refactor(infra): replace API Gateway with Lambda Function URL for thread analysis

Author: Yuriy Bezsonov

apps/jvm-ai-analyzer/.gitignore

@@ -27,6 +27,3 @@ release.properties
 # Test output
 *.exec
 test-output/
-
-# Kubernetes manifests (generated during workshop)
-k8s/

apps/unicorn-store-spring-java25/.gitignore

@@ -27,6 +27,3 @@ release.properties
 # Test output
 *.exec
 test-output/
-
-# Kubernetes manifests (generated during workshop)
-k8s/

apps/unicorn-store-spring-java25/src/main/java/com/unicorn/store/service/ThreadGeneratorService.java

@@ -24,13 +24,13 @@ public synchronized void startThreads(int threadCount) {
         logger.info("Starting {} threads", threadCount);
 
         for (int i = 0; i < threadCount; i++) {
-            var thread = Thread.ofVirtual()
+            var thread = Thread.ofPlatform()
                     .name("DummyThread-" + i)
                     .start(new DummyWorkload(running));
             activeThreads.add(thread);
         }
 
-        logger.info("Started {} virtual threads", threadCount);
+        logger.info("Started {} platform threads", threadCount);
     }
 
     public synchronized void stopThreads() {

infra/cdk/src/main/java/sample/com/constructs/ThreadAnalysis.java

@@ -2,7 +2,6 @@
 
 import software.amazon.awscdk.Duration;
 import software.amazon.awscdk.RemovalPolicy;
-import software.amazon.awscdk.services.apigateway.*;
 import software.amazon.awscdk.services.ec2.*;
 import software.amazon.awscdk.services.eks.v2.alpha.AccessEntry;
 import software.amazon.awscdk.services.eks.v2.alpha.AccessEntryType;
@@ -14,6 +13,9 @@
 import software.amazon.awscdk.services.iam.*;
 import software.amazon.awscdk.services.lambda.Code;
 import software.amazon.awscdk.services.lambda.Function;
+import software.amazon.awscdk.services.lambda.FunctionUrl;
+import software.amazon.awscdk.services.lambda.FunctionUrlAuthType;
+import software.amazon.awscdk.services.lambda.FunctionUrlOptions;
 import software.amazon.awscdk.services.lambda.Runtime;
 import software.amazon.awscdk.services.logs.LogGroup;
 import software.amazon.awscdk.services.logs.RetentionDays;
@@ -28,13 +30,14 @@
 
 /**
  * ThreadAnalysis construct for thread dump analysis.
- * Creates Lambda function and API Gateway for thread dump collection and AI analysis.
+ * Creates Lambda function with Function URL for thread dump collection and AI analysis.
+ * Uses async self-invocation pattern for fast webhook response.
  */
 public class ThreadAnalysis extends Construct {
 
     private final SecurityGroup lambdaSecurityGroup;
     private final Function threadDumpLambda;
-    private final RestApi threadDumpApi;
+    private final FunctionUrl functionUrl;
     private final Role lambdaRole;
 
     public static class ThreadAnalysisProps {
@@ -130,21 +133,14 @@ public ThreadAnalysis(final Construct scope, final String id, final ThreadAnalys
             props.getWorkshopBucket().grantReadWrite(lambdaRole);
         }
 
-        // Create Lambda security group
+        // Create Lambda security group for EKS and ECS access
         this.lambdaSecurityGroup = SecurityGroup.Builder.create(this, "SecurityGroup")
             .vpc(props.getVpc())
             .securityGroupName(prefix + "-thread-dump-lambda-sg")
             .description("Security group for Thread Dump Lambda function")
             .allowAllOutbound(true)
             .build();
 
-        // Allow inbound from VPC for HTTPS
-        lambdaSecurityGroup.addIngressRule(
-            Peer.ipv4(props.getVpc().getVpcCidrBlock()),
-            Port.tcp(443),
-            "Allow VPC traffic to Lambda"
-        );
-
         // Create CloudWatch Log Group
         LogGroup.Builder.create(this, "LogGroup")
             .logGroupName("/aws/lambda/" + prefix + "-thread-dump-lambda")
@@ -173,56 +169,22 @@ public ThreadAnalysis(final Construct scope, final String id, final ThreadAnalys
                 "S3_BUCKET_NAME", bucketName,
                 "EKS_CLUSTER_NAME", eksClusterName,
                 "S3_THREAD_DUMPS_PREFIX", "thread-dumps/",
-                "APP_LABEL", "unicorn-store-spring",
-                "KUBERNETES_AUTH_TYPE", "aws",
-                "K8S_NAMESPACE", "unicorn-store-spring",
                 "SECRET_NAME", prefix + "-ide-password"
             ))
             .build();
 
-        // Create VPC Endpoint for API Gateway
-        InterfaceVpcEndpoint apiGatewayEndpoint = InterfaceVpcEndpoint.Builder.create(this, "ApiGatewayVpcEndpoint")
-            .vpc(props.getVpc())
-            .service(InterfaceVpcEndpointAwsService.APIGATEWAY)
-            .subnets(SubnetSelection.builder()
-                .subnetType(SubnetType.PRIVATE_WITH_EGRESS)
-                .build())
-            .securityGroups(List.of(lambdaSecurityGroup))
-            .privateDnsEnabled(true)
-            .build();
-
-        // Create Private REST API Gateway
-        this.threadDumpApi = RestApi.Builder.create(this, "Api")
-            .restApiName(prefix + "-thread-dump-api")
-            .endpointConfiguration(EndpointConfiguration.builder()
-                .types(List.of(EndpointType.PRIVATE))
-                .vpcEndpoints(List.of(apiGatewayEndpoint))
-                .build())
-            .policy(PolicyDocument.Builder.create()
-                .statements(List.of(
-                    PolicyStatement.Builder.create()
-                        .effect(Effect.ALLOW)
-                        .principals(List.of(new AnyPrincipal()))
-                        .actions(List.of("execute-api:Invoke"))
-                        .resources(List.of("*"))
-                        .conditions(Map.of(
-                            "StringEquals", Map.of(
-                                "aws:SourceVpce", apiGatewayEndpoint.getVpcEndpointId()
-                            )
-                        ))
-                        .build()
-                ))
-                .build())
-            .build();
-
-        // Remove auto-generated endpoint output
-        threadDumpApi.getNode().tryRemoveChild("Endpoint");
-
-        // Add POST method to root
-        LambdaIntegration lambdaIntegration = LambdaIntegration.Builder.create(threadDumpLambda)
-            .build();
+        // Add permission for Lambda to invoke itself (async pattern)
+        threadDumpLambda.addToRolePolicy(PolicyStatement.Builder.create()
+            .effect(Effect.ALLOW)
+            .actions(List.of("lambda:InvokeFunction"))
+            .resources(List.of(threadDumpLambda.getFunctionArn()))
+            .build());
 
-        threadDumpApi.getRoot().addMethod("POST", lambdaIntegration);
+        // Create Function URL (replaces API Gateway + VPC Endpoint)
+        // Auth is handled by Lambda code via basic auth against Secrets Manager
+        this.functionUrl = threadDumpLambda.addFunctionUrl(FunctionUrlOptions.builder()
+            .authType(FunctionUrlAuthType.NONE)
+            .build());
 
         // Create EKS Access Entry for Lambda role (if EKS cluster provided)
         if (props.getEksCluster() != null) {
@@ -292,8 +254,8 @@ public Function getThreadDumpLambda() {
         return threadDumpLambda;
     }
 
-    public RestApi getThreadDumpApi() {
-        return threadDumpApi;
+    public FunctionUrl getFunctionUrl() {
+        return functionUrl;
     }
 
     public Role getLambdaRole() {

infra/cfn/base-stack.yaml

@@ -676,6 +676,29 @@ Resources:
         Fn::GetAtt:
           - IdeInstanceLauncherFunction803C5A2A
           - Arn
+      InstanceTypes: m6a.xlarge,m7a.xlarge
+      InstanceName: ide
+      IamInstanceProfileArn:
+        Fn::GetAtt:
+          - IdeInstanceProfile61B92038
+          - Arn
+      VolumeSize: "50"
+      SubnetIds:
+        Fn::Join:
+          - ""
+          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
+            - ","
+            - Ref: VpcPublicSubnet2SubnetA811849C
+      SecurityGroupIds:
+        Fn::Join:
+          - ""
+          - - Fn::GetAtt:
+                - IdeSecurityGroup73B02454
+                - GroupId
+            - ","
+            - Fn::GetAtt:
+                - IdeInternalSecurityGroupB0A5D76B
+                - GroupId
       ImageId:
         Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter
       UserData:
@@ -814,29 +837,6 @@ Resources:
                 "
                     exit 1
                 fi
-      InstanceTypes: m6a.xlarge,m7a.xlarge
-      InstanceName: ide
-      IamInstanceProfileArn:
-        Fn::GetAtt:
-          - IdeInstanceProfile61B92038
-          - Arn
-      VolumeSize: "50"
-      SubnetIds:
-        Fn::Join:
-          - ""
-          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
-            - ","
-            - Ref: VpcPublicSubnet2SubnetA811849C
-      SecurityGroupIds:
-        Fn::Join:
-          - ""
-          - - Fn::GetAtt:
-                - IdeSecurityGroup73B02454
-                - GroupId
-            - ","
-            - Fn::GetAtt:
-                - IdeInternalSecurityGroupB0A5D76B
-                - GroupId
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
   IdeEipAssociationDFF81215:

infra/cfn/java-ai-agents-stack.yaml

@@ -760,25 +760,6 @@ Resources:
         Fn::GetAtt:
           - IdeInstanceLauncherFunction803C5A2A
           - Arn
-      VolumeSize: "50"
-      SubnetIds:
-        Fn::Join:
-          - ""
-          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
-            - ","
-            - Ref: VpcPublicSubnet2SubnetA811849C
-      SecurityGroupIds:
-        Fn::Join:
-          - ""
-          - - Fn::GetAtt:
-                - IdeSecurityGroup73B02454
-                - GroupId
-            - ","
-            - Fn::GetAtt:
-                - IdeInternalSecurityGroupB0A5D76B
-                - GroupId
-      ImageId:
-        Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter
       UserData:
         Fn::Base64:
           Fn::Join:
@@ -921,6 +902,25 @@ Resources:
         Fn::GetAtt:
           - IdeInstanceProfile61B92038
           - Arn
+      VolumeSize: "50"
+      SubnetIds:
+        Fn::Join:
+          - ""
+          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
+            - ","
+            - Ref: VpcPublicSubnet2SubnetA811849C
+      SecurityGroupIds:
+        Fn::Join:
+          - ""
+          - - Fn::GetAtt:
+                - IdeSecurityGroup73B02454
+                - GroupId
+            - ","
+            - Fn::GetAtt:
+                - IdeInternalSecurityGroupB0A5D76B
+                - GroupId
+      ImageId:
+        Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
   IdeEipAssociationDFF81215: