Skip to content

Feature/platform best practices#13

Open
tukue wants to merge 12 commits into
mainfrom
feature/platform-best-practices
Open

Feature/platform best practices#13
tukue wants to merge 12 commits into
mainfrom
feature/platform-best-practices

Conversation

@tukue
Copy link
Copy Markdown
Owner

@tukue tukue commented Jun 3, 2026

No description provided.

tukue added 7 commits May 25, 2026 18:24
@tukue
Implement platform product improvement backlog
86649e0
@tukue
Address platform construct security review
1d4b543
@tukue
Fix CI assertions for restricted VPC provider
455886a
@tukue
Merge branch 'main' into feature/platform-product-surface
6d30ab4
@tukue
Add improvement-form docs folder
3b72478
@tukue
Fix checkov CKV_AWS_115, CKV_AWS_116, CKV_AWS_117 on CDK-generated cu…
609c2ec 
…stom resource Lambda

Apply Aspect at stack level to reach the singleton provider Lambda, set
reservedConcurrentExecutions and DLQ, and skip VPC placement check.
@tukue
Implement high-priority platform engineering best practices
275b622 
- Add cdk-nag compliance guardrails (AwsSolutionsChecks + tag enforcement)
- Add snapshot/synth tests to detect infrastructure drift
- Define platform product contract with SLOs, personas, support model
- Update CI pipeline with cdk-nag compliance checks
- Add governance tag enforcement CDK Aspect
- Integrate cdk-nag into CdkAppStack and OrdersServiceStack
amazon-q-developer[bot]
amazon-q-developer Bot reviewed Jun 3, 2026
View reviewed changes
Copy link
Copy Markdown

@amazon-q-developer amazon-q-developer Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR introduces platform best practices including comprehensive compliance guardrails with cdk-nag, reusable platform constructs, and enhanced CI/CD with security scanning (Checkov and Trivy). The overall architecture follows secure-by-default patterns with encryption, VPC isolation, and IAM authorization.

Critical Issues Requiring Fix:

  1. Logic Error: The Aspect in ApiLambdaDynamoService modifies ALL Lambda functions across the entire stack, overriding user-configured concurrency settings. Scope it to the construct only using cdk.Aspects.of(this) instead of cdk.Aspects.of(cdk.Stack.of(this)).

  2. Crash Risk: CORS validation in validateProps() will throw a runtime error if props.cors?.allowOrigins is undefined. Add optional chaining to the .some() call.

These issues must be resolved before merge as they will cause runtime failures and unexpected behavior in production environments.

You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.

Comment thread packages/platform-constructs/src/api-lambda-dynamo-service/index.ts Outdated
Comment on lines +162 to +180
cdk.Aspects.of(cdk.Stack.of(this)).add({
visit(node: constructs.IConstruct): void {
if (node instanceof lambda.CfnFunction && !node.deadLetterConfig) {
node.deadLetterConfig = { targetArn: retryQueue.queueArn };
node.reservedConcurrentExecutions = 1;
node.cfnOptions.metadata = {
...node.cfnOptions.metadata,
checkov: {
skip: [
{
id: 'CKV_AWS_117',
comment: 'Custom resource Lambda cannot be placed inside a VPC',
},
],
},
};
}
},
});
Copy link
Copy Markdown

@amazon-q-developer amazon-q-developer Bot Jun 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛑 Logic Error: Aspect modifies ALL Lambda functions in the stack, potentially overriding user-configured concurrency. The aspect sets reservedConcurrentExecutions = 1 on every Lambda without a DLQ, which conflicts with the main Lambda's configured value of 10 and may break other functions in the stack.

Suggested change
cdk.Aspects.of(cdk.Stack.of(this)).add({
visit(node: constructs.IConstruct): void {
if (node instanceof lambda.CfnFunction && !node.deadLetterConfig) {
node.deadLetterConfig = { targetArn: retryQueue.queueArn };
node.reservedConcurrentExecutions = 1;
node.cfnOptions.metadata = {
...node.cfnOptions.metadata,
checkov: {
skip: [
{
id: 'CKV_AWS_117',
comment: 'Custom resource Lambda cannot be placed inside a VPC',
},
],
},
};
}
},
});
const retryQueue = this.retryQueue;
cdk.Aspects.of(this).add({
visit(node: constructs.IConstruct): void {
if (node instanceof lambda.CfnFunction && !node.deadLetterConfig) {
node.deadLetterConfig = { targetArn: retryQueue.queueArn };
node.reservedConcurrentExecutions = 1;
node.cfnOptions.metadata = {
...node.cfnOptions.metadata,
checkov: {
skip: [
{
id: 'CKV_AWS_117',
comment: 'Custom resource Lambda cannot be placed inside a VPC',
},
],
},
};
}
},
});

Comment thread packages/platform-constructs/src/api-lambda-dynamo-service/index.ts Outdated
Comment on lines +275 to +277
if (props.cors?.allowOrigins.some((origin) => origin === '*')) {
throw new Error('ApiLambdaDynamoService cors.allowOrigins must not include wildcard origins.');
}
Copy link
Copy Markdown

@amazon-q-developer amazon-q-developer Bot Jun 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛑 Crash Risk: Missing validation for optional CORS array before calling .some(). If props.cors?.allowOrigins is undefined or null, this will throw a runtime error when validating CORS configuration.

Suggested change
if (props.cors?.allowOrigins.some((origin) => origin === '*')) {
throw new Error('ApiLambdaDynamoService cors.allowOrigins must not include wildcard origins.');
}
if (props.cors?.allowOrigins?.some((origin) => origin === '*')) {
throw new Error('ApiLambdaDynamoService cors.allowOrigins must not include wildcard origins.');
}

tukue added 5 commits June 3, 2026 16:08
@tukue
Fix cdk-nag version to 2.28.0 for aws-cdk-lib@2.99.1 compatibility
ec2c147
@tukue
Fix aspect scope and CORS validation
ae63a70 
- Scope DLQ aspect to construct only (cdk.Aspects.of(this)) instead of entire stack
- Add optional chaining to prevent crash when allowOrigins is undefined
@tukue
Fix TagEnforcementAspect API compatibility for aws-cdk-lib@2.99.1
46e3b3e
@tukue
Remove TagEnforcementAspect (Tags API unsupported in CDK 2.99.1); tag…
7ce7905 
… validation covered by tests
@tukue
Fix snapshot tests: use correct CDK assertions API (hasResourceProper…
de9c38f 
…ties throws, not returns boolean)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@amazon-q-developer amazon-q-developer[bot] amazon-q-developer[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tukue