Suggestions

1. Add Cleanup Script for Development Environments

Context: Failed deployments leave RETAIN resources (S3 bucket, Secrets Manager secret, CloudFront PublicKey/KeyGroup) that block redeployment. Manual cleanup is error-prone and order-dependent.

Suggestion: Create tools/cleanup-image-storage.sh that accepts a partition prefix and deletes all orphaned resources in the correct order.

Effort: Small (1-2 hours). Priority: Medium.

2. Fix Pre-Existing CORS Logic in UploadBucket

Context: The CORS branch condition in public-upload-bucket.ts is inverted (same bug we fixed in ImageAssetBucket). An empty appUrls list creates a CORS configuration with empty origins instead of omitting CORS.

Suggestion: Apply the same fix pattern from image-asset-bucket.ts. Tracked in: infrastructure#433.

3. Fix Hardcoded Domain Regex in Certificate Cleanup

Context: All 4 Route53RegexDelete instances use a hardcoded arda.cards regex. Won’t work with overrideDomainName.

Suggestion: Build regex from baselineDomainName or use ^_.*$ (scoped to zone anyway). Tracked in: infrastructure#436.

Context: ci-root-check.js exists but isn’t part of the CI workflow. Root configuration changes aren’t validated in PR checks.

Suggestion: Add a ci-root-check job to ci.yaml, or integrate it into the existing build job.

Effort: Small. Priority: Medium.

5. Add Hash Sanitization for Snapshot Tests

Context: Lambda asset hashes differ between local and CI, making snapshot tests for stacks with Lambdas environment-dependent.

Suggestion: Add a snapshot serializer that replaces asset hash patterns with stable placeholders before comparison.

Effort: Small. Priority: Low (deferred to #433).
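
The sanitizing step such a serializer would apply, as an added example (not code from the Arda repository). It assumes asset hashes are 64-character lowercase hex strings, as in a Lambda `S3Key`; `sanitizeAssetHashes`, `sampleTemplate` and the sample resources are hypothetical names.

```typescript
// Added example; all names here are hypothetical, not from the Arda code base.
// Assumption: an asset hash is a run of exactly 64 lowercase hex characters,
// as in a Lambda "S3Key": "<sha256>.zip" entry of a synthesized template.
const ASSET_HASH = /\b[a-f0-9]{64}\b/g;

// Return a deep copy of a synthesized template with every asset hash replaced
// by a numbered placeholder. The same hash always gets the same number, so the
// snapshot still shows which resources share an asset.
function sanitizeAssetHashes(template: unknown): unknown {
  const seen: Record<string, string> = {};
  let count = 0;
  const placeholder = (hash: string): string => {
    let p = seen[hash];
    if (p === undefined) {
      p = `[ASSET-HASH-${++count}]`;
      seen[hash] = p;
    }
    return p;
  };
  const walk = (node: unknown): unknown => {
    if (typeof node === "string") return node.replace(ASSET_HASH, placeholder);
    if (Array.isArray(node)) return node.map(walk);
    if (node !== null && typeof node === "object") {
      const src = node as Record<string, unknown>;
      const out: Record<string, unknown> = {};
      for (const key of Object.keys(src)) out[key] = walk(src[key]);
      return out;
    }
    return node; // numbers, booleans and null pass through unchanged
  };
  return walk(template);
}

// Constructed sample: two templates that differ only in asset hash values,
// standing in for the local and CI synth output of one stack.
const hex64 = (c: string): string => new Array(65).join(c); // 64 copies of c
function sampleTemplate(codeHash: string, layerHash: string): unknown {
  return { Resources: {
    ThumbnailFn: { Type: "AWS::Lambda::Function",
      Properties: { Code: { S3Key: `${codeHash}.zip` }, Timeout: 30 } },
    SharedLayer: { Type: "AWS::Lambda::LayerVersion",
      Properties: { Content: { S3Key: `${layerHash}.zip` } } },
  } };
}
const LOCAL = sanitizeAssetHashes(sampleTemplate(hex64("a"), hex64("b")));
const CI = sanitizeAssetHashes(sampleTemplate(hex64("c"), hex64("d")));
// In a Jest test, apply it before the comparison:
// expect(sanitizeAssetHashes(Template.fromStack(stack).toJSON())).toMatchSnapshot();
```

Placeholders are numbered in traversal order, so two environments produce identical output only when the templates have the same structure, which is what the snapshot is meant to check.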

6. Consider CDK Aspects for Security Policy Enforcement

Context: Security properties (BlockPublicAccess, SSE-S3, enforceSSL) are manually set per construct. No automated enforcement.

Suggestion: Implement CDK Aspects that validate all S3 buckets have BlockPublicAccess, all IAM roles have bounded permissions, etc. cdk-nag (now installed) covers some of this, but custom Aspects can enforce Arda-specific policies.

Effort: Medium. Priority: Low (tracked in #433, #434).

7. Automate verify-image-cdn.ts Parameter Resolution

Context: The verification script requires 5-6 CLI parameters that must be manually collected from CloudFormation exports.

Suggestion: Add a --auto-resolve flag that reads exports directly from CloudFormation given the infrastructure and partition IDs.

Effort: Small. Priority: Low.


Copyright: (c) Arda Systems 2025-2026, All rights reserved