aws-samples
diff --git a/‎infra/cdk/src/main/java/sample/com/constructs/Eks.java‎
Lines changed: 12 additions & 7 deletions b/‎infra/cdk/src/main/java/sample/com/constructs/Eks.java‎
Lines changed: 12 additions & 7 deletions
diff --git a/‎infra/cdk/src/main/java/sample/com/constructs/Ide.java‎
Lines changed: 4 additions & 2 deletions b/‎infra/cdk/src/main/java/sample/com/constructs/Ide.java‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎infra/cdk/src/main/resources/iam-policy.json‎
Lines changed: 10 additions & 0 deletions b/‎infra/cdk/src/main/resources/iam-policy.json‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎infra/cfn/base-stack.yaml‎
Lines changed: 21 additions & 21 deletions b/‎infra/cfn/base-stack.yaml‎
Lines changed: 21 additions & 21 deletions
diff --git a/‎infra/cfn/java-ai-agents-stack.yaml‎
Lines changed: 24 additions & 17 deletions b/‎infra/cfn/java-ai-agents-stack.yaml‎
Lines changed: 24 additions & 17 deletions
@@ -83,13 +83,6 @@ private Role createCloudWatchAgentRole(String prefix) {
                 .build()
         );
 
-        // Export role ARN for workshop content
-        CfnOutput.Builder.create(this, "CloudWatchAgentRoleArn")
-            .value(role.getRoleArn())
-            .description("CloudWatch Agent Pod Identity Role ARN")
-            .exportName(prefix + "-eks-cloudwatch-agent-role-arn")
-            .build();
-
         return role;
     }
 
@@ -132,6 +125,18 @@ private void createAccessEntries(EksProps props) {
                 .accessPolicies(List.of(clusterAdminPolicy))
                 .build();
         }
+
+        // Workshop Studio Participant Role Access Entry
+        // This grants the WSParticipantRole cluster admin permissions for local kubectl access
+        String accountId = software.amazon.awscdk.Stack.of(this).getAccount();
+        String participantRoleArn = "arn:aws:iam::" + accountId + ":role/WSParticipantRole";
+
+        AccessEntry.Builder.create(this, "ParticipantAccessEntry")
+            .cluster(cluster)
+            .principal(participantRoleArn)
+            .accessEntryType(AccessEntryType.STANDARD)
+            .accessPolicies(List.of(clusterAdminPolicy))
+            .build();
     }
 
     // Getters
 
@@ -417,13 +417,15 @@ public Ide(final Construct scope, final String id, final IdeProps props) {
             ideUrl = "https://" + distribution.getDistributionDomainName();
         }
 
-        CfnOutput.Builder.create(this, "Url")
+        // Create outputs at stack level with stable logical IDs for Workshop Studio
+        var stack = software.amazon.awscdk.Stack.of(this);
+        CfnOutput.Builder.create(stack, "IdeUrl")
             .value(ideUrl)
             .description("Workshop IDE Url")
             .exportName(instanceName + "-url")
             .build();
 
-        var idePasswordOutput = CfnOutput.Builder.create(this, "Password")
+        var idePasswordOutput = CfnOutput.Builder.create(stack, "IdePassword")
             .value(getIdePassword(instanceName))
             .description("Workshop IDE Password")
             .exportName(instanceName + "-password")
 
@@ -34,6 +34,7 @@
 				"application-autoscaling:*",
 				"application-signals:*",
 				"cloudformation:*",
+				"cloudtrail:*",
 				"cloudwatch:*",
 				"codewhisperer:*",
 				"ec2:*",
@@ -68,6 +69,15 @@
 				"arn:aws:iam::{{.AccountId}}:role/workshop-*"
 			]
 		},
+		{
+			"Sid": "CreateServiceLinkedRole",
+			"Effect": "Allow",
+			"Action": [
+				"iam:CreateServiceLinkedRole",
+				"iam:GetRole"
+			],
+			"Resource": "*"
+		},
 		{
 			"Sid": "DenyXXLInstances",
 			"Effect": "Deny",
 
@@ -676,6 +676,19 @@ Resources:
         Fn::GetAtt:
           - IdeInstanceLauncherFunction803C5A2A
           - Arn
+      InstanceTypes: m6a.xlarge,m7a.xlarge
+      InstanceName: ide
+      IamInstanceProfileArn:
+        Fn::GetAtt:
+          - IdeInstanceProfile61B92038
+          - Arn
+      VolumeSize: "50"
+      SubnetIds:
+        Fn::Join:
+          - ""
+          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
+            - ","
+            - Ref: VpcPublicSubnet2SubnetA811849C
       SecurityGroupIds:
         Fn::Join:
           - ""
@@ -686,19 +699,8 @@ Resources:
             - Fn::GetAtt:
                 - IdeInternalSecurityGroupB0A5D76B
                 - GroupId
-      SubnetIds:
-        Fn::Join:
-          - ""
-          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
-            - ","
-            - Ref: VpcPublicSubnet2SubnetA811849C
-      VolumeSize: "50"
-      IamInstanceProfileArn:
-        Fn::GetAtt:
-          - IdeInstanceProfile61B92038
-          - Arn
-      InstanceName: ide
-      InstanceTypes: m6a.xlarge,m7a.xlarge
+      ImageId:
+        Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter
       UserData:
         Fn::Base64:
           Fn::Join:
@@ -835,8 +837,6 @@ Resources:
                 "
                     exit 1
                 fi
-      ImageId:
-        Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
   IdeEipAssociationDFF81215:
@@ -1057,8 +1057,12 @@ Resources:
                             - Ref: IdePasswordSecretF907B9F2
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
+Parameters:
+  SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter:
+    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
+    Default: /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-x86_64
 Outputs:
-  IdeUrl45274C27:
+  IdeUrl:
     Description: Workshop IDE Url
     Value:
       Fn::Join:
@@ -1073,16 +1077,12 @@ Outputs:
               - password
     Export:
       Name: ide-url
-  IdePassword51C06AAD:
+  IdePassword:
     Description: Workshop IDE Password
     Value:
       Fn::GetAtt:
         - IdePasswordResource07883F17
         - password
     Export:
       Name: ide-password
-Parameters:
-  SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter:
-    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
-    Default: /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-x86_64
 
@@ -364,6 +364,7 @@ Resources:
               - bedrock-agentcore:*
               - bedrock:*
               - cloudformation:*
+              - cloudtrail:*
               - cloudwatch:*
               - codewhisperer:*
               - ec2:*
@@ -393,6 +394,12 @@ Resources:
               - !Sub arn:aws:iam::${AWS::AccountId}:role/unicorn*
               - !Sub arn:aws:iam::${AWS::AccountId}:role/workshop-*
             Sid: PassRole
+          - Action:
+              - iam:CreateServiceLinkedRole
+              - iam:GetRole
+            Effect: Allow
+            Resource: "*"
+            Sid: CreateServiceLinkedRole
           - Action: ec2:RunInstances
             Condition:
               StringLike:
@@ -761,6 +768,17 @@ Resources:
         Fn::GetAtt:
           - IdeInstanceLauncherFunction803C5A2A
           - Arn
+      IamInstanceProfileArn:
+        Fn::GetAtt:
+          - IdeInstanceProfile61B92038
+          - Arn
+      VolumeSize: "50"
+      SubnetIds:
+        Fn::Join:
+          - ""
+          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
+            - ","
+            - Ref: VpcPublicSubnet2SubnetA811849C
       SecurityGroupIds:
         Fn::Join:
           - ""
@@ -911,17 +929,6 @@ Resources:
                 fi
       InstanceTypes: m6a.xlarge,m7a.xlarge
       InstanceName: ide
-      IamInstanceProfileArn:
-        Fn::GetAtt:
-          - IdeInstanceProfile61B92038
-          - Arn
-      VolumeSize: "50"
-      SubnetIds:
-        Fn::Join:
-          - ""
-          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
-            - ","
-            - Ref: VpcPublicSubnet2SubnetA811849C
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
   IdeEipAssociationDFF81215:
@@ -1142,8 +1149,12 @@ Resources:
                             - Ref: IdePasswordSecretF907B9F2
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
+Parameters:
+  SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter:
+    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
+    Default: /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-x86_64
 Outputs:
-  IdeUrl45274C27:
+  IdeUrl:
     Description: Workshop IDE Url
     Value:
       Fn::Join:
@@ -1158,16 +1169,12 @@ Outputs:
               - password
     Export:
       Name: ide-url
-  IdePassword51C06AAD:
+  IdePassword:
     Description: Workshop IDE Password
     Value:
       Fn::GetAtt:
         - IdePasswordResource07883F17
         - password
     Export:
       Name: ide-password
-Parameters:
-  SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter:
-    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
-    Default: /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-x86_64