CBIIT · michael-fleming-nih · Apr 8, 2026 · Apr 17, 2026
diff --git a/awscdk/.env_example b/awscdk/.env_example
@@ -0,0 +1,4 @@
+default_region=us-east-1
+default_account=
+aws_access_key_id=
+aws_secret_access_key=
diff --git a/awscdk/.gitignore b/awscdk/.gitignore
@@ -0,0 +1,20 @@
+dist/
+*.pyo
+*.pyc
+creds/*
+imports/*
+*.egg-info/
+!imports/__init__.py
+.venv
+.env
+*/test.py
+cdk.out
+*.ini*
+*.pem
+.DS_Store
+
+# Ignore debug
+*.bak
+
+# Ignore files used to drive AI implementation
+AI
diff --git a/awscdk/README_docker_compose.md b/awscdk/README_docker_compose.md
@@ -0,0 +1,51 @@
+# Bento cdk project:  Bento AWS
+
+## Prerequisites
+
+This project was built based on the python implementation detailed at:
+- https://docs.aws.amazon.com/cdk/latest/guide/getting_started.html
+
+The project can be built using the included docker-compose file to install prerequisites or they can be installed locally. 
+
+
+### Using docker-compose
+
+Once the repo has been cloned a dev container can be started from the cdk/awscdk folder using the following command:
+
+```bash
+docker-compose run aws-cdk sh
+docker compose run aws-cdk sh
+```
+
+This will start a container with all required applications installed and map the awscdk/bento folder as its workspace.
+
+
+## Initialize the bento cdk project
+
+In order to build the bento cdk files you will need to get the required python modules (this command should be run in the bento folder):
+
+```bash
+pip3 install --ignore-installed --break-system-packages -r requirements.txt
+```
+
+
+## Configure the config.ini file
+
+The CDK script get configuration settings from a config.ini file, in order to properly run this project you will need to create this file with the proper values populated. This file can be created by copying the included config.ini.template file and adding in values for any missing information.
+
+
+## Build Cloudformation scripts for the bento cdk project
+
+After modules are installed you can run cdk commands on your stack:
+
+```bash
+cdk synth
+cdk bootstrap
+cdk deploy
+cdk diff
+cdk destroy
+```
+
+To skip approval step:  --require-approval never
+
+* Note: an appropriate tier must be specified in bento.properties in order to build the bento scripts - if valid tiers are created or removed for this project getArgs.py must be updated to reflect these changes
diff --git a/awscdk/docker-compose.yml b/awscdk/docker-compose.yml
@@ -0,0 +1,15 @@
+#version: '3.4'
+services:
+  aws-cdk:
+    container_name: aws-cdk
+    build:
+      context: .
+      dockerfile: ./dockerfiles/cdk_python
+    environment:
+      - AWS_ACCESS_KEY_ID=${aws_access_key_id}
+      - AWS_SECRET_ACCESS_KEY=${aws_secret_access_key}
+      - AWS_SESSION_TOKEN=${aws_session_token}
+      - AWS_DEFAULT_REGION=${default_region}
+      - AWS_DEFAULT_ACCOUNT=${default_account}
+    volumes:
+      - ./:/app
diff --git a/awscdk/dockerfiles/cdk_python b/awscdk/dockerfiles/cdk_python
@@ -0,0 +1,14 @@
+FROM node:20.17.0-alpine3.20
+#FROM node:20.15.1-alpine3.20
+
+# Update to the latest npm
+RUN npm install npm@latest -g
+#RUN npm install -g npm@10.7.0
+
+# add python and pip
+RUN apk add --no-cache python3 py3-pip
+
+# install aws-cdk and set its log level to debug
+RUN npm install -g aws-cdk@2.155.0
+
+WORKDIR /app
diff --git a/awscdk/phoenix/.gitignore b/awscdk/phoenix/.gitignore
@@ -0,0 +1,11 @@
+*.swp
+package-lock.json
+__pycache__
+.pytest_cache
+.venv
+.env
+*.egg-info
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
diff --git a/awscdk/phoenix/README.md b/awscdk/phoenix/README.md
@@ -0,0 +1,58 @@
+
+# Welcome to your CDK Python project!
+
+This is a blank project for CDK development with Python.
+
+The `cdk.json` file tells the CDK Toolkit how to execute your app.
+
+This project is set up like a standard Python project.  The initialization
+process also creates a virtualenv within this project, stored under the `.venv`
+directory.  To create the virtualenv it assumes that there is a `python3`
+(or `python` for Windows) executable in your path with access to the `venv`
+package. If for any reason the automatic creation of the virtualenv fails,
+you can create the virtualenv manually.
+
+To manually create a virtualenv on MacOS and Linux:
+
+```
+$ python3 -m venv .venv
+```
+
+After the init process completes and the virtualenv is created, you can use the following
+step to activate your virtualenv.
+
+```
+$ source .venv/bin/activate
+```
+
+If you are a Windows platform, you would activate the virtualenv like this:
+
+```
+% .venv\Scripts\activate.bat
+```
+
+Once the virtualenv is activated, you can install the required dependencies.
+
+```
+$ pip install -r requirements.txt
+```
+
+At this point you can now synthesize the CloudFormation template for this code.
+
+```
+$ cdk synth
+```
+
+To add additional dependencies, for example other CDK libraries, just add
+them to your `setup.py` file and rerun the `pip install -r requirements.txt`
+command.
+
+## Useful commands
+
+ * `cdk ls`          list all stacks in the app
+ * `cdk synth`       emits the synthesized CloudFormation template
+ * `cdk deploy`      deploy this stack to your default AWS account/region
+ * `cdk diff`        compare deployed stack with current state
+ * `cdk docs`        open CDK documentation
+
+Enjoy!
diff --git a/awscdk/phoenix/README_docker_compose.md b/awscdk/phoenix/README_docker_compose.md
@@ -0,0 +1,51 @@
+# Bento cdk project:  Bento AWS
+
+## Prerequisites
+
+This project was built based on the python implementation detailed at:
+- https://docs.aws.amazon.com/cdk/latest/guide/getting_started.html
+
+The project can be built using the included docker-compose file to install prerequisites or they can be installed locally. 
+
+
+### Using docker-compose
+
+Once the repo has been cloned a dev container can be started from the cdk/awscdk folder using the following command:
+
+```bash
+docker-compose run aws-cdk sh
+docker compose run aws-cdk sh
+```
+
+This will start a container with all required applications installed and map the awscdk/bento folder as its workspace.
+
+
+## Initialize the bento cdk project
+
+In order to build the bento cdk files you will need to get the required python modules (this command should be run in the bento folder):
+
+```bash
+pip3 install --ignore-installed --break-system-packages -r requirements.txt
+```
+
+
+## Configure the config.ini file
+
+The CDK script get configuration settings from a config.ini file, in order to properly run this project you will need to create this file with the proper values populated. This file can be created by copying the included config.ini.template file and adding in values for any missing information.
+
+
+## Build Cloudformation scripts for the bento cdk project
+
+After modules are installed you can run cdk commands on your stack:
+
+```bash
+cdk synth
+cdk bootstrap
+cdk deploy
+cdk diff
+cdk destroy
+```
+
+To skip approval step:  --require-approval never
+
+* Note: an appropriate tier must be specified in bento.properties in order to build the bento scripts - if valid tiers are created or removed for this project getArgs.py must be updated to reflect these changes
diff --git a/awscdk/phoenix/app.py b/awscdk/phoenix/app.py
@@ -0,0 +1,70 @@
+#!/usr/bin/env python3
+import os, sys
+import logging
+import aws_cdk as cdk
+
+from configparser import ConfigParser, ExtendedInterpolation
+from aws_cdk import aws_iam as iam
+
+from app.stack import Stack
+from app.aspects import MyAspect
+
+# Read config
+config = ConfigParser(interpolation=ExtendedInterpolation())
+config.read("config.ini")
+
+if __name__=="__main__":
+  logging.basicConfig(format='%(asctime)s [%(levelname)5s] %(message)s',
+                        datefmt='%Y-%m-%dT%H:%M:%S',
+                        level=logging.NOTSET)
+
+  if config.has_option('iam', 'role_prefix'):
+    synthesizer = cdk.DefaultStackSynthesizer(
+        # ARN of the role assumed by the CLI and Pipeline to deploy here
+        deploy_role_arn="arn:${AWS::Partition}:iam::${AWS::AccountId}:role/" + config['iam']['role_prefix'] + "-cdk-${Qualifier}-deploy-role-${AWS::Region}",
+
+        # ARN of the role used for file asset publishing (assumed from the CLI role)
+        file_asset_publishing_role_arn="arn:${AWS::Partition}:iam::${AWS::AccountId}:role/" + config['iam']['role_prefix'] + "-cdk-${Qualifier}-file-publishing-role-${AWS::Region}",
+
+        # ARN of the role used for Docker asset publishing (assumed from the CLI role)
+        image_asset_publishing_role_arn="arn:${AWS::Partition}:iam::${AWS::AccountId}:role/" + config['iam']['role_prefix'] + "-cdk-${Qualifier}-image-publishing-role-${AWS::Region}",
+
+        # ARN of the role passed to CloudFormation to execute the deployments
+        cloud_formation_execution_role="arn:${AWS::Partition}:iam::${AWS::AccountId}:role/" + config['iam']['role_prefix'] + "-cdk-${Qualifier}-cfn-exec-role-${AWS::Region}",
+
+        # ARN of the role used to look up context information in an environment
+        lookup_role_arn="arn:${AWS::Partition}:iam::${AWS::AccountId}:role/" + config['iam']['role_prefix'] + "-cdk-${Qualifier}-lookup-role-${AWS::Region}",
+      )
+  else:
+    synthesizer = cdk.DefaultStackSynthesizer()
+
+  app = cdk.App()
+
+  stack_name="{}-{}".format(config['main']['resource_prefix'], config['main']['tier'])
+  stack = Stack(
+    app,
+    stack_name,
+    synthesizer=synthesizer,
+    env=cdk.Environment(
+      account=config['main']['account_id'],
+      region=config['main']['region']
+    ),
+  ) 
+
+  # Rename all roles to add role prefix
+  cdk.Aspects.of(stack).add(MyAspect())
+
+  # set permission boundary on all roles
+  if config.has_option('iam', 'permission_boundary'):
+    boundary = iam.ManagedPolicy.from_managed_policy_arn(stack, "Boundary", config['iam']['permission_boundary'])
+    iam.PermissionsBoundary.of(stack).apply(boundary)
+
+  config_tags = dict(s.split(':') for s in config['main']['tags'].split(","))
+  env_tags = {'Environment': config['main']['tier']}
+  tags = config_tags | env_tags
+
+
+  for tag,value in tags.items():
+    cdk.Tags.of(stack).add(tag, value)
+
+  app.synth()
diff --git a/awscdk/phoenix/app/__init__.py b/awscdk/phoenix/app/__init__.py
diff --git a/awscdk/phoenix/app/aspects.py b/awscdk/phoenix/app/aspects.py
@@ -0,0 +1,20 @@
+import aws_cdk as cdk
+import jsii
+from constructs import Construct, IConstruct
+from configparser import ConfigParser, ExtendedInterpolation
+from aws_cdk import aws_iam as iam
+
+# Read config
+config = ConfigParser(interpolation=ExtendedInterpolation())
+config.read("config.ini")
+
+@jsii.implements(cdk.IAspect)
+class MyAspect:
+    def visit(self, node):
+
+        if isinstance(node, iam.CfnRole):
+            if config.has_option('iam', 'role_prefix'):
+                resolvedLogicalId = cdk.Stack.of(node).resolve(node.logical_id)
+                roleName = config['iam']['role_prefix'] + '-' + resolvedLogicalId
+                roleName = roleName[:64]  # Ensure the role name is within the 64 character limit
+                node.role_name = roleName