Switch infra to SSM reads and remove T&C CDK infrastructure

Requires PR 1 (feat/ssm-cross-stack-sharing) to be deployed first so
the 14 SSM parameters exist when CloudFormation validates infra's
changeset.

Infrastructure stack:
- Reads all 14 shared values from SSM via valueForStringParameter()
- No longer accepts direct cross-stack props beyond baseStackName
- Eliminates all Fn::ImportValue dependencies on BaseStack
- IEventBus type used across all 11 domain constructs (compatible with
  EventBus.fromEventBusArn() which returns IEventBus)

BaseStack:
- Removes T&C CloudFront distribution and S3 bucket (tacCdn)
- Retains all 14 SSM parameters from PR 1

Pipeline stage:
- Passes only baseStackName to DeepracerEventManagerStack
- MIGRATION ordering: baseStack.addDependency(stack) (infra first) so
  infra drops Fn::ImportValue before base removes CfnOutput exports.
  SSM params already exist from PR 1 so infra can resolve them.
  Revert to stack.addDependency(baseStack) after this PR is deployed.
- Removes TermsAndConditionsDeployToS3 pipeline step

Also removes website-terms-and-conditions/ directory and all remaining
T&C CDK references from bin/drem.ts.

CDK tests: all 4 pass (SSM params in base, no Fn::ImportValue in infra,
SSM parameter types used in infra template).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: davidfsmith

CLAUDE.md

@@ -80,3 +80,20 @@ pytest                        # Run Python tests
 ### Public Frontends
 - **Leaderboard** (`website-leaderboard/`) — unauthenticated, subscribes to AppSync via API key for live data; supports URL query params for display (lang, QR, track, format, flag)
 - **Stream Overlays** (`website-stream-overlays/`) — unauthenticated, API key auth; uses D3.js for animated visualisations; supports chroma key background for broadcast use
+
+### Cross-Stack Sharing Pattern
+
+`BaseStack` and `DeepracerEventManagerStack` share values exclusively via **SSM Parameter Store** — there are no CloudFormation `Fn::ImportValue` / `CfnOutput` cross-stack references between them. This means either stack can be updated independently and in any order without CloudFormation blocking on export dependencies.
+
+**How it works:**
+- `BaseStack` writes all shared resource identifiers to SSM under `/${stackName}/<key>` at the end of its constructor
+- `DeepracerEventManagerStack` reads them via `ssm.StringParameter.valueForStringParameter()` (resolved at CloudFormation deploy time, not synth time) and reconstructs CDK objects using `from*` static methods (`Role.fromRoleArn`, `EventBus.fromEventBusArn`, `Bucket.fromBucketName`, etc.)
+- `DeepracerEventManagerStack` only takes `baseStackName: string` as a cross-stack prop
+
+**When adding new resources to BaseStack that InfrastructureStack needs:**
+1. Write the resource identifier to SSM in `BaseStack` constructor
+2. Read it with `valueForStringParameter` in `DeepracerEventManagerStack` and reconstruct the CDK object
+3. Do NOT pass it as a constructor prop — this would recreate the `Fn::ImportValue` dependency
+
+**When removing resources from BaseStack:**
+Because there are no `Fn::ImportValue` dependencies, you can remove a resource from `BaseStack` and deploy in a single pipeline run without the "cannot delete export in use" error. Ensure `InfrastructureStack` no longer reads the corresponding SSM parameter in the same commit.

bin/drem.ts

@@ -86,22 +86,6 @@ if (app.node.tryGetContext('manual_deploy') === 'True') {
 
   new DeepracerEventManagerStack(app, `drem-backend-${labelName}-infrastructure`, {
     baseStackName: baseStack.stackName,
-    cloudfrontDistribution: baseStack.cloudfrontDistribution,
-    cloudfrontDomainNames: baseStack.cloudfrontDomainNames,
-    tacCloudfrontDistribution: baseStack.tacCloudfrontDistribution,
-    tacSourceBucket: baseStack.tacSourceBucket,
-    logsBucket: baseStack.logsBucket,
-    lambdaConfig: baseStack.lambdaConfig,
-    adminGroupRole: baseStack.idp.adminGroupRole,
-    operatorGroupRole: baseStack.idp.operatorGroupRole,
-    commentatorGroupRole: baseStack.idp.commentatorGroupRole,
-    registrationGroupRole: baseStack.idp.registrationGroupRole,
-    authenticatedUserRole: baseStack.idp.authenticatedUserRole,
-    userPool: baseStack.idp.userPool,
-    identiyPool: baseStack.idp.identityPool,
-    userPoolClientWeb: baseStack.idp.userPoolClientWeb,
-    dremWebsiteBucket: baseStack.dremWebsitebucket,
-    eventbus: baseStack.eventbridge.eventbus,
     env: env,
   });
 } else {

lib/base-stack.ts

@@ -28,8 +28,6 @@ export class BaseStack extends cdk.Stack {
   public readonly idp: Idp;
   public readonly cloudfrontDistribution: Distribution;
   public readonly cloudfrontDomainNames?: string[];
-  public readonly tacSourceBucket: s3.Bucket;
-  public readonly tacCloudfrontDistribution: Distribution;
   public readonly logsBucket: s3.Bucket;
   public readonly lambdaConfig: {
     runtime: awsLambda.Runtime;
@@ -107,6 +105,7 @@ export class BaseStack extends cdk.Stack {
       logsBucket: logsBucket,
       domainNames: siteDomain,
       certificate: certificate,
+      comment: 'DREM main website',
     });
     this.cloudfrontDistribution = cdn.distribution;
 
@@ -118,22 +117,6 @@ export class BaseStack extends cdk.Stack {
         zone: hostedZone,
       });
     }
-    // Terms And Conditions webpage
-    const tacWebsite = new Website(this, 'TermsNConditions', {
-      contentPath: './website-terms-and-conditions/',
-      pathPattern: '/terms-and-conditions.html',
-      logsBucket: logsBucket,
-      cdnDistribution: cdn.distribution,
-    });
-    this.tacSourceBucket = tacWebsite.sourceBucket;
-
-    // Terms And Conditions cloudfront Distribution
-    const tacCdn = new Cdn(this, 'tacCdn', {
-      defaultOrigin: tacWebsite.origin,
-      logsBucket: logsBucket,
-    });
-    this.tacCloudfrontDistribution = tacCdn.distribution;
-
     // Lambda
     // Common Config
     const lambda_architecture = awsLambda.Architecture.ARM_64;

lib/cdk-pipeline-stack.ts

@@ -29,8 +29,6 @@ class InfrastructurePipelineStage extends Stage {
   public readonly leaderboardSourceBucketName: cdk.CfnOutput;
   public readonly streamingOverlayDistributionId: cdk.CfnOutput;
   public readonly streamingOverlaySourceBucketName: cdk.CfnOutput;
-  public readonly termAndConditionsDistributionId: cdk.CfnOutput;
-  public readonly termAndConditionsSourceBucketName: cdk.CfnOutput;
 
   constructor(scope: Construct, id: string, props: InfrastructurePipelineStageProps) {
     super(scope, id, props);
@@ -42,32 +40,19 @@ class InfrastructurePipelineStage extends Stage {
     });
     const stack = new DeepracerEventManagerStack(this, 'infrastructure', {
       baseStackName: baseStack.stackName,
-      cloudfrontDistribution: baseStack.cloudfrontDistribution,
-      cloudfrontDomainNames: baseStack.cloudfrontDomainNames,
-      tacCloudfrontDistribution: baseStack.tacCloudfrontDistribution,
-      tacSourceBucket: baseStack.tacSourceBucket,
-      logsBucket: baseStack.logsBucket,
-      lambdaConfig: baseStack.lambdaConfig,
-      adminGroupRole: baseStack.idp.adminGroupRole,
-      operatorGroupRole: baseStack.idp.operatorGroupRole,
-      commentatorGroupRole: baseStack.idp.commentatorGroupRole,
-      registrationGroupRole: baseStack.idp.registrationGroupRole,
-      authenticatedUserRole: baseStack.idp.authenticatedUserRole,
-      userPool: baseStack.idp.userPool,
-      identiyPool: baseStack.idp.identityPool,
-      userPoolClientWeb: baseStack.idp.userPoolClientWeb,
-      dremWebsiteBucket: baseStack.dremWebsitebucket,
-      eventbus: baseStack.eventbridge.eventbus,
     });
+    // MIGRATION: infrastructure deploys before base so infra can drop
+    // Fn::ImportValue references while base still exports them. SSM parameters
+    // already exist from PR 1 so infra can resolve them at changeset time.
+    // Revert to stack.addDependency(baseStack) after this PR is deployed.
+    baseStack.addDependency(stack);
 
     this.distributionId = stack.distributionId;
     this.sourceBucketName = stack.sourceBucketName;
     this.leaderboardSourceBucketName = stack.leaderboardSourceBucketName;
     this.leaderboardDistributionId = stack.leaderboardDistributionId;
     this.streamingOverlaySourceBucketName = stack.streamingOverlaySourceBucketName;
     this.streamingOverlayDistributionId = stack.streamingOverlayDistributionId;
-    this.termAndConditionsSourceBucketName = stack.tacSourceBucketName;
-    this.termAndConditionsDistributionId = stack.tacWebsitedistributionId;
   }
 }
 export interface CdkPipelineStackProps extends cdk.StackProps {
@@ -300,28 +285,6 @@ export class CdkPipelineStack extends cdk.Stack {
       })
     );
 
-    // Terms and Conditions website Deploy to S3
-    infrastructure_stage.addPost(
-      new pipelines.CodeBuildStep('TermsAndConditionsDeployToS3', {
-        buildEnvironment: {
-          privileged: false,
-          computeType: codebuild.ComputeType.LARGE,
-        },
-        commands: [
-          // configure and deploy Terms and Conditions website
-          "echo 'Starting to deploy the Terms and Conditions website'",
-          'echo website bucket= $sourceBucketName',
-          'aws s3 sync ./website-terms-and-conditions/ s3://$sourceBucketName/ --delete',
-          "aws cloudfront create-invalidation --distribution-id $distributionId --paths '/*'",
-        ],
-        envFromCfnOutputs: {
-          sourceBucketName: infrastructure.termAndConditionsSourceBucketName,
-          distributionId: infrastructure.termAndConditionsDistributionId,
-        },
-        rolePolicyStatements: rolePolicyStatementsForWebsiteDeployStages,
-      })
-    );
-
     pipeline.buildPipeline();
     const topic = new sns.Topic(this, 'PipelineTopic');
     topic.addSubscription(new subs.EmailSubscription(props.email));

lib/constructs/car-logs-manager.ts

@@ -6,7 +6,7 @@ import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
 import * as ec2 from 'aws-cdk-lib/aws-ec2';
 import { SubnetType } from 'aws-cdk-lib/aws-ec2';
 import * as ecr_assets from 'aws-cdk-lib/aws-ecr-assets';
-import { EventBus, Rule } from 'aws-cdk-lib/aws-events';
+import { IEventBus, Rule } from 'aws-cdk-lib/aws-events';
 import { LambdaFunction } from 'aws-cdk-lib/aws-events-targets';
 import * as iam from 'aws-cdk-lib/aws-iam';
 import * as lambda from 'aws-cdk-lib/aws-lambda';
@@ -50,7 +50,7 @@ export interface CarLogsManagerProps {
       powerToolsLayer: lambda.ILayerVersion;
     };
   };
-  eventbus: EventBus;
+  eventbus: IEventBus;
 }
 
 export class CarLogsManager extends Construct {

lib/constructs/cars-manager.ts

@@ -4,7 +4,7 @@ import { DockerImage, Duration, RemovalPolicy } from 'aws-cdk-lib';
 import * as appsync from 'aws-cdk-lib/aws-appsync';
 import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
 import * as awsEvents from 'aws-cdk-lib/aws-events';
-import { EventBus } from 'aws-cdk-lib/aws-events';
+import { IEventBus } from 'aws-cdk-lib/aws-events';
 import * as awsEventsTargets from 'aws-cdk-lib/aws-events-targets';
 import * as iam from 'aws-cdk-lib/aws-iam';
 import { ManagedPolicy, ServicePrincipal } from 'aws-cdk-lib/aws-iam';
@@ -36,7 +36,7 @@ export interface CarManagerProps {
       appsyncHelpersLayer: lambda.ILayerVersion;
     };
   };
-  eventbus: EventBus;
+  eventbus: IEventBus;
 }
 
 export class CarManager extends Construct {

lib/constructs/clamscan-serverless.ts

@@ -1,7 +1,7 @@
 import { DockerImage, Duration, RemovalPolicy, Size } from 'aws-cdk-lib';
 import * as appsync from 'aws-cdk-lib/aws-appsync';
 import { Platform } from 'aws-cdk-lib/aws-ecr-assets';
-import { EventBus, Match, Rule, Schedule } from 'aws-cdk-lib/aws-events';
+import { IEventBus, Match, Rule, Schedule } from 'aws-cdk-lib/aws-events';
 import { LambdaFunction } from 'aws-cdk-lib/aws-events-targets';
 import * as lambda from 'aws-cdk-lib/aws-lambda';
 import { EventBridgeDestination } from 'aws-cdk-lib/aws-lambda-destinations';
@@ -34,7 +34,7 @@ interface ClamscanServerlessProps {
       powerToolsLayer: lambda.ILayerVersion;
     };
   };
-  eventbus: EventBus;
+  eventbus: IEventBus;
 }
 
 export class ClamscanServerless extends Construct {

lib/constructs/events-manager.ts

@@ -1,7 +1,7 @@
 import { DockerImage, Duration, RemovalPolicy, Stack } from 'aws-cdk-lib';
 import * as appsync from 'aws-cdk-lib/aws-appsync';
 import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
-import { EventBus } from 'aws-cdk-lib/aws-events';
+import { IEventBus } from 'aws-cdk-lib/aws-events';
 import * as lambda from 'aws-cdk-lib/aws-lambda';
 import { StartingPosition } from 'aws-cdk-lib/aws-lambda';
 import { DynamoEventSource } from 'aws-cdk-lib/aws-lambda-event-sources';
@@ -43,7 +43,7 @@ export interface EventsManagerProps {
     landingPageConfigObjectType: ObjectType;
     landingPageConfigInputType: InputType;
   };
-  eventbus: EventBus;
+  eventbus: IEventBus;
 }
 export class EventsManager extends Construct {
   constructor(scope: Construct, id: string, props: EventsManagerProps) {

lib/constructs/fleets-manager.ts

@@ -1,7 +1,7 @@
 import { DockerImage, Duration, RemovalPolicy } from 'aws-cdk-lib';
 import * as appsync from 'aws-cdk-lib/aws-appsync';
 import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
-import { EventBus } from 'aws-cdk-lib/aws-events';
+import { IEventBus } from 'aws-cdk-lib/aws-events';
 import * as lambda from 'aws-cdk-lib/aws-lambda';
 import { CodeFirstSchema, Directive, GraphqlType, ObjectType, ResolvableField } from 'awscdk-appsync-utils';
 import { NagSuppressions } from 'cdk-nag';
@@ -27,7 +27,7 @@ export interface FleetsManagerProps {
       appsyncHelpersLayer: lambda.ILayerVersion;
     };
   };
-  eventbus: EventBus;
+  eventbus: IEventBus;
 }
 
 export class FleetsManager extends Construct {

lib/constructs/landing-page.ts

@@ -1,7 +1,7 @@
 import { DockerImage, Duration, RemovalPolicy } from 'aws-cdk-lib';
 import * as appsync from 'aws-cdk-lib/aws-appsync';
 import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
-import { EventBus, Rule } from 'aws-cdk-lib/aws-events';
+import { IEventBus, Rule } from 'aws-cdk-lib/aws-events';
 import { IRole } from 'aws-cdk-lib/aws-iam';
 import * as lambda from 'aws-cdk-lib/aws-lambda';
 import { StandardLambdaPythonFunction } from './standard-lambda-python-function';
@@ -35,7 +35,7 @@ export interface LandingPageManagerProps {
             powerToolsLayer: lambda.ILayerVersion;
         };
     };
-    eventbus: EventBus;
+    eventbus: IEventBus;
 }
 export class LandingPageManager extends Construct {
     public readonly api: {