Feature: Deploy BADGERS Frontend as Authenticated Web Application (ECS Fargate + Cognito)

[rbpotter-aws]

Deploy BADGERS Frontend as Authenticated Web Application (ECS Fargate + Cognito)

Description

Add a deployment path for running the BADGERS Gradio frontend as a shared, authenticated web application using ECS Fargate, ALB, and Cognito.

Currently the frontend runs locally. This issue covers packaging it for multi-user access with infrastructure-layer authentication so no auth code changes are needed in the application itself.

Scope

• Dockerfile for the Gradio frontend (Python 3.12-slim, port 7860, health check)
• One-line app change: bind server_name="0.0.0.0" in demo.launch()
• Cognito User Pool with admin-only registration, MFA, and hosted UI domain
• ALB with HTTPS listener, Cognito authenticate-cognito action, HTTP→HTTPS redirect
• ECS Fargate service in private subnets behind the ALB
• IAM task role scoped to S3 buckets, Bedrock AgentCore, SSM parameters, and CloudWatch Logs
• Task definition pulling config values from SSM/Secrets Manager (no hardcoded secrets)
• VPC networking: ALB in public subnets, Fargate tasks and AgentCore Runtime in private subnets, NAT gateway for outbound
• AgentCore Runtime deployed in VPC mode (networkMode: "VPC") sharing the frontend VPC for private connectivity
• PrivateLink VPC endpoints for AgentCore data plane (com.amazonaws.region.bedrock-agentcore), Gateway (com.amazonaws.region.bedrock-agentcore.gateway), and control plane (com.amazonaws.region.bedrock-agentcore-control) — all AgentCore traffic stays on the AWS backbone
• JWT verification utility (x-amzn-oidc-data header) for per-user identity in Gradio handlers
• Per-user session tracking: correlate Gradio sessions with authenticated user identity (sub / email from the ALB-injected JWT) for audit logging and usage attribution
• CDK stack(s) for the full infrastructure (VPC, ALB, Cognito, ECS, IAM, ECR) consistent with the existing deployment/stacks/ pattern, including the existing deployment_tags tagging convention (_apply_common_tags on all resources, _apply_resource_tags per resource)
• TLS: self-signed ACM certificate generated by default so cdk deploy works out of the box; optional CDK context parameter to supply a custom ACM cert ARN or domain for production use
• Security hardening defaults in the CDK stack: WAF on the ALB (rate limiting, bot mitigation), read-only root filesystem on Fargate tasks, non-root container user, ECR image scanning enabled on push, ECS Exec disabled
• Optional CDK context flag for VPC Flow Logs (off by default due to cost; documented as recommended for production)
• Configuration file (frontend-cdk-deployment-config.json) with sensible defaults so cdk deploy works out of the box — customers only override what they need:

{
  "frontend": {
    "acm_certificate_arn": "",
    "custom_domain": "",
    "vpc_flow_logs": false,
    "log_retention_days": 30,
    "allowed_cidrs": ["0.0.0.0/0"],
    "fargate_cpu": 512,
    "fargate_memory": 1024,
    "desired_count": 1
  }
}

• Documentation covering: building and pushing the Docker image to ECR, cdk deploy usage and required context parameters, how to supply a custom ACM certificate or domain, creating and managing Cognito users, corporate SSO/SAML/OIDC integration with the Cognito User Pool, how to use a direct OIDC provider (e.g. Okta) via the ALB's authenticate-oidc action as an alternative to Cognito, how per-user identity flows from ALB headers into the application, and a "cost items to watch" section covering VPC endpoints, NAT gateway data transfer, WAF, VPC Flow Logs, and CloudWatch log retention

Architecture

Browser → HTTPS → ALB (port 443)
                    ├─ Unauthenticated → Cognito Hosted UI → login
                    └─ Authenticated → ECS Fargate (port 7860) → BADGERS Gradio UI
                                         ├─ IAM Task Role → S3, SSM
                                         └─ PrivateLink VPC Endpoints → AgentCore Runtime, Gateway

Out of Scope

Auto-scaling policies.