
feat(bootstrap): resource-action-map for synth-time validation#165

Draft
scottschreckengaust wants to merge 9 commits into main from feat/bootstrap-action-map

Conversation

@scottschreckengaust
Contributor

Summary

Closes #124
Closes #164

Creates a mapping from CloudFormation resource types to required IAM actions (CRUD lifecycle), scoped to all resource types in this app's synthesized template. Introduces getRequiredBootstrapPolicies() for downstream consumption by the Aspect (#125) and preflight validator (#126). Gates ECS construct on compute_type context variable (replaces comment toggle).

Stack position

PR 5 for #120 — least-privilege CDK bootstrap policies as code

Prior: Custom template generator + compute variants (PR #162, #123)

This PR: Resource-action-map + ECS context gate + required-policies module

Next: CDK Aspect for policy envelope checking (#125)

Key decisions

  • ECS context gate (refactor(compute): gate ECS construct on compute_type context instead of comment toggle #164): Construct is always in source, compute_type governs synthesis — no commenting/uncommenting
  • getRequiredBootstrapPolicies(computeType): Single function declaring what the app needs, consumed by Aspect and preflight
  • Dual-config synth-coverage test: Validates map completeness for both agentcore and ecs configurations
  • Map scoped to this app's resources (~60 types): Unknown types produce warnings, not errors
  • All map actions within configured policy set: Test enforces the map never requires more than policies allow

Deliverables

Test plan

  • All existing CDK tests pass
  • Map covers all resource types in both synth configurations
  • All mapped actions exist in the combined policy set (wildcard-aware)
  • getRequiredBootstrapPolicies returns correct sets for each compute type
  • tsc --noEmit compiles cleanly
  • No circular imports between preflight/ and policies/

Open questions

  • SQS: AWS::SQS::Queue is in the template but no policy has SQS actions — needs investigation (may require policy update + version bump)

Implementation plan

See: docs/superpowers/plans/2026-05-21-resource-action-map.md

Blocked by: #123 (PR #162)
References: RFC #120, ADR-002

🤖 Generated with Claude Code
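The map shape and the two checks the key decisions and test plan describe (wildcard-aware policy coverage, unmapped template types as warnings) as an added example; this is not code from this PR, the resource types, actions and policy set are constructed samples, and the function names are assumptions.

```typescript
// Added example, not the project's code: the PR's resource-action-map shape
// plus its two checks, with constructed sample types, actions and policies.
type Lifecycle = 'create' | 'read' | 'update' | 'delete';
type ResourceActionMap = { [cfType: string]: { [phase in Lifecycle]: string[] } };

const resourceActionMap: ResourceActionMap = {
  'AWS::Lambda::Function': {
    create: ['lambda:CreateFunction', 'iam:PassRole'],
    read: ['lambda:GetFunction'],
    update: ['lambda:UpdateFunctionConfiguration'],
    delete: ['lambda:DeleteFunction'],
  },
  'AWS::SQS::Queue': {
    create: ['sqs:CreateQueue'],
    read: ['sqs:GetQueueAttributes'],
    update: ['sqs:SetQueueAttributes'],
    delete: ['sqs:DeleteQueue'],
  },
};

// Flattened Allow actions of the combined bootstrap policy set (constructed);
// as in the PR's open question, nothing here grants any sqs: action yet.
const policyActions: string[] = ['lambda:*', 'iam:PassRole', 'logs:Create*'];

// Wildcard-aware match: IAM action patterns may use * and ? and are case-insensitive.
function actionAllowed(action: string, allowed: string[]): boolean {
  return allowed.some((p) => {
    const re = p.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
    return new RegExp('^' + re + '$', 'i').test(action);
  });
}

// Policy-coverage test: sorted list of mapped actions no policy grants (empty = pass).
function uncoveredActions(map: ResourceActionMap, allowed: string[]): string[] {
  const missing: { [a: string]: true } = {};
  for (const cfType of Object.keys(map)) {
    for (const phase of Object.keys(map[cfType]) as Lifecycle[]) {
      for (const action of map[cfType][phase]) {
        if (!actionAllowed(action, allowed)) missing[action] = true;
      }
    }
  }
  return Object.keys(missing).sort();
}

// Synth-coverage check: template types with no map entry are warnings, not errors.
function unmappedTypes(templateTypes: string[], map: ResourceActionMap): string[] {
  const seen: { [t: string]: true } = {};
  for (const t of templateTypes) if (!(t in map)) seen[t] = true;
  return Object.keys(seen).sort();
}
```

Running `uncoveredActions(resourceActionMap, policyActions)` reproduces the SQS gap the PR lists as an open question, while `unmappedTypes` only reports, leaving the caller to decide whether to warn or fail.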

scottschreckengaust and others added 6 commits May 21, 2026 01:17
…v1.1.0

Move bedrock-agentcore:* from observability policy into dedicated
compute-agentcore policy. Add compute-ecs policy from DEPLOYMENT_ROLES.md.
This enables per-compute-variant bootstrap configuration.

Closes: part of #123

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…upport

Generates a custom CDK bootstrap template that replaces AdministratorAccess
with inline least-privilege policies. Supports per-compute-variant selection
via ComputeTypes parameter. Adds PolicyVersion/Hash/Set CF outputs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…p command

mise //cdk:bootstrap now uses the custom least-privilege template.
mise //cdk:bootstrap:generate regenerates all artifacts (policies JSON,
template YAML, version/hash files) from source.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
CI yarn install deduplicates transitive deps (yaml, uuid) which
mutates the lockfile if it wasn't committed in deduplicated form.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace comment toggle with proper context gate. ECS resources only
synthesize when compute_type=ecs is passed. Default (agentcore) behavior
unchanged. Closes #164

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@scottschreckengaust force-pushed the feat/bootstrap-action-map branch from d31fd4d to d3a9804 on May 21, 2026 07:50
scottschreckengaust and others added 3 commits May 21, 2026 07:53
…are policy selection

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Maps all CloudFormation resource types used by the ABCA stack to their
required IAM actions per lifecycle phase (create/read/update/delete).
Actions are sourced from CloudTrail-validated policies in DEPLOYMENT_ROLES.md.
Tests validate structure, format, and policy coverage (with known gaps
for SQS, S3 bucket lifecycle, and Lambda ESM/Layer actions documented).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Validates that all resource types in the synthesized CloudFormation
template have entries in the resource-action-map. Tests agentcore from
existing cdk.out and attempts ECS synth, gracefully skipping when AWS
credentials are unavailable.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@scottschreckengaust
Contributor Author

┌─────────┬──────┬───────────────────────────────────────────┐
│ Commit  │ Task │                   What                    │
├─────────┼──────┼───────────────────────────────────────────┤
│ d3a9804 │ 0    │ ECS context gate (closes #164)            │
├─────────┼──────┼───────────────────────────────────────────┤
│ 5ed8db3 │ 1    │ getRequiredBootstrapPolicies(computeType) │
├─────────┼──────┼───────────────────────────────────────────┤
│ 83099e1 │ 2    │ Resource-action-map (57 CF types)         │
├─────────┼──────┼───────────────────────────────────────────┤
│ ed0cf6b │ 3    │ Dual-config synth-coverage test           │
└─────────┴──────┴───────────────────────────────────────────┘

Note: this branch currently sits on top of feat/bootstrap-template (#162). When #162 merges to main, I'll retarget and rebase per ADR-001 §8 — the scaffold commit (f46cfb7) will be skippable and the #123 commits will drop out, leaving just the 4 clean #124 commits on main.
