WIP

Author: Yuriy Bezsonov

.kiro/specs/infra/deployment-guide.md

@@ -13,7 +13,7 @@ aws cloudformation deploy \
   --template-file cfn/java-on-aws-stack.yaml \
   --stack-name workshop-stack \
   --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM \
-  --s3-bucket workshop-cfn-templates-1765640257
+  --s3-bucket workshop-cfn-templates-192330716364
 ```
 
 ## Architecture Fix Applied

infra/cdk/src/main/java/sample/com/constructs/Database.java

@@ -58,7 +58,7 @@ public Database(final Construct scope, final String id, final IVpc vpc) {
         // Create database security group
         databaseSecurityGroup = SecurityGroup.Builder.create(this, "DatabaseSG")
             .securityGroupName("workshop-db-sg")
-            .allowAllOutbound(false)
+            .allowAllOutbound(true)
             .vpc(vpc)
             .build();
 

infra/cfn/base-stack.yaml

@@ -714,7 +714,30 @@ Resources:
         Fn::GetAtt:
           - IdeInstanceLauncherFunction803C5A2A
           - Arn
-      InstanceTypes: m5.xlarge,m6i.xlarge,t3.xlarge
+      InstanceName: ide
+      IamInstanceProfileArn:
+        Fn::GetAtt:
+          - IdeIdeInstanceProfile8BD997EA
+          - Arn
+      VolumeSize: "50"
+      SubnetIds:
+        Fn::Join:
+          - ""
+          - - Ref: VpcWorkshopVpcPublicSubnet1SubnetBCB45C45
+            - ","
+            - Ref: VpcWorkshopVpcPublicSubnet2SubnetF8F9426F
+      SecurityGroupIds:
+        Fn::Join:
+          - ""
+          - - Fn::GetAtt:
+                - IdeIdeSecurityGroup5C503C8A
+                - GroupId
+            - ","
+            - Fn::GetAtt:
+                - IdeIdeInternalSecurityGroupD5D3B421
+                - GroupId
+      ImageId:
+        Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter
       UserData:
         Fn::Base64:
           Fn::Join:
@@ -848,30 +871,7 @@ Resources:
                 "
                     exit 1
                 fi
-      ImageId:
-        Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter
-      SecurityGroupIds:
-        Fn::Join:
-          - ""
-          - - Fn::GetAtt:
-                - IdeIdeSecurityGroup5C503C8A
-                - GroupId
-            - ","
-            - Fn::GetAtt:
-                - IdeIdeInternalSecurityGroupD5D3B421
-                - GroupId
-      SubnetIds:
-        Fn::Join:
-          - ""
-          - - Ref: VpcWorkshopVpcPublicSubnet1SubnetBCB45C45
-            - ","
-            - Ref: VpcWorkshopVpcPublicSubnet2SubnetF8F9426F
-      VolumeSize: "50"
-      IamInstanceProfileArn:
-        Fn::GetAtt:
-          - IdeIdeInstanceProfile8BD997EA
-          - Arn
-      InstanceName: ide
+      InstanceTypes: m5.xlarge,m6i.xlarge,t3.xlarge
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
   IdeIdeEipAssociation6C6C215D:
@@ -1452,12 +1452,12 @@ Resources:
       Description: workshop-setup build complete
       EventPattern:
         detail:
+          project-name:
+            - Ref: CodeBuildProjectA0FF5539
           build-status:
             - SUCCEEDED
             - FAILED
             - STOPPED
-          project-name:
-            - Ref: CodeBuildProjectA0FF5539
         detail-type:
           - CodeBuild Build State Change
         source:
@@ -1489,13 +1489,13 @@ Resources:
         Fn::GetAtt:
           - CodeBuildStartLambdaFunction8349284F
           - Arn
-      ContentHash: "1765715394125"
+      ProjectName:
+        Ref: CodeBuildProjectA0FF5539
       CodeBuildIamRoleArn:
         Fn::GetAtt:
           - CodeBuildCodeBuildRoleBA9C6D5C
           - Arn
-      ProjectName:
-        Ref: CodeBuildProjectA0FF5539
+      ContentHash: "1765718855273"
     DependsOn:
       - CodeBuildBuildCompleteRuleAllowEventRuleWorkshopStackCodeBuildReportLambdaFunctionD77C6091DA4A4BD8
       - CodeBuildBuildCompleteRule06AAF17D

infra/cfn/java-on-aws-stack.yaml

@@ -734,6 +734,11 @@ Resources:
         Fn::GetAtt:
           - IdeInstanceLauncherFunction803C5A2A
           - Arn
+      IamInstanceProfileArn:
+        Fn::GetAtt:
+          - IdeIdeInstanceProfile8BD997EA
+          - Arn
+      VolumeSize: "50"
       SubnetIds:
         Fn::Join:
           - ""
@@ -887,11 +892,6 @@ Resources:
                 fi
       InstanceTypes: m5.xlarge,m6i.xlarge,t3.xlarge
       InstanceName: ide
-      IamInstanceProfileArn:
-        Fn::GetAtt:
-          - IdeIdeInstanceProfile8BD997EA
-          - Arn
-      VolumeSize: "50"
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
   IdeIdeEipAssociation6C6C215D:
@@ -1509,13 +1509,13 @@ Resources:
         Fn::GetAtt:
           - CodeBuildStartLambdaFunction8349284F
           - Arn
+      ProjectName:
+        Ref: CodeBuildProjectA0FF5539
       CodeBuildIamRoleArn:
         Fn::GetAtt:
           - CodeBuildCodeBuildRoleBA9C6D5C
           - Arn
-      ContentHash: "1765715399417"
-      ProjectName:
-        Ref: CodeBuildProjectA0FF5539
+      ContentHash: "1765718860840"
     DependsOn:
       - CodeBuildBuildCompleteRuleAllowEventRuleWorkshopStackCodeBuildReportLambdaFunctionD77C6091DA4A4BD8
       - CodeBuildBuildCompleteRule06AAF17D
@@ -1552,11 +1552,9 @@ Resources:
       GroupDescription: WorkshopStack/Database/DatabaseSG
       GroupName: workshop-db-sg
       SecurityGroupEgress:
-        - CidrIp: 255.255.255.255/32
-          Description: Disallow all traffic
-          FromPort: 252
-          IpProtocol: icmp
-          ToPort: 86
+        - CidrIp: 0.0.0.0/0
+          Description: Allow all outbound traffic by default
+          IpProtocol: "-1"
       SecurityGroupIngress:
         - CidrIp: 10.0.0.0/16
           Description: Allow Database Traffic from local network

infra/scripts/setup/eks.sh

@@ -20,44 +20,21 @@ log_info "Region: $REGION, Account: $ACCOUNT_ID"
 log_info "Waiting for EKS cluster to be ready..."
 wait_for_eks_cluster "$CLUSTER_NAME"
 
-# Update kubeconfig
+# Update kubeconfig with infinite retry (like original)
 log_info "Updating kubeconfig for cluster $CLUSTER_NAME..."
-retry_count=0
-max_retries=5
-while [ $retry_count -lt $max_retries ]; do
-    if aws eks --region "$REGION" update-kubeconfig --name "$CLUSTER_NAME"; then
-        log_success "Successfully updated kubeconfig"
-        break
-    else
-        retry_count=$((retry_count + 1))
-        log_warning "Failed to update kubeconfig (attempt $retry_count/$max_retries). Retrying in 10 seconds..."
-        sleep 10
-    fi
+while ! aws eks --region "$REGION" update-kubeconfig --name "$CLUSTER_NAME"; do
+    log_warning "Failed to update kubeconfig. Retrying in 10 seconds..."
+    sleep 10
 done
+log_success "Successfully updated kubeconfig"
 
-if [ $retry_count -eq $max_retries ]; then
-    log_error "Failed to update kubeconfig after $max_retries attempts"
-    exit 1
-fi
-
-# Verify kubectl connectivity
+# Verify kubectl connectivity with infinite retry (like original)
 log_info "Verifying kubectl connectivity..."
-retry_count=0
-while [ $retry_count -lt $max_retries ]; do
-    if kubectl get ns >/dev/null 2>&1; then
-        log_success "kubectl connectivity verified"
-        break
-    else
-        retry_count=$((retry_count + 1))
-        log_warning "kubectl connectivity failed (attempt $retry_count/$max_retries). Retrying in 10 seconds..."
-        sleep 10
-    fi
+while ! kubectl get ns >/dev/null 2>&1; do
+    log_warning "kubectl connectivity failed. Retrying in 10 seconds..."
+    sleep 10
 done
-
-if [ $retry_count -eq $max_retries ]; then
-    log_error "kubectl connectivity failed after $max_retries attempts"
-    exit 1
-fi
+log_success "kubectl connectivity verified"
 
 # Deploy GP3 StorageClass (encrypted, default)
 log_info "Deploying GP3 StorageClass..."