Merge branch 'main' into enhance-deploy-on-aws

Author: krokoko

.claude-plugin/marketplace.json

@@ -1,7 +1,7 @@
 {
   "metadata": {
     "description": "Agent Plugins for AWS equip AI coding agents with the skills to help you architect, deploy, and operate on AWS.",
-    "version": "1.0.0"
+    "version": "1.1.0"
   },
   "name": "agent-plugins-for-aws",
   "owner": {

docs/TROUBLESHOOTING.md

@@ -178,6 +178,40 @@ If issues persist:
    - Include your collected information
    - Describe steps to reproduce the issue
 
+## CI / GitHub Actions
+
+### Re-running Failed Jobs
+
+GitHub Actions workflows can occasionally fail due to intermittent issues (network timeouts, flaky upstream services, etc.). If you believe a failure is not related to your changes:
+
+#### Via the GitHub UI
+
+1. Open the failed check from your pull request's **Checks** tab.
+2. Click **Re-run failed jobs**.
+
+See [Re-running workflows and jobs](https://docs.github.com/en/actions/managing-workflow-runs/re-running-workflows-and-jobs) for details.
+
+#### Via the `gh` CLI
+
+See [Re-run failed jobs from a workflow run](https://docs.github.com/en/rest/actions/workflow-runs?apiVersion=2022-11-28#re-run-failed-jobs-from-a-workflow-run).
+
+```sh
+RUN_ID=0
+
+gh api \
+  --method POST \
+  -H "Accept: application/vnd.github+json" \
+  -H "X-GitHub-Api-Version: 2022-11-28" \
+  /repos/awslabs/agent-plugins/actions/runs/${RUN_ID:-0}/rerun-failed-jobs
+```
+
+Replace `RUN_ID` with the workflow run ID from your pull request's **Checks** tab or from `gh run list --branch <your-branch>`.
+
+#### Required Permissions
+
+- **Repository collaborators** (write access) can re-run workflows directly.
+- **Fork contributors** cannot re-run workflows on the upstream repo. Ask a maintainer to re-run the failed jobs, or push an empty commit (`git commit --allow-empty -m "retry CI"`) to trigger a fresh run.
+
 ## Other AI Assistants
 
 Support for additional AI assistants will be added here as the plugin system expands.

mise.toml

@@ -7,6 +7,7 @@ min_version = "2026.2.4"
 node = "24"
 "npm:markdownlint-cli2" = "0.17"
 "npm:ajv-cli" = "5"
+"npm:dprint" = "0.51"
 "pipx:pre-commit" = "4"
 "pipx:bandit[sarif]" = "1"
 "pipx:checkov" = "3"
@@ -30,11 +31,11 @@ run = [
 
 [tasks.fmt]
 description = "Format all files"
-run = "npx dprint fmt"
+run = "dprint fmt"
 
 [tasks."fmt:check"]
 description = "Check formatting (CI)"
-run = "npx dprint check"
+run = "dprint check"
 
 [tasks."lint:md"]
 description = "Lint Markdown files (includes SKILL.md validation)"

plugins/deploy-on-aws/skills/deploy/references/cost-estimation.md

@@ -17,6 +17,7 @@ Use the **awspricing** MCP server to get accurate cost estimates before generati
 | Aurora PostgreSQL | `AmazonRDS`         | Filter: `databaseEngine` = "Aurora PostgreSQL" |
 | Aurora MySQL      | `AmazonRDS`         | Filter: `databaseEngine` = "Aurora MySQL"      |
 | RDS PostgreSQL    | `AmazonRDS`         | Filter: `databaseEngine` = "PostgreSQL"        |
+| DocumentDB        | `AmazonDocDB`       | MongoDB-compatible managed database            |
 | ALB               | `AWSELB`            | Application Load Balancer                      |
 | S3                | `AmazonS3`          | Storage and requests                           |
 | CloudFront        | `AmazonCloudFront`  | CDN distribution                               |
@@ -53,13 +54,34 @@ Aurora Serverless v2 charges per ACU-hour (Aurora Capacity Unit).
 
 - ~$180-360/month depending on load
 
+## DocumentDB Serverless Pricing
+
+DocumentDB Serverless charges per DCU-hour (DocumentDB Capacity Unit),
+storage (GB-month), and I/O (standard config only).
+
+- Minimum: 0.5 DCU
+- 1 DCU ≈ 2 GiB memory
+
+**Dev estimate (0.5-2 DCU range, 10GB storage):**
+
+- ~$35-120/month depending on usage patterns (scales to 0.5 DCU when idle)
+
+**Production estimate (2-8 DCU range, 100GB storage, multi-AZ):**
+
+- ~$130-400/month depending on load
+
 ## Quick Reference Estimates
 
 **Small web app (Fargate + Aurora Serverless v2 + ALB):**
 
 - Dev: ~$70-100/month
 - Production: ~$200-400/month
 
+**Small web app (Fargate + DocumentDB Serverless + ALB):**
+
+- Dev: ~$70-155/month
+- Production: ~$200-450/month
+
 **Static site / SPA (Amplify Hosting):**
 
 - Low traffic: ~$0-5/month (free tier covers most small sites)

plugins/deploy-on-aws/skills/deploy/references/defaults.md

@@ -30,20 +30,30 @@ Use `amplify_docs` topic in awsknowledge MCP for framework-specific guidance
 
 ## Database
 
-| Data Pattern      | Default (Dev)          | Default (Prod)         | Override Trigger   |
-| ----------------- | ---------------------- | ---------------------- | ------------------ |
-| PostgreSQL        | Aurora Serverless v2   | Aurora Serverless v2   | "simple RDS" → RDS |
-| MySQL             | Aurora Serverless v2   | Aurora Serverless v2   | "simple RDS" → RDS |
-| NoSQL / Key-Value | DynamoDB               | DynamoDB               | -                  |
-| Redis / Caching   | ElastiCache Serverless | ElastiCache Serverless | -                  |
-| Full-text search  | OpenSearch Serverless  | OpenSearch Serverless  | -                  |
+| Data Pattern         | Default (Dev)          | Default (Prod)         | Override Trigger                       |
+| -------------------- | ---------------------- | ---------------------- | -------------------------------------- |
+| PostgreSQL           | Aurora Serverless v2   | Aurora Serverless v2   | "simple RDS" → RDS                     |
+| MySQL                | Aurora Serverless v2   | Aurora Serverless v2   | "simple RDS" → RDS                     |
+| DocumentDB / MongoDB | DocumentDB Serverless  | DocumentDB Serverless  | "provisioned" → DocumentDB provisioned |
+| NoSQL / Key-Value    | DynamoDB               | DynamoDB               | -                                      |
+| Redis / Caching      | ElastiCache Serverless | ElastiCache Serverless | -                                      |
+| Full-text search     | OpenSearch Serverless  | OpenSearch Serverless  | -                                      |
 
 ### Why Aurora Serverless v2
 
 Scales to near-zero in dev (0.5 ACU minimum), scales up automatically for production.
 Single choice works for both environments. Only use provisioned RDS if user has
 specific cost constraints or compliance requirements.
 
+### Why DocumentDB Serverless for MongoDB
+
+DocumentDB Serverless is the on-demand, auto-scaling configuration of Amazon DocumentDB.
+It dynamically adjusts capacity based on application demand so you only pay for what you
+use. Ideal for dev/test, variable workloads, and new applications where capacity needs
+are unknown. Compatible with MongoDB 3.6, 4.0, 5.0 and 8.0 APIs.
+Use provisioned DocumentDB only when you have predictable, steady-state workloads
+or specific compliance requirements that need fixed instance sizing.
+
 ## Storage
 
 | Pattern       | Default         |

plugins/deploy-on-aws/skills/deploy/references/security.md

@@ -25,6 +25,7 @@ Apply these patterns automatically when generating IaC:
 | --------------- | --------------------------- | -------------------------- | ---------------- |
 | S3 buckets      | SSE-S3 (AES-256)            | SSE-KMS (customer-managed) | "no encryption"  |
 | RDS/Aurora      | Encrypted (AWS-managed key) | Encrypted (CMK)            | -                |
+| DocumentDB      | Encrypted (AWS-managed key) | Encrypted (CMK)            | -                |
 | EBS volumes     | Encrypted                   | Encrypted                  | -                |
 | ALB             | TLS 1.2+ only               | TLS 1.2+ only              | -                |
 | Secrets Manager | AWS-managed key             | CMK                        | -                |
@@ -60,6 +61,7 @@ When serving static content via CloudFront:
 | Fargate tasks | Private subnet + NAT Gateway     | Private subnet + NAT Gateway     |
 | ALB           | Public subnet                    | Public subnet                    |
 | RDS/Aurora    | Private subnet (no public IP)    | Private subnet (no public IP)    |
+| DocumentDB    | Private subnet (no public IP)    | Private subnet (no public IP)    |
 | Lambda        | VPC-attached if DB access needed | VPC-attached if DB access needed |
 
 ### Why private subnets for compute
@@ -96,6 +98,7 @@ Consult `awsiac` MCP for IAM policy patterns by service.
 | ALB          | 443 from 0.0.0.0/0           | Fargate SG only    |
 | Fargate      | ALB SG only (on app port)    | 443 (HTTPS), DB SG |
 | RDS/Aurora   | Fargate SG only (on DB port) | None               |
+| DocumentDB   | Fargate SG only (port 27017) | None               |
 | Lambda (VPC) | None                         | 443, DB SG         |
 
 ### Why deny-by-default
@@ -160,6 +163,7 @@ Before deployment, run available checks:
 | ALB Access Logs | Disabled               | Enabled (S3 destination)   |
 | Container logs  | CloudWatch Logs        | CloudWatch Logs            |
 | RDS/Aurora logs | Error log only         | Error + slow query + audit |
+| DocumentDB logs | Profiler (slow ops)    | Profiler + audit           |
 | S3 Access Logs  | Disabled               | Enabled                    |
 
 ### Why minimal logging in dev
@@ -176,6 +180,7 @@ When user requests "production" or "prod", additionally enable:
 - [ ] ALB Access Logs
 - [ ] S3 Access Logs
 - [ ] RDS Performance Insights
+- [ ] DocumentDB profiler + audit logs exported to CloudWatch Logs
 - [ ] AWS WAF on ALB (if public-facing web app)
 - [ ] GuardDuty (recommend, don't auto-enable)
 - [ ] Run `checkov` or `cfn-nag` before deployment