|
| 1 | +# Testing Guide: SSM Parameter Store — Cross-Stack Sharing (PR 1 of 2) |
| 2 | + |
| 3 | +## Overview |
| 4 | + |
| 5 | +This is the first of two PRs that together eliminate CloudFormation `Fn::ImportValue` |
| 6 | +hard dependencies between `BaseStack` and `DeepracerEventManagerStack`. |
| 7 | + |
| 8 | +**Why this matters:** `Fn::ImportValue` creates a CloudFormation lock between stacks |
| 9 | +that blocks independent updates. The symptom is: |
| 10 | + |
| 11 | +``` |
| 12 | +Delete canceled. Cannot delete export drem-backend-X-base:ExportsOutput... |
| 13 | +as it is in use by drem-backend-X-infrastructure. |
| 14 | +``` |
| 15 | + |
| 16 | +### What this PR does (additive only — safe for fresh installs and upgrades) |
| 17 | + |
| 18 | +- Adds 14 SSM parameters to `BaseStack` under `/${stackName}/<key>` |
| 19 | +- Removes T&C checkbox/link from sign-up flow and admin Create User form |
| 20 | +- No changes to `DeepracerEventManagerStack`, the pipeline stage, or any cross-stack |
| 21 | + references — existing `Fn::ImportValue` dependencies are untouched |
| 22 | + |
| 23 | +### What PR 2 does (follow-up — requires two-pipeline migration, documented below) |
| 24 | + |
| 25 | +- Switches `DeepracerEventManagerStack` to read all 14 values from SSM instead of |
| 26 | + via `Fn::ImportValue` |
| 27 | +- Removes T&C CDK infrastructure (S3 bucket, CloudFront distributions, pipeline step) |
| 28 | + |
| 29 | +--- |
| 30 | + |
| 31 | +## Automated Tests |
| 32 | + |
| 33 | +Run before doing anything else. No Docker or live AWS account needed. |
| 34 | + |
| 35 | +```sh |
| 36 | +npm install |
| 37 | +make test.cdk |
| 38 | +``` |
| 39 | + |
| 40 | +Expected output: |
| 41 | + |
| 42 | +``` |
| 43 | +PASS test/deepracer-event-manager.test.ts |
| 44 | + BaseStack |
| 45 | + ✓ creates all required SSM parameters for cross-stack sharing |
| 46 | +``` |
| 47 | + |
| 48 | +--- |
| 49 | + |
| 50 | +## Integration Test Plan (PR 1) |
| 51 | + |
| 52 | +### Prerequisites |
| 53 | + |
| 54 | +- AWS account bootstrapped for CDK (`make bootstrap`) |
| 55 | +- `build.config` configured with your account, region, email, and label |
| 56 | +- AWS CLI and CDK CLI available locally |
| 57 | + |
| 58 | +### Step 1 — Tear down any existing deployment (if upgrading) |
| 59 | + |
| 60 | +Fresh installations can skip to Step 2. |
| 61 | + |
| 62 | +```sh |
| 63 | +make drem.clean |
| 64 | +``` |
| 65 | + |
| 66 | +Expected duration: 15–30 minutes. |
| 67 | + |
| 68 | +> **Note:** The logs S3 bucket logs access to itself, which causes CloudFormation |
| 69 | +> auto-delete to fail. `make drem.clean` handles this by disabling logging and emptying |
| 70 | +> the bucket first. If the base stack enters `DELETE_FAILED`, re-run manually: |
| 71 | +> ```sh |
| 72 | +> BUCKET=<bucket-name> REGION=<region> |
| 73 | +> aws s3api put-bucket-logging --bucket $BUCKET --bucket-logging-status {} --region $REGION |
| 74 | +> aws s3 rm s3://$BUCKET --recursive --region $REGION |
| 75 | +> aws cloudformation delete-stack --stack-name drem-backend-<label>-base --region $REGION |
| 76 | +> ``` |
| 77 | +
|
| 78 | +### Step 2 — Deploy from upstream `release/stable` (baseline) |
| 79 | +
|
| 80 | +``` |
| 81 | +source_repo = aws-solutions-library-samples/guidance-for-aws-deepracer-event-management |
| 82 | +source_branch = release/stable |
| 83 | +``` |
| 84 | +
|
| 85 | +```sh |
| 86 | +make install |
| 87 | +``` |
| 88 | + |
| 89 | +Approve the `DeployDREM` manual approval step when it appears. Expected: 45–90 min. |
| 90 | + |
| 91 | +> **Verify:** Pipeline green, website accessible, sign-up shows T&C checkbox. |
| 92 | +
|
| 93 | +### Step 3 — Switch to this branch |
| 94 | + |
| 95 | +``` |
| 96 | +source_repo = <your-fork>/guidance-for-aws-deepracer-event-management |
| 97 | +source_branch = feat/ssm-cross-stack-sharing |
| 98 | +``` |
| 99 | + |
| 100 | +```sh |
| 101 | +make install |
| 102 | +``` |
| 103 | + |
| 104 | +Approve `DeployDREM` when prompted. Expected: 45–90 min. |
| 105 | + |
| 106 | +This is a safe upgrade — the pipeline only **adds** 14 SSM parameters to the base |
| 107 | +stack. No exports are removed, no cross-stack references change. |
| 108 | + |
| 109 | +### Step 4 — Verify post-deploy state |
| 110 | + |
| 111 | +#### SSM Parameter Store console |
| 112 | + |
| 113 | +Open [SSM Parameter Store](https://console.aws.amazon.com/systems-manager/parameters) |
| 114 | +and filter by `/drem-backend-<label>-base/`. Expect **14 parameters**: |
| 115 | + |
| 116 | +| Parameter | Contains | |
| 117 | +|-----------|---------| |
| 118 | +| `cloudfrontDistributionId` | CloudFront distribution ID | |
| 119 | +| `cloudfrontDistributionDomainName` | e.g. `abc123.cloudfront.net` | |
| 120 | +| `cloudfrontDomainName` | Custom domain or CloudFront domain | |
| 121 | +| `logsBucketName` | S3 bucket name | |
| 122 | +| `websiteBucketName` | S3 bucket name | |
| 123 | +| `eventBusArn` | EventBridge custom bus ARN | |
| 124 | +| `userPoolId` | Cognito User Pool ID | |
| 125 | +| `identityPoolId` | Cognito Identity Pool ID | |
| 126 | +| `userPoolClientWebId` | Cognito App Client ID | |
| 127 | +| `adminGroupRoleArn` | IAM Role ARN | |
| 128 | +| `operatorGroupRoleArn` | IAM Role ARN | |
| 129 | +| `commentatorGroupRoleArn` | IAM Role ARN | |
| 130 | +| `registrationGroupRoleArn` | IAM Role ARN | |
| 131 | +| `authenticatedUserRoleArn` | IAM Role ARN | |
| 132 | + |
| 133 | +Or via CLI: |
| 134 | + |
| 135 | +```sh |
| 136 | +aws ssm get-parameters-by-path \ |
| 137 | + --path /drem-backend-<label>-base/ \ |
| 138 | + --region <region> \ |
| 139 | + --query 'Parameters[*].Name' \ |
| 140 | + --output table |
| 141 | +``` |
| 142 | + |
| 143 | +#### Functional checks |
| 144 | + |
| 145 | +```sh |
| 146 | +make local.config |
| 147 | +make test.cdk |
| 148 | +``` |
| 149 | + |
| 150 | +> **Verify:** |
| 151 | +> - Website accessible and functional |
| 152 | +> - Sign-up flow has no T&C checkbox |
| 153 | +> - Admin Create User form has no T&C checkbox |
| 154 | +> - T&C page still accessible at its CloudFront URL (CDK infrastructure not yet removed) |
| 155 | +
|
| 156 | +### Step 5 — Clean up |
| 157 | + |
| 158 | +```sh |
| 159 | +make drem.clean |
| 160 | +``` |
| 161 | + |
| 162 | +--- |
| 163 | + |
| 164 | +## PR 2 Migration Guide (Fn::ImportValue removal) |
| 165 | + |
| 166 | +> Run this **after** PR 1 has been deployed and confirmed working. |
| 167 | +
|
| 168 | +PR 2 switches `DeepracerEventManagerStack` from `Fn::ImportValue` to SSM reads, and |
| 169 | +removes the T&C CDK infrastructure. Because this removes CloudFormation exports that |
| 170 | +the infra stack currently imports, it **cannot be done in a single pipeline run** when |
| 171 | +upgrading from PR 1. Two pipeline runs are required. |
| 172 | + |
| 173 | +### Why two pipeline runs are needed |
| 174 | + |
| 175 | +With `Fn::ImportValue`, CloudFormation enforces: a stack cannot remove an export while |
| 176 | +another stack imports it. Even if both stacks update in the same pipeline run, the |
| 177 | +evaluation is against the **currently deployed** infra state. |
| 178 | + |
| 179 | +- **Pipeline run 1** (infra-first ordering): Infra drops all `Fn::ImportValue` references |
| 180 | + (reads from SSM instead). Base unchanged. |
| 181 | +- **Pipeline run 2** (base-first ordering): Base removes the now-unused `CfnOutput` |
| 182 | + exports and the T&C CDK resources. Infra already uses SSM — no conflict. |
| 183 | + |
| 184 | +### Pipeline run 1 — Drop Fn::ImportValue from infra |
| 185 | + |
| 186 | +Switch `build.config` to the PR 2 branch with `stack.addDependency` temporarily |
| 187 | +**reversed** (infra first). SSM params already exist from PR 1, so infra can resolve |
| 188 | +them at changeset creation time. |
| 189 | + |
| 190 | +After this pipeline run completes, infra no longer has any `Fn::ImportValue`: |
| 191 | + |
| 192 | +```sh |
| 193 | +aws cloudformation get-template \ |
| 194 | + --stack-name drem-backend-<label>-infrastructure \ |
| 195 | + --region <region> \ |
| 196 | + --query 'TemplateBody' \ |
| 197 | + | grep -c 'Fn::ImportValue' |
| 198 | +# Expected: 0 |
| 199 | +``` |
| 200 | + |
| 201 | +### Pipeline run 2 — Remove base exports and T&C infrastructure |
| 202 | + |
| 203 | +Restore `stack.addDependency(baseStack)` (base first). Trigger a second pipeline run. |
| 204 | +Base can now safely remove its `CfnOutput` exports and T&C resources. |
| 205 | + |
| 206 | +> See `docs/testing-ssm-cross-stack-migration-pr2.md` (in the PR 2 branch) for the |
| 207 | +> full step-by-step guide. |
| 208 | +
|
| 209 | +--- |
| 210 | + |
| 211 | +## Key Files Changed (PR 1) |
| 212 | + |
| 213 | +| File | What changed | |
| 214 | +|------|-------------| |
| 215 | +| `lib/base-stack.ts` | Writes 14 SSM parameters at end of constructor | |
| 216 | +| `lib/constructs/cdn.ts` | Added `comment` prop for CloudFront distribution descriptions | |
| 217 | +| `lib/constructs/leaderboard.ts` | Passes `comment` to Cdn construct | |
| 218 | +| `lib/constructs/streaming-overlay.ts` | Passes `comment` to Cdn construct | |
| 219 | +| `website/src/App.tsx` | Removed T&C checkbox and footer link from sign-up flow | |
| 220 | +| `website/src/admin/users/createUser.tsx` | Removed T&C checkbox from Create User form | |
| 221 | +| `website/public/locales/en/translation.json` | Removed T&C translation strings | |
| 222 | +| `scripts/generate_amplify_config_cfn.py` | Removed `termsAndConditionsUrl` from config | |
| 223 | +| `tsconfig.json` | Exclude `website*/` subdirs from CDK `tsc` compilation | |
| 224 | +| `test/deepracer-event-manager.test.ts` | CDK assertion test for the 14 SSM parameters | |
| 225 | +| `jest.config.ts` | Converted from `.js` to `.ts` | |
| 226 | +| `Makefile` | `make drem.clean`, Python venv fixes, `make test.cdk`, `--require-approval never` | |
| 227 | +| `CLAUDE.md` | Project overview, commands, and architecture notes | |
0 commit comments