Update ECR/Docker naming conventions and enable cost anomaly detection #825

Merged: forstmeier merged 2 commits into master from ecr-and-docker-naming-updates on Apr 15, 2026

forstmeier (Collaborator) commented Apr 15, 2026

Overview

Changes

  • update Docker image tags/stages
  • update associated Mask commands
  • update Pulumi variable/export names
  • add cost anomaly detection resource

Context

Some random stuff.

Summary by CodeRabbit

  • New Features

    • Added cost anomaly detection with real-time alerts for unusual spending patterns (threshold: $25).
  • Chores

    • Updated Docker image repository naming conventions for improved organization.
    • Refactored build pipeline with namespace-based organization for container images.
    • Updated infrastructure configuration references to align with new naming structure.

Copilot AI review requested due to automatic review settings April 15, 2026 01:18
github-project-automation Bot moved this to In Progress in Overview Apr 15, 2026
github-actions Bot requested a review from chrisaddy April 15, 2026 01:19
github-actions Bot added the python (Python code updates), markdown (Markdown code updates) and yaml (YAML code updates) labels Apr 15, 2026
coderabbitai Bot (Contributor) commented Apr 15, 2026

📥 Commits

Reviewing files that changed from the base of the PR and between 9a19da5 and e7165fe.

📒 Files selected for processing (2)
  • infrastructure/notifications.py
  • libraries/python/tests/test_infrastructure_notifications.py

Walkthrough

This PR reorganizes Docker image namespacing and ECR repository naming across the infrastructure. It renames the Tide model-runner to "runner", restructures ECR repository names to distinguish between "applications" and "models" namespaces, updates corresponding Pulumi exports, and introduces namespace-based build logic in the build script. Additionally, cost anomaly detection resources are added to monitor AWS spending.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Cost Anomaly Detection: infrastructure/notifications.py | Added AWS Cost Explorer anomaly monitoring with AnomalyMonitor and AnomalySubscription resources; triggers IMMEDIATE notifications when absolute impact exceeds $25; provisions email subscribers via pulumi.Output.apply. |
| ECR Repository and Image Naming: infrastructure/storage.py, infrastructure/__main__.py | Renamed ECR repositories from fund/data-manager-server to fund/applications-data-manager-server (and similarly for portfolio/ensemble managers); renamed fund/tide-model-runner to fund/models-tide-runner; updated corresponding Pulumi exports; added lifecycle policy rule to expire git-* tagged images beyond 10 recent images. |
| Build Script Namespace Logic: maskfile.md | Introduced namespace detection: uses models namespace for models/${package_name}/Dockerfile, otherwise uses applications namespace; updated repository naming to include namespace as fund/${namespace}-${package_name}-${stage_name}; updated Pulumi model deploy output reference. |
| Docker Build Stage and Training Integration: models/tide/Dockerfile, infrastructure/training.py | Changed Docker build stage alias from model-runner to runner; updated ECS task definition to reference tide_runner_image_uri instead of tide_model_runner_image_uri. |
| CI/CD Workflow Configuration: .github/workflows/launch_infrastructure.yaml | Updated GitHub Actions workflow job matrix stage from model-runner to runner for the tide application. |
| Test Updates: libraries/python/tests/test_infrastructure_storage.py, models/tide/tests/test_deploy.py | Updated test assertions to match renamed ECR lifecycle policy resource key (tide_runner_repository_lifecycle) and image reference (.../fund/models-tide-runner:latest). |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the two main changes: updating ECR/Docker naming conventions and enabling cost anomaly detection, both of which are prominently reflected throughout the changeset. |

greptile-apps Bot (Contributor) commented Apr 15, 2026

Greptile Summary

This PR renames ECR repositories and Dockerfile stages to a namespace-prefixed convention (applications-<service>-<stage>, models-<service>-<stage>), updates all associated Pulumi exports and Mask commands, and adds a new AWS Cost Anomaly Detection monitor/subscription. The infrastructure, workflow, and test changes are internally consistent — but devenv.nix still references the old un-prefixed ECR repository names, which will cause the ecr-push development script to push to repositories that no longer exist after this change merges.

Confidence Score: 4/5

Safe to merge after fixing the stale ECR repo names in devenv.nix; all infrastructure changes are internally consistent.

One P1 finding: devenv.nix retains the old un-prefixed ECR repository names (fund/data-manager-server etc.) while storage.py now provisions fund/applications-data-manager-server etc. The ecr-push devenv script uses these values directly to build image URIs, so local image pushes will fail with a repository-not-found error. All other changed files are consistently updated.

devenv.nix — ecrRepo values at lines 11, 16, 21 need the applications- prefix added

Important Files Changed

| Filename | Overview |
|---|---|
| devenv.nix | ECR repo names in ecrRepo fields were not updated to match the new applications- prefixed naming convention; ecr-push will fail at runtime |
| infrastructure/notifications.py | Adds cost anomaly monitor and subscription with correct CE expression syntax (plural Dimensions key); prior review concerns addressed |
| infrastructure/storage.py | ECR repository names updated to namespace-prefixed convention and lifecycle policy extended with git-tagged image retention rule |
| infrastructure/__main__.py | Pulumi export names updated consistently to match new ECR naming convention |
| maskfile.md | build-and-push command updated with namespace-based repo naming; GHA cache scope updated to include namespace prefix |
| .github/workflows/launch_infrastructure.yaml | Tide build matrix stage renamed from model-runner to runner, consistent with Dockerfile stage rename |
| models/tide/Dockerfile | Final build stage renamed from model-runner to runner |
| libraries/python/tests/test_infrastructure_notifications.py | New test file covering cost anomaly monitor, subscription, and budget resources following existing string-based test pattern |
| libraries/python/tests/test_infrastructure_storage.py | Updated lifecycle policy assertion from tide_model_runner_repository_lifecycle to tide_runner_repository_lifecycle |
| models/tide/tests/test_deploy.py | Image URI in test updated from fund/tide-model-runner to fund/models-tide-runner |

Comments Outside Diff (1)

  1. devenv.nix, line 11-21

    P1 Stale ECR repository names not updated

    The ecrRepo values here still use the old repository names without the applications- namespace prefix. The ecr-push script at line 156 uses these values to build the full image URI and push to ECR, so running ecr-push after this PR merges will attempt to push to fund/data-manager-server, fund/ensemble-manager-server, and fund/portfolio-manager-server — repositories that no longer exist. The actual repos are now named fund/applications-data-manager-server, etc.

Reviews (2): Last reviewed commit: "Address PR #825 feedback: fix CE Express..."
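The stale-reference finding above can be caught mechanically. The following is an added example, not code from this PR or repository: it rebuilds the `fund/${namespace}-${package_name}-${stage_name}` convention and flags references that still use pre-rename names. The function names, the `is_model` flag and the reference inventory are hypothetical; the repository names are the ones quoted in the review.

```python
from __future__ import annotations

NAMESPACES = ("applications", "models")


def repository_name(package_name: str, stage_name: str, is_model: bool) -> str:
    """fund/${namespace}-${package_name}-${stage_name}; `is_model` stands in
    for the build script's models/${package_name}/Dockerfile check."""
    namespace = "models" if is_model else "applications"
    return f"fund/{namespace}-{package_name}-{stage_name}"


def find_stale_references(
    provisioned: set[str], referenced: dict[str, str]
) -> dict[str, str | None]:
    """Map each reference to an unprovisioned repository to the single
    provisioned name obtained by adding a namespace prefix, or to None when
    no unique candidate exists and the new name has to be chosen by hand."""
    stale: dict[str, str | None] = {}
    for location, name in referenced.items():
        if name in provisioned:
            continue
        root, _, rest = name.partition("/")
        candidates = [
            f"{root}/{ns}-{rest}"
            for ns in NAMESPACES
            if f"{root}/{ns}-{rest}" in provisioned
        ]
        stale[location] = candidates[0] if len(candidates) == 1 else None
    return stale


# Repositories after the rename, built from the names quoted in the review.
PROVISIONED = {
    repository_name("data-manager", "server", is_model=False),
    repository_name("ensemble-manager", "server", is_model=False),
    repository_name("portfolio-manager", "server", is_model=False),
    repository_name("tide", "runner", is_model=True),
}

# Constructed inventory of references; the location labels are hypothetical.
REFERENCED = {
    "devenv.nix:ecrRepo[0]": "fund/data-manager-server",
    "devenv.nix:ecrRepo[1]": "fund/ensemble-manager-server",
    "devenv.nix:ecrRepo[2]": "fund/portfolio-manager-server",
    "old-tide-reference": "fund/tide-model-runner",
    "maskfile.md": "fund/models-tide-runner",
}

if __name__ == "__main__":
    for where, fix in find_stale_references(PROVISIONED, REFERENCED).items():
        print(f"{where}: stale, suggested replacement: {fix or 'manual review'}")
```

The old Tide name gets no suggestion because its stage was renamed as well as prefixed, so a prefix-only rewrite cannot recover it.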

Copilot AI (Contributor) left a comment

Pull request overview

This PR standardizes Docker/ECR naming across models and applications and extends the Pulumi infrastructure stack to include AWS Cost Explorer anomaly detection notifications.

Changes:

  • Renames the Tide model Docker build stage/tagging from model-runner to runner and updates related references (tests, workflow matrix, Mask tasks).
  • Updates ECR repository naming to include a models- / applications- namespace prefix and renames corresponding Pulumi variables/exports.
  • Adds Cost Explorer anomaly monitor + subscription resources to the infrastructure notifications module.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 6 comments.

| File | Description |
|---|---|
| models/tide/tests/test_deploy.py | Updates expected ECR image URI to the new models-tide-runner repository name. |
| models/tide/Dockerfile | Renames the final build stage to runner to match the new convention. |
| maskfile.md | Updates image build/push logic to add models/applications namespace and updates Pulumi output key used for Tide deploys. |
| libraries/python/tests/test_infrastructure_storage.py | Updates assertions for renamed ECR lifecycle policy resource IDs. |
| infrastructure/training.py | Switches ECS task definition image reference to the renamed Tide image URI output. |
| infrastructure/storage.py | Adds lifecycle rule for tagged images and renames ECR repositories/resources for new naming convention. |
| infrastructure/notifications.py | Adds Cost Explorer anomaly monitor/subscription resources for cost anomaly detection. |
| infrastructure/__main__.py | Renames Pulumi exports for ECR image/repository outputs to match new naming convention. |
| .github/workflows/launch_infrastructure.yaml | Updates Tide build target stage from model-runner to runner. |

Comments suppressed due to low confidence (1)

maskfile.md:88

  • The repository_name now targets new ECR repositories (e.g. fund/models-tide-runner, fund/applications-*-server). In CI, the workflow runs the build/push job before pulumi up, so these repositories may not exist yet on the first run after this rename and docker buildx --push will fail. Ensure the repository exists before pushing (e.g., create it if missing in this script, or reorder the workflow so Pulumi provisions ECR before the build/push step).
repository_name="fund/${namespace}-${package_name}-${stage_name}"
image_reference="${aws_account_id}.dkr.ecr.${aws_region}.amazonaws.com/${repository_name}"

echo "Logging into ECR"
aws ecr get-login-password --region ${aws_region} | docker login \

coveralls (Collaborator) commented Apr 15, 2026

Coverage Status

coverage: 77.462% (+0.2%) from 77.252% — ecr-and-docker-naming-updates into master

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/launch_infrastructure.yaml:
- Around line 31-33: Update both paths-filter blocks so naming-only changes
trigger image rebuilds: add this workflow filename, maskfile.md, and
infrastructure/storage.py to the include list in the existing paths-filter that
controls the image jobs, and mirror the same additions in the deploy_images
job's paths-filter block so renames (e.g., the stage/application naming changes
such as "application: tide") cause the image jobs to run.

In `@infrastructure/notifications.py`:
- Around line 50-57: The threshold_expression JSON uses the wrong key
"Dimension" which causes Pulumi/AWS to reject the AnomalySubscription; update
the JSON under threshold_expression to use the plural key "Dimensions" instead
of "Dimension" and keep the same inner structure (Key, Values, MatchOptions) so
the AnomalySubscription creation succeeds; locate the threshold_expression
assignment in the code (the json.dumps block) and change the key to
"Dimensions".

In `@infrastructure/storage.py`:
- Around line 122-123: The ECR rename (changing repository name
"fund/applications-data-manager-server") must be performed as a staged migration
rather than an in-place change: first add and provision the new ECR resource(s)
(so Pulumi creates the new physical repositories) and backfill them by running
build_and_push_images to push images to the new repo(s); then update
producers/consumers to use the new repo names and add Pulumi aliases on the ECR
resource(s) in the infrastructure/storage.py resource declaration to preserve
state continuity during rename; only after consumers are switched and images are
verified, remove the old repository resources (avoiding force_delete
replacements that would delete existing images). Run pulumi preview --diff
against production before merging to confirm the replacement semantics.

📥 Commits

Reviewing files that changed from the base of the PR and between c1acfa0 and 9a19da5.

📒 Files selected for processing (9)
  • .github/workflows/launch_infrastructure.yaml
  • infrastructure/__main__.py
  • infrastructure/notifications.py
  • infrastructure/storage.py
  • infrastructure/training.py
  • libraries/python/tests/test_infrastructure_storage.py
  • maskfile.md
  • models/tide/Dockerfile
  • models/tide/tests/test_deploy.py

…tests

Fix "Dimension" (singular) to "Dimensions" (plural) in the AnomalySubscription
threshold_expression. The AWS Cost Explorer Expression API requires the plural
form; the singular key would cause the subscription to fail provisioning or fire
on every anomaly regardless of dollar impact.

Add test_infrastructure_notifications.py covering the cost anomaly monitor,
subscription, and budget resources, following the same string-based pattern
used by other infrastructure test modules.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@forstmeier forstmeier merged commit 2608402 into master Apr 15, 2026
14 checks passed
@forstmeier forstmeier deleted the ecr-and-docker-naming-updates branch April 15, 2026 01:47
@github-project-automation github-project-automation Bot moved this from In Progress to Done in Overview Apr 15, 2026
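
A lint for the threshold expression key corrected in the final commit, as an added example that is not code from this PR or repository. The PR's actual expression is not shown on the page, so the impact key, match option and sample expressions are assumptions based on the AWS Cost Explorer API, and the function names are hypothetical.

```python
import json
from difflib import get_close_matches

# Shape AWS documents for an AnomalySubscription threshold expression:
# And/Or nesting over Dimensions leaves keyed on an impact dimension.
ALLOWED_KEYS = ("And", "Or", "Dimensions")
IMPACT_KEYS = ("ANOMALY_TOTAL_IMPACT_ABSOLUTE", "ANOMALY_TOTAL_IMPACT_PERCENTAGE")


def _lint_leaf(leaf, path):
    if not isinstance(leaf, dict):
        return [f"{path}: expected an object"]
    problems = []
    if leaf.get("Key") not in IMPACT_KEYS:
        problems.append(f"{path}.Key: expected one of {', '.join(IMPACT_KEYS)}")
    if leaf.get("MatchOptions") != ["GREATER_THAN_OR_EQUAL"]:
        problems.append(f"{path}.MatchOptions: expected ['GREATER_THAN_OR_EQUAL']")
    values = leaf.get("Values")
    try:
        ok = (isinstance(values, list) and len(values) == 1
              and isinstance(values[0], str) and float(values[0]) >= 0)
    except ValueError:
        ok = False
    if not ok:
        problems.append(f"{path}.Values: expected one non-negative numeric string")
    return problems


def _lint_node(node, path):
    if not isinstance(node, dict) or not node:
        return [f"{path}: expected a non-empty object"]
    problems = []
    for key, value in node.items():
        here = f"{path}.{key}"
        if key not in ALLOWED_KEYS:
            # A near miss such as "Dimension" gets a concrete suggestion.
            hint = get_close_matches(key, ALLOWED_KEYS, n=1)
            suffix = f", did you mean '{hint[0]}'?" if hint else ""
            problems.append(f"{here}: unknown key{suffix}")
        elif key == "Dimensions":
            problems += _lint_leaf(value, here)
        elif not isinstance(value, list) or not value:
            problems.append(f"{here}: expected a non-empty list")
        else:
            for index, child in enumerate(value):
                problems += _lint_node(child, f"{here}[{index}]")
    return problems


def lint_threshold_expression(raw):
    """Return a list of problems; an empty list means the JSON is well formed."""
    try:
        return _lint_node(json.loads(raw), "$")
    except json.JSONDecodeError as error:
        return [f"$: invalid JSON ({error.msg})"]


def _sample(top_level_key):
    # Constructed sample expression for a $25 absolute-impact threshold.
    return json.dumps({top_level_key: {"Key": "ANOMALY_TOTAL_IMPACT_ABSOLUTE",
                                       "MatchOptions": ["GREATER_THAN_OR_EQUAL"],
                                       "Values": ["25"]}})


BEFORE_FIX = _sample("Dimension")
AFTER_FIX = _sample("Dimensions")
```

Running this over the `json.dumps` payload in a unit test surfaces the key typo before `pulumi up` reaches AWS.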