{"id":31727122,"url":"https://github.com/loftwah/aws-lab-java","last_synced_at":"2026-04-11T10:36:29.527Z","repository":{"id":315425455,"uuid":"1059203676","full_name":"loftwah/aws-lab-java","owner":"loftwah","description":"An AWS lab with a focus on Java and the tooling around it.","archived":false,"fork":false,"pushed_at":"2025-10-28T05:41:42.000Z","size":177,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-01-13T15:07:47.609Z","etag":null,"topics":["aws","demo","demo-application","docker","gradle","infrastructure-as-code","java","mono-repo","terraform"],"latest_commit_sha":null,"homepage":"https://blog.deanlofts.xyz","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/loftwah.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-18T06:17:52.000Z","updated_at":"2025-10-28T05:41:45.000Z","dependencies_parsed_at":"2025-10-28T07:09:49.746Z","dependency_job_id":"896f08ba-c6e3-4ef6-9a36-8baefd4ced92","html_url":"https://github.com/loftwah/aws-lab-java","commit_stats":null,"previous_names":["loftwah/aws-lab-java"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/loftwah/aws-lab-java","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/loftwah%2Faws-lab-java","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/loftwah%2Faws-lab-java/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/loftwah%2Faws-lab-java/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/loftwah%2Faws-lab-java/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/loftwah","download_url":"https://codeload.github.com/loftwah/aws-lab-java/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/loftwah%2Faws-lab-java/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31677819,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-11T08:18:19.405Z","status":"ssl_error","status_checked_at":"2026-04-11T08:17:08.892Z","response_time":54,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","demo","demo-application","docker","gradle","infrastructure-as-code","java","mono-repo","terraform"],"created_at":"2025-10-09T06:18:24.819Z","updated_at":"2026-04-11T10:36:29.498Z","avatar_url":"https://github.com/loftwah.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AWS Labs - Java\n\n![AWS Labs - Java](open-graph-java-aws.jpg)\n\n\u003e **Purpose:** A single, tool-agnostic **requirements catalogue** capturing all the work you can slice into labs, tickets, or milestones later. No sequencing, no commands, no tooling decisions made for you.\n\n## Scope snapshot\n\n- AWS region `ap-southeast-2` using profile `devops-sandbox`\n- Terraform 1.13.x with S3-backed state and native S3 locking (`use_lockfile = true`)\n- Default tags: Owner=Dean Lofts, Environment=\u003cenv\u003e, Project/App=aws-lab-java, ManagedBy=Terraform\n- Deployment targets: ECS Fargate service and EC2 (Docker via Ansible) with shared RDS PostgreSQL\n- Terraform stacks under `infrastructure/terraform/stacks/\u003cenv\u003e/\u003cstack\u003e` (e.g. `core-networking`) applied independently; ECR lives in `container-registry` so compute stacks can depend on it without owning it.\n- CI separation: GitHub Actions (`.github/workflows/ci.yml`) stays GitHub-only (build/test + GHCR); AWS lab automation uses CodePipeline/CodeBuild from Terraform `cicd` stacks.\n- Reference docs: `docs/architecture.md`, `docs/terraform-approach.md`, `docs/state-bootstrap.md`, `docs/demo-application.md`, `docs/local-development.md`, `docs/testing-validation.md`\n\n## Lab roadmap\n\nThe labs are sequenced in `docs/architecture.md` under _Next steps (labs sequencing)_. Use them to plan Jira tickets or workshop sessions.\n\n---\n\n## Governance \u0026 ways of working\n\n**Outcomes to produce**\n\n- Lightweight engineering standards (coding, branching, PRs, change control, docs).\n- ADRs for every significant choice (context, options, decision, consequences).\n- Named environments with promotion rules and change windows.\n- Cross-functional Definition of Done (testing, security checks, observability hooks, docs, rollout plan).\n\n**Evidence of done**\n\n- Standards doc; ADR-0001..N; environment matrix; DoD checklist signed by engineering + ops + stakeholders. ([AWS Documentation][1])\n\n---\n\n## Application (service baseline)\n\n**Outcomes to produce**\n\n- Health contract (readiness + liveness, deterministic semantics).\n- Externalised configuration model (env/params/secrets).\n- Telemetry contract (minimum app metrics: throughput, latency p95/p99, error %, structured logs; optional traces).\n- Backwards-compat policy for APIs and migrations.\n\n**Open decisions**\n\n- Runtime (e.g. Java 21 LTS vs 24) and framework (e.g. Spring Boot/Micronaut/Quarkus/plain).\n\n**Evidence of done**\n\n- Health spec with sample payloads; config key catalogue; metrics/log fields list; compatibility policy. (If Spring Boot, align with Actuator health endpoint.) ([Home][2])\n\n---\n\n## Build \u0026 packaging\n\n**Outcomes to produce**\n\n- Reproducible build from a single command yielding deterministic artefacts.\n- Versioning scheme (immutable, semver-ish, traceable to commit).\n- Container image (if you choose containers): multi-stage, minimal base, baked-in healthcheck, SBOM/provenance captured.\n\n**Open decisions**\n\n- Build tool (Maven/Gradle/other).\n- Container vs host-VM deliverable.\n\n**Evidence of done**\n\n- Build plan; versioning rules; artefact manifest; image size budget + base image rationale.\n\n---\n\n## Infrastructure topology\n\n**Outcomes to produce**\n\n- VPC across ≥2 AZs; public subnets for ingress/NAT, private subnets for app/DB.\n- Ingress choice (ALB/NLB), listener policy, target health checks mapped to app readiness.\n- Runtime choice: **EC2 (ASG + systemd)** or **ECS (Fargate/EC2)** with trade-off table.\n- Access model: **SSH-less** by default (Session Manager) with audit trail; bastion optional and justified.\n- Centralised secrets/config with KMS and rotation policy.\n\n**Open decisions**\n\n- EC2 vs ECS; TLS/WAF now vs later; domain \u0026 certificate strategy.\n\n**Evidence of done**\n\n- Topology diagram; security-group matrix; access model doc; secrets lifecycle; initial cost estimate. ([AWS Documentation][3])\n\n---\n\n## Database (PostgreSQL)\n\n**Outcomes to produce**\n\n- Managed Postgres (e.g. RDS/Aurora) with Multi-AZ, backups/retention, parameter baseline.\n- Connectivity policy (SGs, pooling, idle timeouts).\n- Observability plan: error/slow logs + **pg_stat_statements** query insight.\n- Ops runbooks (restore, failover, schema migration, vacuum/auto-vacuum).\n\n**Open decisions**\n\n- RDS vs Aurora; credential store (SSM vs Secrets Manager).\n\n**Evidence of done**\n\n- DB runbook; log retention; performance guardrails (locks, queue depth, CPU/IO thresholds). ([PostgreSQL][4])\n\n---\n\n## CI (build, test, scan, publish)\n\n**Outcomes to produce**\n\n- PR and main pipelines with clear stages (build, test, scan, publish).\n- Federated auth for CI (OIDC) to obtain short-lived cloud credentials; no static keys.\n- Quality gates (unit tests, static analysis, dependency/container scans) with thresholds.\n- Immutable artefacts in a registry/repository; retention policy; SBOM/provenance.\n\n**Open decisions**\n\n- CI platform (GitHub Actions, GitLab, CodeBuild/CodePipeline, etc.) and scanners.\n\n**Evidence of done**\n\n- Pipeline design doc; gate thresholds; registry retention/provenance policy. ([GitHub Docs][5])\n\n---\n\n## CD (promotion \u0026 rollout)\n\n**Outcomes to produce**\n\n- Promotion model using the **same artefact** through environments; approvals for prod.\n- Rollout strategy (rolling/blue-green/canary) with automated abort + rollback triggers.\n- Post-deploy checks (synthetics + smoke tests); rollback playbook.\n- Environment config mapping (vars/params/secrets) with no inline secrets.\n\n**Open decisions**\n\n- Deployer: orchestrator-native vs host-level (e.g. ASG + systemd + SSM).\n\n**Evidence of done**\n\n- Promotion workflow; rollout SLOs; rollback time objective; change log format. ([AWS Documentation][3])\n\n---\n\n## Observability \u0026 alerting\n\n**Outcomes to produce**\n\n- Structured logs with correlation IDs; **host log rotation** (size + count) to prevent disk bloat.\n- Core metrics (rate/latency/errors/saturation) at app, OS, load balancer, DB layers.\n- Optional traces across ingress → app → DB.\n- Dashboards per env with ownership; alert catalogue tied to SLOs; escalation path.\n- Retention strategy by signal type.\n\n**Open decisions**\n\n- AWS-native only (CloudWatch) vs hybrid/OSS (Grafana, Loki, Tempo, Prometheus).\n\n**Evidence of done**\n\n- Data-flow diagram (logs/metrics/traces), dashboards, alert catalogue, runbooks for the top incidents. ([Docker Documentation][6])\n\n---\n\n## Security\n\n**Outcomes to produce**\n\n- Least-privilege IAM for CI, runtime, and humans; deny-by-default posture.\n- No long-lived secrets; federation for CI (OIDC) and temporary creds for humans.\n- Edge controls (TLS via ACM; optional WAF) with cipher/header policy.\n- Supply-chain policy (base image cadence, dependency controls, provenance).\n- Audit trails (CloudTrail/SSM session logs) stored immutably.\n\n**Evidence of done**\n\n- IAM diff (before/after hardening); threat model (DFD + STRIDE); exception register with expiry; audit review notes. ([GitHub Docs][5])\n\n---\n\n## Reliability, DR \u0026 resilience\n\n**Outcomes to produce**\n\n- Self-healing behaviour (ASG/Service), failed instance/task eviction tested.\n- Backups, restores, and game-day notes with RPO/RTO targets.\n- Capacity policies (autoscaling, warm-up, anti-flap).\n- Change safety (pre/post checks; optional feature flags).\n\n**Evidence of done**\n\n- DR test report; scaling policy doc; rollback drill timings. ([AWS Documentation][1])\n\n---\n\n## Performance, cost \u0026 sustainability\n\n**Outcomes to produce**\n\n- k6 (or similar) profiles: smoke, load, stress, soak; thresholds mapped to SLIs.\n- Right-sizing trials (compute + DB), including energy-efficient families where applicable.\n- Autoscaling policies (CPU/mem/queue depth) with cool-downs; scheduled off for idle envs.\n- Cost visibility (tagging, budgets/alerts); monthly perf–cost review; sustainability notes.\n\n**Evidence of done**\n\n- Performance report with latency/error/cost deltas; action backlog with owners. ([AWS Documentation][1])\n\n---\n\n## Operability \u0026 support\n\n**Outcomes to produce**\n\n- Runbooks for the top five incidents (deploy rollback; DB lock storm; 5xx spikes; disk pressure/log growth; access issues).\n- Access model including break-glass with auditable, time-bound elevation.\n- Change calendar visible to stakeholders; blackout periods honoured.\n- Platform one-pager and FAQ for stakeholder/sales/security questionnaires.\n\n**Evidence of done**\n\n- Runbook index; access audit sample; platform one-pager. ([AWS Documentation][1])\n\n---\n\n## JD traceability (short)\n\n- **Infra coordination \u0026 environments:** Infrastructure topology, CD, reliability/DR, operability.\n- **Monitoring \u0026 alerting:** Observability \u0026 alerting; performance/cost/sustainability.\n- **Builds, releases, deployments:** Build \u0026 packaging; CI; CD.\n- **Tooling \u0026 automation:** Build/CI/CD/observability choices documented and automated.\n- **Standards \u0026 documentation:** Governance \u0026 ways of working; operability \u0026 support.\n- **Security SME:** Security.\n- **PostgreSQL:** Database.\n\n---\n\n## Open decisions to record before building\n\n- Runtime platform (EC2 vs ECS), access model (SSM-only vs bastion + SSM), CI/CD stack, observability stack, Java version, DB flavour, edge controls (TLS/WAF).\n  Reference material for common choices: **Well-Architected** for pillars; **Session Manager** for SSH-less access; **OIDC** for short-lived CI creds; **Docker log rotation**; **pg_stat_statements**; **Spring Actuator** for health semantics. ([AWS Documentation][7])\n\n---\n\n## Changes in this version\n\n- **Additions:** Consolidated, tool-agnostic requirements only; JD traceability; explicit “open decisions”.\n- **Removals:** No lab numbering, no repo scaffolding, no commands, no sequencing.\n- **Modifications:** Title changed to **AWS Labs - Java**; headings de-numbered; Australian English style.\n\n---\n\n## Sources (with credibility)\n\n- **AWS Well-Architected Framework (pillars \u0026 guidance)** — _Credibility: High (official)._ ([AWS Documentation][1])\n- **AWS Systems Manager Session Manager (SSH-less access \u0026 audit)** — _Credibility: High (official)._ ([AWS Documentation][3])\n- **GitHub Actions OIDC ↔ AWS (short-lived creds)** — _Credibility: High (official: GitHub + AWS)._ ([GitHub Docs][5])\n- **Docker `json-file` driver \u0026 rotation** — _Credibility: High (official)._ ([Docker Documentation][8])\n- **PostgreSQL `pg_stat_statements`** — _Credibility: High (official)._ ([PostgreSQL][4])\n- **Spring Boot Actuator health** — _Credibility: High (official)._ ([Home][2])\n\n---\n\n[1]: https://docs.aws.amazon.com/wellarchitected/latest/framework/welcome.html? \"AWS Well-Architected Framework\"\n[2]: https://docs.spring.io/spring-boot/reference/actuator/endpoints.html? \"Endpoints :: Spring Boot\"\n[3]: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html? \"AWS Systems Manager Session Manager\"\n[4]: https://www.postgresql.org/docs/current/pgstatstatements.html? \"PostgreSQL: Documentation: 17: F.30. pg_stat_statements — track ...\"\n[5]: https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-aws?apiVersion=2022-11-28\u0026 \"Configuring OpenID Connect in Amazon Web Services - GitHub Docs\"\n[6]: https://docs.docker.com/engine/logging/configure/? \"Configure logging drivers | Docker Docs\"\n[7]: https://docs.aws.amazon.com/wellarchitected/2024-06-27/framework/the-pillars-of-the-framework.html? \"The pillars of the framework - AWS Well-Architected Framework\"\n[8]: https://docs.docker.com/engine/logging/drivers/json-file/? \"JSON File logging driver | Docker Docs\"\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Floftwah%2Faws-lab-java","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Floftwah%2Faws-lab-java","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Floftwah%2Faws-lab-java/lists"}