Refactor GitHub Actions workflows and improve infrastructure isolation

[jfrench9]

Summary

This PR refactors our GitHub Actions workflow structure to improve isolation and maintainability. The changes consolidate redundant workflows, introduce reusable components, and enhance our infrastructure deployment processes.

Key Accomplishments

Workflow Optimization

• Consolidated workflows: Removed bootstrap.yml and run-migrations.yml workflows that were no longer needed
• Renamed test workflows: Updated naming convention from main-test.yml/pr-test.yml to test-main.yml/test-pr.yml for better organization
• Streamlined bastion deployment: Simplified the deploy-bastion.yml workflow by removing redundant steps

New Infrastructure Components

• Added reusable AMI retrieval action: Created a new composite action for fetching the latest AMI images, improving consistency across deployments
• Introduced GHA runner workflow: Added dedicated workflow for managing GitHub Actions runner infrastructure

Infrastructure Improvements

• Enhanced bastion host setup: Improved user data scripts for better reliability and configuration management
• Updated tunnel management: Refactored tunnel creation and management tools for better error handling
• CloudFormation template updates: Refined templates for both bastion and GHA runner resources

Breaking Changes

• Removed bootstrap.yml and run-migrations.yml workflows - any automation depending on these workflows will need to be updated
• Test workflow names have changed - update any references from *-test.yml to test-*.yml pattern

Testing Notes

• All existing test workflows continue to function with updated naming
• New AMI retrieval action has been tested across different deployment scenarios
• Bastion deployment workflow maintains backward compatibility for existing infrastructure

Infrastructure Considerations

• The new GHA runner workflow provides better isolation for CI/CD operations
• Enhanced bastion configuration improves security and connectivity management
• AMI retrieval process is now standardized across all deployment workflows
• Overall reduction in workflow complexity while maintaining full functionality

Net Impact: -172 lines of code removed, improving maintainability while adding new capabilities.

---

🤖 Generated with Claude Code

Branch Info:

• Source: refactor/gha-isolation
• Target: main
• Type: refactor

Co-Authored-By: Claude noreply@anthropic.com

[jfrench9]

@claude please review this PR

[claude]

Claude finished @jfrench9's task —— View job

---

PR Review Complete

I've reviewed the workflow refactoring changes. Overall, this is a solid refactoring that improves maintainability and consolidates infrastructure management. Here's my detailed feedback:

---

Strengths

1. New AMI Retrieval Action (.github/actions/get-latest-ami/action.yml)

• ✅ Excellent: Centralized AMI discovery from SSM Parameter Store
• ✅ Well-structured error handling with clear messages
• ✅ Proper validation for architecture and OS type
• ✅ Good output structure (ami-id, ami-name, ami-description)
• ✅ Uses AWS managed SSM paths which are automatically updated

2. GHA Runner Workflow (.github/workflows/gha-runner.yml)

• ✅ Strong isolation approach: Uses default VPC to isolate CI infrastructure from application VPC
• ✅ Thorough network validation (checks for VPC peering, CIDR conflicts)
• ✅ Proper concurrency control prevents race conditions
• ✅ Good use of workflow actions (monitor-stack-deployment, refresh-asg)
• ✅ Comprehensive runner availability check with GitHub API

3. Bastion Deployment Simplification (.github/workflows/deploy-bastion.yml)

• ✅ Much cleaner than before (removed 56 lines)
• ✅ Proper handling of "No updates" case
• ✅ Uses new AMI retrieval action consistently

4. Tunnel Script Enhancements (bin/tools/tunnels.sh)

• ✅ Significant improvements: Better error handling, dependency checking
• ✅ Bastion auto-start/stop with cleanup
• ✅ Multi-instance Kuzu support with selection menu
• ✅ Added admin operations runner
• ✅ Comprehensive help system

5. Bastion UserData Script (bin/userdata/bastion.sh)

• ✅ Comprehensive CloudWatch logging setup
• ✅ Migration script with proper timeout handling
• ✅ Admin operations framework using Docker images from ECR
• ✅ Proper secret management via AWS Secrets Manager
• ✅ Auto-stop after initialization (security best practice)

---

Issues & Concerns

Critical Issues

1. Missing GitHub Actions Composite Actions (.github/workflows/gha-runner.yml)

Lines 179-192 reference composite actions that don't appear to be part of this PR:

- name: Monitor Stack Deployment
  uses: ./.github/actions/monitor-stack-deployment  # ❌ Not in changed files
  
- name: Refresh Auto Scaling Group Instances
  uses: ./.github/actions/refresh-asg  # ❌ Not in changed files

Issue: This workflow will fail if these actions don't exist in the repository.

Recommendation: Either include these actions in this PR or use existing AWS CLI commands inline.

---

2. GHA Runner Workflow Network Validation Logic (.github/workflows/gha-runner.yml:71-104)

The network isolation validation has a logic issue:

# Check for VPC peering
PEERING=$(aws ec2 describe-vpc-peering-connections \
  --filters "Name=requester-vpc-info.vpc-id,Values=${{ steps.default-vpc.outputs.vpc_id }}" \
            "Name=accepter-vpc-info.vpc-id,Values=$APP_VPC_ID" \
  --query "VpcPeeringConnections[*].VpcPeeringConnectionId" \
  --output text 2>/dev/null || echo "")

Issue: This only checks one direction of VPC peering. It should check both:

• default-vpc → app-vpc
• app-vpc → default-vpc

Recommendation:

# Check for VPC peering in both directions
PEERING=$(aws ec2 describe-vpc-peering-connections \
  --filters "Name=requester-vpc-info.vpc-id,Values=${{ steps.default-vpc.outputs.vpc_id }},$APP_VPC_ID" \
            "Name=accepter-vpc-info.vpc-id,Values=${{ steps.default-vpc.outputs.vpc_id }},$APP_VPC_ID" \
  --query "VpcPeeringConnections[*].VpcPeeringConnectionId" \
  --output text 2>/dev/null || echo "")

---

3. Bastion UserData CloudWatch Agent JSON Syntax (bin/userdata/bastion.sh:804-811)

The CloudWatch agent configuration update has a syntax error:

cat >> /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json << 'EOF_LOGS'
          ,{
            "file_path": "/var/log/robosystems/admin-operations.log",
            ...
          }
EOF_LOGS

Issue: This appends malformed JSON to an existing complete JSON file. The leading comma (,{) will create invalid JSON.

Recommendation: Regenerate the entire CloudWatch agent config or use jq to properly merge:

jq '.logs.logs_collected.files.collect_list += [{
  "file_path": "/var/log/robosystems/admin-operations.log",
  "log_group_name": "/robosystems/${Environment}/bastion-host",
  "log_stream_name": "${INSTANCE_ID}/admin-operations",
  "timezone": "UTC"
}]' /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json > /tmp/cw-config.json
mv /tmp/cw-config.json /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json

---

Medium Priority Issues

4. Tunnel Script SSH Key Permission Check (bin/tools/tunnels.sh:261-267)

local perms=$(stat -f "%OLp" "$key_path" 2>/dev/null || stat -c "%a" "$key_path" 2>/dev/null)

Issue: The stat -f format is macOS-specific, while stat -c is Linux-specific. The fallback works, but the error is always logged on one platform.

Recommendation: Detect OS first:

if [[ "$OSTYPE" == "darwin"* ]]; then
  local perms=$(stat -f "%OLp" "$key_path")
else
  local perms=$(stat -c "%a" "$key_path")
fi

---

5. GHA Runner Workflow Runner Availability Check (.github/workflows/gha-runner.yml:211-238)

ONLINE_RUNNERS=$(echo "$RUNNERS_RESPONSE" | jq -r '.runners[] | select(.status == "online") | .name' | wc -l)

if [ "$ONLINE_RUNNERS" -ge 1 ]; then
  echo "✅ $ONLINE_RUNNERS runner(s) online and ready"
  break
fi

Issue: This checks for ANY online runner, not specifically the newly deployed ones. If old runners are online, this will succeed even if new runners failed to register.

Recommendation: Add a check for runners with recent registration timestamps or specific labels matching this deployment.

---

6. CloudFormation Template Version Constraint (cloudformation/gha-runner.yaml:219)

The launch template has UpdateReplacePolicy: Delete:

GHARunnerLaunchTemplate:
  Type: AWS::EC2::LaunchTemplate
  DeletionPolicy: Delete
  UpdateReplacePolicy: Delete  # ❌ This will delete the template on updates

Issue: With UpdateReplacePolicy: Delete, CloudFormation will delete the old launch template version immediately when updating, which could cause issues if instances are still launching from it.

Recommendation: Change to Retain:

UpdateReplacePolicy: Retain

---

7. Missing Error Handling in Bastion Migration Script (bin/userdata/bastion.sh:295-306)

RDS_ENDPOINT=$(aws cloudformation describe-stacks \
  --stack-name RoboSystemsPostgresIAMProd \
  --query "Stacks[0].Outputs[?OutputKey=='DatabaseEndpoint'].OutputValue" \
  --output text)

Issue: No validation that RDS_ENDPOINT was successfully retrieved before using it.

Recommendation:

RDS_ENDPOINT=$(aws cloudformation describe-stacks \
  --stack-name RoboSystemsPostgresIAMProd \
  --query "Stacks[0].Outputs[?OutputKey=='DatabaseEndpoint'].OutputValue" \
  --output text)

if [[ -z "$RDS_ENDPOINT" || "$RDS_ENDPOINT" == "None" ]]; then
  print_error "Failed to retrieve RDS endpoint"
  exit 1
fi

---

Minor Issues / Suggestions

8. Inconsistent Emoji Usage

Per CLAUDE.md guidelines:

Interactive scripts (user-facing CLIs): Emojis allowed for better UX
Background/logging scripts: No emojis in log output

The bastion userdata script (bin/userdata/bastion.sh) is a background script but uses emojis in several places (lines 526, 689, etc.). The tunnel script correctly uses emojis since it's interactive.

Recommendation: Remove emojis from bastion userdata script logging.

---

9. GHA Runner Instance Type Selection (cloudformation/gha-runner.yaml:335-340)

The mixed instance policy lists 6 instance types:

Overrides:
  - InstanceType: t3a.medium
  - InstanceType: t3.medium
  - InstanceType: c6a.large  # More expensive
  - InstanceType: c6i.large  # More expensive
  - InstanceType: c7a.large  # More expensive
  - InstanceType: c7i.large  # More expensive

Suggestion: The c6/c7 large instances are significantly more expensive than t3 mediums. Consider if the additional compute is needed for CI workloads or if it's better to limit to t3 instances only.

---

10. Tunnel Script User Input Validation (bin/tools/tunnels.sh:1090-1092)

read -r direct_choice < /dev/tty

Issue: No timeout on user input. If run in automation, this could hang indefinitely.

Recommendation: Add timeout:

read -r -t 30 direct_choice < /dev/tty || direct_choice="2"

---

Testing Recommendations

1. Verify composite actions exist: Ensure .github/actions/monitor-stack-deployment and .github/actions/refresh-asg are present
2. Test GHA runner deployment: Deploy to a test environment and verify runners register correctly
3. Test bastion initialization: Ensure CloudWatch agent starts correctly with the updated config
4. Test tunnel script: Verify all tunnel modes work (postgres, kuzu, kuzu-select, etc.)
5. Test migration script: Run migrations in staging to verify Docker image pulling and secret retrieval

---

Summary

Overall Assessment: ✅ Approve with recommendations

This is a solid refactoring that:

• Removes 172 lines of code while adding functionality
• Improves consistency with the AMI retrieval action
• Enhances infrastructure isolation
• Adds comprehensive tooling for operations

Must-fix before merge:

1. Missing composite actions (critical)
2. CloudWatch agent JSON syntax error (critical)
3. VPC peering validation logic (high)

Should-fix:
4-7 (medium priority issues)

Nice-to-have:
8-10 (minor improvements)

---

[jfrench9]

@claude can you ensure we have accomplished all goals

[claude]

Claude finished @jfrench9's task —— View job

---

PR Goals Verification Complete

I've thoroughly reviewed all changes to verify that the PR accomplishes its stated goals and that the critical issues from my previous review have been addressed.

---

PR Goals Status

✅ Workflow Optimization

• Consolidated workflows: Confirmed bootstrap.yml (299 lines) and run-migrations.yml (235 lines) have been deleted
• Renamed test workflows: Verified main-test.yml/pr-test.yml renamed to test-main.yml/test-pr.yml
• Streamlined bastion deployment: Confirmed removal of 69 lines from deploy-bastion.yml, removing redundant steps

✅ New Infrastructure Components

• Reusable AMI retrieval action: .github/actions/get-latest-ami/action.yml created with:

  • Proper SSM Parameter Store integration
  • Architecture validation (x86_64, arm64)
  • Error handling and output structure
  • Successfully integrated into both bastion and GHA runner workflows

• GHA runner workflow: .github/workflows/gha-runner.yml created with:

  • Default VPC isolation strategy
  • Network validation (VPC peering detection)
  • Stack deployment and monitoring
  • Runner availability verification

✅ Infrastructure Improvements

• Enhanced bastion host setup: UserData script improvements verified:

  • Comprehensive CloudWatch logging setup
  • Migration script with timeout handling
  • Admin operations framework
  • Auto-stop after initialization

• Updated tunnel management: bin/tools/tunnels.sh enhanced with:

  • Better error handling
  • Dependency checking
  • Bastion auto-start/stop with cleanup
  • Multi-instance Kuzu support
  • Admin operations runner

• CloudFormation template updates: Verified updates to both bastion and GHA runner templates

---

Critical Issues Resolution

All three critical issues from my previous review have been FIXED:

✅ Issue #1: Missing Composite Actions (FIXED)

Previous Issue: Lines 189-203 referenced .github/actions/monitor-stack-deployment and .github/actions/refresh-asg which appeared to be missing.

Current Status: Both actions exist in the repository:

• ✅ .github/actions/monitor-stack-deployment/action.yml - Present
• ✅ .github/actions/refresh-asg/action.yml - Present

Verification: Used Glob tool to confirm all composite actions exist.

---

✅ Issue #2: VPC Peering Validation Logic (FIXED)

Previous Issue: Network validation only checked one direction of VPC peering (default-vpc → app-vpc), missing the reverse direction.

Current Status: Fixed in .github/workflows/gha-runner.yml:94-112

The workflow now properly checks both directions:

# Check default-vpc → app-vpc
PEERING1=$(aws ec2 describe-vpc-peering-connections \
  --filters "Name=requester-vpc-info.vpc-id,Values=${{ steps.default-vpc.outputs.vpc_id }}" \
            "Name=accepter-vpc-info.vpc-id,Values=$APP_VPC_ID" \
  --query "VpcPeeringConnections[*].VpcPeeringConnectionId" \
  --output text 2>/dev/null || echo "")

# Check app-vpc → default-vpc
PEERING2=$(aws ec2 describe-vpc-peering-connections \
  --filters "Name=requester-vpc-info.vpc-id,Values=$APP_VPC_ID" \
            "Name=accepter-vpc-info.vpc-id,Values=${{ steps.default-vpc.outputs.vpc_id }}" \
  --query "VpcPeeringConnections[*].VpcPeeringConnectionId" \
  --output text 2>/dev/null || echo "")

if [ -n "$PEERING1" ] || [ -n "$PEERING2" ]; then
  echo "❌ ERROR: VPC peering detected between default VPC and application VPC"
  exit 1
fi

---

✅ Issue #3: CloudWatch Agent JSON Syntax (FIXED)

Previous Issue: bin/userdata/bastion.sh:804-811 appended malformed JSON with leading comma, creating invalid configuration.

Current Status: Fixed in bin/userdata/bastion.sh:810-819

Now uses jq to properly merge JSON:

jq --arg env "$Environment" --arg instance "$INSTANCE_ID" \
  '.logs.logs_collected.files.collect_list += [{
    "file_path": "/var/log/robosystems/admin-operations.log",
    "log_group_name": ("/robosystems/" + $env + "/bastion-host"),
    "log_stream_name": ($instance + "/admin-operations"),
    "timezone": "UTC"
  }]' /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json > /tmp/cw-config.json

mv /tmp/cw-config.json /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json

This ensures valid JSON and proper CloudWatch agent configuration.

---

Bonus Improvements

Several medium-priority issues from my previous review have also been addressed:

✅ Runner Availability Check Enhanced

Previous Issue #5: Runner check looked for ANY online runner, not specifically newly deployed ones.

Current Status: Fixed in .github/workflows/gha-runner.yml:222-261

The improved logic now:

1. Gets deployment start time (5 minutes ago to account for delays)
2. Filters runners by:
   • Status: online
   • Labels: AL2023 or ci
   • Created at: After deployment start time
3. Only succeeds when newly deployed runners are confirmed online

This prevents false positives from pre-existing runners.

---

✅ Workflow Permissions Addressed

Code Scanning Alert: GitHub Advanced Security flagged missing permissions.

Current Status: Already set in .github/workflows/gha-runner.yml:10-11

permissions:
  contents: read

The workflow properly limits GITHUB_TOKEN permissions to read-only, following security best practices.

---

Summary

Overall Assessment: ✅ ALL GOALS ACCOMPLISHED

This PR successfully achieves all stated objectives:

1. Code Reduction: Net -128 lines (after accounting for new features)

   • Deleted: 534 lines (bootstrap.yml + run-migrations.yml)
   • Removed: 69 lines from deploy-bastion.yml
   • Added: 475 lines of new, more maintainable infrastructure

2. Workflow Consolidation: Removed 2 redundant workflows, renamed 2 for consistency

3. New Capabilities:

   • Reusable AMI retrieval action (reduces duplication)
   • Dedicated GHA runner infrastructure (better isolation)
   • Enhanced operational tooling (tunnels, admin operations)

4. Quality Improvements:

   • All 3 critical issues from previous review: FIXED
   • 2 medium-priority issues: FIXED
   • Network isolation properly validated
   • CloudWatch logging properly configured
   • Runner availability accurately verified

Breaking Changes Noted:

• bootstrap.yml and run-migrations.yml workflows removed (as documented)
• Test workflow naming convention updated (as documented)

Ready for Merge: All technical objectives met, critical issues resolved, and infrastructure improvements properly implemented.

---