Infrastructure Stream — Changelog

Authoritative artefacts:

  • partitionSecrets.cfn.yaml: new AmazonCreatorsApi parameter (JSON string, MinLength:1, NoEcho:true), AmazonCreatorsApiSecret resource (${Infrastructure}-${Partition}-AmazonCreatorsApi), and AmazonCreatorsApiArn output exported as ${Infrastructure}-${Partition}-I-AmazonCreatorsApiArn.
  • amplify.cfn.yaml: four new EnvironmentVariables entries (AMAZON_CREATORS_CREDENTIAL_ID, AMAZON_CREATORS_CREDENTIAL_SECRET, AMAZON_CREATORS_CREDENTIAL_VERSION, AMAZON_ASSOCIATE_TAG) resolving via {{resolve:secretsmanager:...:SecretString:::}} — applies to full-IaC partitions only (Alpha001:demo).
  • amm.sh:
    • resolve_amazon_credentials() reads four fields from op://${VAULT}/Amazon Creators API/{field}, validates non-empty, and produces a JSON string via jq -n.
    • partitionSecrets CFN deploy now passes AmazonCreatorsApi=$AMAZON_CREATORS_API_JSON.
    • Partial-IaC jq-merge block (Step 2.5.3) extended to fetch ${infrastructure}-${partition}-AmazonCreatorsApi from Secrets Manager and inject all four AMAZON_* env vars into the Amplify app alongside the existing CLOUDFRONT_KEY_PAIR_ID conditional.
    • Inline-BuildSpec drift check at the top of each partition’s deploy loop fails fast with a remediation command if a non-empty inline BuildSpec is detected.
  • .github/workflows/amm.yml: installs the op CLI via 1password/install-cli-action@v1 before the “Apply AMM” step; exposes OP_SERVICE_ACCOUNT_TOKEN (already-provisioned GH Org secret). 1Password remains the single source of truth — no parallel AMAZON_CREATORS_API_JSON_<partition> GH-secret pattern was introduced.
  • One-time out-of-band action (Task 8b, completed before merge): all four Amplify apps had their inline BuildSpec cleared to whitespace, so future builds read amplify.yml from the connected branch.

Fixed (PR #451 — incidental cleanups in scope)

  • PARTITION_VAULT_MAP[prod] corrected from SystemsOAM to ProdOAM, aligning the production partition’s credential lookup with the actual vault that holds production secrets. In scope because this PR introduces the first new prod-vault reads.
  • Drift check now treats both the AWS CLI --output text null marker (None) and JSON null as empty, preventing false-positive drift failures on partitions where buildSpec is unset.
  • SSO login moved before the drift-check AWS calls so an expired local session produces an explicit auth error rather than a silently-skipped check.
  • Partial-IaC Amazon credential merge validates each jq-extracted field (credentialId, credentialSecret, version, associateTag) is non-empty and not null before updating Amplify env vars.
  • AMAZON_CREATORS_API_JSON cleared at the start of each partition iteration so a multi-partition all invocation resolves credentials from the correct per-partition vault rather than reusing the first partition’s.
  • Amazon credential values registered with the GitHub Actions log redactor (::add-mask::) before any code path can echo them.
  • amm.sh targets the correct AWS region on every internal aws amplify ... call by resolving a per-partition amplify_region from AMPLIFY_REGION_OVERRIDES (with the script’s AWS_REGION as default) and passing it explicitly via --region at every call site. Surfaced during the v1 prod rollout: Alpha001:prod’s Amplify app is in us-east-2 while the rest of Alpha001 is in us-east-1, so the drift check and env-var update had been silently failing against prod with NotFoundException. Resolution priority is now --region flag > AWS_REGION env > AWS_DEFAULT_REGION env > active profile’s default region; the resolution runs after the auto-derived AWS_DEFAULT_PROFILE so the profile-default lookup targets the same profile the rest of the script uses.
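The inline-BuildSpec drift check and its None/null normalisation, as an added example that is not the project's amm.sh. The fetcher command is injected so the check runs offline; the fetch_buildspec helper and the remediation command are an assumed form of the AWS CLI calls, and the app id is a constructed placeholder.

```shell
#!/usr/bin/env bash
# Added example, not the project's amm.sh: inline-BuildSpec drift check with the
# "None" / JSON-null normalisation from the changelog. The fetcher is injected so
# the logic can be exercised offline; amm.sh itself calls the AWS CLI.
set -eu

# True (0) when a BuildSpec value means "no inline BuildSpec": empty, whitespace-only
# (apps were cleared to whitespace in Task 8b), the `--output text` null marker
# "None", or a JSON null from `--output json`.
buildspec_is_empty() {
  local squashed
  squashed="$(printf '%s' "${1-}" | tr -d '[:space:]')"
  case "$squashed" in
    ""|None|null) return 0 ;;
    *)            return 1 ;;
  esac
}

# Usage: check_buildspec_drift APP_ID REGION FETCHER [FETCHER_ARGS...]
# FETCHER prints the app's current BuildSpec. On drift, prints a remediation
# command and returns 1 so the deploy loop can fail fast before building.
check_buildspec_drift() {
  local app_id="$1" region="$2" current
  shift 2
  current="$("$@")"   # a failing fetcher (e.g. NotFoundException) aborts under set -e
  if buildspec_is_empty "$current"; then
    return 0
  fi
  echo "ERROR: Amplify app ${app_id} (${region}) has a non-empty inline BuildSpec; builds will ignore amplify.yml." >&2
  echo "Remediate with: aws amplify update-app --app-id ${app_id} --region ${region} --build-spec ' '" >&2
  return 1
}

# Real fetcher (assumed form): region passed explicitly at the call site, as the
# changelog requires for every internal aws amplify call.
fetch_buildspec() {
  aws amplify get-app --app-id "$1" --region "$2" --query 'app.buildSpec' --output text
}

# Example invocation with a constructed placeholder app id:
# check_buildspec_drift d1234example us-east-2 fetch_buildspec d1234example us-east-2
```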