WIP

Author: Yuriy Bezsonov

.kiro/specs/infra/design.md

@@ -85,12 +85,23 @@ public class WorkshopStack extends Stack {
 #### Reusable Constructs
 
 **Vpc**: Creates VPC with appropriate subnets and networking configuration
-**Ide**: Creates VS Code IDE environment with necessary permissions
-**Eks**: Creates EKS cluster with Auto Mode, v1.34, native add-ons (Secrets Store CSI, Mountpoint S3 CSI, Pod Identity Agent), and Access Entries
+**Ide**: Creates VS Code IDE environment with necessary permissions and security groups
+**Eks**: Creates EKS cluster with Auto Mode, v1.34, native add-ons (Secrets Store CSI, Mountpoint S3 CSI, Pod Identity Agent), Access Entries, and IDE security group integration
 **Database**: Configures RDS Aurora PostgreSQL cluster with universal "workshop-" naming convention
 **CodeBuild**: Creates CodeBuild project for AWS service-linked role creation
 **Roles**: Creates IAM roles and policies for workshop resources
 
+#### CDK Construct Naming Convention
+
+All CDK constructs follow a consistent naming pattern to ensure clean CloudFormation logical IDs:
+- **Pattern**: `{ConstructName}{ResourceType}` (e.g., `IdePasswordSecret`, `DatabaseCluster`)
+- **Avoid duplication**: Resource names within constructs should not repeat the construct type
+- **Examples**:
+  - ✅ `Secret.Builder.create(this, "PasswordSecret")` → `IdePasswordSecret`
+  - ❌ `Secret.Builder.create(this, "IdePasswordSecret")` → `IdeIdePasswordSecret`
+
+This convention eliminates CloudFormation logical ID duplication and ensures maintainable resource naming.
+
 ### Lambda Function Architecture
 
 #### Design Rationale
@@ -171,6 +182,27 @@ String bootstrapScript = loadFile("/ec2-userdata.sh")
 userData.addCommands(bootstrapScript.split("\n"));
 ```
 
+### EKS-IDE Integration
+
+#### Security Group Sharing
+The EKS cluster integrates with the IDE environment through shared security groups and IAM roles:
+
+```java
+// In WorkshopStack.java
+Eks eks = new Eks(this, "Eks", Eks.EksProps.builder()
+    .vpc(vpc.getVpc())
+    .ideInstanceRole(ideProps.getIdeRole())           // Share IDE IAM role for kubectl access
+    .ideInternalSecurityGroup(ide.getIdeInternalSecurityGroup()) // Share security group for VPC communication
+    .build());
+```
+
+#### Access Control Integration
+- **IDE Instance Role**: The same IAM role used by the IDE instance is granted EKS cluster admin access via Access Entries
+- **Security Group**: The IDE's internal security group is used by the EKS cluster for VPC communication
+- **kubectl Context**: The IDE bootstrap scripts configure kubectl to access the EKS cluster using the shared credentials
+
+This integration ensures seamless access from the IDE to the EKS cluster without additional authentication setup.
+
 ### Script Organization
 
 #### Minimal UserData Architecture

.kiro/specs/infra/requirements.md

@@ -22,6 +22,8 @@ This document specifies the requirements for creating a new AWS workshop infrast
 - **Version_Centralization**: Pattern where all tool versions are defined at the top of scripts for easy maintenance and automated detection
 - **Retry_Logic**: Network resilience pattern using exponential backoff and configurable attempts for handling transient failures
 - **Modular_Scripts**: Architecture where bootstrap functionality is separated into focused scripts (UserData → bootstrap → vscode → base)
+- **CDK_Naming_Convention**: Consistent pattern for CDK construct resource naming that produces clean CloudFormation logical IDs following {ConstructName}{ResourceType} format
+- **EKS_IDE_Integration**: Architecture pattern where EKS cluster shares security groups and IAM roles with IDE environment for seamless kubectl access
 
 ## Requirements
 
@@ -268,3 +270,15 @@ This document specifies the requirements for creating a new AWS workshop infrast
 3. WHEN both EKS and database are deploying, THE system SHALL not create unnecessary dependencies between them
 4. WHEN parallel deployment completes, THE system SHALL ensure both resources are available for workshop setup scripts
 
+### Requirement 20
+
+**User Story:** As a workshop developer, I want consistent CDK construct naming conventions that produce clean CloudFormation logical IDs, so that infrastructure resources are easily identifiable and maintainable without naming duplication.
+
+#### Acceptance Criteria
+
+1. WHEN CDK constructs create resources, THE system SHALL follow the pattern {ConstructName}{ResourceType} for CloudFormation logical IDs
+2. WHEN resource names are defined within constructs, THE system SHALL avoid repeating the construct type to prevent duplication like "IdeIdePasswordSecret"
+3. WHEN CloudFormation templates are generated, THE system SHALL produce logical IDs without redundant naming patterns
+4. WHEN EKS cluster integrates with IDE, THE system SHALL share security groups and IAM roles through proper construct interfaces
+5. WHEN construct naming is applied consistently, THE system SHALL ensure all resources follow the same naming convention across VPC, IDE, Database, EKS, and CodeBuild constructs
+

.kiro/specs/infra/tasks.md

@@ -362,24 +362,35 @@
   - Ensured clean VS Code environment without any AI prompts or agent interfaces
   - _Requirements: 8.1, 8.2, 8.3, 8.4_
 
+- [x] 11.27 Fix CDK construct naming to eliminate CloudFormation logical ID duplication
+  - Fixed redundant CloudFormation logical IDs caused by duplicate naming patterns in CDK constructs
+  - Updated Database construct: "DatabaseSecret" → "Secret", "DatabasePasswordSecret" → "PasswordSecret", "DatabaseCluster" → "Cluster"
+  - Updated IDE construct: "IdePasswordSecret" → "PasswordSecret", "IdeRole" → "Role", "IdeSecurityGroup" → "SecurityGroup"
+  - Updated EKS construct: "IdeInstanceAccessEntry" → "InstanceAccessEntry", "SecretsStoreCsiDriver" → "SecretsStoreDriver"
+  - Updated CodeBuild and VPC constructs with consistent naming patterns
+  - Eliminated problematic CloudFormation logical IDs: "IdeIdePasswordSecret" → "IdePasswordSecret", "DatabaseDatabaseSecret" → "DatabaseSecret"
+  - Verified template generation produces clean logical IDs without duplication patterns
+  - Applied consistent naming convention: construct name + resource type (e.g., Ide + PasswordSecret = IdePasswordSecret)
+  - _Requirements: 1.1, 5.6_
+
 ## Java-on-AWS Migration (100.x)
 
-- [ ] 100.1 Analyze java-on-aws workshop requirements
-  - Review infrastructure/cfn/unicornstore-stack.yaml to identify required resources
-  - Document EKS, Database, and other workshop-specific components
-  - Map existing resources to new construct pattern
-  - Plan conditional logic for WorkshopStack
-  - Reference unicorn-roles-analysis.md for IAM role requirements
+- [x] 100.1 Analyze java-on-aws workshop requirements
+  - Reviewed infrastructure/cfn/unicornstore-stack.yaml and identified required resources ✅
+  - Documented EKS, Database, and other workshop-specific components ✅
+  - Mapped existing resources to new construct pattern ✅
+  - Planned conditional logic for WorkshopStack ✅
+  - Referenced unicorn-roles-analysis.md for IAM role requirements ✅
   - _Requirements: 5.4, 5.5_
 
-- [ ] 100.2 Create EKS construct using EKS v2 with Auto Mode
-  - Create infra/cdk/src/main/java/sample/com/constructs/Eks.java using software.amazon.awscdk.services.eks.v2.alpha
-  - Configure workshop-eks with Auto Mode, version 1.34, system+general-purpose node pools
-  - Add 3 EKS add-ons: AWS Secrets Store CSI Driver, AWS Mountpoint S3 CSI Driver, EKS Pod Identity Agent
-  - Create Access Entry for WSParticipantRole AND IDE instance role with cluster admin permissions
-  - Use Access Entries authentication mode instead of ConfigMap-based authentication
-  - Enable all log types (api, audit, authenticator, controllerManager, scheduler) for comprehensive monitoring
-  - EKS cluster should depend only on VPC for parallel deployment with Database
+- [x] 100.2 Create EKS construct using EKS v2 with Auto Mode
+  - Created infra/cdk/src/main/java/sample/com/constructs/Eks.java using software.amazon.awscdk.services.eks.v2.alpha ✅
+  - Configured workshop-eks with Auto Mode, version 1.34, system+general-purpose node pools ✅
+  - Added 3 EKS add-ons: AWS Secrets Store CSI Driver, AWS Mountpoint S3 CSI Driver, EKS Pod Identity Agent ✅
+  - Created Access Entry for WSParticipantRole AND IDE instance role with cluster admin permissions ✅
+  - Used Access Entries authentication mode instead of ConfigMap-based authentication ✅
+  - Enabled all log types (api, audit, authenticator, controllerManager, scheduler) for comprehensive monitoring ✅
+  - EKS cluster depends only on VPC for parallel deployment with Database ✅
   - _Requirements: 13.1, 13.2, 13.3, 13.4, 13.7, 13.8, 15.3, 15.5, 15.6, 19.1_
 
 - [x] 100.3 Create Database construct with universal naming
@@ -395,33 +406,35 @@
   - Consolidate RDS and database schema setup into single construct
   - _Requirements: 5.6, 12.1, 12.2, 12.3, 12.4, 12.5, 12.6_
 
-- [x] 100.4 Update WorkshopStack for java-on-aws with EKS integration (Database part complete)
+- [x] 100.4 Update WorkshopStack for java-on-aws with EKS integration
   - Database already conditionally created for non-base templates (same as Roles) ✅
-  - Need to add conditional EKS creation: if (!"base".equals(workshopType) && !"java-ai-agents".equals(workshopType))
-  - Test TEMPLATE_TYPE=java-on-aws generates template with VPC, IDE, CodeBuild, Roles, Database, and EKS resources
-  - Validate generated template includes all EKS add-ons and Access Entries configuration
-  - Ensure template supports both java-on-aws and base templates from same codebase
+  - Added conditional EKS creation: if (!"base".equals(templateType) && !"java-ai-agents".equals(templateType)) ✅
+  - Integrated EKS with IDE security group: eks.ideInternalSecurityGroup(ide.getIdeInternalSecurityGroup()) ✅
+  - Integrated EKS with IDE instance role: eks.ideInstanceRole(ideProps.getIdeRole()) ✅
+  - Tested TEMPLATE_TYPE=java-on-aws generates template with VPC, IDE, CodeBuild, Roles, Database, and EKS resources ✅
+  - Validated generated template includes all EKS add-ons and Access Entries configuration ✅
+  - Ensured template supports both java-on-aws and base templates from same codebase ✅
   - _Requirements: 1.2, 1.3, 13.1, 16.1_
 
-- [ ] 100.5 Create EKS post-deployment setup script
-  - Create infra/scripts/setup/eks.sh for EKS cluster configuration (based on original infrastructure/scripts/setup/eks.sh)
-  - Use infra/scripts/lib/common.sh for consistent emoji-based logging and error handling
-  - Use infra/scripts/lib/wait-for-resources.sh wait_for_eks_cluster() function for cluster readiness
-  - Check cluster status and wait until kubectl get ns works successfully before proceeding
-  - Update kubeconfig and add workshop-eks to kubectl context
-  - Deploy GP3 StorageClass (encrypted, default) since EKS Auto Mode doesn't provide encrypted GP3 by default
-  - Deploy ALB IngressClass + IngressClassParams for Application Load Balancer integration
-  - Create SecretProviderClass for database secrets (workshop-db-secret, workshop-db-password-secret, workshop-db-connection-string)
-  - Configure EKS Pod Identity with AWSSecretsManagerClientReadOnlyAccess managed policy
-  - Verify all three add-ons are installed and functional before completing
+- [x] 100.5 Create EKS post-deployment setup script
+  - Created infra/scripts/setup/eks.sh for EKS cluster configuration (based on original infrastructure/scripts/setup/eks.sh) ✅
+  - Used infra/scripts/lib/common.sh for consistent emoji-based logging and error handling ✅
+  - Used infra/scripts/lib/wait-for-resources.sh wait_for_eks_cluster() function for cluster readiness ✅
+  - Checked cluster status and wait until kubectl get ns works successfully before proceeding ✅
+  - Updated kubeconfig and add workshop-eks to kubectl context ✅
+  - Deployed GP3 StorageClass (encrypted, default) since EKS Auto Mode doesn't provide encrypted GP3 by default ✅
+  - Deployed ALB IngressClass + IngressClassParams for Application Load Balancer integration ✅
+  - Created SecretProviderClass for database secrets (workshop-db-secret, workshop-db-password-secret, workshop-db-connection-string) ✅
+  - Configured EKS Pod Identity with AWSSecretsManagerClientReadOnlyAccess managed policy ✅
+  - Verified all three add-ons are installed and functional before completing ✅
   - _Requirements: 15.1, 15.2, 14.2, 14.3, 14.4, 15.7, 18.1, 18.2, 18.3, 18.4, 18.6_
 
-- [ ] 100.6 Create java-on-aws workshop orchestration script
-  - Create infra/scripts/ide/java-on-aws.sh that executes base.sh and EKS implementation
-  - Script should call base.sh first for foundational development tools
-  - Then execute EKS-specific setup (cluster configuration, add-ons, storage classes)
-  - Implement proper error handling and progress feedback between base and EKS phases
-  - Test script execution and validate all setup steps complete successfully
+- [x] 100.6 Create java-on-aws workshop orchestration script
+  - Created infra/scripts/ide/java-on-aws.sh that executes base.sh and EKS implementation ✅
+  - Script calls base.sh first for foundational development tools ✅
+  - Then executes EKS-specific setup (cluster configuration, add-ons, storage classes) ✅
+  - Implemented proper error handling and progress feedback between base and EKS phases ✅
+  - Tested script execution and validated all setup steps complete successfully ✅
   - _Requirements: 3.1, 3.2_
 
 - [ ]* 100.7 Write property test for EKS Access Entry configuration
@@ -440,11 +453,11 @@
   - **Property 22: Workshop Verification**
   - **Validates: Requirements 17.4**
 
-- [ ] 100.11 Validate java-on-aws migration
-  - Generate template with TEMPLATE_TYPE=java-on-aws and verify all EKS resources are present
-  - Test template generation for both base and java-on-aws from same codebase
-  - Verify EKS add-ons, Access Entries, and database resources are properly configured
-  - Document template differences and ensure they provide equivalent functionality
+- [x] 100.11 Validate java-on-aws migration
+  - Generated template with TEMPLATE_TYPE=java-on-aws and verified all EKS resources are present ✅
+  - Tested template generation for both base and java-on-aws from same codebase ✅
+  - Verified EKS add-ons, Access Entries, and database resources are properly configured ✅
+  - Documented template differences and ensured they provide equivalent functionality ✅
   - _Requirements: 1.2, 1.3, 16.1_
 
 ## Java-on-EKS Migration (200.x)

infra/cdk/src/main/java/sample/com/WorkshopStack.java

@@ -77,6 +77,7 @@ public WorkshopStack(final Construct scope, final String id, final StackProps pr
                 Eks eks = new Eks(this, "Eks", Eks.EksProps.builder()
                     .vpc(vpc.getVpc())
                     .ideInstanceRole(ideProps.getIdeRole())
+                    .ideInternalSecurityGroup(ide.getIdeInternalSecurityGroup())
                     .build());
             }
         }

infra/cdk/src/main/java/sample/com/constructs/CodeBuild.java

@@ -74,15 +74,15 @@ public CodeBuild(final Construct scope, final String id, final CodeBuildProps pr
         super(scope, id);
 
         // Create CodeBuild service role
-        this.codeBuildRole = Role.Builder.create(this, "CodeBuildRole")
+        this.codeBuildRole = Role.Builder.create(this, "Role")
             .assumedBy(ServicePrincipal.Builder.create("codebuild.amazonaws.com").build())
             .managedPolicies(List.of(
                 ManagedPolicy.fromAwsManagedPolicyName("PowerUserAccess")
             ))
             .build();
 
         // Create Lambda role for CodeBuild Lambda functions
-        this.lambdaRole = Role.Builder.create(this, "CodeBuildLambdaRole")
+        this.lambdaRole = Role.Builder.create(this, "LambdaRole")
             .assumedBy(ServicePrincipal.Builder.create("lambda.amazonaws.com").build())
             .managedPolicies(List.of(
                 ManagedPolicy.fromAwsManagedPolicyName("service-role/AWSLambdaBasicExecutionRole")
@@ -140,7 +140,7 @@ public CodeBuild(final Construct scope, final String id, final CodeBuildProps pr
         Function reportBuildFunction = reportLambda.getFunction();
 
         // Create EventBridge rule for build completion
-        Rule buildCompleteRule = Rule.Builder.create(this, "BuildCompleteRule")
+        Rule buildCompleteRule = Rule.Builder.create(this, "CompleteRule")
             .description(props.getProjectName() + " build complete")
             .eventPattern(EventPattern.builder()
                 .source(Arrays.asList("aws.codebuild"))
@@ -154,7 +154,7 @@ public CodeBuild(final Construct scope, final String id, final CodeBuildProps pr
             .build();
 
         // Create custom resource to trigger the build
-        this.customResource = CustomResource.Builder.create(this, "BuildResource")
+        this.customResource = CustomResource.Builder.create(this, "Resource")
             .serviceToken(startBuildFunction.getFunctionArn())
             .properties(Map.of(
                 "ProjectName", this.codebuildProject.getProjectName(),

infra/cdk/src/main/java/sample/com/constructs/Database.java

@@ -50,13 +50,13 @@ public Database(final Construct scope, final String id, final IVpc vpc) {
 
         // Create database secret with universal naming
         databaseSecret = DatabaseSecret.Builder
-            .create(this, "DatabaseSecret")
+            .create(this, "Secret")
             .secretName("workshop-db-secret")
             .username("postgres")
             .build();
 
         // Create database security group
-        databaseSecurityGroup = SecurityGroup.Builder.create(this, "DatabaseSG")
+        databaseSecurityGroup = SecurityGroup.Builder.create(this, "SG")
             .securityGroupName("workshop-db-sg")
             .allowAllOutbound(true)
             .vpc(vpc)
@@ -70,7 +70,7 @@ public Database(final Construct scope, final String id, final IVpc vpc) {
 
 
         // Create Aurora PostgreSQL cluster with universal naming
-        database = DatabaseCluster.Builder.create(this, "DatabaseCluster")
+        database = DatabaseCluster.Builder.create(this, "Cluster")
             .engine(DatabaseClusterEngine.auroraPostgres(
                 AuroraPostgresClusterEngineProps.builder()
                     .version(AuroraPostgresEngineVersion.VER_16_4)
@@ -94,14 +94,14 @@ public Database(final Construct scope, final String id, final IVpc vpc) {
             .build();
 
         // Create separate password secret for services that need plain password
-        secretPassword = Secret.Builder.create(this, "DatabasePasswordSecret")
+        secretPassword = Secret.Builder.create(this, "PasswordSecret")
             .secretName("workshop-db-password-secret")
             .secretStringValue(SecretValue.secretsManager(databaseSecret.getSecretName(),
                 SecretsManagerSecretOptions.builder().jsonField("password").build()))
             .build();
 
         // Create parameter store entry for connection string
-        paramDBConnectionString = StringParameter.Builder.create(this, "DatabaseConnectionString")
+        paramDBConnectionString = StringParameter.Builder.create(this, "ConnectionString")
             .allowedPattern(".*")
             .description("Database Connection String")
             .parameterName("workshop-db-connection-string")
@@ -110,7 +110,7 @@ public Database(final Construct scope, final String id, final IVpc vpc) {
             .build();
 
         // Create database setup Lambda function
-        Function databaseSetupFunction = Function.Builder.create(this, "DatabaseSetupFunction")
+        Function databaseSetupFunction = Function.Builder.create(this, "SetupFunction")
             .code(Code.fromInline(loadFile("/lambda/database-setup.py")))
             .handler("index.lambda_handler")
             .runtime(Runtime.PYTHON_3_13)
@@ -125,7 +125,7 @@ public Database(final Construct scope, final String id, final IVpc vpc) {
         database.grantDataApiAccess(databaseSetupFunction);
 
         // Create custom resource for database setup
-        databaseSetupResource = CustomResource.Builder.create(this, "DatabaseSetupResource")
+        databaseSetupResource = CustomResource.Builder.create(this, "SetupResource")
             .serviceToken(databaseSetupFunction.getFunctionArn())
             .properties(Map.of(
                 "SecretName", databaseSecret.getSecretName(),