feat(infrastructure): Inject API URL into frontend build via CI/CD

- Add build-args to Dockerfile.prod for dynamic API URL injection from GitHub Secrets
- Update Bedrock client initialization to use AWS SDK's default credential chain for credential resolution
- Enhance client configuration for improved security and flexibility in production environments

Author: chandra447

.github/workflows/deploy-infrastructure.yml

@@ -178,6 +178,8 @@ jobs:
           tags: |
             ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_FRONTEND_REPO }}:${{ github.sha }}
             ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_FRONTEND_REPO }}:latest
+          build-args: |
+            NEXT_PUBLIC_API_URL=${{ secrets.FASTAPI_BACKEND }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
 

backend/routers/voice_simple.py

@@ -16,7 +16,6 @@
 from aws_sdk_bedrock_runtime.client import BedrockRuntimeClient, InvokeModelWithBidirectionalStreamOperationInput
 from aws_sdk_bedrock_runtime.models import InvokeModelWithBidirectionalStreamInputChunk, BidirectionalInputPayloadPart
 from aws_sdk_bedrock_runtime.config import Config
-from smithy_aws_core.identity.environment import EnvironmentCredentialsResolver
 
 from config import settings
 from services.agent_service import AgentService
@@ -203,17 +202,32 @@ def __init__(self, voice_prompt: str, agent_id: str, user_id: str, session_id: s
         logger.info(f"[NovaSonic] Initialized with prompt_name={self.prompt_name}, agent_id={agent_id}")
 
     def _initialize_client(self):
-        """Initialize the Bedrock client."""
-        # Config with environment credentials (no IMDS for local dev)
-        credentials_resolver = EnvironmentCredentialsResolver()
+        """Initialize the Bedrock client with proper credential resolution.
+        
+        Uses AWS SDK's default credential chain which automatically handles:
+        - Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) for local dev
+        - ECS Task Role credentials via container metadata endpoint for production
+        - IAM instance profile for EC2
+        """
+        from smithy_aws_core.identity.chain import create_default_chain
+        from smithy_http.aio.aiohttp import AIOHTTPClient
+        
+        # Create HTTP client for credential resolution (needed by ContainerCredentialsResolver)
+        http_client = AIOHTTPClient()
+        
+        # Create default credential chain that tries in order:
+        # 1. Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+        # 2. ECS container credentials (via AWS_CONTAINER_CREDENTIALS_RELATIVE_URI)
+        # 3. EC2 instance metadata service (IMDS)
+        credentials_resolver = create_default_chain(http_client)
 
         config = Config(
             region=settings.AWS_REGION,
-            aws_credentials_identity_resolver=EnvironmentCredentialsResolver(),
-             endpoint_uri=f"https://bedrock-runtime.{settings.AWS_REGION}.amazonaws.com",
+            aws_credentials_identity_resolver=credentials_resolver,
+            endpoint_uri=f"https://bedrock-runtime.{settings.AWS_REGION}.amazonaws.com",
         )
         self.client = BedrockRuntimeClient(config=config)
-        logger.info("[NovaSonic] Bedrock client initialized")
+        logger.info("[NovaSonic] Bedrock client initialized with default credential chain")
 
     async def send_event(self, event_json: str):
         """Send an event to the stream."""

frontend/Dockerfile.prod

@@ -11,13 +11,13 @@ FROM node:20-alpine AS builder
 WORKDIR /app
 ENV NODE_ENV=production
 ENV NEXT_TELEMETRY_DISABLED=1
-# Bake the API URL directly into the build
-ARG NEXT_PUBLIC_API_URL=https://d3cp7cujulcncl.cloudfront.net
+# API URL will be injected via build-arg from CI/CD (GitHub Secrets)
+ARG NEXT_PUBLIC_API_URL
 ENV NEXT_PUBLIC_API_URL=$NEXT_PUBLIC_API_URL
 COPY --from=deps /app/node_modules ./node_modules
 COPY . .
 
-# Build Next.js app with API URL baked in
+# Build Next.js app with API URL baked in from build-arg
 RUN npm run build
 
 FROM node:20-alpine AS runner