Fix stale API endpoint cache and improve deploy UX #16

Closed
carlosinfantes wants to merge 3 commits into main from fix/stale-endpoint-cache

@carlosinfantes
Owner

Summary

  • Fix stale endpoint cache: After a destroy+redeploy, the CLI used a cached API Gateway URL that no longer exists, causing DNS resolution failures. Now CloudFormation is queried first (always fresh), with cache as fallback only when CFN is unavailable. Profile is included in the cache key to prevent cross-profile collisions.
  • Add ./deploy.sh --setup-role: One-command assessment role creation with deterministic External ID and ready-to-paste assess command output.
  • Improve post-deploy next steps: Copy-pasteable commands with actual profile, account ID, role ARN, and external ID filled in.
  • Add CLI uninstall hint: destroy.sh now shows pip uninstall cloudsecure in the teardown summary.

Test plan

  • Full lifecycle tested: destroy → deploy → setup-role → assess → report → teardown (profile lkf, account 748901516722)
  • Verified stale cache no longer causes failures after redeploy
  • Shell syntax validation (bash -n) passes
  • Pre-commit hooks pass

🤖 Generated with Claude Code

Carlos Infantes and others added 3 commits March 5, 2026 09:55
Add --upgrade flag to deploy.sh that reads existing .env config and
upgrades specific components without interactive prompts. Supports:
  --upgrade all      (infra + prowler + cli)
  --upgrade infra    (CDK stacks)
  --upgrade prowler  (Docker Hub → ECR + Lambda redeploy)
  --upgrade cli      (PyPI upgrade)

Includes visual version indicators showing installed vs latest
versions with color-coded status (up to date / update available).
Queries PyPI for CLI and Docker Hub for Prowler latest versions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Avoids cross-stack SharedLayer export conflict by using
aws lambda update-function-code directly for Prowler image updates.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The CLI cached the API Gateway endpoint indefinitely in
~/.cloudsecure/config.json. After a destroy+redeploy the API Gateway ID
changes but the stale cached URL was used, causing DNS resolution failures.

Fix: Invert resolution priority — always query CloudFormation first for a
fresh endpoint, fall back to cache only when CFN is unavailable (offline or
lacking permissions). Also include the AWS profile in the cache key to
prevent cross-profile collisions.

Additionally improves the first-time user experience:
- Add ./deploy.sh --setup-role to automate assessment role creation
- Improve post-deploy next steps with copy-pasteable commands
- Add CLI uninstall hint to destroy.sh teardown summary

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
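
The resolution order described in the last commit message (CloudFormation first, cache only as a fallback, profile in the cache key), as an added sketch that is not the project's own code. `resolve_endpoint`, the injected `query_cfn` callable, the `profile:region` key layout and the `example.invalid` URLs are hypothetical and constructed for illustration.

```python
import json
import tempfile
from pathlib import Path


def resolve_endpoint(profile, region, query_cfn, cache_path):
    """Return (endpoint, source); source is 'cloudformation' or 'cache'."""
    key = f"{profile}:{region}"  # hypothetical key layout that includes the profile
    try:
        cache = dict(json.loads(cache_path.read_text()))
    except (OSError, ValueError, TypeError):
        cache = {}  # missing or corrupt cache must not block the fresh lookup
    try:
        endpoint = query_cfn(profile, region)  # CloudFormation is asked first
    except Exception:
        if key in cache:  # fallback only when the live lookup failed
            return cache[key], "cache"
        raise
    cache[key] = endpoint  # refresh the fallback entry
    cache_path.write_text(json.dumps(cache))
    return endpoint, "cloudformation"


def demo():
    """Constructed scenario: redeploy changes the API id, then CFN goes offline."""
    state = {"url": "https://old111.example.invalid/prod", "up": True}

    def fake_cfn(profile, region):  # stand-in for the real stack-output query
        if not state["up"] or profile != "dev":
            raise ConnectionError("CloudFormation unavailable")
        return state["url"]

    with tempfile.TemporaryDirectory() as tmp:
        cache_path = Path(tmp) / "config.json"
        first = resolve_endpoint("dev", "eu-west-1", fake_cfn, cache_path)
        state["url"] = "https://new222.example.invalid/prod"  # destroy + redeploy
        fresh = resolve_endpoint("dev", "eu-west-1", fake_cfn, cache_path)
        state["up"] = False  # CloudFormation now unreachable
        offline = resolve_endpoint("dev", "eu-west-1", fake_cfn, cache_path)
        try:  # a different profile must not pick up the "dev" entry
            other = resolve_endpoint("prod", "eu-west-1", fake_cfn, cache_path)
        except ConnectionError:
            other = None
    return first, fresh, offline, other


if __name__ == "__main__":
    print(demo())
```

Returning the source alongside the endpoint lets a caller tell the user when a cached, possibly stale URL is in use.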