code-dot-org · cat5inthecradle · Jul 30, 2025 · Jul 30, 2025 · Jul 30, 2025 · Jul 30, 2025
diff --git a/.ruby-version b/.ruby-version
@@ -1 +1 @@
-2.7.8
+3.3.8
diff --git a/api-gateway-routes/Gemfile b/api-gateway-routes/Gemfile
@@ -1,7 +1,7 @@
 # Gemfile
 source 'https://rubygems.org'
 
-ruby '~> 2.7'
+ruby '~> 3.3'
 
 gem 'aws-sdk-lambda', '1.39.0'
 gem 'aws-sdk-sqs', '1.38.0'

diff --git a/api-gateway-routes/Gemfile.lock b/api-gateway-routes/Gemfile.lock
@@ -1,34 +1,41 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    aws-eventstream (1.1.1)
-    aws-partitions (1.443.0)
-    aws-sdk-core (3.113.1)
-      aws-eventstream (~> 1, >= 1.0.2)
-      aws-partitions (~> 1, >= 1.239.0)
-      aws-sigv4 (~> 1.1)
-      jmespath (~> 1.0)
+    aws-eventstream (1.4.0)
+    aws-partitions (1.1139.0)
+    aws-sdk-core (3.228.0)
+      aws-eventstream (~> 1, >= 1.3.0)
+      aws-partitions (~> 1, >= 1.992.0)
+      aws-sigv4 (~> 1.9)
+      base64
+      bigdecimal
+      jmespath (~> 1, >= 1.6.1)
+      logger
     aws-sdk-lambda (1.39.0)
       aws-sdk-core (~> 3, >= 3.71.0)
       aws-sigv4 (~> 1.1)
     aws-sdk-sqs (1.38.0)
       aws-sdk-core (~> 3, >= 3.112.0)
       aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.2.3)
+    aws-sigv4 (1.12.1)
       aws-eventstream (~> 1, >= 1.0.2)
-    jmespath (1.4.0)
-    minitest (5.15.0)
+    base64 (0.3.0)
+    bigdecimal (3.2.2)
+    jmespath (1.6.2)
+    logger (1.7.0)
+    minitest (5.25.5)
 
 PLATFORMS
   ruby
+  x86_64-linux
 
 DEPENDENCIES
   aws-sdk-lambda (= 1.39.0)
   aws-sdk-sqs (= 1.38.0)
   minitest (~> 5.5)
 
 RUBY VERSION
-   ruby 2.7.4p191
+   ruby 3.3.8p144
 
 BUNDLED WITH
-   1.17.3
+   2.5.22
diff --git a/cicd/3-app/javabuilder/buildspec.yml b/cicd/3-app/javabuilder/buildspec.yml
@@ -2,7 +2,7 @@ version: 0.2
 phases:
   install:
     runtime-versions:
-      ruby: 2.7
+      ruby: 3.3.8
       java: corretto11
       python: 3.8
     commands:

diff --git a/cicd/3-app/javabuilder/pr-buildspec.yml b/cicd/3-app/javabuilder/pr-buildspec.yml
@@ -2,7 +2,7 @@ version: 0.2
 phases:
   install:
     runtime-versions:
-      ruby: 2.7
+      ruby: 3.3.8
       java: corretto11
       python: 3.8
     commands:

diff --git a/cicd/3-app/javabuilder/template.yml.erb b/cicd/3-app/javabuilder/template.yml.erb
@@ -65,7 +65,7 @@ JAVALAB_APP_TYPES = %w(
 -%>
 Globals:
   Function:
-    Runtime: ruby2.7
+    Runtime: ruby3.3
     Timeout: 30
     MemorySize: 256
     Tracing: Active
@@ -407,8 +407,6 @@ Resources:
 
   <%=name%>AuthorizerPermission:
     Type: AWS::Lambda::Permission
-    DependsOn:
-      - <%=name%>Authorizer
     Properties:
       Action: lambda:InvokeFunction
       FunctionName: !Ref <%=config[:LambdaName]%>AuthorizerLambda
@@ -498,7 +496,11 @@ Resources:
         - Action: ['s3:GetObject']
           Effect: Allow
           Resource: !Sub "arn:aws:s3:::${ContentBucket}/*"
-          Principal: '*'
+          Principal:
+            Service: cloudfront.amazonaws.com
+          Condition:
+            StringEquals:
+              "AWS:SourceArn": !Sub "arn:aws:cloudfront::${AWS::AccountId}:distribution/${ContentCDN}"
 
   ContentApiCertificate:
     Type: AWS::CertificateManager::Certificate
@@ -519,6 +521,15 @@ Resources:
         DNSName: !GetAtt ContentCDN.DomainName
         HostedZoneId: Z2FDTNDATAQYW2 # static ID for cloudfront aliases
 
+  ContentBucketOAC:
+    Type: AWS::CloudFront::OriginAccessControl
+    Properties:
+      OriginAccessControlConfig:
+        Name: !Sub "${SubdomainName}-content-oac"
+        OriginAccessControlOriginType: s3
+        SigningBehavior: always
+        SigningProtocol: sigv4
+
   ContentCDN:
     Type: AWS::CloudFront::Distribution
     Properties:
@@ -540,7 +551,9 @@ Resources:
         Origins:
           - Id: ContentBucket
             DomainName: !GetAtt ContentBucket.DomainName
-            S3OriginConfig: {}
+            S3OriginConfig:
+              OriginAccessIdentity: ""
+            OriginAccessControlId: !Ref ContentBucketOAC
         DefaultCacheBehavior:
           TargetOriginId: ContentBucket
           AllowedMethods: [DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT]

diff --git a/cicd/3-app/load-test/load-test.buildspec.yml b/cicd/3-app/load-test/load-test.buildspec.yml
@@ -2,7 +2,7 @@ version: 0.2
 phases:
   install:
     runtime-versions:
-      ruby: 2.7
+      ruby: 3.3.8
       java: corretto11
       python: 3.8
     commands:

diff --git a/cicd/README.md b/cicd/README.md
@@ -38,8 +38,6 @@ Finally, all of the above need some Roles to exist in the AWS accounts before we
 
 ### Deploying the `main` CI/CD Pipeline
 
-_Note: If you receive errors with the 'aws-google' gem, you may need to switch to Ruby 2.7.5 first, via `rbenv local 2.7.5`._
-
 1. Create/Update the Setup stack (one time, or when changes to the Setup stack occur)
    `cicd/1-setup/deploy-cicd-dependencies.sh` (with elevated AWS permissions)
 2. Create/Update the CI/CD stack (one time, or when changes to the CI/CD stack occur)
@@ -96,7 +94,7 @@ Because of some nuances of our AWS SSO integration and tooling, you might need t
 Error when retrieving credentials from custom-process: rbenv: aws-google: command not found
 
 The `aws-google' command exists in these Ruby versions:
-  2.7.5
+  3.1.0
 ```
 
-If this occurs, you can simply run `rbenv local 2.7.5` or whatever version is suggested (should be the same version used in the code-dot-org/code-dot-org repository) and try running the script again.
+If this occurs, you can try `gem install aws-google` to try installing into your current Ruby version (ideally the one in ".ruby-version") or run `rbenv local 3.1.0` or whatever version is suggested (should be the same version used in the code-dot-org/code-dot-org repository) and try running the script again.
diff --git a/javabuilder-authorizer/Gemfile b/javabuilder-authorizer/Gemfile
@@ -1,7 +1,7 @@
 # Gemfile
 source 'https://rubygems.org'
 
-ruby '~> 2.7'
+ruby '~> 3.3'
 
 gem 'aws-sdk-lambda', '1.39.0'
 gem 'jwt'

diff --git a/javabuilder-authorizer/Gemfile.lock b/javabuilder-authorizer/Gemfile.lock
@@ -1,30 +1,38 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    aws-eventstream (1.1.1)
-    aws-partitions (1.441.0)
-    aws-sdk-cloudwatch (1.52.0)
-      aws-sdk-core (~> 3, >= 3.112.0)
-      aws-sigv4 (~> 1.1)
-    aws-sdk-core (3.113.1)
-      aws-eventstream (~> 1, >= 1.0.2)
-      aws-partitions (~> 1, >= 1.239.0)
-      aws-sigv4 (~> 1.1)
-      jmespath (~> 1.0)
-    aws-sdk-dynamodb (1.60.0)
-      aws-sdk-core (~> 3, >= 3.112.0)
-      aws-sigv4 (~> 1.1)
+    aws-eventstream (1.4.0)
+    aws-partitions (1.1139.0)
+    aws-sdk-cloudwatch (1.118.0)
+      aws-sdk-core (~> 3, >= 3.228.0)
+      aws-sigv4 (~> 1.5)
+    aws-sdk-core (3.228.0)
+      aws-eventstream (~> 1, >= 1.3.0)
+      aws-partitions (~> 1, >= 1.992.0)
+      aws-sigv4 (~> 1.9)
+      base64
+      bigdecimal
+      jmespath (~> 1, >= 1.6.1)
+      logger
+    aws-sdk-dynamodb (1.148.0)
+      aws-sdk-core (~> 3, >= 3.228.0)
+      aws-sigv4 (~> 1.5)
     aws-sdk-lambda (1.39.0)
       aws-sdk-core (~> 3, >= 3.71.0)
       aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.2.3)
+    aws-sigv4 (1.12.1)
       aws-eventstream (~> 1, >= 1.0.2)
-    jmespath (1.4.0)
-    jwt (2.2.2)
-    minitest (5.15.0)
+    base64 (0.3.0)
+    bigdecimal (3.2.2)
+    jmespath (1.6.2)
+    jwt (3.1.2)
+      base64
+    logger (1.7.0)
+    minitest (5.25.5)
 
 PLATFORMS
   ruby
+  x86_64-linux
 
 DEPENDENCIES
   aws-sdk-cloudwatch (~> 1.52)
@@ -34,7 +42,7 @@ DEPENDENCIES
   minitest (~> 5.5)
 
 RUBY VERSION
-   ruby 2.7.4p191
+   ruby 3.3.8p144
 
 BUNDLED WITH
-   2.1.4
+   2.5.22