Feature/platform enhancements #14
…stom resource Lambda Apply Aspect at stack level to reach the singleton provider Lambda, set reservedConcurrentExecutions and DLQ, and skip VPC placement check.
- Add cdk-nag compliance guardrails (AwsSolutionsChecks + tag enforcement)
- Add snapshot/synth tests to detect infrastructure drift
- Define platform product contract with SLOs, personas, support model
- Update CI pipeline with cdk-nag compliance checks
- Add governance tag enforcement CDK Aspect
- Integrate cdk-nag into CdkAppStack and OrdersServiceStack
- Scope DLQ aspect to construct only (cdk.Aspects.of(this)) instead of entire stack
- Add optional chaining to prevent crash when allowOrigins is undefined
… validation covered by tests
…ties throws, not returns boolean)
…place example vault token/password with placeholders
- Update README to avoid displaying real tokens/passwords

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…le provisioning

- docs/terraform/approle: step-by-step AppRole guide
- script to create role_id + secret_id for CI consumption

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
… demo workflow

- Ordered step-by-step integration in terraform/approle/README.md
- ci-vault-login.sh helper script for CI/local demo
- .github/workflows/vault-approle-demo.yml (workflow_dispatch) to demonstrate AppRole login and secret fetch

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…compatible example types in CI
…ces to avoid compiling example apps
… prevent example compilation during build
…st-practices

- Sanitize Terraform secrets
- Add AppRole scripts and demo workflow
- Ensure DynamoDB finops tag and build config fixes

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…lyBudget usage and test mocks
…ectations

- Relaxed DynamoDB tag assertion in snapshot test
- Updated Lambda runtime expectation to nodejs18.x
- Fixed lint warnings and unused vars

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
… default SECRET_PATH env
…provider Lambda Checkov failures
…G resource exists for tests

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…t@users.noreply.github.com>
- Add CI/CD workflows: CD pipeline, drift detection, security audit, scorecard
- Add security configs: Checkov, Trivy, GitLeaks, Prettier
- Add developer experience: LocalStack docker-compose, dev script, VSCode config
- Extract PlatformObservability construct with composite alarms + SLO widgets
- Add platform version tracking and environment-aware feature flags
- Add contract tests for constructs and platform configuration
- Add architecture decision records (ADRs) for key platform decisions
- Improve Makefile with comprehensive dev/pipeline/security targets
- Bump platform version to 0.2.0
Review Summary
This PR introduces significant platform enhancements including CI/CD workflows, security guardrails, observability infrastructure, and reusable CDK constructs. The implementation demonstrates solid security practices with encryption, compliance checks, and comprehensive monitoring.
Critical Issues Identified (Must Fix Before Merge)
CD Workflow - Missing AWS Credentials: The platform-iac-cd.yml workflow will fail at deployment time because AWS credentials are not configured. While the workflow declares id-token: write permission (indicating OIDC intent), it lacks the required aws-actions/configure-aws-credentials step in all three deployment jobs (dev, stage, prod). This will cause immediate deployment failures when the workflow runs.
Overall Assessment
The platform architecture is well-designed with proper separation of concerns, security-by-default patterns, and comprehensive observability. The code quality is high with good validation, error handling, and encryption practices. Once the credential configuration is added to the CD workflow, this PR will be ready to merge.
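The credential step the review asks for, shown in the context of a complete deployment job so the ordering and the permission scope are visible together. This is an added example written for this page, not the PR's own platform-iac-cd.yml; the job name, the per-environment secret name `AWS_ROLE_ARN_DEV`, the `AWS_REGION` variable and the `dev` environment name are assumptions.

```yaml
# Added example, not the PR's workflow: a CD job that exchanges the GitHub
# OIDC token for a short-lived AWS session before any CDK deploy runs.
# Secret, variable, environment and job names are assumptions.
name: platform-iac-cd

on:
  push:
    branches: [main]

# Least privilege at the workflow level: id-token: write is what lets the
# job request an OIDC token; contents: read is all the checkout needs.
permissions:
  id-token: write
  contents: read

jobs:
  deploy-dev:
    runs-on: ubuntu-latest
    # A GitHub environment scopes the role-ARN secret to this stage, so dev,
    # stage and prod can each trust a different, narrower IAM role, and
    # protection rules (required reviewers) can gate prod separately.
    environment: dev
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      - run: npm ci

      # Synth needs no AWS session, so it runs before credentials exist:
      # a template or lint failure here cannot touch the account.
      - name: CDK synth dev
        run: npx cdk synth -c platformEnv=dev

      # The step the review found missing. The action presents the OIDC
      # token to STS and writes temporary credentials into the job env.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN_DEV }}   # assumed: one secret per environment
          aws-region: ${{ vars.AWS_REGION }}                # assumed: repository/environment variable
          role-session-name: gha-${{ github.run_id }}       # appears in CloudTrail for attribution

      # Only now does anything reach AWS.
      - name: CDK deploy to dev
        run: npx cdk deploy --all --require-approval never -c platformEnv=dev
```

The other half of this setup lives in IAM, not in the workflow: the role named in `AWS_ROLE_ARN_DEV` must trust the `token.actions.githubusercontent.com` OIDC provider and condition its assume-role policy on the token's `sub` claim (for an environment-scoped job that claim has the form `repo:ORG/REPO:environment:dev`), otherwise any repository that can obtain a GitHub OIDC token could assume it. Keeping `--require-approval never` is reasonable for dev; for prod the environment protection rule is what supplies the human approval that flag removes.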
| - name: CDK deploy to dev | ||
| run: npx cdk deploy --all --require-approval never -c platformEnv=dev |
🛑 Deployment Failure: Missing AWS credential configuration will cause all CDK deployments to fail. The workflow has id-token: write permission indicating OIDC authentication intent, but lacks the required aws-actions/configure-aws-credentials step to establish AWS session credentials before CDK operations.
| - name: CDK deploy to dev | |
| run: npx cdk deploy --all --require-approval never -c platformEnv=dev | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ secrets.AWS_ROLE_ARN }} | |
| aws-region: us-east-1 | |
| - name: CDK deploy to dev | |
| run: npx cdk deploy --all --require-approval never -c platformEnv=dev |
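Review bot: the suggested step at `role-to-assume: ${{ secrets.AWS_ROLE_ARN }}` reads one repository-level secret, and the same secret name is reused in the stage and prod suggestions, so a single IAM role would be trusted for all three environments. Scope the secret per GitHub environment (the job's `environment:` key) so dev assumes a dev-only role, and add `role-session-name` so the session is attributable in CloudTrail. The `--all --require-approval never` deploy that follows is unchanged by the suggestion and is fine for dev, but the same flags in later stages need an approval gate elsewhere.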
| - name: CDK synth stage | ||
| run: npx cdk synth -c platformEnv=stage |
🛑 Deployment Failure: Missing AWS credential configuration will cause stage deployment to fail. Add aws-actions/configure-aws-credentials step before CDK deploy.
| - name: CDK synth stage | |
| run: npx cdk synth -c platformEnv=stage | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ secrets.AWS_ROLE_ARN }} | |
| aws-region: us-east-1 | |
| - name: CDK synth stage | |
| run: npx cdk synth -c platformEnv=stage |
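Review bot: the comment says to add the credentials step "before CDK deploy", but the suggestion inserts it before `CDK synth stage`, and the stage deploy step is not in this hunk. `cdk synth` does not need an AWS session unless the stacks perform context lookups, so the step belongs immediately ahead of the stage `cdk deploy`; placing it before synth widens the window in which a failing synth runs with live credentials for no benefit. Confirm the deploy step in this job actually follows the credentials step once the suggestion is applied.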
| - name: CDK synth prod | ||
| run: npx cdk synth -c platformEnv=prod |
🛑 Deployment Failure: Missing AWS credential configuration will cause production deployment to fail. Add aws-actions/configure-aws-credentials step before CDK deploy.
| - name: CDK synth prod | |
| run: npx cdk synth -c platformEnv=prod | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ secrets.AWS_ROLE_ARN }} | |
| aws-region: us-east-1 | |
| - name: CDK synth prod | |
| run: npx cdk synth -c platformEnv=prod |
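Review bot: for the prod job the hardcoded `aws-region: us-east-1` and the shared `secrets.AWS_ROLE_ARN` are the two values most worth pulling out of the suggestion. Prod should assume a separate role whose trust policy is conditioned on the prod environment's OIDC `sub` claim, with the ARN held as an environment secret behind a required-reviewer protection rule, and the region should come from configuration rather than being repeated in three jobs where it can drift. As with the stage hunk, the step is placed before `CDK synth prod`; it belongs directly before the prod deploy step.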
- Replace cloudwatch.actions.SnsAction with cwActions.SnsAction from aws-cloudwatch-actions module
- Use alarmName instead of compositeAlarmName on CompositeAlarm construct