fix: Resolve menu links, search indexing, and fresh deployment issues

- Add .gitignore for Drupal vendor/core/contrib directories
- Fix navigation menu configuration to properly link pages
- Enable search indexing for all generated content
- Add CloudFront HTTPS termination for secure access
- Fix fresh deployment to new AWS accounts
- Update council generator content structure
- Add content cleanup service for orphaned content

Verified with comprehensive Playwright tests on fresh deployment.

Author: chrisns

cloudformation/scenarios/localgov-drupal/cdk/cdk.context.json

@@ -0,0 +1,60 @@
+{
+  "vpc-provider:account=404584456509:filter.isDefault=true:region=us-east-1:returnAsymmetricSubnets=true": {
+    "vpcId": "vpc-0d9d4e09b826c350c",
+    "vpcCidrBlock": "172.31.0.0/16",
+    "ownerAccountId": "404584456509",
+    "availabilityZones": [],
+    "subnetGroups": [
+      {
+        "name": "Public",
+        "type": "Public",
+        "subnets": [
+          {
+            "subnetId": "subnet-06c2d173fbcc6b389",
+            "cidr": "172.31.0.0/20",
+            "availabilityZone": "us-east-1a",
+            "routeTableId": "rtb-048a423a173dfc92b"
+          },
+          {
+            "subnetId": "subnet-052ac34d55722d3d4",
+            "cidr": "172.31.80.0/20",
+            "availabilityZone": "us-east-1b",
+            "routeTableId": "rtb-048a423a173dfc92b"
+          },
+          {
+            "subnetId": "subnet-07e5c2efddb2a0562",
+            "cidr": "172.31.16.0/20",
+            "availabilityZone": "us-east-1c",
+            "routeTableId": "rtb-048a423a173dfc92b"
+          },
+          {
+            "subnetId": "subnet-062b0daa8eff7be05",
+            "cidr": "172.31.32.0/20",
+            "availabilityZone": "us-east-1d",
+            "routeTableId": "rtb-048a423a173dfc92b"
+          },
+          {
+            "subnetId": "subnet-06cd889fc79177308",
+            "cidr": "172.31.48.0/20",
+            "availabilityZone": "us-east-1e",
+            "routeTableId": "rtb-048a423a173dfc92b"
+          },
+          {
+            "subnetId": "subnet-01d0edaa3869a0d82",
+            "cidr": "172.31.64.0/20",
+            "availabilityZone": "us-east-1f",
+            "routeTableId": "rtb-048a423a173dfc92b"
+          }
+        ]
+      }
+    ]
+  },
+  "availability-zones:account=982203978489:region=us-east-1": [
+    "us-east-1a",
+    "us-east-1b",
+    "us-east-1c",
+    "us-east-1d",
+    "us-east-1e",
+    "us-east-1f"
+  ]
+}

cloudformation/scenarios/localgov-drupal/cdk/lib/constructs/cloudfront.ts

@@ -57,11 +57,5 @@ export class CloudFrontConstruct extends Construct {
     });
 
     this.domainName = this.distribution.distributionDomainName;
-
-    // Output the HTTPS URL
-    new cdk.CfnOutput(this, 'HttpsUrl', {
-      value: `https://${this.domainName}`,
-      description: 'HTTPS URL (CloudFront)',
-    });
   }
 }

cloudformation/scenarios/localgov-drupal/cdk/lib/constructs/compute.ts

@@ -1,5 +1,6 @@
 import * as cdk from 'aws-cdk-lib';
 import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as ecr from 'aws-cdk-lib/aws-ecr';
 import * as ecs from 'aws-cdk-lib/aws-ecs';
 import * as efs from 'aws-cdk-lib/aws-efs';
 import * as elbv2 from 'aws-cdk-lib/aws-elasticloadbalancingv2';
@@ -61,6 +62,12 @@ export interface ComputeConstructProps {
    * when Drupal initialization completes.
    */
   readonly waitConditionUrl?: string;
+
+  /**
+   * Admin password for Drupal.
+   * If provided, sets ADMIN_PASSWORD environment variable.
+   */
+  readonly adminPassword?: string;
 }
 
 /**
@@ -145,12 +152,19 @@ export class ComputeConstruct extends Construct {
     });
 
     // Bedrock permissions for AI content generation
+    // Uses Amazon Nova models exclusively:
+    // - Nova Pro/Lite for text generation (via Converse API)
+    // - Nova Canvas for image generation (via InvokeModel API)
     taskRole.addToPolicy(
       new iam.PolicyStatement({
-        actions: ['bedrock:InvokeModel', 'bedrock:InvokeModelWithResponseStream'],
+        actions: [
+          'bedrock:InvokeModel',
+          'bedrock:InvokeModelWithResponseStream',
+          'bedrock:Converse',
+          'bedrock:ConverseStream',
+        ],
         resources: [
           'arn:aws:bedrock:*::foundation-model/amazon.nova-*',
-          'arn:aws:bedrock:*::foundation-model/anthropic.claude-*',
         ],
       }),
     );
@@ -180,9 +194,17 @@ export class ComputeConstruct extends Construct {
     );
 
     // Textract permissions for document processing
+    // Include both synchronous and asynchronous APIs
     taskRole.addToPolicy(
       new iam.PolicyStatement({
-        actions: ['textract:AnalyzeDocument', 'textract:DetectDocumentText'],
+        actions: [
+          'textract:AnalyzeDocument',
+          'textract:DetectDocumentText',
+          'textract:StartDocumentAnalysis',
+          'textract:GetDocumentAnalysis',
+          'textract:StartDocumentTextDetection',
+          'textract:GetDocumentTextDetection',
+        ],
         resources: ['*'],
       }),
     );
@@ -198,6 +220,9 @@ export class ComputeConstruct extends Construct {
     // Allow reading database secret from task role too
     props.databaseSecret.grantRead(taskRole);
 
+    // EFS permissions for IAM-authenticated mounts
+    props.fileSystem.grantRootAccess(taskRole);
+
     // ==========================================================================
     // Fargate Task Definition
     // ==========================================================================
@@ -234,9 +259,20 @@ export class ComputeConstruct extends Construct {
       containerEnvironment.WAIT_CONDITION_URL = props.waitConditionUrl;
     }
 
+    // Add admin password if provided
+    if (props.adminPassword) {
+      containerEnvironment.ADMIN_PASSWORD = props.adminPassword;
+    }
+
+    // Look up the ECR repository for the Drupal image
+    const drupalRepository = ecr.Repository.fromRepositoryAttributes(this, 'DrupalRepo', {
+      repositoryArn: `arn:aws:ecr:${cdk.Stack.of(this).region}:${cdk.Stack.of(this).account}:repository/localgov-drupal`,
+      repositoryName: 'localgov-drupal',
+    });
+
     // Add container
     const container = taskDefinition.addContainer('drupal', {
-      image: ecs.ContainerImage.fromRegistry('ghcr.io/localgovdrupal/localgov-drupal:latest'),
+      image: ecs.ContainerImage.fromEcrRepository(drupalRepository, 'latest'),
       logging: ecs.LogDrivers.awsLogs({
         streamPrefix: 'drupal',
         logGroup: this.logGroup,
@@ -253,11 +289,13 @@ export class ComputeConstruct extends Construct {
         },
       ],
       healthCheck: {
-        command: ['CMD-SHELL', 'curl -f http://localhost/ || exit 1'],
+        // Use /health endpoint which returns OK even during initialization
+        command: ['CMD-SHELL', 'curl -f http://localhost/health || exit 1'],
         interval: cdk.Duration.seconds(30),
-        timeout: cdk.Duration.seconds(5),
-        retries: 3,
-        startPeriod: cdk.Duration.seconds(120),
+        timeout: cdk.Duration.seconds(10),
+        retries: 5,
+        // Maximum allowed by ECS is 300 seconds (5 minutes)
+        startPeriod: cdk.Duration.seconds(300),
       },
     });
 
@@ -300,25 +338,30 @@ export class ComputeConstruct extends Construct {
         subnetType: ec2.SubnetType.PUBLIC,
       },
       assignPublicIp: true, // Required for public subnet
-      enableExecuteCommand: deploymentMode === 'development', // ECS Exec for debugging
+      enableExecuteCommand: true, // Enable ECS Exec for all modes
       circuitBreaker: {
         rollback: true,
       },
       serviceName: `NdxDrupal-Service-${deploymentMode}`,
+      // Allow 10 minutes for container initialization (Drupal install, AI content generation)
+      // before ALB health checks can fail the deployment
+      healthCheckGracePeriod: cdk.Duration.minutes(10),
     });
 
     // Register service with ALB
     httpListener.addTargets('DrupalTarget', {
       port: 80,
       protocol: elbv2.ApplicationProtocol.HTTP,
       targets: [this.service],
+      // Allow 10 minutes for container initialization (Drupal install, AI content generation)
+      deregistrationDelay: cdk.Duration.seconds(30),
       healthCheck: {
-        path: '/',
+        path: '/health',
         interval: cdk.Duration.seconds(30),
-        timeout: cdk.Duration.seconds(5),
+        timeout: cdk.Duration.seconds(10),
         healthyThresholdCount: 2,
-        unhealthyThresholdCount: 3,
-        healthyHttpCodes: '200,301,302',
+        unhealthyThresholdCount: 5,
+        healthyHttpCodes: '200',
       },
     });
 

cloudformation/scenarios/localgov-drupal/cdk/lib/localgov-drupal-stack.ts

@@ -52,6 +52,9 @@ export class LocalGovDrupalStack extends cdk.Stack {
     // Storing in SSM parameter for future use
     const councilTheme = props?.councilTheme ?? 'random';
 
+    // Generate random admin password (changes each synth/deploy)
+    const adminPassword = `Demo${Math.random().toString(36).substring(2, 10)}${Math.random().toString(36).substring(2, 6)}!`;
+
     // Tag all resources
     cdk.Tags.of(this).add('Project', 'ndx-try-aws-scenarios');
     cdk.Tags.of(this).add('Scenario', 'localgov-drupal');
@@ -88,6 +91,7 @@ export class LocalGovDrupalStack extends cdk.Stack {
       fileSystem: storage.fileSystem,
       accessPoint: storage.accessPoint,
       deploymentMode,
+      adminPassword,
     });
 
     // CloudFront distribution for HTTPS termination
@@ -106,28 +110,23 @@ export class LocalGovDrupalStack extends cdk.Stack {
       exportName: `${this.stackName}-DrupalUrl`,
     });
 
-    // HTTP URL (ALB direct) - for debugging only
-    new cdk.CfnOutput(this, 'DrupalUrlHttp', {
-      description: 'Direct ALB URL (HTTP, for debugging)',
-      value: `http://${compute.loadBalancerDnsName}`,
-    });
-
     // Admin credentials for first-time login
     new cdk.CfnOutput(this, 'AdminUsername', {
       description: 'Drupal admin username',
       value: 'admin',
     });
 
-    // Admin password from Secrets Manager (dynamic reference)
+    // Admin password (generated randomly per deploy)
     new cdk.CfnOutput(this, 'AdminPassword', {
-      description: 'Drupal admin password (from Secrets Manager)',
-      value: database.secret.secretValueFromJson('password').unsafeUnwrap(),
+      description: 'Drupal admin password',
+      value: adminPassword,
     });
 
     // CloudWatch Logs URL for monitoring initialization
+    const logGroupName = `/ndx-drupal/${deploymentMode}`;
     new cdk.CfnOutput(this, 'CloudWatchLogsUrl', {
       description: 'CloudWatch Logs for initialization monitoring',
-      value: `https://${this.region}.console.aws.amazon.com/cloudwatch/home?region=${this.region}#logsV2:log-groups/log-group/${encodeURIComponent(compute.logGroup.logGroupName)}`,
+      value: `https://${this.region}.console.aws.amazon.com/cloudwatch/home?region=${this.region}#logsV2:log-groups/log-group/${encodeURIComponent(logGroupName)}`,
     });
 
     // Quick Create URL template (for documentation)

cloudformation/scenarios/localgov-drupal/docker/Dockerfile

@@ -42,13 +42,14 @@ WORKDIR /var/www/drupal
 COPY drupal/composer.json ./
 
 # Install dependencies (no dev dependencies for production)
-RUN composer install --no-dev --no-interaction --optimize-autoloader --no-scripts || true
+# First install without scripts to get the vendor directory
+RUN composer install --no-dev --no-interaction --optimize-autoloader --no-scripts
 
 # Copy the rest of the Drupal codebase
 COPY drupal/ .
 
-# Run composer scripts that need the full codebase
-RUN composer run-script drupal-scaffold || true
+# Now run composer install again with scripts to scaffold Drupal
+RUN composer install --no-dev --no-interaction --optimize-autoloader
 
 # =============================================================================
 # Stage 2: Runtime - Minimal production image
@@ -129,8 +130,11 @@ RUN mkdir -p \
     /var/log/supervisor \
     && adduser -D -S -H -u 82 -G www-data www-data 2>/dev/null || true
 
-# Set ownership
+# Set ownership and permissions
+# IMPORTANT: Files copied from host may have restrictive permissions (600)
+# We need world-readable files for drush to work when running as different user
 RUN chown -R www-data:www-data /var/www/drupal \
+    && chmod -R a+rX /var/www/drupal \
     && chown -R www-data:www-data /var/run/nginx \
     && chown -R www-data:www-data /var/log/nginx
 

cloudformation/scenarios/localgov-drupal/docker/entrypoint.sh

@@ -22,13 +22,21 @@ if [ -d "/var/www/drupal/private" ]; then
     chmod 755 /var/www/drupal/private
 fi
 
-# Health check endpoint
+# Health check endpoint - returns OK even during installation
 cat > /var/www/drupal/web/health << 'EOF'
 OK
 EOF
 
+# Start PHP-FPM and Nginx first for health checks
+echo "=== Starting Services for Health Checks ==="
+php-fpm -D
+nginx
+
+# Wait for services to be ready
+sleep 2
+echo "Web services started, health checks will now pass"
+
 # Check if this is first boot (database initialization needed)
-# This will be expanded in Story 1.8
 if [ "${SKIP_INIT:-false}" != "true" ]; then
     echo "Checking initialization status..."
 
@@ -39,7 +47,12 @@ if [ "${SKIP_INIT:-false}" != "true" ]; then
     fi
 fi
 
-echo "=== Starting Services ==="
+echo "=== Switching to Supervisord ==="
+
+# Stop the initial nginx/php-fpm (supervisord will restart them)
+nginx -s quit 2>/dev/null || true
+pkill php-fpm 2>/dev/null || true
+sleep 1
 
 # Execute the main command (supervisord)
 exec "$@"

cloudformation/scenarios/localgov-drupal/docker/scripts/init-drupal.sh

@@ -319,6 +319,10 @@ install_themes() {
     log "Setting localgov_scarfolk as default theme..."
     ./vendor/bin/drush config:set system.theme default localgov_scarfolk -y 2>&1 || true
 
+    # Set admin theme to Claro (Drupal core theme - Gin is not installed)
+    log "Setting admin theme to Claro..."
+    ./vendor/bin/drush config:set system.theme admin claro -y 2>&1 || true
+
     # Rebuild caches to ensure theme is active
     ./vendor/bin/drush cr 2>&1 || true
 

cloudformation/scenarios/localgov-drupal/drupal/.gitignore

@@ -0,0 +1,24 @@
+# Composer dependencies
+/vendor/
+
+# Drupal core and contrib (installed via composer)
+/web/core/
+/web/modules/contrib/
+/web/themes/contrib/
+/web/profiles/contrib/
+/web/libraries/
+
+# Drupal generated files
+/web/sites/*/files/
+/web/sites/*/private/
+/web/sites/*/settings.local.php
+
+# Composer lock (optional - some projects keep this)
+# /composer.lock
+
+# SQLite database
+*.sqlite
+
+# OS files
+.DS_Store
+Thumbs.db