refactor(infra): simplify Unicorn construct and reorganize CloudFormation templates

Author: Yuriy Bezsonov

infra/cdk/src/main/java/sample/com/WorkshopStack.java

@@ -120,8 +120,6 @@ public WorkshopStack(final Construct scope, final String id, final StackProps pr
             // Unicorn construct: Roles + DB Setup (uses unicorn* naming for workshop content compatibility)
             Unicorn unicorn = new Unicorn(this, "Unicorn", Unicorn.UnicornProps.builder()
                 .vpc(vpc.getVpc())
-                .eksRolesEnabled(true)
-                .ecsRolesEnabled(false)
                 .database(database)
                 .workshopBucket(workshopBucket.getBucket())
                 .build());

infra/cdk/src/main/java/sample/com/constructs/Unicorn.java

@@ -70,14 +70,10 @@ public Unicorn(final Construct scope, final String id, final UnicornProps props)
             .build();
 
         // === EKS ROLES ===
-        if (props.isEksRolesEnabled()) {
-            createEksRoles(props);
-        }
+        createEksRoles(props);
 
         // === ECS ROLES ===
-        if (props.isEcsRolesEnabled()) {
-            createEcsRoles(props);
-        }
+        createEcsRoles(props);
 
         // === DATABASE SETUP ===
         if (props.getDatabase() != null) {
@@ -278,15 +274,11 @@ public Role getEcsTaskExecutionRole() {
 
     // Props class
     public static class UnicornProps {
-        private final boolean eksRolesEnabled;
-        private final boolean ecsRolesEnabled;
         private final Database database;
         private final IBucket workshopBucket;
         private final software.amazon.awscdk.services.ec2.IVpc vpc;
 
         private UnicornProps(Builder builder) {
-            this.eksRolesEnabled = builder.eksRolesEnabled;
-            this.ecsRolesEnabled = builder.ecsRolesEnabled;
             this.database = builder.database;
             this.workshopBucket = builder.workshopBucket;
             this.vpc = builder.vpc;
@@ -296,14 +288,6 @@ public static Builder builder() {
             return new Builder();
         }
 
-        public boolean isEksRolesEnabled() {
-            return eksRolesEnabled;
-        }
-
-        public boolean isEcsRolesEnabled() {
-            return ecsRolesEnabled;
-        }
-
         public Database getDatabase() {
             return database;
         }
@@ -317,22 +301,10 @@ public software.amazon.awscdk.services.ec2.IVpc getVpc() {
         }
 
         public static class Builder {
-            private boolean eksRolesEnabled = false;
-            private boolean ecsRolesEnabled = false;
             private Database database;
             private IBucket workshopBucket;
             private software.amazon.awscdk.services.ec2.IVpc vpc;
 
-            public Builder eksRolesEnabled(boolean eksRolesEnabled) {
-                this.eksRolesEnabled = eksRolesEnabled;
-                return this;
-            }
-
-            public Builder ecsRolesEnabled(boolean ecsRolesEnabled) {
-                this.ecsRolesEnabled = ecsRolesEnabled;
-                return this;
-            }
-
             public Builder database(Database database) {
                 this.database = database;
                 return this;

infra/cfn/base-stack.yaml

@@ -676,18 +676,6 @@ Resources:
         Fn::GetAtt:
           - IdeInstanceLauncherFunction803C5A2A
           - Arn
-      InstanceName: ide
-      IamInstanceProfileArn:
-        Fn::GetAtt:
-          - IdeInstanceProfile61B92038
-          - Arn
-      VolumeSize: "50"
-      SubnetIds:
-        Fn::Join:
-          - ""
-          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
-            - ","
-            - Ref: VpcPublicSubnet2SubnetA811849C
       SecurityGroupIds:
         Fn::Join:
           - ""
@@ -698,8 +686,19 @@ Resources:
             - Fn::GetAtt:
                 - IdeInternalSecurityGroupB0A5D76B
                 - GroupId
-      ImageId:
-        Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter
+      SubnetIds:
+        Fn::Join:
+          - ""
+          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
+            - ","
+            - Ref: VpcPublicSubnet2SubnetA811849C
+      VolumeSize: "50"
+      IamInstanceProfileArn:
+        Fn::GetAtt:
+          - IdeInstanceProfile61B92038
+          - Arn
+      InstanceName: ide
+      InstanceTypes: m6i.xlarge,m5.xlarge,m6a.xlarge,m7i-flex.xlarge,m7a.xlarge,t3.xlarge
       UserData:
         Fn::Base64:
           Fn::Join:
@@ -836,7 +835,8 @@ Resources:
                 "
                     exit 1
                 fi
-      InstanceTypes: m6i.xlarge,m5.xlarge,m6a.xlarge,m7i-flex.xlarge,m7a.xlarge,t3.xlarge
+      ImageId:
+        Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
   IdeEipAssociationDFF81215:

infra/cfn/java-ai-agents-stack.yaml

@@ -760,6 +760,7 @@ Resources:
         Fn::GetAtt:
           - IdeInstanceLauncherFunction803C5A2A
           - Arn
+      InstanceName: ide
       IamInstanceProfileArn:
         Fn::GetAtt:
           - IdeInstanceProfile61B92038
@@ -920,7 +921,6 @@ Resources:
                     exit 1
                 fi
       InstanceTypes: m6i.xlarge,m5.xlarge,m6a.xlarge,m7i-flex.xlarge,m7a.xlarge,t3.xlarge
-      InstanceName: ide
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
   IdeEipAssociationDFF81215:

infra/cfn/java-on-amazon-eks-stack.yaml

@@ -780,13 +780,6 @@ Resources:
         Fn::GetAtt:
           - IdeInstanceLauncherFunction803C5A2A
           - Arn
-      SubnetIds:
-        Fn::Join:
-          - ""
-          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
-            - ","
-            - Ref: VpcPublicSubnet2SubnetA811849C
-      VolumeSize: "50"
       IamInstanceProfileArn:
         Fn::GetAtt:
           - IdeInstanceProfile61B92038
@@ -941,6 +934,13 @@ Resources:
             - Fn::GetAtt:
                 - IdeInternalSecurityGroupB0A5D76B
                 - GroupId
+      SubnetIds:
+        Fn::Join:
+          - ""
+          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
+            - ","
+            - Ref: VpcPublicSubnet2SubnetA811849C
+      VolumeSize: "50"
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
   IdeEipAssociationDFF81215:
@@ -1319,12 +1319,12 @@ Resources:
       Environment:
         ComputeType: BUILD_GENERAL1_MEDIUM
         EnvironmentVariables:
-          - Name: TEMPLATE_TYPE
-            Type: PLAINTEXT
-            Value: java-on-amazon-eks
           - Name: GIT_BRANCH
             Type: PLAINTEXT
             Value: new-ws-infra
+          - Name: TEMPLATE_TYPE
+            Type: PLAINTEXT
+            Value: java-on-amazon-eks
         Image: aws/codebuild/amazonlinux2-x86_64-standard:5.0
         ImagePullCredentialsType: CODEBUILD
         PrivilegedMode: false
@@ -1529,12 +1529,12 @@ Resources:
       Description: workshop-setup build complete
       EventPattern:
         detail:
-          project-name:
-            - Ref: CodeBuildProjectA0FF5539
           build-status:
             - SUCCEEDED
             - FAILED
             - STOPPED
+          project-name:
+            - Ref: CodeBuildProjectA0FF5539
         detail-type:
           - CodeBuild Build State Change
         source:
@@ -1566,13 +1566,13 @@ Resources:
         Fn::GetAtt:
           - CodeBuildStartLambdaFunction8349284F
           - Arn
-      ProjectName:
-        Ref: CodeBuildProjectA0FF5539
-      ContentHash: "1766758207993"
+      ContentHash: "1766773872588"
       CodeBuildIamRoleArn:
         Fn::GetAtt:
           - CodeBuildRoleE9A44575
           - Arn
+      ProjectName:
+        Ref: CodeBuildProjectA0FF5539
     DependsOn:
       - CodeBuildCompleteRuleAllowEventRuleWorkshopStackCodeBuildReportLambdaFunctionD77C60919E0B0C89
       - CodeBuildCompleteRuleEE9277E8
@@ -1884,7 +1884,7 @@ Resources:
             - Ref: AWS::AccountId
             - "-"
             - Ref: AWS::Region
-            - "-20251226151008"
+            - "-20251226193112"
       PublicAccessBlockConfiguration:
         BlockPublicAcls: true
         BlockPublicPolicy: true
@@ -2465,6 +2465,110 @@ Resources:
       PolicyName: UnicornUnicornStoreEksPodRoleDefaultPolicy0D527B93
       Roles:
         - Ref: UnicornUnicornStoreEksPodRoleB15D12B7
+  UnicornUnicornStoreEcsInfrastructureRoleEDFFC1E6:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Action: sts:AssumeRole
+            Effect: Allow
+            Principal:
+              Service: ecs.amazonaws.com
+        Version: "2012-10-17"
+      Description: ECS infrastructure role for Express Mode services
+      ManagedPolicyArns:
+        - Fn::Join:
+            - ""
+            - - "arn:"
+              - Ref: AWS::Partition
+              - :iam::aws:policy/service-role/AmazonECSInfrastructureRoleforExpressGatewayServices
+      Path: /service-role/
+      RoleName: unicornstore-ecs-infrastructure-role
+  UnicornUnicornStoreEcsTaskExecutionRoleC2148AE8:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Action: sts:AssumeRole
+            Effect: Allow
+            Principal:
+              Service: ecs-tasks.amazonaws.com
+        Version: "2012-10-17"
+      Description: ECS task execution role for pulling images and injecting secrets
+      ManagedPolicyArns:
+        - Fn::Join:
+            - ""
+            - - "arn:"
+              - Ref: AWS::Partition
+              - :iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
+      Path: /service-role/
+      RoleName: unicornstore-ecs-task-execution-role
+  UnicornUnicornStoreEcsTaskExecutionRoleDefaultPolicy3FC9EFEE:
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyDocument:
+        Statement:
+          - Action: logs:CreateLogGroup
+            Effect: Allow
+            Resource: "*"
+          - Action:
+              - secretsmanager:DescribeSecret
+              - secretsmanager:GetSecretValue
+            Effect: Allow
+            Resource:
+              Ref: DatabaseSecret3B817195
+          - Action:
+              - ssm:DescribeParameters
+              - ssm:GetParameter
+              - ssm:GetParameterHistory
+              - ssm:GetParameters
+            Effect: Allow
+            Resource:
+              Fn::Join:
+                - ""
+                - - "arn:"
+                  - Ref: AWS::Partition
+                  - ":ssm:"
+                  - Ref: AWS::Region
+                  - ":"
+                  - Ref: AWS::AccountId
+                  - :parameter/
+                  - Ref: DatabaseConnectionString52D1E98E
+        Version: "2012-10-17"
+      PolicyName: UnicornUnicornStoreEcsTaskExecutionRoleDefaultPolicy3FC9EFEE
+      Roles:
+        - Ref: UnicornUnicornStoreEcsTaskExecutionRoleC2148AE8
+  UnicornUnicornStoreEcsTaskRoleD7FBB789:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Action: sts:AssumeRole
+            Effect: Allow
+            Principal:
+              Service: ecs-tasks.amazonaws.com
+        Version: "2012-10-17"
+      Description: ECS task role for application runtime permissions
+      Path: /service-role/
+      RoleName: unicornstore-ecs-task-role
+  UnicornUnicornStoreEcsTaskRoleDefaultPolicy477138EA:
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyDocument:
+        Statement:
+          - Action: xray:PutTraceSegments
+            Effect: Allow
+            Resource: "*"
+          - Action: events:PutEvents
+            Effect: Allow
+            Resource:
+              Fn::GetAtt:
+                - UnicornUnicornEventBusB728845C
+                - Arn
+        Version: "2012-10-17"
+      PolicyName: UnicornUnicornStoreEcsTaskRoleDefaultPolicy477138EA
+      Roles:
+        - Ref: UnicornUnicornStoreEcsTaskRoleD7FBB789
   UnicornUnicornStoreDatabaseSetupFunctionServiceRole61942171:
     Type: AWS::IAM::Role
     Properties:
@@ -2717,6 +2821,9 @@ Resources:
         Fn::GetAtt:
           - UnicornUnicornStoreDatabaseSetupFunction04E12F8B
           - Arn
+      SqlStatements: |
+        CREATE TABLE IF NOT EXISTS unicorns(id TEXT DEFAULT gen_random_uuid() PRIMARY KEY, name TEXT, age TEXT, size TEXT, type TEXT);
+        CREATE EXTENSION IF NOT EXISTS vector;
       SecretName:
         Fn::Join:
           - "-"
@@ -2747,9 +2854,6 @@ Resources:
                         - Fn::Split:
                             - ":"
                             - Ref: DatabaseSecret3B817195
-      SqlStatements: |
-        CREATE TABLE IF NOT EXISTS unicorns(id TEXT DEFAULT gen_random_uuid() PRIMARY KEY, name TEXT, age TEXT, size TEXT, type TEXT);
-        CREATE EXTENSION IF NOT EXISTS vector;
     DependsOn:
       - DatabaseClusterDatabaseWriterF4C0B9A6
       - DatabaseCluster5B53A178