Skip to content

Feat/codeconnection #448

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 22 commits into from
Oct 25, 2025
Merged

Feat/codeconnection #448

merged 22 commits into from
Oct 25, 2025

Conversation

@rafaelpereyra
Copy link
Contributor

Issue #, if available:
N/A
Description of changes:
Enables CodeConnection for sourcing code

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@rafaelpereyra
feat: add CodeConnection and Parameter Store integration
6048e95 
- Add CodeConnection support for GitHub integration as alternative to S3 source
- Implement Parameter Store configuration management for centralized config
- Update CONTRIBUTING.md formatting (bullet points, spacing, emphasis)
- Add comprehensive documentation for new integration features
- Create reusable configuration retrieval script for pipeline steps
- Update CloudFormation template with new parameters and IAM permissions
- Modify CDK pipeline to support conditional source selection
- Add fallback mechanisms for backward compatibility
@rafaelpereyra rafaelpereyra changed the base branch from feat/cdkpipeline to feat/exportspage October 24, 2025 18:14
@github-actions
Copy link

github-actions bot commented Oct 24, 2025
edited
Loading

ASH Security Scan Report

  • Report generated: 2025-10-25T16:36:57+00:00
  • Time since scan: 1 minute

Scan Metadata

  • Project: ASH
  • Scan executed: 2025-10-25T16:35:43+00:00
  • ASH version: 3.1.2

Summary

Scanner Results

The table below shows findings by scanner, with status based on severity thresholds and dependencies:

  • Severity levels:
    • Suppressed (S): Findings that have been explicitly suppressed and don't affect scanner status
    • Critical (C): Highest severity findings that require immediate attention
    • High (H): Serious findings that should be addressed soon
    • Medium (M): Moderate risk findings
    • Low (L): Lower risk findings
    • Info (I): Informational findings with minimal risk
  • Duration (Time): Time taken by the scanner to complete its execution
  • Actionable: Number of findings at or above the threshold severity level that require attention
  • Result:
    • PASSED = No findings at or above threshold
    • FAILED = Findings at or above threshold
    • MISSING = Required dependencies not available
    • SKIPPED = Scanner explicitly disabled
    • ERROR = Scanner execution error
  • Threshold: The minimum severity level that will cause a scanner to fail
    • Thresholds: ALL, LOW, MEDIUM, HIGH, CRITICAL
    • Source: Values in parentheses indicate where the threshold is set:
      • global (global_settings section in the ASH_CONFIG used)
      • config (scanner config section in the ASH_CONFIG used)
      • scanner (default configuration in the plugin, if explicitly set)
  • Statistics calculation:
    • All statistics are calculated from the final aggregated SARIF report
    • Suppressed findings are counted separately and do not contribute to actionable findings
    • Scanner status is determined by comparing actionable findings to the threshold
Scanner Suppressed Critical High Medium Low Info Actionable Result Threshold
bandit 0 0 0 0 20 0 0 PASSED MEDIUM (global)
cdk-nag 0 0 0 0 0 0 0 SKIPPED MEDIUM (global)
cfn-nag 0 0 0 0 0 0 0 MISSING MEDIUM (global)
checkov 28 15 0 0 0 0 15 SKIPPED MEDIUM (global)
detect-secrets 0 0 0 0 0 0 0 SKIPPED MEDIUM (global)
grype 0 3 0 11 1 0 14 SKIPPED MEDIUM (global)
npm-audit 0 0 0 0 0 0 0 PASSED MEDIUM (global)
opengrep 0 0 0 0 0 0 0 MISSING MEDIUM (global)
semgrep 0 35 0 0 0 0 35 FAILED MEDIUM (global)
syft 0 0 0 0 0 0 0 PASSED MEDIUM (global)
trivy-repo 0 0 0 0 0 0 0 MISSING MEDIUM (global)

Top 10 Hotspots

Files with the highest number of security findings:

Finding Count File Location
11 src/applications/microservices/payforadoption-go/app
7 src/applications/microservices/petsearch-java/docker-compose.yml
6 src/applications/lambda/petfood-cleanup-processor-node/index.js
4 src/applications/microservices/payforadoption-go/benchmark/Dockerfile
4 src/applications/lambda/traffic-generator-node/index.js
4 src/applications/microservices/petlistadoptions-py/docker-compose.yml
3 src/applications/microservices/payforadoption-go/Dockerfile
3 src/applications/microservices/petsite-net/petsite/Dockerfile
2 src/applications/microservices/petlistadoptions-py/Dockerfile
2 src/applications/microservices/petsearch-java/Dockerfile

Detailed Findings

Show 20 of 64 actionable findings

Finding 1: CKV_AWS_111

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_111
  • Location: src/templates/codebuild-deployment-template.yaml:1447-1470

Description:
Ensure IAM policies does not allow write access without constraints

Code Snippet:

rCrossRegionStackOperationRole:
    Type: AWS::IAM::Role
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: CrossRegionStackOperationPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - cloudformation:DescribeStacks
                  - cloudformation:DeleteStack
                Resource: "*"

Finding 2: CKV_DOCKER_2

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_2
  • Location: src/applications/microservices/payforadoption-go/Dockerfile:1-14

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM public.ecr.aws/docker/library/golang:1.23 as builder
WORKDIR /go/src/app
COPY . .
ENV GOPROXY=https://goproxy.io,direct
RUN go get .
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .

FROM public.ecr.aws/docker/library/alpine:3.22.1
WORKDIR /app
RUN apk --no-cache add ca-certificates curl aws-cli
COPY --from=builder /go/src/app/app .
COPY --from=builder /go/src/app/seed.json .
EXPOSE 80
CMD ["./app"]

Finding 3: CKV_DOCKER_3

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_3
  • Location: src/applications/microservices/payforadoption-go/Dockerfile:1-14

Description:
Ensure that a user for the container has been created

Code Snippet:

FROM public.ecr.aws/docker/library/golang:1.23 as builder
WORKDIR /go/src/app
COPY . .
ENV GOPROXY=https://goproxy.io,direct
RUN go get .
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .

FROM public.ecr.aws/docker/library/alpine:3.22.1
WORKDIR /app
RUN apk --no-cache add ca-certificates curl aws-cli
COPY --from=builder /go/src/app/app .
COPY --from=builder /go/src/app/seed.json .
EXPOSE 80
CMD ["./app"]

Finding 4: CKV_DOCKER_2

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_2
  • Location: src/applications/microservices/petfood-rs/Dockerfile:1-32

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

# Build stage
FROM public.ecr.aws/docker/library/rust:bookworm AS builder
COPY . .
RUN cargo build --release

# Runtime stage
FROM public.ecr.aws/docker/library/debian:bookworm-slim

# Install runtime dependencies and CA certificates
RUN apt-get update && apt-get install -y \
    ca-certificates \
    openssl \
    curl \
    unzip \
    && curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" \
    && unzip awscliv2.zip \
    && ./aws/install \
    && rm -rf awscliv2.zip aws \
    && apt-get remove -y unzip \
    && apt-get autoremove -y \
    && rm -rf /var/lib/apt/lists/* \
    && update-ca-certificates

COPY --from=builder /target/release/petfood-rs /app/petfood-rs

# Create a non-root user for security
RUN useradd -r -s /bin/false petfood && \
    chown petfood:petfood /app/petfood-rs

USER petfood
EXPOSE 8080
CMD ["/app/petfood-rs"]

Finding 5: CKV_DOCKER_3

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_3
  • Location: src/applications/microservices/petlistadoptions-py/Dockerfile:1-50

Description:
Ensure that a user for the container has been created

Code Snippet:

FROM public.ecr.aws/docker/library/python:3.11-slim as builder

WORKDIR /app

# Install system dependencies
RUN apt-get update && apt-get install -y \
    gcc \
    libpq-dev \
    && rm -rf /var/lib/apt/lists/*

# Copy requirements and install Python dependencies
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
RUN pip install awscli

# Copy application code
COPY . .

# Production stage
FROM public.ecr.aws/docker/library/python:3.11-slim

WORKDIR /app

# Install runtime dependencies
RUN apt-get update && apt-get install -y \
    libpq5 \
    curl \
    && rm -rf /var/lib/apt/lists/*

# Copy Python packages from builder
COPY --from=builder /usr/local/lib/python3.11/site-packages /usr/local/lib/python3.11/site-packages
COPY --from=builder /usr/local/bin /usr/local/bin

# Copy application code
COPY --from=builder /app .

# Make start script executable
RUN chmod +x start.sh

# Create non-root user for future use (but run as root for port 80 access)
RUN useradd -m -u 1000 appuser && chown -R appuser:appuser /app

# Add health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD curl -f http://localhost:80/health/status || exit 1

EXPOSE 80

# Use startup script (running as root for port 80 access)
CMD ["./start.sh"]

Finding 6: CKV_DOCKER_2

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_2
  • Location: src/applications/microservices/petsearch-java/Dockerfile:1-24

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM --platform=$BUILDPLATFORM public.ecr.aws/docker/library/gradle:7.3-jdk17 as build

WORKDIR /app
COPY ./build.gradle ./build.gradle
COPY ./src ./src
COPY ./settings.gradle ./settings.gradle

ENV GRADLE_OPTS "-Dorg.gradle.daemon=false"
RUN gradle build -DexcludeTags='integration' --no-daemon --stacktrace

FROM public.ecr.aws/amazoncorretto/amazoncorretto:17-al2-generic-jdk
WORKDIR /app

RUN yum install -y curl unzip && \
    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \
    unzip awscliv2.zip && \
    ./aws/install && \
    rm -rf awscliv2.zip aws && \
    yum clean all

ARG JAR_FILE=build/libs/\*.jar
COPY --from=build /app/${JAR_FILE} ./app.jar

ENTRYPOINT ["java","-jar","/app/app.jar"]

Finding 7: CKV_DOCKER_3

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_3
  • Location: src/applications/microservices/petsearch-java/Dockerfile:1-24

Description:
Ensure that a user for the container has been created

Code Snippet:

FROM --platform=$BUILDPLATFORM public.ecr.aws/docker/library/gradle:7.3-jdk17 as build

WORKDIR /app
COPY ./build.gradle ./build.gradle
COPY ./src ./src
COPY ./settings.gradle ./settings.gradle

ENV GRADLE_OPTS "-Dorg.gradle.daemon=false"
RUN gradle build -DexcludeTags='integration' --no-daemon --stacktrace

FROM public.ecr.aws/amazoncorretto/amazoncorretto:17-al2-generic-jdk
WORKDIR /app

RUN yum install -y curl unzip && \
    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \
    unzip awscliv2.zip && \
    ./aws/install && \
    rm -rf awscliv2.zip aws && \
    yum clean all

ARG JAR_FILE=build/libs/\*.jar
COPY --from=build /app/${JAR_FILE} ./app.jar

ENTRYPOINT ["java","-jar","/app/app.jar"]

Finding 8: CKV_DOCKER_2

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_2
  • Location: src/applications/microservices/petsite-net/petsite/Dockerfile:1-22

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
WORKDIR /src
COPY *.csproj .
RUN dotnet restore "PetSite.csproj" --no-cache
COPY . .
RUN dotnet publish "PetSite.csproj" -c Release -o /app/publish

FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS final
WORKDIR /app
EXPOSE 80
ENV ASPNETCORE_HTTP_PORTS=80
# Install AWS CLI and curl for troubleshooting
RUN apt-get update && apt-get install -y curl unzip && \
    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \
    unzip awscliv2.zip && \
    ./aws/install && \
    rm -rf awscliv2.zip aws && \
    apt-get remove -y unzip && \
    apt-get autoremove -y && \
    rm -rf /var/lib/apt/lists/*
COPY --from=build /app/publish .
ENTRYPOINT ["dotnet", "PetSite.dll"]

Finding 9: CKV_DOCKER_3

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_3
  • Location: src/applications/microservices/petsite-net/petsite/Dockerfile:1-22

Description:
Ensure that a user for the container has been created

Code Snippet:

FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
WORKDIR /src
COPY *.csproj .
RUN dotnet restore "PetSite.csproj" --no-cache
COPY . .
RUN dotnet publish "PetSite.csproj" -c Release -o /app/publish

FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS final
WORKDIR /app
EXPOSE 80
ENV ASPNETCORE_HTTP_PORTS=80
# Install AWS CLI and curl for troubleshooting
RUN apt-get update && apt-get install -y curl unzip && \
    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \
    unzip awscliv2.zip && \
    ./aws/install && \
    rm -rf awscliv2.zip aws && \
    apt-get remove -y unzip && \
    apt-get autoremove -y && \
    rm -rf /var/lib/apt/lists/*
COPY --from=build /app/publish .
ENTRYPOINT ["dotnet", "PetSite.dll"]

Finding 10: CKV_DOCKER_7

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_7
  • Location: src/applications/microservices/payforadoption-go/benchmark/Dockerfile:1

Description:
Ensure the base image uses a non latest version tag

Code Snippet:

FROM public.ecr.aws/docker/library/rust:latest:latest as builder

Finding 11: CKV_DOCKER_2

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_2
  • Location: src/applications/microservices/payforadoption-go/benchmark/Dockerfile:1-6

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM public.ecr.aws/docker/library/rust:latest:latest as builder
WORKDIR /app
RUN
COPY . .
RUN cargo install drill
CMD ["./benchmark.sh"]

Finding 12: CKV_DOCKER_3

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_3
  • Location: src/applications/microservices/payforadoption-go/benchmark/Dockerfile:1-6

Description:
Ensure that a user for the container has been created

Code Snippet:

FROM public.ecr.aws/docker/library/rust:latest:latest as builder
WORKDIR /app
RUN
COPY . .
RUN cargo install drill
CMD ["./benchmark.sh"]

Finding 13: CKV_DOCKER_2

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_2
  • Location: src/applications/microservices/petfoodagent-strands-py/Dockerfile:1-40

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM ghcr.io/astral-sh/uv:python3.13-bookworm-slim
WORKDIR /app

# Configure UV for container environment
ENV UV_SYSTEM_PYTHON=1 UV_COMPILE_BYTECODE=1



COPY requirements.txt requirements.txt
# Install from requirements file
RUN uv pip install -r requirements.txt




RUN uv pip install aws-opentelemetry-distro>=0.10.1


# Set AWS region environment variable

ENV AWS_REGION=us-east-1
ENV AWS_DEFAULT_REGION=us-east-1


# Signal that this is running in Docker for host binding logic
ENV DOCKER_CONTAINER=1

# Create non-root user
RUN useradd -m -u 1000 bedrock_agentcore
USER bedrock_agentcore

EXPOSE 8080
EXPOSE 8000

# Copy entire project (respecting .dockerignore)
COPY . .

# Use the full module path

CMD ["opentelemetry-instrument", "python", "-m", "agent"]

Finding 14: CKV2_GHA_1

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV2_GHA_1
  • Location: .github/workflows/tests.yml:1

Description:
Ensure top-level permissions are not set to write-all

Finding 15: CKV2_GHA_1

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV2_GHA_1
  • Location: .github/workflows/pre-commit.yml:1

Description:
Ensure top-level permissions are not set to write-all

Finding 16: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring

  • Severity: HIGH
  • Scanner: semgrep
  • Rule ID: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
  • Location: src/applications/lambda/petfood-cleanup-processor-node/index.js:61

Description:
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.

Code Snippet:

console.error(`Failed to delete S3 object s3://${bucket}/${key}:`, error.message);

Finding 17: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring

  • Severity: HIGH
  • Scanner: semgrep
  • Rule ID: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
  • Location: src/applications/lambda/petfood-cleanup-processor-node/index.js:82

Description:
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.

Code Snippet:

console.error(`Failed to delete DynamoDB record for food ${foodId}:`, error.message);

Finding 18: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring

  • Severity: HIGH
  • Scanner: semgrep
  • Rule ID: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
  • Location: src/applications/lambda/petfood-cleanup-processor-node/index.js:108

Description:
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.

Code Snippet:

console.log(`Attempt ${attempt} failed, retrying in ${delay}ms:`, error.message);

Finding 19: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring

  • Severity: HIGH
  • Scanner: semgrep
  • Rule ID: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
  • Location: src/applications/lambda/petfood-cleanup-processor-node/index.js:133

Description:
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.

Code Snippet:

console.log(`Processing cleanup event for food ${eventData.foodId}`, {

Finding 20: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring

  • Severity: HIGH
  • Scanner: semgrep
  • Rule ID: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
  • Location: src/applications/lambda/petfood-cleanup-processor-node/index.js:182

Description:
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.

Code Snippet:

`Cleanup processing completed successfully for food ${eventData.foodId}`,

Note: Showing 20 of 64 total actionable findings. Configure max_detailed_findings to adjust this limit.

Report generated by Automated Security Helper (ASH) at 2025-10-25T16:36:57+00:00

@rafaelpereyra
feat: enhance configuration flexibility and add troubleshooting docs
030679c 
- Add troubleshooting section for CDK bootstrap stack deletion issues
- Support environment variables for Parameter Store base path configuration
- Add CodeConnection ARN support for GitHub integration
- Update workshop template with consistent parameter defaults
- Enable conditional source configuration (CodeConnection vs S3) in local deployment
@rafaelpereyra
refactor: simplify parameter store configuration management
fbd638e 
Modified parameter storage approach in AWS Systems Manager Parameter Store from individual key-value parameters to a single parameter containing the complete .env file content. Updated the retrieve-config.sh script to fetch a single parameter instead of using get-parameters-by-path, and modified the CodeBuild deployment template to store the entire .env file as one parameter rather than splitting it into multiple parameters.
@rafaelpereyra
feat: implement single parameter approach for Parameter Store integra…
ab90599 
…tion

Updated CodeConnection and Parameter Store integration with single parameter approach. Modified documentation to reflect new CloudFormation-managed parameter creation, updated CDK pipeline to use single parameter path with stack name, and enhanced CodeBuild template to create Parameter Store parameter as CloudFormation resource instead of manual creation.
@rafaelpereyra
fix: deployment issues
53d4519
@rafaelpereyra
fix: added tags to initial stack
316b43d
bonclay7
bonclay7 reviewed Oct 24, 2025
View reviewed changes
src/applications/canaries/petsite-canary/nodejs/node_modules/index.js

// Attempt to read from SSM
try {
const { SSMClient, GetParameterCommand } = require('@aws-sdk/client-ssm');
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

We detected that you are importing a module inside a function, which is known as lazy loading. If modules are imported within a function, it might prevent other requests from being handled at a more critical time. We recommend that you load all modules at the beginning of each file, before and outside of any functions.

@rafaelpereyra
fix: pipeline error
5a7de08
@rafaelpereyra
fix: update environment validation and opensearch pipeline logging
daf998b 
- Modified environment variable validation to accept either CONFIG_BUCKET or CODE_CONNECTION_ARN
- Reordered CloudWatch log group creation before IAM role definition in OpenSearch pipeline
- Fixed log group ARN references in IAM policies to use correct log group name
@rafaelpereyra
fix: rolled back log name for opensearch
752333c
@rafaelpereyra
fix: publish export error
b1519ef
@rafaelpereyra
fix: missing permissions for dashboard
d7ef212
@rafaelpereyra
fix: unterminated quoete
d48680d
@rafaelpereyra
fix: missing permissions
b2bc3d0
@rafaelpereyra
fix: added shell for export dashboard
ef76118
@rafaelpereyra
feat: enhance CDK infrastructure and deployment scripts
9b6a633 
- Updated constants configuration in bin/constants.ts
- Enhanced asset constructs and petsite microservice
- Modified pipeline configuration and status updater function
- Significantly expanded manage-exports.py script with 654 additions
- Enhanced retrieve-config.sh script with 318 additions
- Total changes: 860 additions, 138 deletions across 7 files
bonclay7
bonclay7 reviewed Oct 25, 2025
View reviewed changes
src/cdk/scripts/retrieve-config.sh
log_debug "Attempting to retrieve parameter from SSM..."

local ssm_output
local ssm_error
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

ssm_error appears unused. Verify use (or export if used externally).

src/cdk/scripts/retrieve-config.sh
if [[ "$LOG_LEVEL" == "DEBUG" ]]; then
log_debug "Configuration file contents:"
log_debug "----------------------------------------------"
cat "$TARGET_ENV_FILE" | sed 's/\(.*=\).*/\1[REDACTED]/' >&2
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Unnecessary use of 'cat' in shell scripts, can lead to inefficient code and reduced script performance. Instead of 'cat file | command', use input redirection 'command < file' or pass the filename directly command file when possible. This practice improves script efficiency, especially for commands that benefit from seekable input. It also enhances code readability and maintainability. For more information on secure coding practices, including shell scripting, refer to the OWASP Secure Coding Practices Quick Reference Guide: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/

src/cdk/scripts/retrieve-config.sh
if [[ "$LOG_LEVEL" == "DEBUG" ]]; then
log_debug "Existing .env contents:"
log_debug "----------------------------------------------"
cat ".env" | sed 's/\(.*=\).*/\1[REDACTED]/' >&2
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Unnecessary use of 'cat' in shell scripts, can lead to inefficient code and reduced script performance. Instead of 'cat file | command', use input redirection 'command < file' or pass the filename directly command file when possible. This practice improves script efficiency, especially for commands that benefit from seekable input. It also enhances code readability and maintainability. For more information on secure coding practices, including shell scripting, refer to the OWASP Secure Coding Practices Quick Reference Guide: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/

@rafaelpereyra rafaelpereyra merged commit 2cb402a into feat/exportspage Oct 25, 2025
2 checks passed
rafaelpereyra added a commit that referenced this pull request Oct 25, 2025
@rafaelpereyra
Feat/exportspage (#447)
344184d 
* refactor: improve CDK infrastructure maintainability and documentation

- Remove hardcoded CloudWatch log group names to prevent deployment conflicts
- Add descriptive CloudFormation output descriptions for better resource identification
- Remove unused Names import and logGroupName parameters
- Add CDK-nag rule to enforce dynamic log group naming
- Set default values for CloudFormation template parameters

* feat: add exports management system and enhance CDK infrastructure

- Modified CDK configuration constants and local deployment settings
- Enhanced WAF construct and pipeline configuration
- Improved status updater function and utility functions
- Refined workshop nag pack rules
- Added complete exports management system with Python script, dashboard template, and documentation
- Updated CodeBuild deployment template

* Feat/codeconnection (#448)

* feat: add CodeConnection and Parameter Store integration

- Add CodeConnection support for GitHub integration as alternative to S3 source
- Implement Parameter Store configuration management for centralized config
- Update CONTRIBUTING.md formatting (bullet points, spacing, emphasis)
- Add comprehensive documentation for new integration features
- Create reusable configuration retrieval script for pipeline steps
- Update CloudFormation template with new parameters and IAM permissions
- Modify CDK pipeline to support conditional source selection
- Add fallback mechanisms for backward compatibility

* feat: enhance configuration flexibility and add troubleshooting docs

- Add troubleshooting section for CDK bootstrap stack deletion issues
- Support environment variables for Parameter Store base path configuration
- Add CodeConnection ARN support for GitHub integration
- Update workshop template with consistent parameter defaults
- Enable conditional source configuration (CodeConnection vs S3) in local deployment

* refactor: simplify parameter store configuration management

Modified parameter storage approach in AWS Systems Manager Parameter Store from individual key-value parameters to a single parameter containing the complete .env file content. Updated the retrieve-config.sh script to fetch a single parameter instead of using get-parameters-by-path, and modified the CodeBuild deployment template to store the entire .env file as one parameter rather than splitting it into multiple parameters.

* feat: implement single parameter approach for Parameter Store integration

Updated CodeConnection and Parameter Store integration with single parameter approach. Modified documentation to reflect new CloudFormation-managed parameter creation, updated CDK pipeline to use single parameter path with stack name, and enhanced CodeBuild template to create Parameter Store parameter as CloudFormation resource instead of manual creation.

* fix: deployment issues

* fix: added tags to initial stack

* fix: pipeline error

* fix: update environment validation and opensearch pipeline logging

- Modified environment variable validation to accept either CONFIG_BUCKET or CODE_CONNECTION_ARN
- Reordered CloudWatch log group creation before IAM role definition in OpenSearch pipeline
- Fixed log group ARN references in IAM policies to use correct log group name

* fix: rolled back log name for opensearch

* fix: publish export error

* fix: missing permissions for dashboard

* fix: unterminated quoete

* fix: missing permissions

* fix: added shell for export dashboard

* feat: enhance CDK infrastructure and deployment scripts

- Updated constants configuration in bin/constants.ts
- Enhanced asset constructs and petsite microservice
- Modified pipeline configuration and status updater function
- Significantly expanded manage-exports.py script with 654 additions
- Enhanced retrieve-config.sh script with 318 additions
- Total changes: 860 additions, 138 deletions across 7 files

* feat: added debug flag for scripts

* fix: script error handling logic

* feat: improved dashboard

* fix: missing permissions for dashboard

* cicd: removed debug flag

* fix: broad permissions for putobject

* feat: improved console access links
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bonclay7 bonclay7 bonclay7 left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rafaelpereyra @bonclay7