aws-samples
diff --git a/‎.kiro/specs/infra/design.md‎
Lines changed: 43 additions & 15 deletions b/‎.kiro/specs/infra/design.md‎
Lines changed: 43 additions & 15 deletions
diff --git a/‎.kiro/specs/infra/tasks.md‎
Lines changed: 52 additions & 38 deletions b/‎.kiro/specs/infra/tasks.md‎
Lines changed: 52 additions & 38 deletions
diff --git a/‎infra/cdk/src/main/java/sample/com/WorkshopStack.java‎
Lines changed: 13 additions & 13 deletions b/‎infra/cdk/src/main/java/sample/com/WorkshopStack.java‎
Lines changed: 13 additions & 13 deletions
@@ -29,6 +29,11 @@ infra/
 │   │   └── WorkshopApp.java      # Main CDK application
 │   ├── src/main/resources/
 │   │   ├── userdata.sh           # Minimal UserData script (embedded in CDK)
+│   │   ├── iam-policy-base.json
+│   │   ├── iam-policy-java-on-aws-immersion-day.json
+│   │   ├── iam-policy-java-on-amazon-eks.json
+│   │   ├── iam-policy-java-ai-agents.json
+│   │   ├── iam-policy-java-spring-ai-agents.json
 │   │   └── lambda/               # Lambda function source files
 │   │       ├── ec2-launcher.py
 │   │       ├── codebuild-start.py
@@ -41,7 +46,10 @@ infra/
 │   └── cdk.json
 ├── cfn/                         # Generated CloudFormation templates
 │   ├── base-stack.yaml
-│   └── java-on-aws-stack.yaml
+│   ├── java-on-aws-immersion-day-stack.yaml
+│   ├── java-on-amazon-eks-stack.yaml
+│   ├── java-ai-agents-stack.yaml
+│   └── java-spring-ai-agents-stack.yaml
 ├── scripts/
 │   ├── ide/                     # IDE setup scripts
 │   │   ├── bootstrap.sh         # Full bootstrap orchestration
@@ -53,7 +61,10 @@ infra/
 │   │   └── shell-p10k.zsh       # Powerlevel10k configuration
 │   ├── templates/               # Workshop-specific post-deploy scripts
 │   │   ├── base.sh              # Base template (empty placeholder)
-│   │   └── java-on-aws.sh       # Java-on-AWS workshop setup
+│   │   ├── java-on-aws-immersion-day.sh  # Java-on-AWS Immersion Day workshop setup
+│   │   ├── java-on-amazon-eks.sh         # Java-on-Amazon-EKS workshop setup (same as java-on-aws-immersion-day)
+│   │   ├── java-ai-agents.sh             # Java-AI-Agents workshop setup (same as base)
+│   │   └── java-spring-ai-agents.sh      # Java-Spring-AI-Agents workshop setup (same as base)
 │   ├── setup/                   # Infrastructure setup scripts
 │   │   ├── eks.sh               # EKS cluster configuration
 │   │   ├── monitoring.sh        # Prometheus + Grafana setup
@@ -81,28 +92,37 @@ public class WorkshopStack extends Stack {
     public WorkshopStack(final Construct scope, final String id, final StackProps props) {
         super(scope, id, props);
 
-        String templateType = System.getenv("TEMPLATE_TYPE");
+        String templateType = (String) this.getNode().tryGetContext("template.type");
         if (templateType == null) {
             templateType = "base"; // default
         }
 
         // Core infrastructure (always created)
         var vpc = new Vpc(this, "Vpc");
-        var ide = new Ide(this, "Ide", vpc.getVpc());
+        var ide = new Ide(this, "Ide", ideProps);
 
-        // Custom roles and database only for non-base templates
-        if (!"base".equals(templateType)) {
-            var roles = new Roles(this, "Roles");
+        // java-on-aws-immersion-day and java-on-amazon-eks specific resources
+        if ("java-on-aws-immersion-day".equals(templateType) || "java-on-amazon-eks".equals(templateType)) {
+            new CodeBuild(this, "CodeBuild", codeBuildProps);
             var database = new Database(this, "Database", vpc.getVpc());
+            var eks = new Eks(this, "Eks", eksProps);
+            var performanceAnalysis = new PerformanceAnalysis(this, "PerformanceAnalysis", analysisProps);
+            var unicorn = new Unicorn(this, "Unicorn", unicornProps);
         }
-
-        // CodeBuild for service-linked role creation
-        new CodeBuild(this, "CodeBuild",
-            Map.of("STACK_NAME", Aws.STACK_NAME, "TEMPLATE_TYPE", templateType));
     }
 }
 ```
 
+#### Supported Template Types
+
+| Template Type | Resources Created |
+|---------------|-------------------|
+| `base` | VPC, IDE |
+| `java-ai-agents` | VPC, IDE (same as base) |
+| `java-spring-ai-agents` | VPC, IDE (same as base) |
+| `java-on-aws-immersion-day` | VPC, IDE, CodeBuild, Database, EKS, PerformanceAnalysis, Unicorn |
+| `java-on-amazon-eks` | VPC, IDE, CodeBuild, Database, EKS, PerformanceAnalysis, Unicorn (same as java-on-aws-immersion-day) |
+
 #### Reusable Constructs
 
 **Vpc**: Creates VPC with appropriate subnets and networking configuration
@@ -195,7 +215,12 @@ infra/cdk/src/main/resources/
 │   ├── cloudfront-prefix-lookup.py # CloudFront prefix list lookup
 │   └── thread-dump-lambda.py     # Thread dump collection and AI analysis
 ├── userdata.sh                   # Minimal UserData script with CloudWatch logging
-├── iam-policy.json               # IAM policy for workshop participants
+├── iam-policy-base.json          # Base template IAM policy (Allow *)
+├── iam-policy-java-on-aws-immersion-day.json   # Java-on-AWS Immersion Day workshop IAM policy
+├── iam-policy-java-on-amazon-eks.json          # Java-on-Amazon-EKS workshop IAM policy (same as java-on-aws-immersion-day)
+├── iam-policy-java-ai-agents.json              # Java-AI-Agents workshop IAM policy (same as base)
+├── iam-policy-java-spring-ai-agents.json       # Java-Spring-AI-Agents workshop IAM policy (same as base)
+├── iam-policy-{workshop}.json    # Workshop-specific IAM policies (required for each template type)
 └── unicorns.sql                  # Database schema SQL
 ```
 
@@ -277,8 +302,11 @@ infra/scripts/ide/
 └── shell-p10k.zsh        # Powerlevel10k configuration
 
 infra/scripts/templates/
-├── base.sh               # Base template (empty placeholder)
-└── java-on-aws.sh        # Java-on-AWS workshop post-deploy
+├── base.sh                       # Base template (empty placeholder)
+├── java-on-aws-immersion-day.sh  # Java-on-AWS Immersion Day workshop post-deploy
+├── java-on-amazon-eks.sh         # Java-on-Amazon-EKS workshop post-deploy (same as java-on-aws-immersion-day)
+├── java-ai-agents.sh             # Java-AI-Agents workshop post-deploy (same as base)
+└── java-spring-ai-agents.sh      # Java-Spring-AI-Agents workshop post-deploy (same as base)
 ```
 
 #### Bootstrap Flow
@@ -398,7 +426,7 @@ echo "✅ Generated workshop-template.yaml"
 #!/bin/bash
 set -e
 
-WORKSHOPS=("ide" "java-on-aws" "java-on-eks" "java-ai-agents" "java-spring-ai-agents")
+WORKSHOPS=("ide" "java-on-aws-immersion-day" "java-on-amazon-eks" "java-ai-agents" "java-spring-ai-agents")
 
 for workshop in "${WORKSHOPS[@]}"; do
   target_dir="../$workshop/static"
 
@@ -33,17 +33,20 @@
   - _Requirements: 4.1, 4.4_
 
 - [x] 2.2 Create workshop sync script
-  - Create infra/scripts/cfn/sync.sh that copies workshop-template.yaml to workshop directories as {workshop}-stack.yaml
-  - Include iam-policy.json copying from cdk/src/main/resources/ directory to workshop static/ directories
-  - Implement directory existence checking and error reporting
-  - Support workshop list: ide, java-on-aws, java-on-eks, java-ai-agents, java-spring-ai-agents
+  - Create infra/scripts/cfn/sync.sh that copies cfn/{workshop}-stack.yaml → workshop-stack.yaml ✅
+  - Copy workshop-specific IAM policies (iam-policy-{workshop}.json → iam-policy.json) ✅
+  - Target files use static names: workshop-stack.yaml and iam-policy.json ✅
+  - Implement directory existence checking and error reporting ✅
+  - Support workshop list: ide, java-on-aws-immersion-day, java-on-amazon-eks, java-ai-agents, java-spring-ai-agents ✅
   - _Requirements: 4.2, 4.5_
 
 - [x] 2.3 Set up build automation
-  - Create infra/package.json with generate and sync npm scripts
-  - Make scripts executable and test npm run generate && npm run sync workflow
-  - Validate that generated templates are copied to correct locations with proper naming
-  - Copy existing iam-policy.json to infra/cdk/src/main/resources/ for single source of truth
+  - Create infra/package.json with generate and sync npm scripts ✅
+  - Make scripts executable and test npm run generate && npm run sync workflow ✅
+  - Validate that generated templates are copied to correct locations with proper naming ✅
+  - Workshop-specific IAM policies stored as iam-policy-{workshop}.json in cdk/src/main/resources/ ✅
+  - Ide.java loads iam-policy-{templateType}.json and throws exception if not found ✅
+  - Created iam-policy-base.json with Allow * for base template ✅
   - _Requirements: 4.3_
 
 ## Base IDE Stack (10.x)
@@ -383,9 +386,9 @@
   - Enabled easy filtering and management of workshop resources in AWS console and CLI
   - _Requirements: 21.1, 21.2, 21.3, 21.4, 21.5_
 
-## Java-on-AWS Migration (100.x)
+## Java-on-AWS-Immersion-Day Migration (100.x)
 
-- [x] 100.1 Analyze java-on-aws workshop requirements
+- [x] 100.1 Analyze java-on-aws-immersion-day workshop requirements
   - Reviewed infrastructure/cfn/unicornstore-stack.yaml and identified required resources ✅
   - Documented EKS, Database, and other workshop-specific components ✅
   - Mapped existing resources to new construct pattern ✅
@@ -416,14 +419,14 @@
   - Consolidate RDS and database schema setup into single construct
   - _Requirements: 5.6, 12.1, 12.2, 12.3, 12.4, 12.5, 12.6_
 
-- [x] 100.4 Update WorkshopStack for java-on-aws with EKS integration
+- [x] 100.4 Update WorkshopStack for java-on-aws-immersion-day with EKS integration
   - Database already conditionally created for non-base templates (same as Roles) ✅
   - Added conditional EKS creation: if (!"base".equals(templateType) && !"java-ai-agents".equals(templateType)) ✅
   - Integrated EKS with IDE security group: eks.ideInternalSecurityGroup(ide.getIdeInternalSecurityGroup()) ✅
   - Integrated EKS with IDE instance role: eks.ideInstanceRole(ideProps.getIdeRole()) ✅
-  - Tested TEMPLATE_TYPE=java-on-aws generates template with VPC, IDE, CodeBuild, Roles, Database, and EKS resources ✅
+  - Tested TEMPLATE_TYPE=java-on-aws-immersion-day generates template with VPC, IDE, CodeBuild, Roles, Database, and EKS resources ✅
   - Validated generated template includes all EKS add-ons and Access Entries configuration ✅
-  - Ensured template supports both java-on-aws and base templates from same codebase ✅
+  - Ensured template supports both java-on-aws-immersion-day and base templates from same codebase ✅
   - _Requirements: 1.2, 1.3, 13.1, 16.1_
 
 - [x] 100.5 Create EKS post-deployment setup script
@@ -439,8 +442,8 @@
   - Verified all three add-ons are installed and functional before completing ✅
   - _Requirements: 15.1, 15.2, 14.2, 14.3, 14.4, 15.7, 18.1, 18.2, 18.3, 18.4, 18.6_
 
-- [x] 100.6 Create java-on-aws workshop orchestration script
-  - Created infra/scripts/ide/java-on-aws.sh that executes base.sh and workshop-specific setup ✅
+- [x] 100.6 Create java-on-aws-immersion-day workshop orchestration script
+  - Created infra/scripts/templates/java-on-aws-immersion-day.sh that executes base.sh and workshop-specific setup ✅
   - Script calls base.sh first for foundational development tools ✅
   - Then executes EKS-specific setup (cluster configuration, add-ons, storage classes) ✅
   - Added Phase 3: Monitoring stack (Prometheus + Grafana) via monitoring.sh ✅
@@ -480,8 +483,8 @@
   - Updated bootstrap.sh to call tools.sh as part of default IDE setup (after vscode/code-editor) ✅
   - Created templates/ directory for workshop-specific post-deploy scripts ✅
   - Created templates/base.sh as empty placeholder with comment ✅
-  - Moved java-on-aws.sh to templates/java-on-aws.sh ✅
-  - Updated java-on-aws.sh to NOT call base (tools already installed by bootstrap) ✅
+  - Moved java-on-aws-immersion-day.sh to templates/java-on-aws-immersion-day.sh ✅
+  - Updated java-on-aws-immersion-day.sh to NOT call base (tools already installed by bootstrap) ✅
   - Updated bootstrap.sh to look for template scripts in templates/ folder ✅
   - Updated vscode.sh and code-editor.sh to use settings.sh ✅
   - Final structure:
@@ -504,14 +507,14 @@
     - eks.sh: "✅ Success: EKS cluster (workshop-eks)" ✅
     - monitoring.sh: "✅ Success: Monitoring (Prometheus + Grafana)" ✅
     - analysis.sh: "✅ Success: Analysis (Thread + Profiling dashboards)" ✅
-    - java-on-aws.sh: "✅ Success: Java-on-AWS workshop template" ✅
+    - java-on-aws-immersion-day.sh: "✅ Success: Java-on-AWS-Immersion-Day workshop template" ✅
   - _Requirements: 3.3, 3.7, 6.6_
 
 
 
-- [x] 100.11 Validate java-on-aws migration
-  - Generated template with TEMPLATE_TYPE=java-on-aws and verified all EKS resources are present ✅
-  - Tested template generation for both base and java-on-aws from same codebase ✅
+- [x] 100.11 Validate java-on-aws-immersion-day migration
+  - Generated template with TEMPLATE_TYPE=java-on-aws-immersion-day and verified all EKS resources are present ✅
+  - Tested template generation for both base and java-on-aws-immersion-day from same codebase ✅
   - Verified EKS add-ons, Access Entries, and database resources are properly configured ✅
   - Documented template differences and ensured they provide equivalent functionality ✅
   - _Requirements: 1.2, 1.3, 16.1_
@@ -542,11 +545,11 @@
   - _Requirements: 5.6_
 
 - [x] 100.15 Integrate PerformanceAnalysis into WorkshopStack
-  - Added conditional PerformanceAnalysis creation for java-on-aws template type ✅
+  - Added conditional PerformanceAnalysis creation for java-on-aws-immersion-day template type ✅
   - Passed EKS cluster reference for Access Entry creation ✅
   - Passed VPC reference for Lambda VPC placement ✅
   - Tested template generation with PerformanceAnalysis resources ✅
-  - Verified all resources present in generated java-on-aws-stack.yaml ✅
+  - Verified all resources present in generated java-on-aws-immersion-day-stack.yaml ✅
   - _Requirements: 1.2, 1.3_
 
 - [x] 100.16 Create thread-dump-lambda.py implementation
@@ -570,22 +573,33 @@
   - Note: ESO roles not needed - replaced by AWS Secrets Store CSI Driver add-on
   - _Requirements: 5.6_
 
-## Java-AI-Agents Migration (300.x)
+## Java-on-Amazon-EKS Template (200.x)
 
-- [ ] 300.1 Analyze and migrate java-ai-agents workshop
-  - Review infrastructure/cfn/java-ai-agents-stack.yaml (no EKS, includes Bedrock permissions, has database)
-  - Verify EKS exclusion logic: if (!"base".equals(workshopType) && !"java-ai-agents".equals(workshopType))
-  - Database will be included automatically (non-base template)
-  - Create infra/scripts/setup/ai-agents.sh for AI-specific setup
-  - Create infra/scripts/workshops/java-ai-agents.sh orchestration script
-  - _Requirements: 5.4, 5.5_
+- [x] 200.1 Create java-on-amazon-eks template (same infrastructure as java-on-aws-immersion-day)
+  - Updated WorkshopStack.java to include java-on-amazon-eks in same conditional as java-on-aws-immersion-day ✅
+  - Updated generate.sh to generate java-on-amazon-eks-stack.yaml template ✅
+  - Created infra/scripts/templates/java-on-amazon-eks.sh (same setup as java-on-aws-immersion-day.sh) ✅
+  - Created infra/cdk/src/main/resources/iam-policy-java-on-amazon-eks.json (copy of java-on-aws-immersion-day policy) ✅
+  - Template includes: VPC, IDE, CodeBuild, Database, EKS, PerformanceAnalysis, Unicorn ✅
+  - _Requirements: 1.2, 1.3, 5.4_
 
-## Java-Spring-AI-Agents Migration (400.x)
+## Java-AI-Agents Migration (300.x)
 
-- [ ] 400.1 Analyze and migrate java-spring-ai-agents workshop
-  - Review infrastructure/cfn/spring-ai-stack.yaml for specific requirements
-  - Create infra/scripts/setup/spring-ai.sh for Spring AI specific setup
-  - Create infra/scripts/workshops/java-spring-ai-agents.sh orchestration script
-  - Validate template generation and workshop setup scripts
-  - _Requirements: 5.4, 5.5_
+- [x] 300.1 Create java-ai-agents template (same infrastructure as base)
+  - Updated generate.sh to generate java-ai-agents-stack.yaml template ✅
+  - Created infra/scripts/templates/java-ai-agents.sh (minimal setup, no EKS/Database) ✅
+  - Created infra/cdk/src/main/resources/iam-policy-java-ai-agents.json (Allow * like base) ✅
+  - Template includes: VPC, IDE, CodeBuild only (same as base) ✅
+  - No EKS, Database, PerformanceAnalysis, or Unicorn resources ✅
+  - _Requirements: 1.2, 1.3, 5.4_
+
+## Java-Spring-AI-Agents Template (400.x)
+
+- [x] 400.1 Create java-spring-ai-agents template (same infrastructure as base)
+  - Updated generate.sh to generate java-spring-ai-agents-stack.yaml template ✅
+  - Created infra/scripts/templates/java-spring-ai-agents.sh (minimal setup, no EKS/Database) ✅
+  - Created infra/cdk/src/main/resources/iam-policy-java-spring-ai-agents.json (Allow * like base) ✅
+  - Template includes: VPC, IDE only (same as base) ✅
+  - No EKS, Database, PerformanceAnalysis, or Unicorn resources ✅
+  - _Requirements: 1.2, 1.3, 5.4_
 
@@ -26,7 +26,6 @@ public class WorkshopStack extends Stack {
               - |
                 # Resolution for when creating the first service in the account
                 aws iam create-service-linked-role --aws-service-name ecs.amazonaws.com 2>/dev/null || true
-                aws iam create-service-linked-role --aws-service-name apprunner.amazonaws.com 2>/dev/null || true
                 aws iam create-service-linked-role --aws-service-name elasticloadbalancing.amazonaws.com 2>/dev/null || true
         """;
 
@@ -56,19 +55,20 @@ public WorkshopStack(final Construct scope, final String id, final StackProps pr
             .build();
         Ide ide = new Ide(this, "Ide", ideProps);
 
-        // CodeBuild for workshop setup
-        CodeBuild codeBuild = new CodeBuild(this, "CodeBuild",
-            CodeBuild.CodeBuildProps.builder()
-                .projectName("workshop-setup")
-                .vpc(vpc.getVpc())
-                .environmentVariables(Map.of(
-                    "TEMPLATE_TYPE", templateType,
-                    "GIT_BRANCH", gitBranch))
-                .buildSpec(buildSpec)
-                .build());
+        // java-on-aws-immersion-day and java-on-amazon-eks specific resources (CodeBuild for service-linked roles)
+        if ("java-on-aws-immersion-day".equals(templateType) || "java-on-amazon-eks".equals(templateType)) {
+            // CodeBuild for workshop setup (service-linked role creation)
+            new CodeBuild(this, "CodeBuild",
+                CodeBuild.CodeBuildProps.builder()
+                    .projectName("workshop-setup")
+                    .vpc(vpc.getVpc())
+                    .environmentVariables(Map.of(
+                        "TEMPLATE_TYPE", templateType,
+                        "GIT_BRANCH", gitBranch))
+                    .buildSpec(buildSpec)
+                    .build());
 
-        // java-on-aws specific resources
-        if ("java-on-aws".equals(templateType)) {
+            // Database, EKS, PerformanceAnalysis, Unicorn
             Database database = new Database(this, "Database", vpc.getVpc());
 
             // EKS cluster