Refactored Phoenix IaC and added IaC test workflow for Phoenix

.github/workflows/bedrock-build.yml

@@ -14,7 +14,6 @@ concurrency:
 defaults:
   run:
     shell: bash
-    working-directory: Bedrock/cdk/guardrail
 
 jobs:
   bedrock-guardrail:
@@ -24,22 +23,41 @@ jobs:
       ENV_STAGE: dev
     steps:
       - uses: actions/checkout@v4
-
       - run: make lint-python
-
       - uses: actions/setup-node@v4
         with:
           node-version: 22
-
       - name: Set up aws-cdk
         run: make install-cdk
-
       - name: Print deployment environment
         run: |
           echo "INFO: cdk version: $(cdk --version)"
           echo "INFO: node version: $(node --version)"
           echo "INFO: npm version: $(npm --version)"
           echo "INFO: python3 version: $(python3 --version)"
-
       - name: Run cdk synth
+        working-directory: Bedrock/cdk/guardrail
         run: make synth-guardrail
+
+  bedrock-phoenix:
+    name: Test Bedrock Phoenix IaC
+    runs-on: ubuntu-latest
+    env:
+      ENV_STAGE: dev
+    steps:
+      - uses: actions/checkout@v4
+      - run: make lint-python
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+      - name: Set up aws-cdk
+        run: make install-cdk
+      - name: Print deployment environment
+        run: |
+          echo "INFO: cdk version: $(cdk --version)"
+          echo "INFO: node version: $(node --version)"
+          echo "INFO: npm version: $(npm --version)"
+          echo "INFO: python3 version: $(python3 --version)"
+      - name: Run cdk synth
+        working-directory: Bedrock/cdk/phoenix
+        run: make synth-local

Bedrock/cdk/phoenix/Makefile

@@ -9,16 +9,19 @@ install-cdk:
 	python3 -m pip install -U pip
 	pip3 install -r requirements.txt
 
-synth-phoenix:
+synth:
 	cdk synth $(APP_NAME)-Phoenix -c env=$(ENV_STAGE)
 
-diff-phoenix:
+synth-local:
+	CDK_LOCAL_SYNC=true cdk synth $(APP_NAME)-Phoenix -c env=$(ENV_STAGE)
+
+diff:
 	cdk diff $(APP_NAME)-Phoenix -c env=$(ENV_STAGE)
 
-deploy-phoenix:
-	cdk deploy $(APP_NAME)-Phoenix -c env=$(ENV_STAGE) $(APP_NAME) --require-approval never
+deploy:
+	cdk deploy $(APP_NAME)-Phoenix -c env=$(ENV_STAGE) --require-approval never
 
-destroy-phoenix:
+destroy:
 	cdk destroy $(APP_NAME)-Phoenix -f -c env=$(ENV_STAGE)
 
 test-cdk:
@@ -41,4 +44,4 @@ lint-yaml:
 	yamllint -c .github/linters/.yaml-lint.yml -f parsable .
 
 clean:
-	rm -rf cdk.out __pycache__
+	rm -rf cdk.out lib/__pycache__

Bedrock/cdk/phoenix/app.py

@@ -2,8 +2,8 @@
 from os.path import dirname, join, realpath
 
 import yaml
-from aws_cdk import App, Environment, Tags
-from phoenix import AlbFargate
+from aws_cdk import App, CliCredentialsStackSynthesizer, Environment, Tags
+from lib.phoenix import AlbFargate
 
 ENV_DIR = join(dirname(realpath(__file__)), "environment")
 
@@ -25,6 +25,8 @@ def main():
         config=config,
         image=config["Phoenix"]["image"],
         env=Environment(account=config["Account"], region=config["Region"]),
+        synthesizer=CliCredentialsStackSynthesizer(),
+        termination_protection=(ENV_NAME == "prd"),
     )
     # stack.alb_sg.add_ingress_rule(
     #     peer=another_stack.task_security_group,

Bedrock/cdk/phoenix/base_infra.py → Bedrock/cdk/phoenix/lib/base_infra.py

@@ -1,8 +1,12 @@
+import os
+
 from aws_cdk import aws_ec2 as ec2
 from aws_cdk import aws_route53 as r53
 from aws_cdk.aws_ssm import StringParameter
 from constructs import Construct
 
+CDK_LOCAL_SYNC = os.environ.get("CDK_LOCAL_SYNC", "false").lower() == "true"  # with no credentials
+
 AZS = ["ap-southeast-2"]
 SSM_PARAM_INT_CERT_WILDCARD_ARN = "/account/int-certificate-wildcard-arn"
 SSM_PARAM_INT_HOSTZONE_NAME = "/account/int-hostedzone-name"
@@ -21,11 +25,9 @@ def __init__(self, scope: Construct, app_name: str) -> None:
         self.app_name = app_name
         self.base_stack_name = app_name.lower()
 
-        self.int_certificate_wildcard_arn = StringParameter.value_from_lookup(
-            self, SSM_PARAM_INT_CERT_WILDCARD_ARN
-        )
-        self.int_hosted_zone_name = StringParameter.value_from_lookup(self, SSM_PARAM_INT_HOSTZONE_NAME)
-        self.int_hosted_zone_id = StringParameter.value_from_lookup(self, SSM_PARAM_INT_HOSTZONE_ID)
+        self.int_certificate_wildcard_arn = self._value_from_lookup(SSM_PARAM_INT_CERT_WILDCARD_ARN)
+        self.int_hosted_zone_name = self._value_from_lookup(SSM_PARAM_INT_HOSTZONE_NAME)
+        self.int_hosted_zone_id = self._value_from_lookup(SSM_PARAM_INT_HOSTZONE_ID)
         self.int_hosted_zone = r53.HostedZone.from_hosted_zone_attributes(
             self,
             "InternalHostedZone",
@@ -38,13 +40,13 @@ def __init__(self, scope: Construct, app_name: str) -> None:
             self.int_domain_name = self.int_hosted_zone_name[:-1]
 
         self.app_subnet_ids = [
-            StringParameter.value_from_lookup(self, SSM_PARAM_VPC01_SUBNET_APP_A_ID),
-            StringParameter.value_from_lookup(self, SSM_PARAM_VPC01_SUBNET_APP_B_ID),
-            StringParameter.value_from_lookup(self, SSM_PARAM_VPC01_SUBNET_APP_C_ID),
+            self._value_from_lookup(SSM_PARAM_VPC01_SUBNET_APP_A_ID),
+            self._value_from_lookup(SSM_PARAM_VPC01_SUBNET_APP_B_ID),
+            self._value_from_lookup(SSM_PARAM_VPC01_SUBNET_APP_C_ID),
         ]
         self.app_subnets = [ec2.Subnet.from_subnet_id(self, id, id) for id in self.app_subnet_ids]
 
-        self.vpc_id = StringParameter.value_from_lookup(self, SSM_PARAM_VPC01_ID)
+        self.vpc_id = self._value_from_lookup(SSM_PARAM_VPC01_ID)
         self.app_vpc = ec2.Vpc.from_vpc_attributes(
             self,
             "AppVpc",
@@ -56,5 +58,10 @@ def __init__(self, scope: Construct, app_name: str) -> None:
         self.int_users_sg = ec2.SecurityGroup.from_security_group_id(
             self,
             "InternalUsersSG",
-            StringParameter.value_from_lookup(self, SSM_PARAM_VPC01_SG_INT_USERS_ID),
+            self._value_from_lookup(SSM_PARAM_VPC01_SG_INT_USERS_ID),
         )
+
+    def _value_from_lookup(self, param_name: str) -> str:
+        if CDK_LOCAL_SYNC is True:
+            return f'mock-{param_name.replace("/", "-")}'
+        return StringParameter.value_from_lookup(self, param_name)

Bedrock/cdk/phoenix/phoenix.py → Bedrock/cdk/phoenix/lib/phoenix.py

@@ -11,8 +11,8 @@
 from aws_cdk import aws_iam as iam
 from aws_cdk import aws_route53 as r53
 from aws_cdk import aws_route53_targets as r53_targets
-from base_infra import BaseInfra
 from constructs import Construct
+from lib.base_infra import BaseInfra
 
 
 class AlbFargate(Stack):

CHANGELOG.md

@@ -2,16 +2,15 @@
 
 All notable changes to this project will be documented in this file.
 
-
 ## 2024-09-23
 
 ### Added
-   * Added [Bedrock/cdk/phoenix/](Bedrock/cdk/phoenix/) - cdk for deploying Arize Phoenix.
+   * Added [Bedrock/cdk/phoenix/](Bedrock/cdk/phoenix/) cdk and workflow for deploying Arize Phoenix.
 
 ## 2024-09-20
 
 ### Added
-   * Added [Bedrock/cdk/guardrail/](Bedrock/cdk/guardrail/) - cdk for deploying Bedrock Guardrail.
+   * Added [Bedrock/cdk/guardrail/](Bedrock/cdk/guardrail/) cdk and workflow for deploying Bedrock Guardrail.
 
 ## 2024-05-23