fix: allow stackName to change #70

Merged: scottschreckengaust merged 10 commits into main from feat/context-stack-name on May 11, 2026

@scottschreckengaust scottschreckengaust commented May 9, 2026

Summary

Fixes multi-stack name collisions by making each resource self-guard its own name length, rather than imposing a central stackName length limit.

Problem

Deploying a second named stack (e.g. commit-fa647ca...) in the same account fails because several resources use hardcoded names with account-level uniqueness:

  • Bedrock Guardrail: task-input-guardrail (per-account per-region unique)
  • AgentCore Memory: bgagent_memory (per-account per-region unique)
  • AgentCore Runtime: was jean_cloude (per-account per-region unique)
  • Model Invocation Logging: account-level singleton — onDelete in one stack disables logging for all stacks

Fix

| Resource | Name derivation | Guard |
| --- | --- | --- |
| Runtime | stackName → sanitize non-alphanumeric to _, ensure starts with letter | .slice(0, 48) |
| Guardrail | ${stackName}-guardrail | .slice(0, 50) |
| Memory | mem_${stackName} (sanitized) | .slice(0, 48) |
| Model Invocation Logging | Remove onDelete — account-level singleton shouldn't be torn down by one stack | N/A |

The 40-character stackName input validation is removed — each resource truncates to its own API limit independently.

Also included

  • Gitleaks allowlist: test-signing-secret-abc123 in Slack verification test was triggering a false positive

Test plan

  • mise //cdk:compile passes
  • mise //cdk:test — 1170 tests pass, 68 suites
  • Gitleaks clean
  • Deploy two stacks in same account without name collisions

🤖 Generated with Claude Code

@scottschreckengaust scottschreckengaust marked this pull request as ready for review May 9, 2026 00:16
@scottschreckengaust scottschreckengaust requested a review from a team as a code owner May 9, 2026 00:16
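
The truncation guards in the Fix table can map two different stack names to one resource name once the names share a long prefix. The following is an added example (not the PR's code) that reproduces the derivations as described, detects such collisions over constructed stack names, and shows a hash-suffixed alternative; the function names, the `r` prefix rule, and the FNV-1a suffix are assumptions.

```typescript
// Added example. Derivations follow the PR's Fix table and follow-up comment;
// function names and the sample stack names are constructed for illustration.
type Derive = (stackName: string) => string;

const guardrailName: Derive = (s) => `${s}-guardrail`.slice(0, 50);
const memoryName: Derive = (s) => `mem_${s.replace(/-/g, "_")}`.slice(0, 48);
// Assumption: "ensure starts with letter" is done by prefixing "r".
const runtimeName: Derive = (s) => {
  const clean = s.replace(/[^a-zA-Z0-9]/g, "_");
  return (/^[a-zA-Z]/.test(clean) ? clean : "r" + clean).slice(0, 48);
};

// Groups of distinct stack names that derive to the same resource name.
function collisions(derive: Derive, stackNames: string[]): string[][] {
  const groups: { [name: string]: string[] } = {};
  stackNames.forEach((s) => {
    const key = derive(s);
    if (!groups[key]) groups[key] = [];
    if (groups[key].indexOf(s) === -1) groups[key].push(s);
  });
  return Object.keys(groups).map((k) => groups[k]).filter((g) => g.length > 1);
}

// FNV-1a (32-bit, non-cryptographic), used only to disambiguate names.
function fnv1a(s: string): string {
  let h = 0x811c9dc5;
  for (let i = 0; i < s.length; i++) {
    h ^= s.charCodeAt(i);
    // Multiply by the FNV prime 16777619 using shifts, modulo 2^32.
    h = (h + (h << 1) + (h << 4) + (h << 7) + (h << 8) + (h << 24)) >>> 0;
  }
  return ("0000000" + h.toString(16)).slice(-8);
}

// Alternative guard (assumption, not the PR's code): truncate the readable
// part and keep a hash of the full stack name, so the result stays <= 50.
const guardrailNameHashed: Derive = (s) =>
  `${s.slice(0, 31)}-${fnv1a(s)}-guardrail`;

// Constructed stack names; CloudFormation allows up to 128 characters.
const SAMPLE_STACKS = [
  "preview-feature-context-stack-name-environment-us-east-1-a",
  "preview-feature-context-stack-name-environment-us-east-1-b",
  "dev-stack",
];
```
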

scottschreckengaust commented May 9, 2026

Upon trial:

InputGuardrailMyGuardrail37FA9C23: "Another guardrail in your account already has this name. Retry your request with a different name"


cdk/src/stacks/agent.ts — need these 3 changes:

  1. Guardrail name (line 167): 'task-input-guardrail' → `${this.stackName}-guardrail`.slice(0, 50)
  2. Log group name (line 621): '/aws/bedrock/model-invocation-logs' → `/aws/bedrock/model-invocation-logs/${this.stackName}`
  3. Model invocation logging onDelete (lines 674-679): Removed the deleteModelInvocationLoggingConfiguration block — replaced with a comment
    explaining why (account-level singleton; one stack's teardown shouldn't kill another's logging)

cdk/src/constructs/agent-memory.ts — 2 changes:

  1. Added Stack to imports: import { Duration } from 'aws-cdk-lib' → import { Duration, Stack } from 'aws-cdk-lib'
  2. Memory name (line 73): 'bgagent_memory' → `mem_${Stack.of(this).stackName.replace(/-/g, '_')}`.slice(0, 48)

cdk/test/constructs/agent-memory.test.ts — test updated:

  • Assertion changed from Name: 'bgagent_memory' → Name: 'mem_TestStack'

Comment thread cdk/src/stacks/agent.ts Outdated
Comment thread cdk/src/stacks/agent.ts Outdated
@scottschreckengaust commented

Tested in AWS Account in one region for successful deployment in one region (functional testing not performed - just deployment to stacks with unique resources)

Comment thread cdk/src/constructs/agent-memory.ts Outdated
Comment thread cdk/src/constructs/agent-memory.ts
Comment thread cdk/src/stacks/agent.ts Outdated
scottschreckengaust and others added 7 commits May 11, 2026 19:15
Signed-off-by: bgagent <scottschreckengaust@users.noreply.github.com>
Each resource with a name uniqueness constraint now truncates to its
own API limit, removing the need for a central stackName length check:
- Guardrail: ${stackName}-guardrail (.slice(0, 50))
- Memory: mem_${stackName} (.slice(0, 48))
- Runtime: sanitize + .slice(0, 48), ensure starts with letter
- Model invocation logging: remove onDelete (account-level singleton)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The Slack verification test uses 'test-signing-secret-abc123' which
triggers gitleaks generic-api-key rule. Not a real credential.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The default memory name changed from `mem_` to `bgagent_memory_` prefix.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove explicit runtimeName and memoryName — the L2 constructs
auto-generate unique names via Names.uniqueResourceName() from
the construct path (which includes the stack name), eliminating
name collisions entirely without manual .slice() guards.

Only the guardrail name remains explicit (required by the L2 API).
Log group names retain stackName for operational discoverability.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@scottschreckengaust scottschreckengaust force-pushed the feat/context-stack-name branch from ac4efbb to 8d0a110 Compare May 11, 2026 19:24
@krokoko krokoko self-requested a review May 11, 2026 20:53
@scottschreckengaust scottschreckengaust added this pull request to the merge queue May 11, 2026
Merged via the queue into main with commit 50b3ac8 May 11, 2026
6 checks passed