesStage to CDK pipeline with proper stage sequencing and tagging
  - Move QueueResources from StorageStack to CoreStack for better architectural organization
  - Update pipeline interface to include microservicesProperties parameter
  - Add missing Utilities import in traffic-generator.ts
* feat: add microservices configuration to CDK pipeline
  Added microservices configuration to CDK pipeline by importing MICROSERVICES_PLACEMENT and LAMBDA_FUNCTIONS from environment and passing them as microservicesProperties to the CDKPipeline constructor.
* feat: update CDK infrastructure and dependencies
  - Updated CDK TypeScript files across bin, lib/constructs, lib/stages, and lib/utils directories
  - Modified package.json and package-lock.json with dependency updates
  - Total: 8 files changed, 252 insertions, 272 deletions
* refactor: simplify deployment template architecture
  - Remove EventBridge-based pipeline monitoring system
  - Replace Lambda functions with direct CodePipeline status polling
  - Eliminate complex event-driven architecture for simpler inline monitoring
  - Remove codebuild-deployment-template-simplified.yaml file
  - Update documentation and container configurations
  - Streamline deployment process with reduced complexity
* fix: improve logging permissions and autoscaling group tagging
  - Update pipeline log ARN to use wildcard pattern for broader log group access
  - Simplify CloudWatch logs policy resources configuration
  - Add PropagateAtLaunch support for AutoScaling Group tags
  - Improve code formatting in utilities
* docs: add comprehensive JSDoc documentation to CDK infrastructure
  - Added module-level documentation with package descriptions for all 6 files
  - Enhanced interface and class documentation with detailed parameter descriptions
  - Documented enums, constants, and configuration objects throughout
  - Added inline comments for improved code readability
  - Improved constructor and method documentation with parameter and return types
* docs: restructure documentation and add automated generation
  - Added GitHub Actions workflow for documentation generation
  - Updated .gitignore to exclude documentation build artifacts
  - Updated pre-commit configuration
  - Moved CHANGELOG.md from docs/ to root directory
  - Removed diagram documentation and PNG files from docs/diagrams/
  - Added new modules documentation file
  - Enhanced list-adoptions microservice with improved error handling
  - Updated containers stage with additional configuration
  - Enhanced TypeDoc configuration files with better documentation settings
---------
Co-authored-by: Rodrigue Koffi <bonclay7@users.noreply.github.com>
Co-authored-by: Rafael Pereyra <rapg@amazon.com>
Added instrumentation.opentelemetry.io/inject-dotnet annotation to enable automatic .NET instrumentation injection for the petsite deployment.
- Update all path references from PetAdoptions/cdk/pet_stack/ to src/cdk/
- Update cache paths and working directories to match new structure
- Add environment file setup step to copy .env.example to .env before CDK synth
- Maintain all existing workflow functionality with updated paths

- Extended build-test.yml and cdk-test.yml workflows to trigger on both main and staging branches
- Refactored docs.yml workflow to separate build and deploy jobs, with deployment only occurring on main branch pushes
- Added conditional logic to prevent staging branch changes from deploying to GitHub Pages
Move environment file copy operation from CDK synth step to separate earlier step for better workflow organization
Update appsettings
* fix: explicitly passed account and region to all stacks
* fix: typo on account number variable
* fix: added missing permissions for Synth stage
* fix: added missing permissions for Synth stage (2)
* fix: added missing permissions for Synth stage (3)

* Update gitignore to include missing css
* Add footer thanking Amazon Q Developer
* Added footer and made font consistent to Roboto

* Update gitignore to include missing css
* Add footer thanking Amazon Q Developer
* Added footer and made font consistent to Roboto
* Add Clear cart functionality
Petfood improvements
impr: Reduce petfood ecr size
fix: petfood docker missing dependencies
fix(petfood): Regressions in petfood definition
* Fix cdk stack
* Restore running tests
* Temporary remove paths filters
* Update paths
* Update paths
* Drop dead code
* Provide env for cdk tests

* Add missing bootstrap files
* Fix food image url

* Fix pettype filtering
* fix tests
* Drop unused code
* Improve image path handling with CDN/S3 config
* Update tests
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.