5 changes: 5 additions & 0 deletions .github/ACTIONS-REFERENCE.md
Expand Up @@ -34,6 +34,11 @@ GitHub provides two mechanisms for storing configuration values:
| CDK_CERTIFICATE_ARN | Variable | No | None | Infrastructure | ACM certificate ARN for HTTPS on ALB |
| CDK_CORS_ORIGINS | Variable | No | None | All | Additional CORS origins appended to the auto-derived `https://{CDK_DOMAIN_NAME}`. Comma-separated. Use for localhost during local dev (e.g., `http://localhost:4200`) or extra domains. |
| CDK_DOMAIN_NAME | Variable | No | None | All | Primary domain name (e.g., 'alpha.boisestate.ai'). Auto-applied as `https://{value}` to CORS origins for every stack. This is the primary mechanism for CORS configuration. |
| CDK_EXISTING_VPC_ID | Variable | No | None | Infrastructure | VPC ID of a pre-existing VPC to import instead of creating a new one (e.g., `vpc-0abc123def456`). When set, the stack uses `Vpc.fromVpcAttributes()` and skips VPC creation. |
| CDK_EXISTING_VPC_AZS | Variable | No | None | Infrastructure | Comma-separated availability zones for the existing VPC (e.g., `us-west-2a,us-west-2b`). Required when `CDK_EXISTING_VPC_ID` is set. |
| CDK_EXISTING_VPC_PUBLIC_SUBNET_IDS | Variable | No | None | Infrastructure | Comma-separated public subnet IDs for the existing VPC (e.g., `subnet-0a1b2c3d4e5f6,subnet-0f6e5d4c3b2a1`). Required when `CDK_EXISTING_VPC_ID` is set. |
| CDK_EXISTING_VPC_PRIVATE_SUBNET_IDS | Variable | No | None | Infrastructure | Comma-separated private subnet IDs for the existing VPC (e.g., `subnet-0aabbccddee11,subnet-0ffeeddccbbaa`). Required when `CDK_EXISTING_VPC_ID` is set. |
| CDK_EXISTING_VPC_CIDR | Variable | No | None | Infrastructure | CIDR block of the existing VPC (e.g., `10.0.0.0/16`). Optional; used for the SSM vpc-cidr parameter when importing a VPC. |
| CDK_FILE_UPLOAD_CORS_ORIGINS | Variable | No | None | Infrastructure | Additional CORS origins for the file upload S3 bucket only (appended to global CORS origins) |
| CDK_FILE_UPLOAD_MAX_SIZE_MB | Variable | No | `10` | Infrastructure, App API | Maximum file upload size in megabytes |
| CDK_FINE_TUNING_ENABLED | Variable | No | `false` | SageMaker Fine-Tuning, App API | Enable SageMaker fine-tuning stack and App API fine-tuning routes. Must be `true` before deploying the SageMaker Fine-Tuning workflow. |
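Review bot: The `CDK_EXISTING_VPC_AZS`, `CDK_EXISTING_VPC_PUBLIC_SUBNET_IDS` and `CDK_EXISTING_VPC_PRIVATE_SUBNET_IDS` rows say "Required when `CDK_EXISTING_VPC_ID` is set" but omit the constraint that step-03-github-config.md states in its note (the number of public and private subnets must match the number of availability zones), and neither document says whether the subnet IDs must be listed in the same order as the AZs. Add both to the descriptions here, since this table is the reference. The examples also differ between the two documents (`us-west-2a,us-west-2b` and `10.0.0.0/16` here, `us-east-1a,us-east-1b` and `192.168.0.0/16` in step-03); align them so readers do not take them for region-specific or CIDR-specific requirements.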
15 changes: 15 additions & 0 deletions .github/docs/deploy/step-03-github-config.md
Expand Up @@ -101,6 +101,21 @@ This prefix is prepended to all AWS resource names to avoid conflicts. Use somet
|---------------|---------|-------------|
| `CDK_FINE_TUNING_ENABLED` | `false` | Set to `true` to enable the SageMaker Fine-Tuning stack. Must be set before running the fine-tuning deployment workflow in Step 4. |

### Existing VPC (Optional)

To import a pre-existing VPC instead of creating a new one, add these variables:

| Variable Name | Example | Description |
|---------------|---------|-------------|
| `CDK_EXISTING_VPC_ID` | `vpc-0abc123def456` | VPC ID to import |
| `CDK_EXISTING_VPC_AZS` | `us-east-1a,us-east-1b` | Comma-separated availability zones |
| `CDK_EXISTING_VPC_PUBLIC_SUBNET_IDS` | `subnet-0a1b2c3d4e5f6,subnet-0f6e5d4c3b2a1` | Comma-separated public subnet IDs |
| `CDK_EXISTING_VPC_PRIVATE_SUBNET_IDS` | `subnet-0aabbccddee11,subnet-0ffeeddccbbaa` | Comma-separated private subnet IDs |
| `CDK_EXISTING_VPC_CIDR` | `192.168.0.0/16` | VPC CIDR block (optional) |

> [!NOTE]
> The number of public and private subnets must match the number of availability zones. When these variables are not set, the infrastructure stack creates a new VPC automatically.

---

## 3c. Authentication
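Review bot: The new "Existing VPC (Optional)" table does not say which variables become mandatory once `CDK_EXISTING_VPC_ID` is set; only `CDK_EXISTING_VPC_CIDR` is marked optional, while ACTIONS-REFERENCE.md marks the AZ and both subnet variables as required in that case. State that explicitly here and say what the deployment does when the ID is set but a list is missing or the counts do not match. Since ACTIONS-REFERENCE.md says the stack imports through `Vpc.fromVpcAttributes()`, which takes the supplied attributes as given rather than looking them up, it is also worth telling operators to confirm that every ID in the private list really is a private subnet of that VPC before deploying.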
2 changes: 2 additions & 0 deletions .github/workflows/frontend.yml
Expand Up @@ -228,6 +228,7 @@ jobs:
CDK_PRODUCTION: ${{ vars.CDK_PRODUCTION }}
CDK_DOMAIN_NAME: ${{ vars.CDK_DOMAIN_NAME }}
CDK_CORS_ORIGINS: ${{ vars.CDK_CORS_ORIGINS }}
CDK_HOSTED_ZONE_DOMAIN: ${{ vars.CDK_HOSTED_ZONE_DOMAIN }}
CDK_FRONTEND_ENABLED: ${{ vars.CDK_FRONTEND_ENABLED }}
CDK_FRONTEND_CLOUDFRONT_PRICE_CLASS: ${{ vars.CDK_FRONTEND_CLOUDFRONT_PRICE_CLASS }}
CDK_RETAIN_DATA_ON_DELETE: ${{ vars.CDK_RETAIN_DATA_ON_DELETE }}
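Review bot: `CDK_HOSTED_ZONE_DOMAIN` is unrelated to the existing-VPC variables that the rest of this change introduces, and neither documentation hunk in this change adds an entry for it. Either split it into its own change or explain in the description why the frontend workflow now needs it, and make sure ACTIONS-REFERENCE.md has a row for it that lists this workflow in its scope.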
Expand Down Expand Up @@ -357,6 +358,7 @@ jobs:
CDK_PRODUCTION: ${{ vars.CDK_PRODUCTION }}
CDK_DOMAIN_NAME: ${{ vars.CDK_DOMAIN_NAME }}
CDK_CORS_ORIGINS: ${{ vars.CDK_CORS_ORIGINS }}
CDK_HOSTED_ZONE_DOMAIN: ${{ vars.CDK_HOSTED_ZONE_DOMAIN }}
CDK_FRONTEND_ENABLED: ${{ vars.CDK_FRONTEND_ENABLED }}
CDK_FRONTEND_CLOUDFRONT_PRICE_CLASS: ${{ vars.CDK_FRONTEND_CLOUDFRONT_PRICE_CLASS }}
CDK_RETAIN_DATA_ON_DELETE: ${{ vars.CDK_RETAIN_DATA_ON_DELETE }}
3 changes: 3 additions & 0 deletions .github/workflows/gateway.yml
Expand Up @@ -169,6 +169,7 @@ jobs:
CDK_PROJECT_PREFIX: ${{ vars.CDK_PROJECT_PREFIX }}
CDK_DOMAIN_NAME: ${{ vars.CDK_DOMAIN_NAME }}
CDK_CORS_ORIGINS: ${{ vars.CDK_CORS_ORIGINS }}
CDK_HOSTED_ZONE_DOMAIN: ${{ vars.CDK_HOSTED_ZONE_DOMAIN }}
CDK_RETAIN_DATA_ON_DELETE: ${{ vars.CDK_RETAIN_DATA_ON_DELETE }}
CDK_GATEWAY_ENABLED: ${{ vars.CDK_GATEWAY_ENABLED }}
CDK_GATEWAY_API_TYPE: ${{ vars.CDK_GATEWAY_API_TYPE }}
Expand Down Expand Up @@ -232,6 +233,7 @@ jobs:
CDK_PROJECT_PREFIX: ${{ vars.CDK_PROJECT_PREFIX }}
CDK_DOMAIN_NAME: ${{ vars.CDK_DOMAIN_NAME }}
CDK_CORS_ORIGINS: ${{ vars.CDK_CORS_ORIGINS }}
CDK_HOSTED_ZONE_DOMAIN: ${{ vars.CDK_HOSTED_ZONE_DOMAIN }}
CDK_RETAIN_DATA_ON_DELETE: ${{ vars.CDK_RETAIN_DATA_ON_DELETE }}
CDK_GATEWAY_ENABLED: ${{ vars.CDK_GATEWAY_ENABLED }}
CDK_GATEWAY_API_TYPE: ${{ vars.CDK_GATEWAY_API_TYPE }}
Expand Down Expand Up @@ -305,6 +307,7 @@ jobs:
CDK_PROJECT_PREFIX: ${{ vars.CDK_PROJECT_PREFIX }}
CDK_DOMAIN_NAME: ${{ vars.CDK_DOMAIN_NAME }}
CDK_CORS_ORIGINS: ${{ vars.CDK_CORS_ORIGINS }}
CDK_HOSTED_ZONE_DOMAIN: ${{ vars.CDK_HOSTED_ZONE_DOMAIN }}
CDK_RETAIN_DATA_ON_DELETE: ${{ vars.CDK_RETAIN_DATA_ON_DELETE }}
CDK_GATEWAY_ENABLED: ${{ vars.CDK_GATEWAY_ENABLED }}
CDK_GATEWAY_API_TYPE: ${{ vars.CDK_GATEWAY_API_TYPE }}
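Review bot: The line `CDK_HOSTED_ZONE_DOMAIN: ${{ vars.CDK_HOSTED_ZONE_DOMAIN }}` is added by hand to three separate job-level `env` blocks in this file (and two more in frontend.yml), which is how one job ends up missing a variable in a later change. Consider moving the `CDK_*` entries shared by every job to a workflow-level `env:` block so each variable is declared once per workflow.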
18 changes: 18 additions & 0 deletions .github/workflows/infrastructure.yml
Expand Up @@ -165,6 +165,12 @@ jobs:
CDK_FILE_UPLOAD_MAX_SIZE_MB: ${{ vars.CDK_FILE_UPLOAD_MAX_SIZE_MB }}
CDK_COGNITO_DOMAIN_PREFIX: ${{ vars.CDK_COGNITO_DOMAIN_PREFIX }}
CDK_AWS_ACCOUNT: ${{ vars.CDK_AWS_ACCOUNT }}
# Existing VPC (optional — import a pre-existing VPC instead of creating one)
CDK_EXISTING_VPC_ID: ${{ vars.CDK_EXISTING_VPC_ID }}
CDK_EXISTING_VPC_AZS: ${{ vars.CDK_EXISTING_VPC_AZS }}
CDK_EXISTING_VPC_PUBLIC_SUBNET_IDS: ${{ vars.CDK_EXISTING_VPC_PUBLIC_SUBNET_IDS }}
CDK_EXISTING_VPC_PRIVATE_SUBNET_IDS: ${{ vars.CDK_EXISTING_VPC_PRIVATE_SUBNET_IDS }}
CDK_EXISTING_VPC_CIDR: ${{ vars.CDK_EXISTING_VPC_CIDR }}
AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
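Review bot: When the repository variables are not defined, `${{ vars.CDK_EXISTING_VPC_ID }}` and the four lines after it expand to empty strings, so the CDK configuration has to treat an empty value as unset rather than as a VPC ID or a one-element list. Confirm that in the config loader, and add a step before synth that fails the job when `CDK_EXISTING_VPC_ID` is non-empty but the AZ or subnet lists are empty or their counts differ, so a half-configured import is caught before anything is deployed.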
Expand Down Expand Up @@ -240,6 +246,12 @@ jobs:
CDK_FILE_UPLOAD_MAX_SIZE_MB: ${{ vars.CDK_FILE_UPLOAD_MAX_SIZE_MB }}
CDK_COGNITO_DOMAIN_PREFIX: ${{ vars.CDK_COGNITO_DOMAIN_PREFIX }}
CDK_AWS_ACCOUNT: ${{ vars.CDK_AWS_ACCOUNT }}
# Existing VPC (optional — import a pre-existing VPC instead of creating one)
CDK_EXISTING_VPC_ID: ${{ vars.CDK_EXISTING_VPC_ID }}
CDK_EXISTING_VPC_AZS: ${{ vars.CDK_EXISTING_VPC_AZS }}
CDK_EXISTING_VPC_PUBLIC_SUBNET_IDS: ${{ vars.CDK_EXISTING_VPC_PUBLIC_SUBNET_IDS }}
CDK_EXISTING_VPC_PRIVATE_SUBNET_IDS: ${{ vars.CDK_EXISTING_VPC_PRIVATE_SUBNET_IDS }}
CDK_EXISTING_VPC_CIDR: ${{ vars.CDK_EXISTING_VPC_CIDR }}
AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
Expand Down Expand Up @@ -327,6 +339,12 @@ jobs:
CDK_INFERENCE_API_MEMORY: ${{ vars.CDK_INFERENCE_API_MEMORY }}
CDK_COGNITO_DOMAIN_PREFIX: ${{ vars.CDK_COGNITO_DOMAIN_PREFIX }}
CDK_AWS_ACCOUNT: ${{ vars.CDK_AWS_ACCOUNT }}
# Existing VPC (optional — import a pre-existing VPC instead of creating one)
CDK_EXISTING_VPC_ID: ${{ vars.CDK_EXISTING_VPC_ID }}
CDK_EXISTING_VPC_AZS: ${{ vars.CDK_EXISTING_VPC_AZS }}
CDK_EXISTING_VPC_PUBLIC_SUBNET_IDS: ${{ vars.CDK_EXISTING_VPC_PUBLIC_SUBNET_IDS }}
CDK_EXISTING_VPC_PRIVATE_SUBNET_IDS: ${{ vars.CDK_EXISTING_VPC_PRIVATE_SUBNET_IDS }}
CDK_EXISTING_VPC_CIDR: ${{ vars.CDK_EXISTING_VPC_CIDR }}
AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
1 change: 1 addition & 0 deletions .kiro/specs/existing-vpc-support/.config.kiro
@@ -0,0 +1 @@
{"specId": "a5cb1565-4744-4c7d-83d7-d948907b60f0", "workflowType": "requirements-first", "specType": "feature"}
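Review bot: This file is tool-generated spec metadata (a `specId` UUID, `workflowType` and `specType`) with no effect on the deployment. Confirm that `.kiro/specs/` is meant to be versioned; if it is not, drop the file from this change and add the directory to `.gitignore`.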