Setup
This guide takes you from zero to a running instance of AIDLC Collaborative. The platform requires AWS infrastructure for authentication, APIs, and agent execution, so setup involves both local configuration and cloud deployment.
Clone the repository
git clone https://github.com/aws-samples/sample-collaborative-ai-dlc.git
cd sample-collaborative-ai-dlc
Deploy the AWS infrastructure
Bootstrap the Terraform state backend
The bootstrap script creates an Amazon S3 bucket for Terraform state storage. Run it once per environment.
export AWS_PROFILE=your-profile-name
./scripts/bootstrap.sh dev
This creates an S3 bucket with a unique name and updates terraform/environments/dev/backend.tf with the bucket reference.
Configure the Terraform variables
cp terraform/environments/dev/terraform.tfvars.example terraform/environments/dev/terraform.tfvars
Edit terraform/environments/dev/terraform.tfvars to set your configuration.
| Variable | Description |
|---|---|
project_name |
Resource naming prefix |
environment |
Environment name (dev or prod) |
vpc_cidr |
VPC CIDR block |
neptune_instance_class |
Neptune instance size |
agent_pool_size |
Number of agent workers |
Deploy infrastructure
./scripts/deploy-terraform.sh dev
The deployment takes 15-30 minutes. Neptune DB cluster creation takes the longest.
After deployment, configure agent authentication in the platform UI by entering either a Kiro CLI API key or Bedrock credentials (for Claude Code / OpenCode setups). Check the agent pool DynamoDB table or ECS task logs to confirm agents are authenticated and ready.
Configure provider OAuth apps
The platform integrates with external providers as code hosts (GitHub, GitLab) and issue trackers (GitHub Issues, GitLab Issues, Jira Cloud) so a sprint can be started from a tracker issue. For each provider you want to enable, register an OAuth app and paste the credentials into Admin → Tracker OAuth Apps in the deployed app.
For GitHub and GitLab a single OAuth app serves both the code host and that provider's issue tracker. Jira Cloud is a tracker only. All providers are optional — skip a section if you don't need that provider; the corresponding Connect buttons in the UI stay disabled with a hint pointing to this admin panel.
GitHub (code host + GitHub Issues)
- Open GitHub Developer Settings → OAuth Apps → New OAuth App. Choose an OAuth App, not a GitHub App — the flow expects OAuth App semantics.
- Set:
- Homepage URL:
https://<your-cloudfront-domain> - Authorization callback URL:
https://<your-cloudfront-domain>/github/callback - Copy the Client ID and generate a Client Secret.
- In the deployed app, sign in and open Admin → Tracker OAuth Apps → GitHub Issues. Paste both values and click Save.
GitLab (code host + GitLab Issues)
- Open GitLab → User Settings → Applications → Add new application.
- Set:
- Redirect URI:
https://<your-cloudfront-domain>/gitlab/callback - Scopes:
apiandread_user - Leave Confidential enabled.
- Save, then copy the Application ID (Client ID) and Secret.
- In the deployed app, sign in and open Admin → Tracker OAuth Apps → GitLab Issues. Paste both values and click Save.
Jira Cloud
- Open the Atlassian Developer Console and create an OAuth 2.0 integration.
- Under Permissions, add the Jira API with scopes:
read:jira-workread:jira-useroffline_access(required for refresh tokens — don't skip)- Under Authorization, set the callback URL to
https://<your-cloudfront-domain>/trackers/callback/jira-cloud. - Open the Settings tab of the app and copy the Client ID and Client Secret.
- In the deployed app, sign in and open Admin → Tracker OAuth Apps → Jira Cloud. Paste both values and click Save.
Rotating credentials later is the same flow — paste new values and Save overwrites the stored secret.
CLI fallback for fully-automated deploys
The Admin UI is a wrapper around AWS Secrets Manager. To populate the secrets in your provisioning pipeline:
```bash
aws secretsmanager put-secret-value \
--secret-id $(terraform -chdir=terraform output -raw github_oauth_secret_name) \
--secret-string '{"client_id":"...","client_secret":"..."}'
aws secretsmanager put-secret-value \
--secret-id $(terraform -chdir=terraform output -raw gitlab_oauth_secret_name) \
--secret-string '{"client_id":"...","client_secret":"..."}'
aws secretsmanager put-secret-value \
--secret-id $(terraform -chdir=terraform output -raw jira_oauth_secret_name) \
--secret-string '{"client_id":"...","client_secret":"..."}'
```
Create users
Get the User Pool ID and create a user:
cd terraform/environments/dev
terraform output user_pool_id
aws cognito-idp admin-create-user \
--user-pool-id <user-pool-id> \
--username user@example.com \
--user-attributes Name=email,Value=user@example.com Name=email_verified,Value=true
aws cognito-idp admin-add-user-to-group \
--user-pool-id <user-pool-id> \
--username user@example.com \
--group-name approver
Available groups:
| Group | Permissions |
|---|---|
member |
View and edit specs, run agents |
approver |
Member permissions plus approve phase transitions |
owner |
Full access including project settings |
Set up the frontend
Install dependencies
cd frontend
npm install
Configure environment variables
cp .env.example .env
Edit .env with values from your Terraform deployment.
Deploy to S3 and CloudFront
cd ..
./scripts/deploy-frontend.sh dev
This builds the frontend, uploads it to S3, and invalidates the CloudFront cache.
Access the application
cd terraform/environments/dev
terraform output cloudfront_domain_name
Open the domain in your browser to reach the sign-in page.
Local frontend development
For iterating on the frontend locally (while connected to the deployed AWS backend):
cd frontend
npm run dev
This starts the Vite development server on http://localhost:5173.
Updating a deployment
| What changed | Command |
|---|---|
| Backend (Lambda, agents, infra) | ./scripts/deploy-terraform.sh dev |
| Frontend only | ./scripts/deploy-frontend.sh dev |
One-time tracker-data migration (only relevant for installs with pre-#194 data)
If you're upgrading an install that ran before issue #194 (tracker provider abstraction) landed, existing projects keep working without intervention — but to bind Jira (or any future tracker) to them, their sprint and project records need a one-time backfill onto the new polymorphic shape.
Operators have two equivalent paths, both idempotent:
- Admin UI: open Admin → Tracker Migration in the deployed app. The card displays a live count of legacy projects + sprints; click Migrate all when ready.
- CLI: invoke the
migrate-tracker-fieldsLambda directly. Supports a dry-run for previewing.
aws lambda invoke \
--function-name "$(terraform output -raw migrate_tracker_fields_lambda_name)" \
--payload '{"dryRun":true}' --cli-binary-format raw-in-base64-out /tmp/out.json
Both paths share the same shared core, so the result is identical. Migration is never automatic — operators run it on demand. See Git and Tracker Integration → Migrating from legacy issue integration for full context, including why nothing is removed and the migration tooling stays deployed permanently.
Destroy infrastructure
To remove all deployed resources:
./scripts/destroy.sh dev
Data loss
This permanently deletes all data including DynamoDB tables, Neptune databases, and S3 buckets. This action cannot be undone.
To also remove the Terraform state bucket (created during bootstrap):
grep bucket terraform/environments/dev/backend.tf
aws s3 rb s3://<bucket-name> --force
Troubleshooting
Terraform init fails with backend errors
Make sure the bootstrap script completed successfully and that backend.tf contains the correct bucket name.
ECS tasks fail to start
Check CloudWatch Logs for the ECS service. Common issues: missing IAM permissions, ECR image not found, resource limits exceeded.
Frontend shows authentication errors
Verify User Pool ID and App Client ID match Terraform outputs, and that the user exists in the correct group.
Provider integration not working (GitHub, GitLab, or Jira)
In the deployed app, open Admin → Tracker OAuth Apps. Each provider should show Configured; if it shows Not configured, finish the OAuth-app setup and paste the credentials. Also confirm the OAuth app's Authorization callback URL matches the values listed above for your CloudFront domain — provider apps reject mismatched callbacks at sign-in time.