WIP

Author: Yuriy Bezsonov

.kiro/specs/infra/design.md

@@ -86,7 +86,7 @@ public class WorkshopStack extends Stack {
 
 **Vpc**: Creates VPC with appropriate subnets and networking configuration
 **Ide**: Creates VS Code IDE environment with necessary permissions
-**Eks**: Creates EKS cluster with AutoMode
+**Eks**: Creates EKS cluster with Auto Mode, v1.34, native add-ons (Secrets Store CSI, Mountpoint S3 CSI, Pod Identity Agent), and Access Entries
 **Database**: Configures RDS Aurora PostgreSQL cluster with universal "workshop-" naming convention
 **CodeBuild**: Creates CodeBuild project for AWS service-linked role creation
 **Roles**: Creates IAM roles and policies for workshop resources
@@ -199,8 +199,16 @@ Where:
 - `bootstrap.sh`: Full system setup, CloudWatch, environment variables, git clone, calls vscode.sh and template script
 - `vscode.sh`: Complete VS Code IDE setup (code-server, Caddy, configuration)
 - `base.sh`: Base development tools (for base template type)
+- `java-on-aws.sh`: Calls base.sh + EKS implementation (cluster setup, add-ons, storage classes)
 - Future template scripts will be added to `/ide` folder as needed
 
+#### Workshop Orchestration Pattern
+Workshop scripts follow a layered approach:
+1. **Base Layer**: `base.sh` provides foundational development tools (Java, Node.js, kubectl, Helm, etc.)
+2. **Workshop Layer**: Workshop-specific scripts (e.g., `java-on-aws.sh`) call base.sh then add specialized setup
+3. **Error Handling**: Each layer implements proper error handling and progress feedback
+4. **Verification**: Final verification ensures all tools and services are operational
+
 #### Configuration
 - **Template Type**: Configurable via `TEMPLATE_TYPE` environment variable (defaults to `base`)
 - **Git Branch**: Defined in code as `"main"`
@@ -436,6 +444,34 @@ public class BuildConfig {
 *For any* database resource created, it should use the "workshop-" prefix instead of workshop-specific naming
 **Validates: Requirements 12.1, 12.2, 12.3, 12.4, 12.5, 12.6**
 
+### Property 19: EKS Access Entry Configuration
+*For any* EKS cluster created, it should include Access Entry for WSParticipantRole with cluster admin permissions
+**Validates: Requirements 13.8**
+
+### Property 20: Workshop Script Orchestration
+*For any* java-on-aws workshop execution, it should first execute base.sh successfully before proceeding to EKS implementation
+**Validates: Requirements 17.1, 17.2**
+
+### Property 21: Workshop Error Handling
+*For any* workshop orchestration error, the system should halt execution and provide clear error messages indicating which phase failed
+**Validates: Requirements 17.3**
+
+### Property 22: Workshop Verification
+*For any* completed workshop setup, both base tools and EKS services should be verified as operational
+**Validates: Requirements 17.4**
+
+### Property 23: EKS Cluster Readiness Check
+*For any* EKS setup script execution, it should wait until kubectl get ns command works successfully before proceeding with resource deployment
+**Validates: Requirements 18.1**
+
+### Property 24: Kubectl Context Configuration
+*For any* EKS cluster setup, the system should update kubeconfig and add cluster to kubectl context
+**Validates: Requirements 18.2**
+
+### Property 25: Parallel Deployment Independence
+*For any* EKS cluster and database creation, they should depend only on VPC and deploy in parallel without unnecessary dependencies
+**Validates: Requirements 19.1, 19.2, 19.3**
+
 ## Error Handling
 
 ### Script Error Handling Strategy

.kiro/specs/infra/requirements.md

@@ -177,3 +177,93 @@ This document specifies the requirements for creating a new AWS workshop infrast
 5. WHEN database parameters are stored, THE system SHALL use "workshop-db-connection-string" in Parameter Store
 6. WHEN database name is specified, THE system SHALL use "workshop" as the database name instead of workshop-specific names
 
+### Requirement 13
+
+**User Story:** As a workshop developer, I want a standardized EKS cluster with universal naming and modern configuration using the latest CDK constructs, so that Kubernetes-based workshops have consistent infrastructure with current best practices and native CloudFormation resources.
+
+#### Acceptance Criteria
+
+1. WHEN EKS cluster is created, THE system SHALL use the EKS v2 developer preview construct from package "software.amazon.awscdk.services.eks.v2.alpha" for native CloudFormation resource support
+2. WHEN EKS cluster is created, THE system SHALL name it "workshop-cluster" for universal identification across workshop types
+3. WHEN EKS cluster is configured, THE system SHALL use version 1.34 for current Kubernetes features and security updates
+4. WHEN EKS cluster deploys, THE system SHALL enable Auto Mode with "system" and "general-purpose" node pools for automatic node management
+5. WHEN EKS cluster networking is configured, THE system SHALL place cluster in private subnets with public and private API access for security and flexibility
+6. WHEN EKS cluster logging is enabled, THE system SHALL activate all log types (api, audit, authenticator, controllerManager, scheduler) for comprehensive monitoring
+7. WHEN EKS cluster permissions are configured, THE system SHALL use Access Entries authentication mode instead of deprecated ConfigMap-based authentication
+8. WHEN EKS cluster access is configured, THE system SHALL create Access Entry for WSParticipantRole and IDE instance role with cluster admin permissions for workshop participant access
+
+### Requirement 14
+
+**User Story:** As a workshop developer, I want database secrets mounted as environment variables in Kubernetes pods using the AWS Secrets Store CSI Driver, so that applications can securely access database credentials without hardcoding them and without requiring External Secrets Operator.
+
+#### Acceptance Criteria
+
+1. WHEN EKS cluster is configured for secrets management, THE system SHALL use AWS Secrets Store CSI Driver add-on instead of External Secrets Operator for mounting secrets
+2. WHEN database secrets are mounted, THE system SHALL mount "workshop-db-secret" as environment variables in pods for database connection credentials
+3. WHEN database password is mounted, THE system SHALL mount "workshop-db-password-secret" as environment variables in pods for database authentication
+4. WHEN database connection string is mounted, THE system SHALL mount "workshop-db-connection-string" from Parameter Store as environment variables in pods for application configuration
+5. WHEN secrets access is configured, THE system SHALL use EKS Pod Identity with AWSSecretsManagerClientReadOnlyAccess managed policy for secure secrets retrieval
+6. WHEN SecretProviderClass is created, THE system SHALL define which secrets and parameters to mount as files and expose as environment variables in Kubernetes workloads
+
+### Requirement 15
+
+**User Story:** As a workshop developer, I want essential EKS add-ons and configurations for workshop functionality, so that participants have access to storage, ingress, S3 mounting, and proper workshop permissions without manual setup.
+
+#### Acceptance Criteria
+
+1. WHEN EKS cluster is configured for storage, THE system SHALL create GP3 StorageClass as default with encryption enabled for persistent volume claims since EKS Auto Mode does not provide encrypted GP3 by default
+2. WHEN EKS cluster is configured for ingress, THE system SHALL create ALB IngressClass and IngressClassParams resources for Application Load Balancer integration since EKS Auto Mode requires explicit IngressClass configuration
+3. WHEN EKS cluster is configured for secrets management, THE system SHALL install AWS Secrets Store CSI Driver add-on for mounting database secrets as environment variables
+4. WHEN EKS cluster is configured for S3 access, THE system SHALL install AWS Mountpoint S3 CSI driver add-on for S3 bucket mounting capabilities
+5. WHEN EKS cluster is configured for authentication, THE system SHALL install EKS Pod Identity Agent add-on for modern IAM authentication with AWS services
+6. WHEN EKS cluster is configured for workshop access, THE system SHALL grant WSParticipantRole cluster admin permissions via Access Entries for workshop participant access
+7. WHEN EKS cluster setup is complete, THE system SHALL verify all three add-ons (Secrets Store CSI Driver, Mountpoint S3 CSI Driver, Pod Identity Agent) are installed and functional before marking deployment as successful
+
+### Requirement 16
+
+**User Story:** As a workshop developer, I want a complete EKS add-on based architecture that eliminates Helm chart dependencies, so that the infrastructure uses only AWS-native managed services for simplified operations and maintenance.
+
+#### Acceptance Criteria
+
+1. WHEN EKS infrastructure is deployed, THE system SHALL use only EKS add-ons and eliminate all Helm chart installations for a fully AWS-native setup
+2. WHEN comparing to original infrastructure, THE system SHALL reduce Helm charts from 2 to 0 by converting External Secrets Operator and Mountpoint S3 CSI Driver to EKS add-ons
+3. WHEN EKS add-ons are installed, THE system SHALL configure AWS Secrets Store CSI Driver add-on to replace External Secrets Operator functionality
+4. WHEN EKS add-ons are installed, THE system SHALL configure AWS Mountpoint S3 CSI Driver add-on to replace Helm chart installation
+5. WHEN EKS add-ons are installed, THE system SHALL configure EKS Pod Identity Agent add-on to provide modern IAM authentication for other add-ons
+6. WHEN add-on architecture is complete, THE system SHALL provide equivalent functionality to original setup while using only AWS-managed components
+
+### Requirement 17
+
+**User Story:** As a workshop developer, I want a complete workshop orchestration system that executes foundational and workshop-specific setup in sequence, so that participants have a fully configured development environment with all necessary tools and services.
+
+#### Acceptance Criteria
+
+1. WHEN java-on-aws workshop setup executes, THE system SHALL first run base.sh for foundational development tools installation
+2. WHEN base setup completes successfully, THE system SHALL proceed to EKS-specific implementation including cluster configuration and add-ons
+3. WHEN workshop orchestration encounters errors, THE system SHALL halt execution and provide clear error messages indicating which phase failed
+4. WHEN all setup phases complete, THE system SHALL verify that both base tools and EKS services are operational
+5. WHEN workshop script executes, THE system SHALL provide progress feedback for each major phase (base setup, EKS setup, verification)
+
+### Requirement 18
+
+**User Story:** As a workshop developer, I want EKS cluster setup scripts that wait for cluster readiness and configure kubectl context, so that subsequent operations can reliably interact with the cluster and participants have proper access.
+
+#### Acceptance Criteria
+
+1. WHEN EKS setup script executes, THE system SHALL check cluster status and wait until kubectl get ns command works successfully
+2. WHEN cluster is ready, THE system SHALL update kubeconfig and add cluster to kubectl context
+3. WHEN kubectl context is configured, THE system SHALL deploy GP3 StorageClass, ALB IngressClass, and SecretProviderClass resources
+4. WHEN setup script completes, THE system SHALL verify all deployed resources are functional
+5. WHEN base development tools are installed, THE system SHALL include kubectl alias 'k' for convenience
+
+### Requirement 19
+
+**User Story:** As a workshop developer, I want EKS cluster and database to deploy in parallel for optimal deployment time, so that infrastructure provisioning is as fast as possible.
+
+#### Acceptance Criteria
+
+1. WHEN EKS cluster is created, THE system SHALL depend only on VPC and deploy in parallel with other resources
+2. WHEN database is created, THE system SHALL depend only on VPC and deploy in parallel with EKS cluster
+3. WHEN both EKS and database are deploying, THE system SHALL not create unnecessary dependencies between them
+4. WHEN parallel deployment completes, THE system SHALL ensure both resources are available for workshop setup scripts
+

.kiro/specs/infra/tasks.md

@@ -216,8 +216,9 @@
   - Added Kubernetes tools (kubectl 1.34.2, Helm 3.19.3, eks-node-viewer, k9s, e1s)
   - Integrated container tools (Docker, SOCI snapshotter 0.12.0) with proper configuration
   - Added AWS tools (SAM CLI, Session Manager Plugin) and utilities (jq, yq 4.49.2)
+  - Added kubectl alias 'k' for convenience in base.sh
   - Implemented comprehensive error handling and logging for all tool installations
-  - _Requirements: 6.4, 6.7_
+  - _Requirements: 6.4, 6.7, 18.5_
 
 - [x] 11.10 Fix CloudFormation signaling permissions
   - Added cloudformation:SignalResource permission to IDE instance IAM role
@@ -371,15 +372,17 @@
   - Reference unicorn-roles-analysis.md for IAM role requirements
   - _Requirements: 5.4, 5.5_
 
-- [ ] 100.2 Create EKS construct
-  - Create infra/cdk/src/main/java/sample/com/constructs/Eks.java
-  - Copy and refactor infrastructure/cdk/src/main/java/com/unicorn/constructs/EksCluster.java
-  - Update to use EKS AutoMode and integrate with new Vpc and Roles constructs
-  - Implement unicorn EKS roles: cluster-role, node-role, pod-role, eso-role, eso-sm-role (see unicorn-roles-analysis.md)
-  - Remove workshop-specific customizations, keep generic EKS setup
-  - _Requirements: 5.6_
-
-- [ ] 100.3 Create Database construct with universal naming
+- [ ] 100.2 Create EKS construct using EKS v2 with Auto Mode
+  - Create infra/cdk/src/main/java/sample/com/constructs/Eks.java using software.amazon.awscdk.services.eks.v2.alpha
+  - Configure workshop-cluster with Auto Mode, version 1.34, system+general-purpose node pools
+  - Add 3 EKS add-ons: AWS Secrets Store CSI Driver, AWS Mountpoint S3 CSI Driver, EKS Pod Identity Agent
+  - Create Access Entry for WSParticipantRole AND IDE instance role with cluster admin permissions
+  - Use Access Entries authentication mode instead of ConfigMap-based authentication
+  - Enable all log types (api, audit, authenticator, controllerManager, scheduler) for comprehensive monitoring
+  - EKS cluster should depend only on VPC for parallel deployment with Database
+  - _Requirements: 13.1, 13.2, 13.3, 13.4, 13.7, 13.8, 15.3, 15.5, 15.6, 19.1_
+
+- [x] 100.3 Create Database construct with universal naming
   - Create infra/cdk/src/main/java/sample/com/constructs/Database.java
   - Copy and refactor database setup from infrastructure/cdk/src/main/java/com/unicorn/core/DatabaseSetup.java
   - Update all database resource names to use "workshop-" prefix: cluster, writer, security group, subnet group
@@ -392,33 +395,56 @@
   - Consolidate RDS and database schema setup into single construct
   - _Requirements: 5.6, 12.1, 12.2, 12.3, 12.4, 12.5, 12.6_
 
-- [ ] 100.4 Update WorkshopStack for java-on-aws
-  - Add conditional EKS creation: if (!"base".equals(workshopType) && !"java-ai-agents".equals(workshopType))
-  - Database already conditionally created for non-base templates (same as Roles)
-  - Test WORKSHOP_TYPE=java-on-aws generates template with all required resources
-  - Validate generated template matches existing unicornstore-stack.yaml functionality
-  - _Requirements: 1.2, 5.5_
-
-- [ ] 100.5 Migrate java-on-aws setup scripts
-  - Copy and refactor infrastructure/scripts/setup/eks.sh to infra/scripts/setup/eks.sh
-  - Copy and refactor infrastructure/scripts/setup/app.sh to infra/scripts/setup/app.sh
-  - Copy and refactor infrastructure/scripts/setup/monitoring.sh to infra/scripts/setup/monitoring.sh
-  - Update all scripts with emoji-based logging and consistent error handling
-  - _Requirements: 3.3, 5.7_
+- [x] 100.4 Update WorkshopStack for java-on-aws with EKS integration (Database part complete)
+  - Database already conditionally created for non-base templates (same as Roles) ✅
+  - Need to add conditional EKS creation: if (!"base".equals(workshopType) && !"java-ai-agents".equals(workshopType))
+  - Test TEMPLATE_TYPE=java-on-aws generates template with VPC, IDE, CodeBuild, Roles, Database, and EKS resources
+  - Validate generated template includes all EKS add-ons and Access Entries configuration
+  - Ensure template supports both java-on-aws and base templates from same codebase
+  - _Requirements: 1.2, 1.3, 13.1, 16.1_
+
+- [ ] 100.5 Create EKS post-deployment setup script
+  - Create infra/scripts/setup/eks.sh for EKS cluster configuration (based on original infrastructure/scripts/setup/eks.sh)
+  - Check cluster status and wait until kubectl get ns works successfully before proceeding
+  - Update kubeconfig and add workshop-cluster to kubectl context
+  - Deploy GP3 StorageClass (encrypted, default) since EKS Auto Mode doesn't provide encrypted GP3 by default
+  - Deploy ALB IngressClass + IngressClassParams for Application Load Balancer integration
+  - Create SecretProviderClass for database secrets (workshop-db-secret, workshop-db-password-secret, workshop-db-connection-string)
+  - Configure EKS Pod Identity with AWSSecretsManagerClientReadOnlyAccess managed policy
+  - Verify all three add-ons are installed and functional before completing
+  - Update script with emoji-based logging and consistent error handling
+  - _Requirements: 15.1, 15.2, 14.2, 14.3, 14.4, 15.7, 18.1, 18.2, 18.3, 18.4_
 
 - [ ] 100.6 Create java-on-aws workshop orchestration script
-  - Create infra/scripts/workshops/java-on-aws.sh
-  - Orchestrate: base.sh, eks.sh, app.sh, monitoring.sh
-  - Implement proper error handling and progress feedback
+  - Create infra/scripts/ide/java-on-aws.sh that executes base.sh and EKS implementation
+  - Script should call base.sh first for foundational development tools
+  - Then execute EKS-specific setup (cluster configuration, add-ons, storage classes)
+  - Implement proper error handling and progress feedback between base and EKS phases
   - Test script execution and validate all setup steps complete successfully
   - _Requirements: 3.1, 3.2_
 
-- [ ] 100.7 Validate java-on-aws migration
-  - Generate template and compare with existing unicornstore-stack.yaml
-  - Verify all required resources are present and properly configured
-  - Test workshop deployment end-to-end (optional, can be done manually)
-  - Document any differences and ensure they are acceptable
-  - _Requirements: 5.5_
+- [ ]* 100.7 Write property test for EKS Access Entry configuration
+  - **Property 19: EKS Access Entry Configuration**
+  - **Validates: Requirements 13.8**
+
+- [ ]* 100.8 Write property test for workshop script orchestration
+  - **Property 20: Workshop Script Orchestration**
+  - **Validates: Requirements 17.1, 17.2**
+
+- [ ]* 100.9 Write property test for workshop error handling
+  - **Property 21: Workshop Error Handling**
+  - **Validates: Requirements 17.3**
+
+- [ ]* 100.10 Write property test for workshop verification
+  - **Property 22: Workshop Verification**
+  - **Validates: Requirements 17.4**
+
+- [ ] 100.11 Validate java-on-aws migration
+  - Generate template with TEMPLATE_TYPE=java-on-aws and verify all EKS resources are present
+  - Test template generation for both base and java-on-aws from same codebase
+  - Verify EKS add-ons, Access Entries, and database resources are properly configured
+  - Document template differences and ensure they provide equivalent functionality
+  - _Requirements: 1.2, 1.3, 16.1_
 
 ## Java-on-EKS Migration (200.x)