Skip to content

feat: CDK re-write --DO NOT MERGE-- #328

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 174 commits into
base: staging
Choose a base branch
from
Draft

feat: CDK re-write --DO NOT MERGE-- #328

wants to merge 174 commits into from

Conversation

rafaelpereyra
Copy link
Contributor

Added pre-commit hooks and other validation tools for this process

Issue #, if available:

Description of changes:

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@rapgaws
feat: Basic structure proposal for cdk rewrite
73c6319 
Added pre-commit hooks and other validation tools for this process
@github-actions GitHub Actions
Copy link

github-actions bot commented Jul 30, 2025
edited
Loading

ASH Security Scan Report

  • Report generated: 2025-10-20T14:03:25+00:00
  • Time since scan: 1 minute

Scan Metadata

  • Project: ASH
  • Scan executed: 2025-10-20T14:02:08+00:00
  • ASH version: 3.1.2

Summary

Scanner Results

The table below shows findings by scanner, with status based on severity thresholds and dependencies:

  • Severity levels:
    • Suppressed (S): Findings that have been explicitly suppressed and don't affect scanner status
    • Critical (C): Highest severity findings that require immediate attention
    • High (H): Serious findings that should be addressed soon
    • Medium (M): Moderate risk findings
    • Low (L): Lower risk findings
    • Info (I): Informational findings with minimal risk
  • Duration (Time): Time taken by the scanner to complete its execution
  • Actionable: Number of findings at or above the threshold severity level that require attention
  • Result:
    • PASSED = No findings at or above threshold
    • FAILED = Findings at or above threshold
    • MISSING = Required dependencies not available
    • SKIPPED = Scanner explicitly disabled
    • ERROR = Scanner execution error
  • Threshold: The minimum severity level that will cause a scanner to fail
    • Thresholds: ALL, LOW, MEDIUM, HIGH, CRITICAL
    • Source: Values in parentheses indicate where the threshold is set:
      • global (global_settings section in the ASH_CONFIG used)
      • config (scanner config section in the ASH_CONFIG used)
      • scanner (default configuration in the plugin, if explicitly set)
  • Statistics calculation:
    • All statistics are calculated from the final aggregated SARIF report
    • Suppressed findings are counted separately and do not contribute to actionable findings
    • Scanner status is determined by comparing actionable findings to the threshold
Scanner Suppressed Critical High Medium Low Info Actionable Result Threshold
bandit 0 0 0 0 20 0 0 PASSED MEDIUM (global)
cdk-nag 0 0 0 0 0 0 0 SKIPPED MEDIUM (global)
cfn-nag 0 0 0 0 0 0 0 MISSING MEDIUM (global)
checkov 19 14 0 0 0 0 14 SKIPPED MEDIUM (global)
detect-secrets 0 0 0 0 0 0 0 SKIPPED MEDIUM (global)
grype 0 0 0 3 1 0 3 FAILED MEDIUM (global)
npm-audit 0 0 0 0 0 0 0 PASSED MEDIUM (global)
opengrep 0 0 0 0 0 0 0 MISSING MEDIUM (global)
semgrep 0 32 0 0 0 0 32 FAILED MEDIUM (global)
syft 0 0 0 0 0 0 0 PASSED MEDIUM (global)
trivy-repo 0 0 0 0 0 0 0 MISSING MEDIUM (global)

Top 10 Hotspots

Files with the highest number of security findings:

Finding Count File Location
7 src/applications/microservices/petsearch-java/docker-compose.yml
6 src/applications/lambda/petfood-cleanup-processor-node/index.js
4 src/applications/microservices/payforadoption-go/benchmark/Dockerfile
4 src/applications/lambda/traffic-generator-node/index.js
4 src/applications/microservices/petlistadoptions-py/docker-compose.yml
3 src/applications/microservices/petsite-net/petsite/Dockerfile
3 src/applications/microservices/payforadoption-go/Dockerfile
2 src/applications/microservices/petsearch-java/Dockerfile
2 src/applications/microservices/petlistadoptions-py/Dockerfile
2 src/cdk/lib/microservices/manifests/petsite-deployment.yaml

Detailed Findings

Show 20 of 49 actionable findings

Finding 1: CKV_DOCKER_2

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_2
  • Location: src/applications/microservices/petsearch-java/Dockerfile:1-17

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM --platform=$BUILDPLATFORM public.ecr.aws/docker/library/gradle:7.3-jdk17 as build

WORKDIR /app
COPY ./build.gradle ./build.gradle
COPY ./src ./src
COPY ./settings.gradle ./settings.gradle

ENV GRADLE_OPTS "-Dorg.gradle.daemon=false"
RUN gradle build -DexcludeTags='integration' --no-daemon --stacktrace

FROM public.ecr.aws/amazoncorretto/amazoncorretto:17-al2-generic-jdk
WORKDIR /app

ARG JAR_FILE=build/libs/\*.jar
COPY --from=build /app/${JAR_FILE} ./app.jar

ENTRYPOINT ["java","-jar","/app/app.jar"]

Finding 2: CKV_DOCKER_3

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_3
  • Location: src/applications/microservices/petsearch-java/Dockerfile:1-17

Description:
Ensure that a user for the container has been created

Code Snippet:

FROM --platform=$BUILDPLATFORM public.ecr.aws/docker/library/gradle:7.3-jdk17 as build

WORKDIR /app
COPY ./build.gradle ./build.gradle
COPY ./src ./src
COPY ./settings.gradle ./settings.gradle

ENV GRADLE_OPTS "-Dorg.gradle.daemon=false"
RUN gradle build -DexcludeTags='integration' --no-daemon --stacktrace

FROM public.ecr.aws/amazoncorretto/amazoncorretto:17-al2-generic-jdk
WORKDIR /app

ARG JAR_FILE=build/libs/\*.jar
COPY --from=build /app/${JAR_FILE} ./app.jar

ENTRYPOINT ["java","-jar","/app/app.jar"]

Finding 3: CKV_DOCKER_2

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_2
  • Location: src/applications/microservices/petfoodagent-strands-py/Dockerfile:1-40

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM ghcr.io/astral-sh/uv:python3.13-bookworm-slim
WORKDIR /app

# Configure UV for container environment
ENV UV_SYSTEM_PYTHON=1 UV_COMPILE_BYTECODE=1



COPY requirements.txt requirements.txt
# Install from requirements file
RUN uv pip install -r requirements.txt




RUN uv pip install aws-opentelemetry-distro>=0.10.1


# Set AWS region environment variable

ENV AWS_REGION=us-east-1
ENV AWS_DEFAULT_REGION=us-east-1


# Signal that this is running in Docker for host binding logic
ENV DOCKER_CONTAINER=1

# Create non-root user
RUN useradd -m -u 1000 bedrock_agentcore
USER bedrock_agentcore

EXPOSE 8080
EXPOSE 8000

# Copy entire project (respecting .dockerignore)
COPY . .

# Use the full module path

CMD ["opentelemetry-instrument", "python", "-m", "agent"]

Finding 4: CKV_DOCKER_7

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_7
  • Location: src/applications/microservices/payforadoption-go/benchmark/Dockerfile:1

Description:
Ensure the base image uses a non latest version tag

Code Snippet:

FROM public.ecr.aws/docker/library/rust:latest:latest as builder

Finding 5: CKV_DOCKER_2

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_2
  • Location: src/applications/microservices/payforadoption-go/benchmark/Dockerfile:1-6

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM public.ecr.aws/docker/library/rust:latest:latest as builder
WORKDIR /app
RUN
COPY . .
RUN cargo install drill
CMD ["./benchmark.sh"]

Finding 6: CKV_DOCKER_3

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_3
  • Location: src/applications/microservices/payforadoption-go/benchmark/Dockerfile:1-6

Description:
Ensure that a user for the container has been created

Code Snippet:

FROM public.ecr.aws/docker/library/rust:latest:latest as builder
WORKDIR /app
RUN
COPY . .
RUN cargo install drill
CMD ["./benchmark.sh"]

Finding 7: CKV_DOCKER_3

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_3
  • Location: src/applications/microservices/petlistadoptions-py/Dockerfile:1-49

Description:
Ensure that a user for the container has been created

Code Snippet:

FROM public.ecr.aws/docker/library/python:3.11-slim as builder

WORKDIR /app

# Install system dependencies
RUN apt-get update && apt-get install -y \
    gcc \
    libpq-dev \
    && rm -rf /var/lib/apt/lists/*

# Copy requirements and install Python dependencies
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Copy application code
COPY . .

# Production stage
FROM public.ecr.aws/docker/library/python:3.11-slim

WORKDIR /app

# Install runtime dependencies
RUN apt-get update && apt-get install -y \
    libpq5 \
    curl \
    && rm -rf /var/lib/apt/lists/*

# Copy Python packages from builder
COPY --from=builder /usr/local/lib/python3.11/site-packages /usr/local/lib/python3.11/site-packages
COPY --from=builder /usr/local/bin /usr/local/bin

# Copy application code
COPY --from=builder /app .

# Make start script executable
RUN chmod +x start.sh

# Create non-root user for future use (but run as root for port 80 access)
RUN useradd -m -u 1000 appuser && chown -R appuser:appuser /app

# Add health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD curl -f http://localhost:80/health/status || exit 1

EXPOSE 80

# Use startup script (running as root for port 80 access)
CMD ["./start.sh"]

Finding 8: CKV_DOCKER_2

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_2
  • Location: src/applications/microservices/petsite-net/petsite/Dockerfile:1-22

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
WORKDIR /src
COPY *.csproj .
RUN dotnet restore "PetSite.csproj" --no-cache
COPY . .
RUN dotnet publish "PetSite.csproj" -c Release -o /app/publish

FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS final
WORKDIR /app
EXPOSE 80
ENV ASPNETCORE_HTTP_PORTS=80
# Install AWS CLI and curl for troubleshooting
RUN apt-get update && apt-get install -y curl unzip && \
    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \
    unzip awscliv2.zip && \
    ./aws/install && \
    rm -rf awscliv2.zip aws && \
    apt-get remove -y unzip && \
    apt-get autoremove -y && \
    rm -rf /var/lib/apt/lists/*
COPY --from=build /app/publish .
ENTRYPOINT ["dotnet", "PetSite.dll"]

Finding 9: CKV_DOCKER_3

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_3
  • Location: src/applications/microservices/petsite-net/petsite/Dockerfile:1-22

Description:
Ensure that a user for the container has been created

Code Snippet:

FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
WORKDIR /src
COPY *.csproj .
RUN dotnet restore "PetSite.csproj" --no-cache
COPY . .
RUN dotnet publish "PetSite.csproj" -c Release -o /app/publish

FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS final
WORKDIR /app
EXPOSE 80
ENV ASPNETCORE_HTTP_PORTS=80
# Install AWS CLI and curl for troubleshooting
RUN apt-get update && apt-get install -y curl unzip && \
    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \
    unzip awscliv2.zip && \
    ./aws/install && \
    rm -rf awscliv2.zip aws && \
    apt-get remove -y unzip && \
    apt-get autoremove -y && \
    rm -rf /var/lib/apt/lists/*
COPY --from=build /app/publish .
ENTRYPOINT ["dotnet", "PetSite.dll"]

Finding 10: CKV_DOCKER_2

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_2
  • Location: src/applications/microservices/payforadoption-go/Dockerfile:1-14

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM public.ecr.aws/docker/library/golang:1.23 as builder
WORKDIR /go/src/app
COPY . .
ENV GOPROXY=https://goproxy.io,direct
RUN go get .
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .

FROM public.ecr.aws/docker/library/alpine:3.22.1
WORKDIR /app
RUN apk --no-cache add ca-certificates
COPY --from=builder /go/src/app/app .
COPY --from=builder /go/src/app/seed.json .
EXPOSE 80
CMD ["./app"]

Finding 11: CKV_DOCKER_3

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_3
  • Location: src/applications/microservices/payforadoption-go/Dockerfile:1-14

Description:
Ensure that a user for the container has been created

Code Snippet:

FROM public.ecr.aws/docker/library/golang:1.23 as builder
WORKDIR /go/src/app
COPY . .
ENV GOPROXY=https://goproxy.io,direct
RUN go get .
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .

FROM public.ecr.aws/docker/library/alpine:3.22.1
WORKDIR /app
RUN apk --no-cache add ca-certificates
COPY --from=builder /go/src/app/app .
COPY --from=builder /go/src/app/seed.json .
EXPOSE 80
CMD ["./app"]

Finding 12: CKV_DOCKER_2

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_2
  • Location: src/applications/microservices/petfood-rs/Dockerfile:1-25

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

# Build stage
FROM public.ecr.aws/docker/library/rust:bookworm AS builder
COPY . .
RUN cargo build --release

# Runtime stage
FROM public.ecr.aws/docker/library/debian:bookworm-slim

# Install runtime dependencies and CA certificates
RUN apt-get update && apt-get install -y \
    ca-certificates \
    openssl \
    curl \
    && rm -rf /var/lib/apt/lists/* \
    && update-ca-certificates

COPY --from=builder /target/release/petfood-rs /app/petfood-rs

# Create a non-root user for security
RUN useradd -r -s /bin/false petfood && \
    chown petfood:petfood /app/petfood-rs

USER petfood
EXPOSE 8080
CMD ["/app/petfood-rs"]

Finding 13: CKV2_GHA_1

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV2_GHA_1
  • Location: .github/workflows/pre-commit.yml:1

Description:
Ensure top-level permissions are not set to write-all

Finding 14: CKV2_GHA_1

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV2_GHA_1
  • Location: .github/workflows/tests.yml:1

Description:
Ensure top-level permissions are not set to write-all

Finding 15: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring

  • Severity: HIGH
  • Scanner: semgrep
  • Rule ID: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
  • Location: src/applications/lambda/petfood-cleanup-processor-node/index.js:61

Description:
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.

Code Snippet:

console.error(`Failed to delete S3 object s3://${bucket}/${key}:`, error.message);

Finding 16: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring

  • Severity: HIGH
  • Scanner: semgrep
  • Rule ID: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
  • Location: src/applications/lambda/petfood-cleanup-processor-node/index.js:82

Description:
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.

Code Snippet:

console.error(`Failed to delete DynamoDB record for food ${foodId}:`, error.message);

Finding 17: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring

  • Severity: HIGH
  • Scanner: semgrep
  • Rule ID: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
  • Location: src/applications/lambda/petfood-cleanup-processor-node/index.js:108

Description:
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.

Code Snippet:

console.log(`Attempt ${attempt} failed, retrying in ${delay}ms:`, error.message);

Finding 18: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring

  • Severity: HIGH
  • Scanner: semgrep
  • Rule ID: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
  • Location: src/applications/lambda/petfood-cleanup-processor-node/index.js:133

Description:
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.

Code Snippet:

console.log(`Processing cleanup event for food ${eventData.foodId}`, {

Finding 19: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring

  • Severity: HIGH
  • Scanner: semgrep
  • Rule ID: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
  • Location: src/applications/lambda/petfood-cleanup-processor-node/index.js:182

Description:
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.

Code Snippet:

`Cleanup processing completed successfully for food ${eventData.foodId}`,

Finding 20: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring

  • Severity: HIGH
  • Scanner: semgrep
  • Rule ID: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
  • Location: src/applications/lambda/petfood-cleanup-processor-node/index.js:193

Description:
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.

Code Snippet:

`Cleanup processing failed for food ${eventData.foodId}:`,

Note: Showing 20 of 49 total actionable findings. Configure max_detailed_findings to adjust this limit.

Report generated by Automated Security Helper (ASH) at 2025-10-20T14:03:25+00:00

rapgaws and others added 21 commits July 31, 2025 11:48
@rapgaws
fix: fixed ASH findings for template, re-enabled fail on findings for…
3970175 
… new code
@rapgaws
feat: improved codebuild template
0f7e680
@rapgaws
feat: fixed cdk-nag issues
5c2d7a7 
added PipelineArn output so initial Codebuild can succeed
@rapgaws
refactor: replace CONFIG_BUCKET_KEY with dynamic S3 path and upgrade …
4e9ead2 
…to CodeBuildStep

- Remove CONFIG_BUCKET_KEY environment variable and replace with dynamic S3 key path construction
- Add WORKING_FOLDER environment variable for configurable working directory
- Update CDKPipeline interface to use workingFolder instead of configBucketKey
- Replace ShellStep with CodeBuildStep for synthesis with Node.js 22.x runtime
- Add proper build environment configuration and CodeBuild defaults
- Grant read permissions to config bucket for pipeline role
@rapgaws
feat: add S3 bucket cleanup functionality and update gitignore
e6903e3 
- Add Lambda execution role with S3 permissions for bucket cleanup
- Add Lambda function to empty S3 bucket on stack deletion
- Add custom resource to trigger bucket cleanup during CloudFormation deletion
- Change S3 bucket versioning from Enabled to Suspended
- Update .gitignore to exclude .ash/ash_output directory
@rapgaws
refactor: rename CDK pipeline stack to OneObservabilityWorkshopPipeline
945811f 
Changed CDK pipeline stack name from 'CDKPipeline' to 'OneObservabilityWorkshopPipeline' in workshop.ts
@rapgaws
fix: correct S3 bucket policy resource references and remove erroneou…
859aba2 
…s character

- Fixed S3 bucket policy resource reference in codebuild-deployment-template.yaml by correcting the order of bucket ARN references
- Removed erroneous 'q' character from buildspec command in the same template file
@rapgaws
fix: enabled bucket versioning
f8bc451
@rapgaws
refactor: enhance resource cleanup and migrate to Python runtime
b98e6a6 
- Rename bucket cleanup components to generic resource cleanup functionality
- Extend cleanup to handle EventBridge rules and Lambda permissions
- Migrate Lambda functions from Node.js 22.x to Python 3.13 runtime
- Replace static EventBridge rule with dynamic rule creation during build
- Update IAM policies for EventBridge and Lambda cleanup permissions
- Fix S3 resource ARN reference format
- Remove static resources in favor of dynamic creation approach
@rapgaws
style: reformat CloudFormation template YAML syntax
9b1cdee 
Reformatted CloudFormation template YAML syntax by converting quoted strings to unquoted format, changing description block style from folded to literal, expanding inline conditional statements to multi-line format, and adding explicit function name to Lambda resource to prevent circular dependency.
@rapgaws
docs: add comprehensive documentation and deployment templates
5095353 
- Add docs/ folder with README, CHANGELOG, and detailed template documentation
- Add architecture and deployment flow diagrams (PNG files)
- Add template documentation with implementation details, retry handling, and troubleshooting
- Add templates folder README with quick start guide
- Add new simplified CodeBuild deployment template with intelligent retry handling
- Enhance IAM permissions in original template with S3 bucket access policies and CFN-NAG suppressions
@rafaelpereyra @rapgaws
Feat/networking (#329)
ddf09a7 
* fix: improve CloudFormation signaling in CDK deployment template

- Add explicit SUCCESS signal when pipeline monitoring detects completion
- Prevent duplicate signaling in final success handling
- Enhance logging for better visibility of signaling events

* fix: replace CloudFormation signal-resource with direct wait handle URL calls

Modified CloudFormation wait condition signaling mechanism in CodeBuild deployment template. Replaced direct aws cloudformation signal-resource commands with curl-based HTTP PUT requests to wait condition handle URLs. Changes include:

- Retrieving wait condition handle URL using describe-stack-resource command
- Using curl to send SUCCESS/FAILURE signals with JSON payload containing status, reason, unique ID, and data fields
- Applied to both success and failure signaling paths in the deployment process

* feat: add core infrastructure stage with enhanced configuration

- Enhanced environment configuration with comprehensive documentation and type definitions
- Added core infrastructure stage with VPC creation and networking setup
- Improved pipeline structure with stage sequencing and tagging support
- Updated CDK-nag suppressions for better compliance handling
- Added comprehensive JSDoc documentation across all modified files
- Restructured application entry point with better configuration management

* feat: add CloudTrail construct with CloudWatch integration

- Added CloudTrail construct with CloudWatch logs integration and anomaly detection (92 lines)
- Updated environment configuration with CloudTrail integration (8 lines)
- Enhanced workshop configuration with CloudTrail support (2 lines)
- Updated main index with CloudTrail exports (1 line)
- Modified pipeline configuration for CloudTrail deployment (2 lines)
- Extended core stage with CloudTrail trail setup (15 lines)

---------

Co-authored-by: Rafael Pereyra <[email protected]>
@rapgaws
fix: improve CloudFormation signaling in CDK deployment template
8686aae 
- Add explicit SUCCESS signal when pipeline monitoring detects completion
- Prevent duplicate signaling in final success handling
- Enhance logging for better visibility of signaling events
@rafaelpereyra @rapgaws
Fix/ts cloudtrail (#330)
011564e 
* refactor: improve CloudTrail construct configuration

- Remove unused imports (DataResourceType, ReadWriteType)
- Add includeLambdaEvents property to interface
- Remove unused cloudTrailRole variable assignment
- Replace custom S3 event selector with logAllS3DataEvents() method
- Add Lambda data events logging when includeLambdaEvents is enabled

* fix: improve pipeline retry logic in codebuild template

- Added RETRY_LOOP_COUNT and MAX_RETRY_LOOPS variables for better retry tracking
- Enhanced retry mechanism to distinguish between execution retries and loop retries
- Reset retry loop counter when new pipeline execution is detected
- Updated error messages to reflect the new retry loop logic
- Changed maximum retry logic to use retry loops instead of execution count

* feat: enhance logging capabilities for CloudTrail and VPC networking

- Add unique resource naming for CloudTrail log groups to prevent conflicts
- Implement configurable VPC Flow Logs with comprehensive log format
- Add DNS Query Resolver Logs functionality for VPC
- Enable optional log retention configuration across constructs
- Update Core stack to enable logging features by default

* fix: correct core stage tags structure in CDK pipeline

Modified the core stage properties handling to properly wrap tags in a tags property instead of spreading them directly into the properties object. This ensures proper tag structure for the CoreStage constructor.

* feat: add local development setup and enhance contributing guidelines

- Added Apache-2.0 license header to CONTRIBUTING.md
- Enhanced CONTRIBUTING.md with comprehensive documentation for security scanning, pre-commit hooks, and local development setup
- Added new local CDK application entry point (src/cdk/bin/local.ts) for faster development workflow

---------

Co-authored-by: Rafael Pereyra <[email protected]>
@rapgaws
feat: enhance CDK infrastructure with applications stage and deployme…
2acdb61 
…nt tooling

- Updated CONTRIBUTING.md with additional content (22 lines added)
- Added new environment sample file (.env.sample) with 9 lines
- Enhanced environment.ts configuration with 45 new lines
- Extended local.ts deployment script with additional functionality
- Added CloudTrail construct enhancements (12 lines)
- Minor updates to network construct (2 lines)
- Updated pipeline configuration (5 lines modified)
- Created new applications stage with comprehensive setup (150 lines)
- Added deployment check script with validation logic (66 lines)
@rafaelpereyra @rapgaws
Feat/appstage (#331)
6b6be38 
* feat: integrate applications pipeline stage with CDK pipeline

- Add APPLICATION_LIST import and configuration to workshop.ts
- Enhance CDKPipeline with applicationList property and ApplicationsPipelineStage
- Extract bucket key configuration to variable for reusability
- Add comprehensive documentation and type definitions to applications.ts
- Integrate Applications stage into main pipeline with proper tagging and source configuration

* refactor: organize pipeline stages into Core wave

Modified pipeline.ts to organize deployment stages into a wave structure. Added a 'Core' wave and moved both the Core stage and Applications stage into this wave for better deployment organization and sequencing.

* docs: standardize JSDoc parameter names and configure TypeDoc

- Update constructor parameter documentation from 'props' to 'properties' in CloudTrail and Network constructs
- Add dedicated TypeDoc configuration for CDK documentation generation
- Update root TypeDoc configuration to reference CDK entry point and README

* feat: add RemovalPolicy.DESTROY to CloudTrail LogGroup

Modified CloudTrail construct to add RemovalPolicy.DESTROY to the CloudWatch Logs LogGroup and imported RemovalPolicy from aws-cdk-lib.

---------

Co-authored-by: Rafael Pereyra <[email protected]>
@rafaelpereyra @bonclay7 @rapgaws
Feat/compute (#332)
09e7200 
* From Aurora serverless to Instance (#327)

* Switch from serverless v2 to instances

* Bump aurora version

* Ignore editor settings

* Add action for CDK tests

* Export reader endpoint

* Update tests

* Remove unit, merge lint and synth

* Skip docker builds on unrelated changes

* Update petlist to use aurora reader endpoint

* Bump versions

* Bump CDK version

* feat: add comprehensive infrastructure constructs and deployment stages

- Modified environment configuration files (environment.ts, local.ts, workshop.ts) to add new deployment configurations
- Added new construct files for assets, database, DynamoDB, and queue infrastructure components
- Enhanced network construct with additional networking capabilities
- Updated pipeline configuration with new stages and deployment logic
- Added new compute stage for application deployment
- Renamed applications.ts to containers.ts with updated container deployment logic
- Added new storage stage for data persistence infrastructure
- Total: 643 additions, 24 deletions across 12 files

* feat: upgrade container images and database version

- Update all Dockerfiles to use AWS ECR Public Gallery base images
- Upgrade Aurora PostgreSQL from v13.20 to v16.8
- Update pre-commit hook versions (mypy v1.17.1, cfn-python-lint v1.38.2, ASH v3.0.0)
- Enhance database construct with configurable instance types and CDK NAG suppressions
- Add utility functions for CDK infrastructure
- Improve deployment check script with enhanced validation

* build: update Python base image to ECR public registry

Modified PetAdoptions/petadoptionshistory-py/Dockerfile to update the base Python image from python:3.8 to public.ecr.aws/docker/library/python:3.8.20-bullseye.

* feat: add compute infrastructure with ECS and EKS support

- Add ECS cluster construct with auto scaling group and security group
- Add EKS cluster construct with managed node groups and add-ons
- Create microservice base class and ECS service implementation
- Add pay-for-adoption microservice with database integration
- Enhance network construct to disable public IP mapping
- Update queue construct with CloudFormation exports for resource sharing
- Add compute stage to pipeline with ECS and EKS deployment
- Include kubectl v33 layer dependency for EKS operations
- Add applications stage structure for microservices deployment

* feat: add serverless microservices and enhance CDK infrastructure

- Add new Lambda construct for serverless functions
- Create serverless status-updater construct
- Add new microservices: list-adoptions, pet-search, and traffic-generator
- Enhance pay-for-adoption microservice with additional features
- Update database and DynamoDB constructs with expanded functionality
- Refactor ECS service construct with improved configuration
- Enhance microservice construct with expanded capabilities
- Significantly expand applications stage with new service integrations
- Update environment and local configuration with enhanced setup
- Add utility functions for improved helper capabilities

* feat: add VPC endpoints and enhance API Gateway security

- Add VPC endpoints construct for API Gateway, DynamoDB, and Lambda services
- Configure status updater API Gateway as private endpoint with VPC endpoint policy
- Add request authorizer and access logging to API Gateway
- Include CDK NAG suppressions for security compliance
- Export VPC endpoint IDs for cross-stack references
- Integrate VPC endpoints into network construct and applications stack

* feat: add EKS support and petsite microservice

- Added new constants file and EKS deployment construct for better configuration management
- Created new petsite microservice with Kubernetes deployment manifest
- Enhanced EKS construct with additional deployment capabilities
- Updated microservice construct to support both ECS and EKS deployments
- Modified application stage to integrate new petsite service
- Updated development configuration with new VS Code launch settings
- Refined utility functions and updated project dependencies
- Updated pre-commit configuration and prettier ignore rules

* docs: add comprehensive architecture documentation and diagrams

- Add detailed architecture.md covering system overview, deployment stages, microservices architecture, and observability components
- Add 16 architectural diagrams illustrating complete system architecture, deployment stages, microservices structure, and observability setup
- Update CDK constructs and microservices with minor code improvements and configuration adjustments

* feat: enhance observability demo with service discovery and configuration management

- Add CloudMap namespace support for ECS service discovery
- Implement SSM parameter outputs for assets, database, and DynamoDB
- Enhance ECS service construct to support load balancer-less services
- Add VPC endpoints for ServiceDiscovery with improved networking
- Update microservice configurations with service discovery integration
- Improve database construct with separate reader/writer endpoint outputs
- Add EKS kubectl lambda role export for enhanced cluster management
- Update Kubernetes manifests and application stage configurations

* feat: add microservices stage and standardize resource tagging

- Add standardized tagging to all microservice classes with app:owner, app:project, app:name, app:computType, and app:hostType tags
- Add MicroservicesStage to CDK pipeline with proper stage sequencing and tagging
- Move QueueResources from StorageStack to CoreStack for better architectural organization
- Update pipeline interface to include microservicesProperties parameter
- Add missing Utilities import in traffic-generator.ts

* feat: add microservices configuration to CDK pipeline

Added microservices configuration to CDK pipeline by importing MICROSERVICES_PLACEMENT and LAMBDA_FUNCTIONS from environment and passing them as microservicesProperties to the CDKPipeline constructor.

* feat: update CDK infrastructure and dependencies

- Updated CDK TypeScript files across bin, lib/constructs, lib/stages, and lib/utils directories
- Modified package.json and package-lock.json with dependency updates
- Total: 8 files changed, 252 insertions, 272 deletions

* refactor: simplify deployment template architecture

- Remove EventBridge-based pipeline monitoring system
- Replace Lambda functions with direct CodePipeline status polling
- Eliminate complex event-driven architecture for simpler inline monitoring
- Remove codebuild-deployment-template-simplified.yaml file
- Update documentation and container configurations
- Streamline deployment process with reduced complexity

* fix: improve logging permissions and autoscaling group tagging

- Update pipeline log ARN to use wildcard pattern for broader log group access
- Simplify CloudWatch logs policy resources configuration
- Add PropagateAtLaunch support for AutoScaling Group tags
- Improve code formatting in utilities

* docs: add comprehensive JSDoc documentation to CDK infrastructure

- Added module-level documentation with package descriptions for all 6 files
- Enhanced interface and class documentation with detailed parameter descriptions
- Documented enums, constants, and configuration objects throughout
- Added inline comments for improved code readability
- Improved constructor and method documentation with parameter and return types

* docs: restructure documentation and add automated generation

- Added GitHub Actions workflow for documentation generation
- Updated .gitignore to exclude documentation build artifacts
- Updated pre-commit configuration
- Moved CHANGELOG.md from docs/ to root directory
- Removed diagram documentation and PNG files from docs/diagrams/
- Added new modules documentation file
- Enhanced list-adoptions microservice with improved error handling
- Updated containers stage with additional configuration
- Enhanced TypeDoc configuration files with better documentation settings

---------

Co-authored-by: Rodrigue Koffi <[email protected]>
Co-authored-by: Rafael Pereyra <[email protected]>
@rapgaws
Merge branch 'staging' into feat/cdkpipeline
671ea1e
@rapgaws
feat: add OpenTelemetry instrumentation to petsite deployment
d3f3e2e 
Added instrumentation.opentelemetry.io/inject-dotnet annotation to enable
automatic .NET instrumentation injection for the petsite deployment.
@rapgaws
ci: update CDK test workflow for new project structure
3f1b217 
- Update all path references from PetAdoptions/cdk/pet_stack/ to src/cdk/
- Update cache paths and working directories to match new structure
- Add environment file setup step to copy .env.example to .env before CDK synth
- Maintain all existing workflow functionality with updated paths
@rapgaws
ci: .net 8 for .net build
f65721f
@rafaelpereyra rafaelpereyra changed the base branch from main to staging August 9, 2025 00:53
rapgaws added 2 commits August 8, 2025 21:06
@rapgaws
ci: add staging branch support and improve docs workflow
ef60178 
- Extended build-test.yml and cdk-test.yml workflows to trigger on both main and staging branches
- Refactored docs.yml workflow to separate build and deploy jobs, with deployment only occurring on main branch pushes
- Added conditional logic to prevent staging branch changes from deploying to GitHub Pages
@rapgaws
ci: reorganize environment setup in CDK workflow
a87de9b 
Move environment file copy operation from CDK synth step to separate earlier step for better workflow organization
bonclay7
bonclay7 reviewed Oct 10, 2025
View reviewed changes
src/cdk/lib/stages/applications.ts
}

private createCanariesAndLambdas(properties: MicroserviceApplicationsProperties, imports: ImportedResources) {
const canaryArtifactBucket = new Bucket(this, 'CanaryArtifacts', {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

The bucket should have server access logging enabled to provide detailed records for the requests that are made to the bucket.

bonclay7
bonclay7 reviewed Oct 10, 2025
View reviewed changes
src/cdk/lib/stages/containers.ts
this.applicationRepositories.set(app.name, repository);
}

const artifactBucket = new Bucket(this, 'ContainersPipelineArtifact', {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

The bucket should have server access logging enabled to provide detailed records for the requests that are made to the bucket.

bonclay7
bonclay7 reviewed Oct 10, 2025
View reviewed changes
src/cdk/lib/pipeline.ts
* The bucket has encryption at rest using a CMK and enforces encryption in transit.
* Versioning is enabled on the bucket for audit and recovery purposes.
*/
const pipelineArtifactBucket = new Bucket(this, 'ArtifactBucket', {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

The bucket should have server access logging enabled to provide detailed records for the requests that are made to the bucket.

bonclay7
bonclay7 reviewed Oct 10, 2025
View reviewed changes
src/cdk/lib/constructs/assets.ts
constructor(scope: Construct, id: string, properties?: AssetsProperties) {
super(scope, id);

this.bucket = new Bucket(this, 'petadoptionBucket', {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

The bucket should have server access logging enabled to provide detailed records for the requests that are made to the bucket.

bonclay7
bonclay7 reviewed Oct 10, 2025
View reviewed changes
src/cdk/lib/constructs/cloudtrail.ts
},
});

const trailBucket = new Bucket(this, 'TrailBucket', {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

The bucket should have server access logging enabled to provide detailed records for the requests that are made to the bucket.

bonclay7
bonclay7 reviewed Oct 10, 2025
View reviewed changes
src/cdk/lib/microservices/petsite.ts
});

// TODO: Autodelete is not working for this bucket
const cloudfrontAccessBucket = new Bucket(this, 'CloudfrontAccessLogs', {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

The bucket should have server access logging enabled to provide detailed records for the requests that are made to the bucket.

bonclay7
bonclay7 reviewed Oct 10, 2025
View reviewed changes
src/cdk/lib/constructs/queue.ts
true,
);

this.topic = new Topic(this, 'topic_petadoption', {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Server side encryption adds additional protection of sensitive data delivered as messages to subscribers.

bonclay7
bonclay7 reviewed Oct 10, 2025
View reviewed changes
src/cdk/scripts/deploy-check.sh
fi

# Load environment variables
source "$ENV_FILE"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

ShellCheck can't follow non-constant source. Use a directive to specify location.

bonclay7
bonclay7 reviewed Oct 10, 2025
View reviewed changes
archive/keycloak-setup.sh

echo "Checking if namespace '$KEYCLOAK_NAMESPACE' exists..."
CMD_OUT=$(kubectl get ns keycloak -o jsonpath={.metadata.name} 2>&1)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

This { is literal. Check expression (missing ;/\n?) or quote it.

bonclay7
bonclay7 reviewed Oct 10, 2025
View reviewed changes
archive/keycloak-setup.sh

echo "Checking existing keycloak ExternalSecret..."
CMD_OUT=$(kubectl get externalsecret keycloak -n keycloak -o jsonpath={.metadata.name} 2>&1)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

This { is literal. Check expression (missing ;/\n?) or quote it.

bonclay7
bonclay7 reviewed Oct 10, 2025
View reviewed changes
archive/keycloak-setup.sh

echo "Checking existing keycloak SecretStore..."
CMD_OUT=$(kubectl get secretstore keycloak -n $KEYCLOAK_NAMESPACE -o jsonpath={.metadata.name} 2>&1)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

This { is literal. Check expression (missing ;/\n?) or quote it.

bonclay7
bonclay7 reviewed Oct 10, 2025
View reviewed changes
src/cdk/scripts/generate-images.sh
IFS=',' read -ra process_categories <<< "$CATEGORIES"
# Validate categories
for cat in "${process_categories[@]}"; do
if [[ ! " ${all_categories[*]} " =~ " ${cat} " ]]; then
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Remove quotes from right-hand side of =~ to match as a regex rather than literally.

bonclay7
bonclay7 reviewed Oct 10, 2025
View reviewed changes
src/cdk/scripts/generate-images.sh
echo "Playful puppy with $color coat $personality_hint $expression_style, professional pet photography, clean background, high resolution"
;;
"petfood")
local name=$(echo "$item_data" | jq -r '.name // "Premium Pet Food"')
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

name appears unused. Verify use (or export if used externally).

bonclay7
bonclay7 reviewed Oct 10, 2025
View reviewed changes
src/cdk/scripts/redeploy-app.sh
# Display applications
echo -e "${YELLOW}Available applications:${NC}"
for i in "${!APPS[@]}"; do
IFS=':' read -r name path host <<< "${APPS[$i]}"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

path appears unused. Verify use (or export if used externally).

@rafaelpereyra
Feat/output variables (#438)
4269f42 
* feat: added petsite output variable

* feat: az selection for agentcore

* fix: moved template parameter in metadata

* fix: fixed AZ selection

* fix: added describeAz permissions for synth

* fix: added script to idenity subnets for agentcore

* fix: used AWS_REGION from environment variables if available

* feat: added debug line for .env file

* feat: enabled petfood agent by default

* fix: added debug output to the script

* fix: added debug output to the script

* fix: handled last line without newline

* fix: removed debug entries

* Feat/cloudtrail network (#439)

* feat: implemented network events trail

* feat: implemented network events trail
bonclay7
bonclay7 reviewed Oct 14, 2025
View reviewed changes
src/templates/codebuild-deployment-template.yaml
"FunctionName": "${rCDKStackListerFunction}",
"Payload": {}
},
"ResultPath": "$.stackList",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

It appears that you have a refernce path in value of the file and you are not ending the key name with .$. Make sure to end the key name with .$.

Similar issue at line numbers 968, 977, 1024, 1037, 1042, 1098, 1111, and 1116.

sguruvar and others added 2 commits October 14, 2025 22:11
@sguruvar @rafaelpereyra
Bug bash fix for petlist adoption python app signals (#437)
d88059f 
* capture trace info

* More logs and traces

* fix: added parameter names to all services

* More logs and traces

* More logs and traces

* More logs and traces

* More logs and traces

* fix: Remove manual OTel instrumentation to enable Application Signals for petlistadoptions-py

* fix: Remove OTel instrumentation packages to use Application Signals ADOT layer

* fix: Remove all OTel code to rely purely on Application Signals auto-instrumentation

* fix: Add back FastAPI instrumentation for Application Signals HTTP metrics

* fix: Use manual OTEL instrumentation for petlistadoptions (Application Signals Python auto-inst doesn't work for FastAPI)

* fix: Use correct OTLP endpoint for CloudWatch Agent (4316 not 4317)

* fix: Extract host:port from OTLP endpoint URL for gRPC exporter

* petlist adoption with app signals

* petlist adoption with app signals

* petlist adoption with app signals

* petlist adoption with app signals

* petlist adoption with app signals

---------

Co-authored-by: Siva Guruvareddiar <[email protected]>
Co-authored-by: Rafael Pereyra <[email protected]>
Co-authored-by: Rafael Pereyra <[email protected]>
@bonclay7
fix: adjustments to support xa/xr (#440)
25f4eba 
* Skip agent-core

* Allow specifying vpc cidr

* Remove authorizer

* Revert "Skip agent-core"

This reverts commit 1a60128.

* Pre-commit
bonclay7
bonclay7 reviewed Oct 14, 2025
View reviewed changes
src/applications/microservices/petlistadoptions-py/app.py

def __init__(self):
self.pet_search_url = os.getenv("APP_PET_SEARCH_URL")
self.rds_secret_arn = os.getenv("APP_RDS_SECRET_ARN")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

This code relies on a client-controlled input (e.g., cookies, URL parameters, or headers) to determine user roles, which is vulnerable to manipulation. An attacker could potentially elevate their privileges by tampering with these inputs. To fix this, enforce role-based checks using server-side session data or an external authentication service. Avoid relying on any user-controlled data for role validation. Learn more about authorization vulnerabilities from OWASP[https://owasp.org/Top10/A01_2021-Broken_Access_Control/].

bonclay7
bonclay7 reviewed Oct 14, 2025
View reviewed changes
src/templates/codebuild-deployment-template.yaml
"FunctionName": "${rCDKStackListerFunction}",
"Payload": {}
},
"ResultPath": "$.stackList",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

It appears that you have a refernce path in value of the file and you are not ending the key name with .$. Make sure to end the key name with .$.

Similar issue at line numbers 981, 990, 1037, 1050, 1055, 1111, 1124, and 1129.

@rafaelpereyra @hibira
Feat/waf (#441)
4ea2deb 
* upgrade to amazon-cloudwatch-observability addon version 4.4.0 (#392)

* upgrade to latest version amazon-cloudwatch-observability addon

* upgrade to latest version amazon-cloudwatch-observability addon

* upgrade to latest version amazon-cloudwatch-observability addon

---------

Co-authored-by: XXX <[email protected]>

* feat:initial waf deployment

* feat: added waf configuration

* feat: added waf configuration

* feat: added logs to waf

* fix: added outputs and minor deployment fixes
- Unique lambda log names to avoid conflict
- Disabled Cludfront log auto-delete function since it's broken
- Added retention policy to cloudfront logs

* fix: changed region environment variable

* cicd: fixed synth command and missing config

* cicd: cleanup fix for CDK Bootstrap

* fix: fixed unreachable state

* fix: renamed apigw log

* fix: set cloudfront buckets to retain

* fix: removed agent core deployment

* fix: removed s3 auto-cleanup

* fix: petagent deployment default

* fix: output name for CFN template

* fix: AgentCore fixes

---------

Co-authored-by: t_hibira <[email protected]>
Co-authored-by: XXX <[email protected]>
bonclay7
bonclay7 reviewed Oct 17, 2025
View reviewed changes
src/templates/codebuild-deployment-template.yaml
"FunctionName": "${rCDKStackListerFunction}",
"Payload": {}
},
"ResultPath": "$.stackList",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

It appears that you have a refernce path in value of the file and you are not ending the key name with .$. Make sure to end the key name with .$.

Similar issue at line numbers 981, 990, 1037, 1050, 1055, 1115, 1128, and 1133.

@bonclay7
impr(payforadoption): Improve appsignals correlation with DB insights (
8b06260 
…#443)

* Add trace attributes to aurora calls

* Tone down attributes

* Move aurora correlation from root to span

* Fix  content

* Cleanup

* Standardize logging
bonclay7
bonclay7 reviewed Oct 20, 2025
View reviewed changes
src/applications/microservices/payforadoption-go/payforadoption/transport.go
if traceID != "" {
fmt.Printf("[INFO] trace_id=%s %s %s %s %s %d\n", traceID, r.Method, r.RequestURI, r.Proto, r.RemoteAddr, code)
} else {
fmt.Printf("[INFO] %s %s %s %s %d\n", r.Method, r.RequestURI, r.Proto, r.RemoteAddr, code)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Potential log injection detected. Ensure all untrusted input is properly sanitized before logging. Use parameterized logging or validate input against an allow list to prevent log injection vulnerabilities. Consider using a dedicated logging library's built-in sanitization features when available. Learn more - https://cwe.mitre.org/data/definitions/117.html

bonclay7
bonclay7 reviewed Oct 20, 2025
View reviewed changes
src/applications/microservices/payforadoption-go/payforadoption/transport.go
// Extract trace ID from context
traceID := extractTraceIDFromContext(ctx)
if traceID != "" {
fmt.Printf("[INFO] trace_id=%s %s %s %s %s %d\n", traceID, r.Method, r.RequestURI, r.Proto, r.RemoteAddr, code)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Potential log injection detected. Ensure all untrusted input is properly sanitized before logging. Use parameterized logging or validate input against an allow list to prevent log injection vulnerabilities. Consider using a dedicated logging library's built-in sanitization features when available. Learn more - https://cwe.mitre.org/data/definitions/117.html

bonclay7
bonclay7 reviewed Oct 20, 2025
View reviewed changes
src/applications/microservices/payforadoption-go/sql_span_processor.go
}

// Build resource identifier for Aurora correlation
resourceIdentifier := fmt.Sprintf("postgres|%s|%d", dbConfig.Host, dbConfig.Port)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Potential log injection detected. Ensure all untrusted input is properly sanitized before logging. Use parameterized logging or validate input against an allow list to prevent log injection vulnerabilities. Consider using a dedicated logging library's built-in sanitization features when available. Learn more - https://cwe.mitre.org/data/definitions/117.html

bonclay7
bonclay7 reviewed Oct 20, 2025
View reviewed changes
src/applications/microservices/payforadoption-go/database.go

// Build resource identifier for Aurora correlation
// Format: engine|host|port for CloudWatch Application Signals correlation
resourceIdentifier := fmt.Sprintf("postgres|%s|%d", dbConfig.Host, dbConfig.Port)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Potential log injection detected. Ensure all untrusted input is properly sanitized before logging. Use parameterized logging or validate input against an allow list to prevent log injection vulnerabilities. Consider using a dedicated logging library's built-in sanitization features when available. Learn more - https://cwe.mitre.org/data/definitions/117.html

bonclay7
bonclay7 reviewed Oct 20, 2025
View reviewed changes
src/applications/microservices/payforadoption-go/database.go
u := &url.URL{
Scheme: "postgres",
User: url.UserPassword(config.Username, config.Password),
Host: fmt.Sprintf("%s:%d", config.Host, config.Port),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

Potential log injection detected. Ensure all untrusted input is properly sanitized before logging. Use parameterized logging or validate input against an allow list to prevent log injection vulnerabilities. Consider using a dedicated logging library's built-in sanitization features when available. Learn more - https://cwe.mitre.org/data/definitions/117.html

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bonclay7 bonclay7 bonclay7 left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@rafaelpereyra @bonclay7 @lewinkedrs @rapgaws @awsimaya @sunkavar @sguruvar