Verification: Frontend Deployment Pipeline

Traceability Matrix

Requirement	Verification	Run	Status
REQ-INFRA-001	Demo Amplify app exists, connected to `demo` branch, auto-build disabled, site loads at `demo.alpha001.app.arda.cards`	1	Pending
REQ-INFRA-002	`amplifyBranch.cfn.yaml` validates with `EnableAutoBuild` parameter; Kyle deployment unaffected (auto-build still `true`)	1	Pending
REQ-INFRA-003	CloudFormation export `Alpha001-demo-I-AmplifyBranchName` available after stack deployment	1	Pending
REQ-INFRA-004	`amplifyExports.cfn.yaml` validates; produces correct exports when deployed with test parameters	4	Pending
REQ-INFRA-005	`amm.sh` contains all four mapping constants; gate condition allows `Alpha001/demo` and `SandboxKyle002/kyle`; blocks other pairs	1	Pending
REQ-INFRA-006	`amm.yml` workflow uses `secrets[format('ARDA_API_KEY_{0}', partition)]`; demo deployment receives correct API key	1	Pending
REQ-INFRA-007	IAM role exists in both accounts; `aws iam get-role` succeeds; OIDC assumption works from `arda-frontend-app` `demo` branch	1	Pending
REQ-WF-001	`deploy.yaml` triggers on `demo` branch, deploys to demo partition, Amplify build succeeds	2	Pending
REQ-WF-002	`redeploy.yaml` deploys a specific SHA to demo; CI check gate functions correctly	3	Pending
REQ-WF-003	Reusable workflow: purpose-config fetch, OIDC assume, CloudFormation export read, `StartJob`, `GetJob` poll all succeed	2	Pending
REQ-WF-004	GitHub environments exist with correct protection rules; `stage`/`prod` pause for approval	2	Pending
REQ-CUT-001	Each partition migrated and verified individually: auto-build disabled, deployment succeeds, site functional	4	Pending
REQ-CUT-002	Test PR triggers Amplify preview build; preview URL posted on PR; sign-in works; cleanup on PR close	4	Pending
REQ-CUT-003	Rollback dry-run: `redeploy.yaml` deploys previous SHA to `dev` successfully	4	Pending
REQ-CUT-004	`deploy.yaml` on `main` triggers via `workflow_run` on CI success; `workflow_dispatch` also works	4	Pending
REQ-DOC-001	Frontend development guide exists at expected path; covers all required topics	4	Pending
REQ-DOC-002	`rollback-plan.md` exists with per-partition commands before cutover begins	4	Pending
REQ-DOC-003	`post-cutover-instructions.md` exists with all deferred procedures documented	4	Pending

Verification Commands

Infrastructure (Run 1)

# REQ-INFRA-001: Demo Amplify app exists
aws amplify get-app --app-id "$(aws cloudformation list-exports \
  --region us-east-1 --output text \
  --query "Exports[?Name=='Alpha001-demo-I-AmplifyAppId'].Value")" \
  --region us-east-1

# REQ-INFRA-001: Auto-build disabled
aws amplify get-branch --app-id {demo-app-id} --branch-name demo \
  --region us-east-1 \
  --query "branch.enableAutoBuild"
# Expected: false

# REQ-INFRA-002: Template validates
aws cloudformation validate-template \
  --template-body file://src/main/cfn/amplifyBranch.cfn.yaml

# REQ-INFRA-003: Branch name export available
aws cloudformation list-exports --region us-east-1 --output text \
  --query "Exports[?Name=='Alpha001-demo-I-AmplifyBranchName'].Value"
# Expected: demo

# REQ-INFRA-004: Export template validates
aws cloudformation validate-template \
  --template-body file://src/main/cfn/amplifyExports.cfn.yaml

# REQ-INFRA-007: IAM role exists (Alpha001)
aws iam get-role --role-name Alpha001-API-GitHubActionFrontEnd
# REQ-INFRA-007: IAM role exists (Alpha002)
aws iam get-role --role-name Alpha002-API-GitHubActionFrontEnd

Workflows (Run 2)

# REQ-WF-001/003: Trigger deploy.yaml on demo branch via GitHub Actions UI
# Verify in workflow logs:
#   - purpose-config fetch succeeded
#   - OIDC role assumption succeeded (aws sts get-caller-identity)
#   - StartJob returned a jobId
#   - GetJob polling shows SUCCEED
#   - demo.alpha001.app.arda.cards loads

# REQ-WF-004: Environments exist
gh api repos/Arda-cards/arda-frontend-app/environments

Validation (Run 3)

# REQ-WF-002: Redeploy with specific SHA
# Trigger redeploy.yaml with an older commit SHA from demo branch
# Verify Amplify Console shows the specified commit in the build log

# REQ-CUT-003: CI check gate
# Attempt redeploy with a SHA that has no CI status
# Verify workflow handles it (runs CI inline or aborts)

Cutover (Run 4)

# REQ-CUT-001: Auto-build disabled per partition
aws amplify get-branch --app-id d38w5m1ngjza76 --branch-name dev \
  --region us-east-1 --query "branch.enableAutoBuild"
aws amplify get-branch --app-id d1kbrvra79y8sc --branch-name stage \
  --region us-east-1 --query "branch.enableAutoBuild"
aws amplify get-branch --app-id duhexavnwh88g --branch-name main \
  --region us-east-2 --query "branch.enableAutoBuild"
# All expected: false

# REQ-CUT-001: Export stacks deployed (all in us-east-1)
aws cloudformation list-exports --region us-east-1 --output text \
  --query "Exports[?Name=='Alpha002-dev-I-AmplifyAppId'].Value"
aws cloudformation list-exports --region us-east-1 --output text \
  --query "Exports[?Name=='Alpha002-stage-I-AmplifyAppId'].Value"
aws cloudformation list-exports --region us-east-1 --output text \
  --query "Exports[?Name=='Alpha001-prod-I-AmplifyAppId'].Value"

# REQ-CUT-002: PR preview enabled (automated check)
aws amplify get-branch --app-id d38w5m1ngjza76 --branch-name dev \
  --region us-east-1 --query "branch.enablePullRequestPreview"
# Expected: true

# REQ-CUT-002: PR preview functional (manual verification)
# 1. Open a test PR against `main` in arda-frontend-app
# 2. Wait for Amplify to build the PR branch (webhook-triggered, independent of GHA)
# 3. Verify Amplify posts the preview URL as a comment on the PR
#    (e.g., pr-{N}.d38w5m1ngjza76.amplifyapp.com)
# 4. Visit the preview URL — page loads without errors
# 5. Sign in with test credentials — sign-in works (USER_PASSWORD_AUTH, no callback URL needed)
# 6. Push a new commit to the PR branch — verify it redeploys to the same URL
# 7. Close the PR — verify the preview deployment is deleted