@AsakerMohd
Fixes

Summary

Changes

This PR adds Terraform and CDK infrastructure-as-code for deploying Docker applications to EKS for testing AWS Application Signals enablement via the get_enablement_guide MCP tool.

Infrastructure as Code for EKS Deployment

This commit adds comprehensive Infrastructure as Code (IaC) support for EKS deployments using both CDK and Terraform:

CDK Implementation
  • New CDK project structure with TypeScript configuration
  • Application-specific configurations for Java Spring Boot, Node.js Express, and Python Flask
  • Complete CDK setup including package.json, tsconfig.json, and cdk.json
  • Entry point at bin/cdk.ts for stack deployment
Terraform Implementation
  • Main infrastructure definition in main.tf (244 lines)
  • Variable definitions and output configurations
  • Environment-specific configurations for each supported application framework
  • Example configuration template for easy setup
Documentation Updates
  • Restructured README with improved sectioning and organization
  • Clear deployment instructions for both CDK and Terraform workflows
  • Prerequisites and configuration reference tables
  • Enhanced .gitignore for build artifacts and dependencies
Files Added/Modified
  • 17 files changed with 4,822 insertions
  • New infrastructure directories for both CDK and Terraform
  • Configuration files for multiple application frameworks
  • Updated documentation and project structure

This enables users to deploy EKS infrastructure for Application Signals testing using their preferred IaC tool with framework-specific configurations.

User experience

N/A

Checklist

If your change doesn't seem to apply, please leave them unchecked.

  • I have reviewed the contributing guidelines
  • I have performed a self-review of this change
  • Changes have been tested
  • Changes are documented

Is this a breaking change? (Y/N)
N

RFC issue number:

Checklist:

  • Migration process documented
  • Implement warnings (if it can live side by side)

Acknowledgment

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.

### EC2 Deployment

**Using CDK:**
#### Using CDK

I don't have a strong opinion either way. Will you update other sections in your README PR for consistency?


Not too familiar with EKS, but wondering if we need to explicitly increase the hop limit. Had to do this for EC2 so my Docker container could contact IMDS to get credentials. Might just be an EC2 problem though.

Comment on lines 90 to 104
resource "aws_eks_cluster" "app_cluster" {
name = "${var.app_name}-cluster"
role_arn = aws_iam_role.cluster_role.arn
version = "1.30"

vpc_config {
subnet_ids = data.aws_subnets.public.ids
endpoint_private_access = true
endpoint_public_access = true
}

depends_on = [
aws_iam_role_policy_attachment.cluster_policy
]
}
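
Review bot: the `vpc_config` block leaves the Kubernetes API server reachable from any address, and the four checkov failures below are all real: `endpoint_public_access = true` with no `public_access_cidrs` defaults to 0.0.0.0/0, the control-plane ENIs are placed in `data.aws_subnets.public.ids`, and the resource has neither `enabled_cluster_log_types` nor `encryption_config`. Set `endpoint_public_access = false` (or, if the endpoint must stay public, add `public_access_cidrs` limited to operator ranges), add `enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]`, and add an `encryption_config` with a KMS key for `resources = ["secrets"]`. Because the `kubernetes_deployment` and `kubernetes_service` in this module are applied through that same endpoint, document where `terraform apply` is expected to run once the endpoint is restricted.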

Check failure (Code scanning / checkov): Ensure Amazon EKS public endpoint disabled [Error]

Check failure (Code scanning / checkov): Ensure Amazon EKS control plane logging is enabled for all log types [Error]

Check failure (Code scanning / checkov): Ensure EKS Cluster has Secrets Encryption Enabled [Error]

Check failure (Code scanning / checkov): Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 [Error]
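The `aws_eks_cluster` resource from the PR with the four checkov findings above (and the two Semgrep Terraform findings further down) addressed, as an added example that is not the PR's own code; `aws_kms_key.eks_secrets`, `data.aws_subnets.private` and `var.admin_cidrs` are assumed names that do not exist in the PR.

```hcl
# Assumed names (not in the PR): aws_kms_key.eks_secrets, data.aws_subnets.private, var.admin_cidrs.
resource "aws_kms_key" "eks_secrets" {
  description         = "Envelope encryption for Kubernetes Secrets"
  enable_key_rotation = true
}

resource "aws_eks_cluster" "app_cluster" {
  name     = "${var.app_name}-cluster"
  role_arn = aws_iam_role.cluster_role.arn
  version  = "1.30"

  vpc_config {
    # Control-plane ENIs in private subnets; nodes reach the API inside the VPC.
    subnet_ids              = data.aws_subnets.private.ids
    endpoint_private_access = true
    # Close the public endpoint entirely (the "public endpoint disabled" finding) ...
    endpoint_public_access = false
    # ... or, if operators must reach it from outside the VPC, keep it open but
    # restricted to known ranges (the "not accessible to 0.0.0.0/0" finding):
    # endpoint_public_access = true
    # public_access_cidrs    = var.admin_cidrs
  }

  # All control-plane log types go to CloudWatch Logs; "api" and "audit" are the
  # minimum the Semgrep rule asks for and the ones incident response needs most.
  enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]

  # Envelope-encrypt Kubernetes Secrets in etcd with a customer-managed KMS key.
  encryption_config {
    provider {
      key_arn = aws_kms_key.eks_secrets.arn
    }
    resources = ["secrets"]
  }

  depends_on = [
    aws_iam_role_policy_attachment.cluster_policy
  ]
}
```

With `endpoint_public_access = false`, the kubernetes provider that creates the Deployment and Service has to run from inside the VPC (or over a VPN/bastion); if that is not possible for the test workflow, use the commented-out restricted public variant instead.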
Comment on lines 169 to 222
resource "kubernetes_deployment" "app" {
metadata {
name = var.app_name
}

spec {
replicas = 1

selector {
match_labels = {
app = var.app_name
}
}

template {
metadata {
labels = {
app = var.app_name
}
}

spec {
container {
image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${data.aws_region.current.name}.amazonaws.com/${var.image_name}:latest"
name = var.app_name

port {
container_port = var.port
}

env {
name = "PORT"
value = tostring(var.port)
}

env {
name = "AWS_REGION"
value = data.aws_region.current.name
}

lifecycle {
post_start {
exec {
command = ["sh", "-c", "nohup bash /app/generate-traffic.sh > /dev/null 2>&1 &"]
}
}
}
}
}
}
}

depends_on = [aws_eks_node_group.app_nodes]
}
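
Review bot: the container spec has no `resources`, no `liveness_probe`/`readiness_probe`, and pulls `${var.image_name}:latest` by mutable tag, which is exactly what the five checkov failures below flag; add `resources { requests = {...} limits = {...} }`, HTTP probes on `var.port`, and pin the image by `@sha256:` digest (or at least an immutable tag) so a re-push cannot silently change what the test cluster runs. Separately, the `post_start` hook launches `generate-traffic.sh` with `nohup ... > /dev/null 2>&1 &`: the kubelet only waits for the hook command itself, so the backgrounded script is never supervised, nothing restarts it if it exits, and its output is discarded; a sidecar container or a CronJob would make the traffic generator observable. The `metadata` block also has no `namespace`, so the Deployment lands in `default`.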

Check failure (Code scanning / checkov): CPU requests should be set [Error]

Check failure (Code scanning / checkov): Liveness Probe Should be Configured [Error]

Check failure (Code scanning / checkov): Image should use digest [Error]

Check failure (Code scanning / checkov): Readiness Probe Should be Configured [Error]

Check failure (Code scanning / checkov): Memory Limits should be set [Error]
Comment on lines +225 to +244
resource "kubernetes_service" "app" {
metadata {
name = "${var.app_name}-service"
}

spec {
selector = {
app = var.app_name
}

port {
port = var.port
target_port = var.port
}

type = "ClusterIP"
}

depends_on = [kubernetes_deployment.app]
} No newline at end of file
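
Review bot: `metadata` sets only `name`, so the Service is created in the `default` namespace (the checkov failure below); add `namespace = ...` pointing at a dedicated `kubernetes_namespace` resource and use the same value in the Deployment's `metadata`, otherwise the `selector` will not find the pods. `type = "ClusterIP"` is the right choice for a test workload: nothing in this module exposes the application outside the cluster.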

Check failure (Code scanning / checkov): The default namespace should not be used [Error]
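The `kubernetes_deployment` from the PR reworked to clear the five checkov findings on it plus the namespace finding on the Service, as an added example rather than the PR's own code; `kubernetes_namespace.app`, `var.image_digest` and `var.health_path` are assumed names not present in the PR, and the `kubernetes_service` needs the same `namespace` line in its `metadata`.

```hcl
# Assumed names (not in the PR): kubernetes_namespace.app, var.image_digest, var.health_path.
resource "kubernetes_deployment" "app" {
  metadata {
    name      = var.app_name
    namespace = kubernetes_namespace.app.metadata[0].name # dedicated namespace, not "default"
  }
  spec {
    replicas = 1
    selector { match_labels = { app = var.app_name } }

    template {
      metadata { labels = { app = var.app_name } }

      spec {
        container {
          name = var.app_name
          # Pin by digest: a re-pushed :latest can no longer change what runs.
          image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${data.aws_region.current.name}.amazonaws.com/${var.image_name}@${var.image_digest}"

          port { container_port = var.port }

          # Requests drive scheduling; the memory limit caps a runaway container.
          resources {
            requests = { cpu = "250m", memory = "256Mi" }
            limits   = { memory = "512Mi" }
          }

          # Liveness restarts a hung process; readiness gates Service traffic.
          liveness_probe {
            http_get {
              path = var.health_path
              port = var.port
            }
            period_seconds = 10
          }
          readiness_probe {
            http_get {
              path = var.health_path
              port = var.port
            }
            period_seconds = 5
          }
          # env and lifecycle blocks as in the PR (omitted here)
        }
      }
    }
  }

  depends_on = [aws_eks_node_group.app_nodes]
}
```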

codecov bot commented Nov 13, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.26%. Comparing base (1cd1795) to head (706ee0d).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1732   +/-   ##
=======================================
  Coverage   90.26%   90.26%           
=======================================
  Files         781      781           
  Lines       59912    59912           
  Branches     9718     9718           
=======================================
  Hits        54077    54077           
  Misses       3646     3646           
  Partials     2189     2189           


throw new Error(`Invalid config file name: ${configFile}`);
}

const configPath = path.join(configDir, configFile);
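
Review bot: the Semgrep path-traversal warning on `path.join(configDir, configFile)` is a real risk only if `configFile` can still contain `..` or a path separator when it reaches this line; the `throw new Error(\`Invalid config file name: ${configFile}\`)` just above shows a check exists, but the hunk does not show what it accepts. Make that check an allowlist (the fixed set of framework configuration names this PR ships) or a strict pattern over the permitted characters, and as a second line of defence confirm that `path.resolve(configPath)` still starts with `path.resolve(configDir)` before the file is read.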

Check warning (Code scanning / Semgrep OSS): javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal [Warning]

Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
}

# EKS Cluster
resource "aws_eks_cluster" "app_cluster" {

Check warning (Code scanning / Semgrep OSS): terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled [Warning]

The vpc_config resource inside the eks cluster has not explicitly disabled public endpoint access.

# EKS Cluster
resource "aws_eks_cluster" "app_cluster" {
name = "${var.app_name}-cluster"

Check warning (Code scanning / Semgrep OSS): terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging [Warning]

Missing EKS control plane logging. It is recommended to enable at least Kubernetes API server component logs ("api") and audit logs ("audit") of the EKS control plane through the enabled_cluster_log_types attribute.
AsakerMohd changed the title from "Added IaC for EKS deployment using CDK and terraform" to "test(samples/cloudwatch-applicationsignals-mcp): Added IaC for EKS deployment using CDK and terraform" on Nov 14, 2025.