
Feature/platform enhancements#14

Open
tukue wants to merge 32 commits into main from feature/platform-enhancements

Conversation


@tukue tukue commented Jun 19, 2026

Owner

No description provided.

tukue added 30 commits May 25, 2026 18:24
…stom resource Lambda

Apply Aspect at stack level to reach the singleton provider Lambda, set
reservedConcurrentExecutions and DLQ, and skip VPC placement check.
- Add cdk-nag compliance guardrails (AwsSolutionsChecks + tag enforcement)
- Add snapshot/synth tests to detect infrastructure drift
- Define platform product contract with SLOs, personas, support model
- Update CI pipeline with cdk-nag compliance checks
- Add governance tag enforcement CDK Aspect
- Integrate cdk-nag into CdkAppStack and OrdersServiceStack
- Scope DLQ aspect to construct only (cdk.Aspects.of(this)) instead of entire stack
- Add optional chaining to prevent crash when allowOrigins is undefined
…place example vault token/password with placeholders
- Update README to avoid displaying real tokens/passwords

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…le provisioning

- docs/terraform/approle: step-by-step AppRole guide
- script to create role_id + secret_id for CI consumption

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

… demo workflow

- Ordered step-by-step integration in terraform/approle/README.md
- ci-vault-login.sh helper script for CI/local demo
- .github/workflows/vault-approle-demo.yml (workflow_dispatch) to demonstrate AppRole login and secret fetch

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…st-practices

- Sanitize Terraform secrets
- Add AppRole scripts and demo workflow
- Ensure DynamoDB finops tag and build config fixes

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…ectations

- Relaxed DynamoDB tag assertion in snapshot test
- Updated Lambda runtime expectation to nodejs18.x
- Fixed lint warnings and unused vars

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…G resource exists for tests

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Add CI/CD workflows: CD pipeline, drift detection, security audit, scorecard
- Add security configs: Checkov, Trivy, GitLeaks, Prettier
- Add developer experience: LocalStack docker-compose, dev script, VSCode config
- Extract PlatformObservability construct with composite alarms + SLO widgets
- Add platform version tracking and environment-aware feature flags
- Add contract tests for constructs and platform configuration
- Add architecture decision records (ADRs) for key platform decisions
- Improve Makefile with comprehensive dev/pipeline/security targets
- Bump platform version to 0.2.0
@tukue tukue self-assigned this Jun 19, 2026
@tukue tukue added the enhancement New feature or request label Jun 19, 2026

@amazon-q-developer amazon-q-developer Bot left a comment


Review Summary

This PR introduces significant platform enhancements including CI/CD workflows, security guardrails, observability infrastructure, and reusable CDK constructs. The implementation demonstrates solid security practices with encryption, compliance checks, and comprehensive monitoring.

Critical Issues Identified (Must Fix Before Merge)

CD Workflow - Missing AWS Credentials: The platform-iac-cd.yml workflow will fail at deployment time because AWS credentials are not configured. While the workflow declares id-token: write permission (indicating OIDC intent), it lacks the required aws-actions/configure-aws-credentials step in all three deployment jobs (dev, stage, prod). This will cause immediate deployment failures when the workflow runs.

Overall Assessment

The platform architecture is well-designed with proper separation of concerns, security-by-default patterns, and comprehensive observability. The code quality is high with good validation, error handling, and encryption practices. Once the credential configuration is added to the CD workflow, this PR will be ready to merge.



⚠️ This PR contains more than 30 files. Amazon Q is better at reviewing smaller PRs, and may miss issues in larger changesets.
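A check for the defect the summary describes, added here as an example (not the PR's or Amazon Q's code): it walks a parsed workflow (the dict yaml.safe_load would return) and flags any job that runs cdk deploy with no aws-actions/configure-aws-credentials step ahead of it, or a credential step in a job that lacks the id-token: write permission OIDC requires. The workflow dicts are constructed stand-ins, not the repository's platform-iac-cd.yml.

```python
"""Lint a parsed GitHub Actions workflow for the defect the review flags: a job
that runs `cdk deploy` with no aws-actions/configure-aws-credentials step ahead
of it, or a credential step without the id-token: write permission OIDC needs.
Added example, not the PR's code; the workflow dicts below are constructed
stand-ins for platform-iac-cd.yml, not the repository's file."""

CREDS_ACTION = "aws-actions/configure-aws-credentials@"


def id_token_write(workflow: dict, job: dict) -> bool:
    # A job-level permissions block replaces the workflow-level one when present.
    perms = job.get("permissions", workflow.get("permissions", {}))
    return isinstance(perms, dict) and perms.get("id-token") == "write"


def find_uncredentialed_deploys(workflow: dict) -> list:
    """Return one finding per job where a CDK deploy runs before any credential
    step, or where the credential step cannot exchange an OIDC token."""
    findings = []
    for name, job in workflow.get("jobs", {}).items():
        creds_seen = False  # reset per job: credentials never cross job boundaries
        for step in job.get("steps", []):
            if str(step.get("uses", "")).startswith(CREDS_ACTION):
                creds_seen = True
                if not id_token_write(workflow, job):
                    findings.append(f"{name}: credential step without id-token: write")
            if "cdk deploy" in str(step.get("run", "")) and not creds_seen:
                findings.append(f"{name}: '{step.get('name')}' deploys without credentials")
    return findings


DEPLOY = {"name": "CDK deploy to dev",
          "run": "npx cdk deploy --all --require-approval never -c platformEnv=dev"}
CREDS = {"name": "Configure AWS credentials",
         "uses": "aws-actions/configure-aws-credentials@v4",
         "with": {"role-to-assume": "${{ secrets.AWS_ROLE_ARN }}", "aws-region": "us-east-1"}}


def workflow(steps: list, permissions: dict) -> dict:
    # Constructed stand-in for platform-iac-cd.yml with a single deploy job.
    return {"permissions": permissions, "jobs": {"deploy-dev": {"steps": steps}}}


OIDC = {"id-token": "write", "contents": "read"}
BROKEN = workflow([DEPLOY], OIDC)                          # shape the review flagged
FIXED = workflow([CREDS, DEPLOY], OIDC)                    # suggested step inserted
NO_OIDC = workflow([CREDS, DEPLOY], {"contents": "read"})  # step present, permission missing
```

Feed it the real file with `find_uncredentialed_deploys(yaml.safe_load(open(".github/workflows/platform-iac-cd.yml")))` to run the same check in CI.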

Comment on lines +66 to +67
- name: CDK deploy to dev
run: npx cdk deploy --all --require-approval never -c platformEnv=dev


🛑 Deployment Failure: Missing AWS credential configuration will cause all CDK deployments to fail. The workflow has id-token: write permission indicating OIDC authentication intent, but lacks the required aws-actions/configure-aws-credentials step to establish AWS session credentials before CDK operations.

Suggested change
- name: CDK deploy to dev
run: npx cdk deploy --all --require-approval never -c platformEnv=dev
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: us-east-1
- name: CDK deploy to dev
run: npx cdk deploy --all --require-approval never -c platformEnv=dev
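Review bot: the suggested step hardcodes `aws-region: us-east-1` next to a role that comes from a secret; if the dev stacks target another region the deploy silently goes to the wrong one, so take the region from a repository/environment variable or a workflow-level `env` instead. Also confirm `id-token: write` is in effect for this job specifically, since a job-level `permissions` block replaces the workflow-level one and the action cannot exchange the OIDC token without it.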

Comment on lines +87 to +88
- name: CDK synth stage
run: npx cdk synth -c platformEnv=stage


🛑 Deployment Failure: Missing AWS credential configuration will cause stage deployment to fail. Add aws-actions/configure-aws-credentials step before CDK deploy.

Suggested change
- name: CDK synth stage
run: npx cdk synth -c platformEnv=stage
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: us-east-1
- name: CDK synth stage
run: npx cdk synth -c platformEnv=stage
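Review bot: the comment says to add the credential step "before CDK deploy", but the suggestion is anchored on the `CDK synth stage` step (lines +87 to +88); that only covers the stage deploy if it runs later in the same job, because credentials configured in one job do not carry over to another. If the stage deploy lives in a separate job, the step must be repeated there.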

Comment on lines +112 to +113
- name: CDK synth prod
run: npx cdk synth -c platformEnv=prod


🛑 Deployment Failure: Missing AWS credential configuration will cause production deployment to fail. Add aws-actions/configure-aws-credentials step before CDK deploy.

Suggested change
- name: CDK synth prod
run: npx cdk synth -c platformEnv=prod
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: us-east-1
- name: CDK synth prod
run: npx cdk synth -c platformEnv=prod
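Review bot: all three suggested steps reference the same `secrets.AWS_ROLE_ARN`; unless each deployment job runs under a GitHub environment that scopes that secret, dev, stage and prod would assume one role, so use a distinct, least-privilege role per environment, with the prod role trusting only this repository and branch. As with the stage suggestion, the step is placed before `CDK synth prod`, so verify the prod deploy step follows in the same job.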

tukue added 2 commits June 19, 2026 13:54
- Replace cloudwatch.actions.SnsAction with cwActions.SnsAction from aws-cloudwatch-actions module
- Use alarmName instead of compositeAlarmName on CompositeAlarm construct