Upgrade Lambda Runtimes to Ruby 3.3 and Java 17

.gitignore

@@ -14,5 +14,7 @@
 # Ignore Gradle build output directory
 build
 
-# Ignore the generated template.yml file
+# Ignore the generated template.yml files
 template.yml
+app-template.yml
+packaged-app-template.yml

.ruby-version

@@ -1 +1 @@
-2.7.8
+3.0.5

api-gateway-routes/.ruby-version

@@ -0,0 +1 @@
+2.7.8

beta-template.yml.erb

@@ -57,7 +57,7 @@ JAVALAB_APP_TYPES = %w(
 -%>
 Globals:
   Function:
-    Runtime: ruby2.7
+    Runtime: ruby3.2
     Timeout: 30
     MemorySize: 256
     Tracing: Active

cicd/3-app/javabuilder/config/dev.config.json

@@ -1,4 +1,5 @@
 {
+  "_comment": "This file is used by AWS CodePipeline for automated dev deployments. Referenced in cicd/2-cicd/cicd.template.yml line 314 as TemplateConfiguration. Local dev scripts use hardcoded parameters instead.",
   "Parameters": {
     "BaseDomainName": "code.org",
     "BaseDomainNameHostedZonedID": "Z2LCOI49SCXUGU",

cicd/3-app/javabuilder/template.yml.erb

@@ -56,6 +56,10 @@ Parameters:
     Type: Number
     Description: The threshold for the high concurrent executions alarm.
     Default: 400
+  WildcardCertificateArn:
+    Type: String
+    Description: ARN of existing wildcard certificate for dev environments (optional)
+    Default: ""
 <%
 JAVALAB_APP_TYPES = %w(
   Theater
@@ -65,12 +69,14 @@ JAVALAB_APP_TYPES = %w(
 -%>
 Globals:
   Function:
-    Runtime: ruby2.7
+    Runtime: ruby3.2
     Timeout: 30
     MemorySize: 256
     Tracing: Active
 Conditions:
   IsDevCondition: !Equals [!Ref BaseDomainName, "dev-code.org"]
+  UseWildcardCertificate: !Not [!Equals [!Ref WildcardCertificateArn, ""]]
+  CreateNewCertificates: !Equals [!Ref WildcardCertificateArn, ""]
   SilenceAlertsCondition: !Or [Condition: IsDevCondition, !Equals [!Ref SilenceAlerts, "true"]]
 Resources:
 # Note: We can't update the name of a DomainName resource once it has been created because the
@@ -96,11 +102,12 @@ Resources:
       DomainName: !Sub "${SubdomainName}<%=config[:Suffix]%>.${BaseDomainName}"
       DomainNameConfigurations:
         - EndpointType: REGIONAL
-          CertificateArn: !Ref <%=config[:Prefix]%>Certificate
+          CertificateArn: !If [UseWildcardCertificate, !Ref WildcardCertificateArn, !Ref <%=config[:Prefix]%>Certificate]
           CertificateName: !Sub "${SubdomainName}<%=config[:Suffix]%>.${BaseDomainName}"
 
   <%=config[:Prefix]%>Certificate:
     Type: AWS::CertificateManager::Certificate
+    Condition: CreateNewCertificates
     Properties:
       DomainName: !Sub "${SubdomainName}<%=config[:Suffix]%>.${BaseDomainName}"
       ValidationMethod: DNS
@@ -489,6 +496,15 @@ Resources:
             Status: Enabled
             ExpirationInDays: 1
 
+  ContentOAC:
+    Type: AWS::CloudFront::OriginAccessControl
+    Properties:
+      OriginAccessControlConfig:
+        Name: !Sub "${SubdomainName}-content-oac"
+        OriginAccessControlOriginType: s3
+        SigningBehavior: always
+        SigningProtocol: sigv4
+
   ContentBucketPolicy:
     Type: AWS::S3::BucketPolicy
     Properties:
@@ -498,10 +514,15 @@ Resources:
         - Action: ['s3:GetObject']
           Effect: Allow
           Resource: !Sub "arn:aws:s3:::${ContentBucket}/*"
-          Principal: '*'
+          Principal:
+            Service: cloudfront.amazonaws.com
+          Condition:
+            StringEquals:
+              "AWS:SourceArn": !Sub "arn:aws:cloudfront::${AWS::AccountId}:distribution/${ContentCDN}"
 
   ContentApiCertificate:
     Type: AWS::CertificateManager::Certificate
+    Condition: CreateNewCertificates
     Properties:
       DomainName: !Sub "${SubdomainName}-content.${BaseDomainName}"
       ValidationMethod: DNS
@@ -526,7 +547,7 @@ Resources:
         Enabled: true
         Aliases: [!Sub "${SubdomainName}-content.${BaseDomainName}"]
         ViewerCertificate:
-          AcmCertificateArn: !Ref ContentApiCertificate
+          AcmCertificateArn: !If [UseWildcardCertificate, !Ref WildcardCertificateArn, !Ref ContentApiCertificate]
           MinimumProtocolVersion: TLSv1
           SslSupportMethod: sni-only
         CustomErrorResponses:
@@ -540,7 +561,7 @@ Resources:
         Origins:
           - Id: ContentBucket
             DomainName: !GetAtt ContentBucket.DomainName
-            S3OriginConfig: {}
+            OriginAccessControlId: !Ref ContentOAC
         DefaultCacheBehavior:
           TargetOriginId: ContentBucket
           AllowedMethods: [DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT]

dev-deployment/README.md

@@ -0,0 +1,195 @@
+# Javabuilder Dev Environment Deployment Guide
+
+Comprehensive guide for deploying and managing the JavaBuilder AWS Lambda environment for development.
+
+## 🎯 Quick Start
+
+For a complete no-SSL deployment (recommended for dev):
+```bash
+./deploy-javabuilder-dev-no-ssl-fixed.sh
+```
+
+For modular deployment:
+```bash
+./01-deploy-base-infrastructure.sh  # Deploy IAM roles first
+./02-build-java-components.sh       # Build Java artifacts  
+./03-deploy-application.sh          # Deploy application stack
+```
+
+## 📋 Current Environment Status
+
+- **AWS Account**: 165336972514
+- **Profile**: codeorg-dev
+- **Region**: us-east-1
+- **Stack Name**: javabuilder-dev
+- **Bucket**: javabuilder-dev-artifacts-*
+
+### ✅ Working Components
+- ✅ AWS CLI configured with `codeorg-dev` profile
+- ✅ S3 bucket creation for artifacts
+- ✅ ERB template processing with SSL removal
+- ✅ CloudFormation template packaging and deployment
+- ✅ Java artifacts built and packaged correctly
+- ✅ Lambda functions deployed and active
+
+### 🔧 Key Components
+- **javabuilder-authorizer**: Handles API Gateway authorization
+- **api-gateway-routes**: API Gateway interaction logic
+- **org-code-javabuilder**: Core Java logic built with Gradle
+- **WebSocket API**: Real-time communication for build sessions
+- **CloudFront**: Content delivery for build artifacts
+
+## 🚀 Deployment Options
+
+### Option 1: No-SSL Deployment (Recommended for Dev)
+**Best for development environments without Route53 permissions**
+```bash
+./deploy-javabuilder-dev-no-ssl-fixed.sh
+```
+- Removes SSL certificates and custom domains
+- Uses CloudFront default domain
+- Faster deployment, fewer permissions needed
+
+### Option 2: Full SSL Deployment
+**For production-like environments with Route53 access**
+```bash
+./01-deploy-base-infrastructure.sh
+./02-build-java-components.sh
+./03-deploy-application.sh
+```
+
+### Option 3: Clean Slate Deployment
+**If stack exists but needs complete refresh**
+```bash
+./cleanup-javabuilder-dev.sh      # Remove existing stack
+./deploy-javabuilder-dev-no-ssl-fixed.sh  # Deploy fresh
+```
+
+## 🔧 Prerequisites
+
+### Required Software
+- **AWS CLI**: Configure with `codeorg-dev` profile
+- **Ruby**: For ERB template processing
+- **Java/Gradle**: For building org-code-javabuilder components
+
+### Required Permissions
+- CloudFormation stack management
+- S3 bucket creation and object management
+- Lambda function deployment
+- IAM role creation (for base infrastructure)
+- API Gateway management
+
+### Pre-Deployment Check
+```bash
+./pre-deploy-check.sh  # Verify all prerequisites
+```
+
+## 📁 Required Artifacts
+
+### Java Build Artifacts
+- ✅ `org-code-javabuilder/lib/build/distributions/lib.zip`
+- ✅ `org-code-javabuilder/font_config.zip` 
+- ✅ `org-code-javabuilder/change_runtime_directory/` (directory)
+
+### CloudFormation Templates
+- `../cicd/3-app/javabuilder/template.yml.erb` (source)
+- `process-template-no-ssl.rb` (SSL removal script)
+- Generated templates: `template-no-ssl.yml`, `packaged-*.yml`
+
+## 🔍 Deployment Process Details
+
+### 1. Template Processing
+- Processes ERB template with environment variables
+- Removes SSL resources for no-SSL deployment
+- Handles large template packaging via S3
+
+### 2. Artifact Packaging
+- Creates S3 bucket for deployment artifacts
+- Packages Lambda code from local directories
+- Uploads packaged template to S3
+
+### 3. CloudFormation Deployment
+- Uses `--template-url` for large templates
+- Includes `CAPABILITY_AUTO_EXPAND` for SAM transforms
+- Provides all required parameters via JSON file
+
+### 4. Post-Deployment Verification
+- Validates stack creation status
+- Tests WebSocket API endpoint
+- Verifies CloudFront distribution
+- Confirms Lambda function deployment
+
+## 🚨 Common Issues & Solutions
+
+### Template Too Large
+**Error**: Template body exceeds 51200 characters
+**Solution**: Script automatically uploads to S3 and uses `--template-url`
+
+### SSL Certificate Errors
+**Error**: Certificate validation or Route53 permissions
+**Solution**: Use no-SSL deployment script
+
+### Missing IAM Roles
+**Error**: Stack exports not found
+**Solution**: Deploy base infrastructure first with `01-deploy-base-infrastructure.sh`
+
+### Java Artifacts Missing
+**Error**: CodeUri points to non-existent files
+**Solution**: Run `02-build-java-components.sh` or ensure artifacts exist
+
+### Stack in ROLLBACK_COMPLETE State
+**Error**: Cannot update stack in failed state
+**Solution**: Use `cleanup-javabuilder-dev.sh` to delete and recreate
+
+## 🧪 Testing & Verification
+
+### Health Check Script
+```bash
+./test-deployment-health.sh  # Verify deployment status
+```
+
+### Manual Verification
+```bash
+# Check stack status
+aws cloudformation describe-stacks --stack-name javabuilder-dev --profile codeorg-dev
+
+# Test WebSocket endpoint
+aws apigatewayv2 get-apis --profile codeorg-dev
+
+# Verify Lambda functions
+aws lambda list-functions --profile codeorg-dev | grep -i javabuilder
+```
+
+## 🧹 Cleanup & Maintenance
+
+### Clean Failed Deployments
+```bash
+./cleanup-failed-stack.sh     # Remove failed stacks
+./cleanup-javabuilder-dev.sh  # Remove specific dev stack
+```
+
+### Artifact Management
+- S3 buckets are created with unique suffixes
+- Old artifacts remain in S3 (manual cleanup needed)
+- CloudFormation stacks are idempotent (safe to redeploy)
+
+## 📖 File Reference
+
+### Main Scripts
+- `deploy-javabuilder-dev-no-ssl-fixed.sh` - Complete no-SSL deployment
+- `01-deploy-base-infrastructure.sh` - IAM roles and base resources
+- `02-build-java-components.sh` - Build Java artifacts
+- `03-deploy-application.sh` - Deploy application stack
+
+### Configuration Files
+- `dev-deployment-params.json` - CloudFormation parameters
+- `dev.config.json` - Environment configuration
+- `process-template-no-ssl.rb` - SSL removal script
+
+### Generated Files
+- `template-no-ssl.yml` - Processed template without SSL
+- `packaged-*.yml` - CloudFormation packaged templates
+- `runtime.zip` - Lambda runtime artifacts
+
+For issues or questions, consult AWS CloudFormation logs or reach out to the DevOps team.
+

dev-deployment/cleanup-javabuilder-dev.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Cleanup JavaBuilder Dev Environment
+set -e
+
+PROFILE="codeorg-dev"
+APP_STACK="javabuilder-dev"
+BASE_STACK="javabuilder-base-infrastructure"
+
+echo "🗑️  Starting JavaBuilder Dev Environment Cleanup..."
+
+echo "📋 Checking if application stack exists..."
+if aws cloudformation describe-stacks --stack-name "$APP_STACK" --profile "$PROFILE" >/dev/null 2>&1; then
+    echo "🔄 Deleting application stack: $APP_STACK"
+    aws cloudformation delete-stack --stack-name "$APP_STACK" --profile "$PROFILE"
+
+    echo "⏳ Waiting for application stack deletion to complete..."
+    aws cloudformation wait stack-delete-complete --stack-name "$APP_STACK" --profile "$PROFILE"
+    echo "✅ Application stack deleted successfully!"
+else
+    echo "ℹ️  Application stack $APP_STACK not found"
+fi
+
+echo "🧹 Checking for leftover S3 buckets..."
+echo "S3 buckets that may need manual cleanup:"
+aws s3 ls --profile "$PROFILE" | grep javabuilder || echo "No JavaBuilder S3 buckets found"
+
+echo "✅ Cleanup complete!"
+echo "💡 To also remove base infrastructure, run:"
+echo "   aws cloudformation delete-stack --stack-name $BASE_STACK --profile $PROFILE"