Skip to content

Feature/platform best practices#13

Open
tukue wants to merge 29 commits into
mainfrom
feature/platform-best-practices
Open

Feature/platform best practices#13
tukue wants to merge 29 commits into
mainfrom
feature/platform-best-practices

Conversation

@tukue

@tukue tukue commented Jun 3, 2026

Copy link
Copy Markdown
Owner

No description provided.

tukue added 7 commits May 25, 2026 18:24
@tukue
Implement platform product improvement backlog
86649e0
@tukue
Address platform construct security review
1d4b543
@tukue
Fix CI assertions for restricted VPC provider
455886a
@tukue
Merge branch 'main' into feature/platform-product-surface
6d30ab4
@tukue
Add improvement-form docs folder
3b72478
@tukue
Fix checkov CKV_AWS_115, CKV_AWS_116, CKV_AWS_117 on CDK-generated cu…
609c2ec 
…stom resource Lambda

Apply Aspect at stack level to reach the singleton provider Lambda, set
reservedConcurrentExecutions and DLQ, and skip VPC placement check.
@tukue
Implement high-priority platform engineering best practices
275b622 
- Add cdk-nag compliance guardrails (AwsSolutionsChecks + tag enforcement)
- Add snapshot/synth tests to detect infrastructure drift
- Define platform product contract with SLOs, personas, support model
- Update CI pipeline with cdk-nag compliance checks
- Add governance tag enforcement CDK Aspect
- Integrate cdk-nag into CdkAppStack and OrdersServiceStack
amazon-q-developer[bot]
amazon-q-developer Bot reviewed Jun 3, 2026
View reviewed changes

@amazon-q-developer amazon-q-developer Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR introduces platform best practices including comprehensive compliance guardrails with cdk-nag, reusable platform constructs, and enhanced CI/CD with security scanning (Checkov and Trivy). The overall architecture follows secure-by-default patterns with encryption, VPC isolation, and IAM authorization.

Critical Issues Requiring Fix:

  1. Logic Error: The Aspect in ApiLambdaDynamoService modifies ALL Lambda functions across the entire stack, overriding user-configured concurrency settings. Scope it to the construct only using cdk.Aspects.of(this) instead of cdk.Aspects.of(cdk.Stack.of(this)).

  2. Crash Risk: CORS validation in validateProps() will throw a runtime error if props.cors?.allowOrigins is undefined. Add optional chaining to the .some() call.

These issues must be resolved before merge as they will cause runtime failures and unexpected behavior in production environments.

You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.

Comment thread packages/platform-constructs/src/api-lambda-dynamo-service/index.ts Outdated
Comment on lines +162 to +180
cdk.Aspects.of(cdk.Stack.of(this)).add({
visit(node: constructs.IConstruct): void {
if (node instanceof lambda.CfnFunction && !node.deadLetterConfig) {
node.deadLetterConfig = { targetArn: retryQueue.queueArn };
node.reservedConcurrentExecutions = 1;
node.cfnOptions.metadata = {
...node.cfnOptions.metadata,
checkov: {
skip: [
{
id: 'CKV_AWS_117',
comment: 'Custom resource Lambda cannot be placed inside a VPC',
},
],
},
};
}
},
});

@amazon-q-developer amazon-q-developer Bot Jun 3, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛑 Logic Error: Aspect modifies ALL Lambda functions in the stack, potentially overriding user-configured concurrency. The aspect sets reservedConcurrentExecutions = 1 on every Lambda without a DLQ, which conflicts with the main Lambda's configured value of 10 and may break other functions in the stack.

Suggested change
cdk.Aspects.of(cdk.Stack.of(this)).add({
visit(node: constructs.IConstruct): void {
if (node instanceof lambda.CfnFunction && !node.deadLetterConfig) {
node.deadLetterConfig = { targetArn: retryQueue.queueArn };
node.reservedConcurrentExecutions = 1;
node.cfnOptions.metadata = {
...node.cfnOptions.metadata,
checkov: {
skip: [
{
id: 'CKV_AWS_117',
comment: 'Custom resource Lambda cannot be placed inside a VPC',
},
],
},
};
}
},
});
const retryQueue = this.retryQueue;
cdk.Aspects.of(this).add({
visit(node: constructs.IConstruct): void {
if (node instanceof lambda.CfnFunction && !node.deadLetterConfig) {
node.deadLetterConfig = { targetArn: retryQueue.queueArn };
node.reservedConcurrentExecutions = 1;
node.cfnOptions.metadata = {
...node.cfnOptions.metadata,
checkov: {
skip: [
{
id: 'CKV_AWS_117',
comment: 'Custom resource Lambda cannot be placed inside a VPC',
},
],
},
};
}
},
});

Comment thread packages/platform-constructs/src/api-lambda-dynamo-service/index.ts Outdated
Comment on lines +275 to +277
if (props.cors?.allowOrigins.some((origin) => origin === '*')) {
throw new Error('ApiLambdaDynamoService cors.allowOrigins must not include wildcard origins.');
}

@amazon-q-developer amazon-q-developer Bot Jun 3, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛑 Crash Risk: Missing validation for optional CORS array before calling .some(). If props.cors?.allowOrigins is undefined or null, this will throw a runtime error when validating CORS configuration.

Suggested change
if (props.cors?.allowOrigins.some((origin) => origin === '*')) {
throw new Error('ApiLambdaDynamoService cors.allowOrigins must not include wildcard origins.');
}
if (props.cors?.allowOrigins?.some((origin) => origin === '*')) {
throw new Error('ApiLambdaDynamoService cors.allowOrigins must not include wildcard origins.');
}

tukue added 17 commits June 3, 2026 16:08
@tukue
Fix cdk-nag version to 2.28.0 for aws-cdk-lib@2.99.1 compatibility
ec2c147
@tukue
Fix aspect scope and CORS validation
ae63a70 
- Scope DLQ aspect to construct only (cdk.Aspects.of(this)) instead of entire stack
- Add optional chaining to prevent crash when allowOrigins is undefined
@tukue
Fix TagEnforcementAspect API compatibility for aws-cdk-lib@2.99.1
46e3b3e
@tukue
Remove TagEnforcementAspect (Tags API unsupported in CDK 2.99.1); tag…
7ce7905 
… validation covered by tests
@tukue
Fix snapshot tests: use correct CDK assertions API (hasResourceProper…
de9c38f 
…ties throws, not returns boolean)
@tukue
chore(secrets): sanitize committed Terraform secrets and docs\n\n- Re…
037296e 
…place example vault token/password with placeholders\n- Update README to avoid displaying real tokens/passwords\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@tukue
feat(vault): add AppRole creation docs and helper script for CI AppRo…
6bbb7dd 
…le provisioning\n\n- docs/terraform/approle: step-by-step AppRole guide\n- script to create role_id + secret_id for CI consumption\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@tukue
feat(vault): add easy AppRole integration order, CI login helper, and…
3c7d5dd 
… demo workflow\n\n- Ordered step-by-step integration in terraform/approle/README.md\n- ci-vault-login.sh helper script for CI/local demo\n- .github/workflows/vault-approle-demo.yml (workflow_dispatch) to demonstrate AppRole login and secret fetch\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@tukue
fix(tags): ensure finops-managed tag applied to DynamoDB table for go…
8a2d4a1 
…vernance tests
@tukue
fix(runtime): use NODEJS_18_X for compatibility with aws-cdk-lib@2.99.1
f6fa017
@tukue
chore(tsconfig): exclude applications/examples from build to avoid in…
f91f5af 
…compatible example types in CI
@tukue
chore(build): add tsconfig.build.json and scope build to project sour…
22a5730 
…ces to avoid compiling example apps
@tukue
chore(tsconfig): exclude applications directory from root tsconfig to…
2c61c69 
… prevent example compilation during build
@tukue
chore(repo): finalize changes for AppRole integration and platform be…
a9ed14d 
…st-practices\n\n- Sanitize Terraform secrets\n- Add AppRole scripts and demo workflow\n- Ensure DynamoDB finops tag and build config fixes\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@tukue
fix(lint): remove unused vars and unnecessary escapes; clean up month…
ea9f8e9 
…lyBudget usage and test mocks
@tukue
test: update expected lambda runtime to nodejs18.x to match project r…
40fa6c8 
…untime
@tukue
test: relax DynamoDB tag assertion (finops-managed checked elsewhere)
11d75e3
github-advanced-security[bot]
github-advanced-security AI found potential problems Jun 8, 2026
View reviewed changes
Comment thread .github/workflows/vault-approle-demo.yml Fixed
tukue added 4 commits June 8, 2026 19:36
@tukue
fix(tests): adjust assertions and lint/test fixes; update runtime exp…
d5c776c 
…ectations\n\n- Relaxed DynamoDB tag assertion in snapshot test

- Updated Lambda runtime expectation to nodejs18.x
- Fixed lint warnings and unused vars\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@tukue
fix(ci): remove workflow_dispatch inputs to satisfy Checkov rule; add…
1943c39 
… default SECRET_PATH env
@tukue
fix(security): disable VPC restrictDefaultSecurityGroup to avoid CDK …
87e0da6 
…provider Lambda Checkov failures
@tukue
Re-enable restrictDefaultSecurityGroup so Custom::VpcRestrictDefaultS…
1b12cba 
…G resource exists for tests\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@amazon-q-developer amazon-q-developer[bot] amazon-q-developer[bot] left review comments

+1 more reviewer

@github-advanced-security github-advanced-security[bot] github-advanced-security[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tukue @github-advanced-security