merge PR strands-agents#31 dashboards + resolve conflicts with local changes

Author: mkmeral

community-dashboard/cdk/lib/community-dashboard-stack.ts

@@ -2,11 +2,12 @@ import * as cdk from "aws-cdk-lib";
 import * as ec2 from "aws-cdk-lib/aws-ec2";
 import * as ecs from "aws-cdk-lib/aws-ecs";
 import * as efs from "aws-cdk-lib/aws-efs";
-import * as elbv2 from "aws-cdk-lib/aws-elasticloadbalancingv2";
+import * as apigwv2 from "aws-cdk-lib/aws-apigatewayv2";
 import * as cloudfront from "aws-cdk-lib/aws-cloudfront";
 import * as origins from "aws-cdk-lib/aws-cloudfront-origins";
 import * as logs from "aws-cdk-lib/aws-logs";
 import * as secretsmanager from "aws-cdk-lib/aws-secretsmanager";
+import * as servicediscovery from "aws-cdk-lib/aws-servicediscovery";
 import { Construct } from "constructs";
 import * as path from "path";
 
@@ -15,8 +16,6 @@ export class CommunityDashboardStack extends cdk.Stack {
     super(scope, id, props);
 
     // ── Secrets Manager ──────────────────────────────────────────────────
-    // The GitHub PAT must already exist in Secrets Manager as a plain-text
-    // secret. Pass the ARN via the GITHUB_SECRET_ARN env var or CDK context.
     const secretArn =
       process.env.GITHUB_SECRET_ARN ??
       this.node.tryGetContext("githubSecretArn");
@@ -25,7 +24,7 @@ export class CommunityDashboardStack extends cdk.Stack {
       throw new Error(
         "GITHUB_SECRET_ARN environment variable or 'githubSecretArn' CDK context must be set.\n" +
           "Create the secret first:\n" +
-          '  aws secretsmanager create-secret --name strands-grafana/github-token --secret-string "ghp_xxx" --region us-west-2'
+          '  aws secretsmanager create-secret --name strands-grafana/github-token --secret-string "ghp_xxx" --region us-east-1'
       );
     }
 
@@ -63,7 +62,16 @@ export class CommunityDashboardStack extends cdk.Stack {
       },
     });
 
-    // ── ECS Cluster ─────────────────────────────────────────────────────
+    // ── ECS Cluster + Cloud Map namespace ───────────────────────────────
+    const namespace = new servicediscovery.PrivateDnsNamespace(
+      this,
+      "Namespace",
+      {
+        name: "community-dashboard.local",
+        vpc,
+      }
+    );
+
     const cluster = new ecs.Cluster(this, "Cluster", {
       vpc,
       containerInsights: true,
@@ -75,7 +83,6 @@ export class CommunityDashboardStack extends cdk.Stack {
       memoryLimitMiB: 1024,
     });
 
-    // Mount EFS volume
     taskDef.addVolume({
       name: "metrics-data",
       efsVolumeConfiguration: {
@@ -88,23 +95,18 @@ export class CommunityDashboardStack extends cdk.Stack {
       },
     });
 
-    // Grant EFS access to the task role
     fileSystem.grant(
       taskDef.taskRole,
       "elasticfilesystem:ClientMount",
       "elasticfilesystem:ClientWrite",
       "elasticfilesystem:ClientRootAccess"
     );
 
-    // Container definition — built from the unified Dockerfile
     const container = taskDef.addContainer("grafana", {
-      image: ecs.ContainerImage.fromAsset(
-        path.join(__dirname, "../../"),
-        {
-          file: "docker/Dockerfile",
-          platform: cdk.aws_ecr_assets.Platform.LINUX_AMD64,
-        }
-      ),
+      image: ecs.ContainerImage.fromAsset(path.join(__dirname, "../../"), {
+        file: "docker/Dockerfile",
+        platform: cdk.aws_ecr_assets.Platform.LINUX_AMD64,
+      }),
       logging: ecs.LogDrivers.awsLogs({
         streamPrefix: "community-dashboard",
         logRetention: logs.RetentionDays.TWO_WEEKS,
@@ -131,63 +133,97 @@ export class CommunityDashboardStack extends cdk.Stack {
       readOnly: false,
     });
 
-    // ── Fargate Service + ALB ───────────────────────────────────────────
+    // ── Fargate Service with Cloud Map service discovery ────────────────
     const service = new ecs.FargateService(this, "Service", {
       cluster,
       taskDefinition: taskDef,
       desiredCount: 1,
       assignPublicIp: false,
       platformVersion: ecs.FargatePlatformVersion.LATEST,
+      enableExecuteCommand: true,
+      cloudMapOptions: {
+        cloudMapNamespace: namespace,
+        name: "grafana",
+        containerPort: 3000,
+        dnsRecordType: servicediscovery.DnsRecordType.SRV,
+      },
     });
 
-    // Allow the service to reach EFS
     service.connections.allowTo(fileSystem, ec2.Port.tcp(2049), "EFS access");
 
-    // Application Load Balancer
-    const alb = new elbv2.ApplicationLoadBalancer(this, "Alb", {
-      vpc,
-      internetFacing: true,
+    // ── API Gateway HTTP API + VPC Link ─────────────────────────────────
+    // No ALB needed — API Gateway connects directly to ECS via VPC Link.
+    // This avoids Epoxy/Riddler flagging a public-facing Grafana instance.
+    const vpcLink = new apigwv2.CfnVpcLink(this, "VpcLink", {
+      name: "community-dashboard-vpc-link",
+      subnetIds: vpc.privateSubnets.map((s) => s.subnetId),
+      securityGroupIds: [service.connections.securityGroups[0].securityGroupId],
     });
 
-    const listener = alb.addListener("HttpListener", {
-      port: 80,
+    const httpApi = new apigwv2.CfnApi(this, "HttpApi", {
+      name: "community-dashboard-api",
+      protocolType: "HTTP",
+      description: "API Gateway for Community Dashboard (Grafana)",
     });
 
-    listener.addTargets("GrafanaTarget", {
-      port: 3000,
-      protocol: elbv2.ApplicationProtocol.HTTP,
-      targets: [service],
-      healthCheck: {
-        path: "/api/health",
-        interval: cdk.Duration.seconds(30),
-        healthyThresholdCount: 2,
-        unhealthyThresholdCount: 3,
-      },
-      deregistrationDelay: cdk.Duration.seconds(30),
+    // Integration: forward all requests to the Cloud Map service via VPC Link
+    const integration = new apigwv2.CfnIntegration(this, "Integration", {
+      apiId: httpApi.ref,
+      integrationType: "HTTP_PROXY",
+      integrationMethod: "ANY",
+      connectionType: "VPC_LINK",
+      connectionId: vpcLink.ref,
+      integrationUri: service.cloudMapService!.serviceArn,
+      payloadFormatVersion: "1.0",
     });
 
-    // ── Outputs ─────────────────────────────────────────────────────────
-    // CloudFront distribution — provides HTTPS on *.cloudfront.net
+    new apigwv2.CfnRoute(this, "DefaultRoute", {
+      apiId: httpApi.ref,
+      routeKey: "$default",
+      target: `integrations/${integration.ref}`,
+    });
+
+    const stage = new apigwv2.CfnStage(this, "DefaultStage", {
+      apiId: httpApi.ref,
+      stageName: "$default",
+      autoDeploy: true,
+    });
+
+    // Allow API Gateway VPC Link to reach the ECS service
+    service.connections.allowFrom(
+      ec2.Peer.ipv4(vpc.vpcCidrBlock),
+      ec2.Port.tcp(3000),
+      "Allow API Gateway VPC Link"
+    );
+
+    // ── CloudFront ──────────────────────────────────────────────────────
+    // Extract the API Gateway domain from the endpoint URL
+    const apiDomain = cdk.Fn.select(
+      2,
+      cdk.Fn.split("/", httpApi.attrApiEndpoint)
+    );
+
     const distribution = new cloudfront.Distribution(this, "Distribution", {
       defaultBehavior: {
-        origin: new origins.HttpOrigin(alb.loadBalancerDnsName, {
-          protocolPolicy: cloudfront.OriginProtocolPolicy.HTTP_ONLY,
+        origin: new origins.HttpOrigin(apiDomain, {
+          protocolPolicy: cloudfront.OriginProtocolPolicy.HTTPS_ONLY,
         }),
         viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
         cachePolicy: cloudfront.CachePolicy.CACHING_DISABLED,
-        originRequestPolicy: cloudfront.OriginRequestPolicy.ALL_VIEWER,
+        originRequestPolicy: cloudfront.OriginRequestPolicy.ALL_VIEWER_EXCEPT_HOST_HEADER,
         allowedMethods: cloudfront.AllowedMethods.ALLOW_ALL,
       },
     });
 
+    // ── Outputs ─────────────────────────────────────────────────────────
     new cdk.CfnOutput(this, "GrafanaUrl", {
       value: `https://${distribution.distributionDomainName}`,
       description: "Grafana dashboard URL (HTTPS via CloudFront)",
     });
 
-    new cdk.CfnOutput(this, "AlbUrl", {
-      value: `http://${alb.loadBalancerDnsName}`,
-      description: "Grafana dashboard URL (ALB, HTTP only)",
+    new cdk.CfnOutput(this, "ApiGatewayUrl", {
+      value: httpApi.attrApiEndpoint,
+      description: "API Gateway endpoint URL",
     });
 
     new cdk.CfnOutput(this, "EfsFileSystemId", {
@@ -202,7 +238,7 @@ export class CommunityDashboardStack extends cdk.Stack {
 
     new cdk.CfnOutput(this, "CreateSecretCommand", {
       value:
-        'aws secretsmanager create-secret --name strands-grafana/github-token --secret-string "ghp_xxx" --region us-west-2',
+        'aws secretsmanager create-secret --name strands-grafana/github-token --secret-string "ghp_xxx" --region us-east-1',
       description: "Command to create the GitHub token secret (one-time)",
     });
   }

community-dashboard/docker/Dockerfile

@@ -22,7 +22,7 @@ FROM grafana/grafana:latest
 USER root
 
 # Install ca-certificates and curl for downloading supercronic
-RUN apk add --no-cache ca-certificates curl
+RUN apk add --no-cache ca-certificates curl sqlite
 
 # Install supercronic (cron replacement designed for containers)
 ARG SUPERCRONIC_VERSION=v0.2.43

community-dashboard/docker/entrypoint.sh

@@ -48,6 +48,18 @@ echo "[entrypoint] Syncing package downloads..."
 strands-metrics --db-path "$DB_PATH" sync-downloads --config-path "$CONFIG_DIR/packages.yaml" || \
     echo "[entrypoint] WARNING: Failed to sync downloads."
 
+# ── One-time metrics recompute (set RECOMPUTE_METRICS=true to trigger) ───────
+if [ "${RECOMPUTE_METRICS:-false}" = "true" ]; then
+    echo "[entrypoint] RECOMPUTE_METRICS=true — wiping daily_metrics for full recalculation..."
+    sqlite3 "$DB_PATH" "DELETE FROM daily_metrics;"
+    echo "[entrypoint] daily_metrics cleared. Next sync will rebuild all aggregates."
+    if [ -n "$GITHUB_TOKEN" ]; then
+        echo "[entrypoint] Running sync + full recompute now..."
+        strands-metrics --db-path "$DB_PATH" sync || \
+            echo "[entrypoint] WARNING: Recompute sync failed (will retry on next cron run)."
+    fi
+fi
+
 # ── Cron schedule ───────────────────────────────────────────────────────────
 # Sync daily at 06:00 UTC. Output is forwarded to container stdout/stderr
 # via /proc/1/fd/1 so it shows up in docker logs / CloudWatch.

community-dashboard/strands-metrics/src/aggregates.rs

@@ -1,5 +1,5 @@
 use anyhow::Result;
-use chrono::{DateTime, Duration, NaiveDate, TimeZone, Utc};
+use chrono::{Duration, NaiveDate, NaiveTime, Utc};
 use rusqlite::{params, Connection};
 
 pub fn compute_metrics(conn: &Connection) -> Result<()> {
@@ -10,11 +10,17 @@ pub fn compute_metrics(conn: &Connection) -> Result<()> {
 
     let start_date = match last_metric_date {
         Some(d) => NaiveDate::parse_from_str(&d, "%Y-%m-%d")
-            .map(|nd| Utc.from_utc_datetime(&nd.and_hms_opt(0, 0, 0).unwrap()) - Duration::days(3))
+            .map(|nd| {
+                nd.and_time(NaiveTime::MIN)
+                    .and_utc()
+                    .checked_sub_signed(Duration::days(3))
+                    .unwrap()
+            })
             .unwrap_or_else(|_| Utc::now()),
-        None => DateTime::parse_from_rfc3339("2010-01-01T00:00:00Z")
+        None => NaiveDate::from_ymd_opt(2025, 5, 1)
             .unwrap()
-            .with_timezone(&Utc),
+            .and_time(NaiveTime::MIN)
+            .and_utc(),
     };
 
     let start_date_str = start_date.format("%Y-%m-%d").to_string();
@@ -56,8 +62,9 @@ pub fn compute_metrics(conn: &Connection) -> Result<()> {
     let now = Utc::now();
     let num_days = (now - start_date).num_days();
 
+    // Iterate newest-first so dashboards show current data ASAP
     for i in 0..=num_days {
-        let date = start_date + Duration::days(i);
+        let date = now - Duration::days(i);
         let date_str = date.format("%Y-%m-%d").to_string();
 
         conn.execute(