diff --git a/.github/ISSUE_TEMPLATE/bug-report.yml b/.github/ISSUE_TEMPLATE/bug-report.yml index c3843d23481d8..7512a919e56fb 100644 --- a/.github/ISSUE_TEMPLATE/bug-report.yml +++ b/.github/ISSUE_TEMPLATE/bug-report.yml @@ -20,6 +20,21 @@ body: description: What is the problem? A clear and concise description of the bug. validations: required: true + - type: checkboxes + id: regression + attributes: + label: Regression Issue + description: What is a regression? If it worked in a previous version but doesn’t in the latest version, it’s considered a regression. In this case, please provide specific version number in the report. + options: + - label: Select this option if this issue appears to be a regression. + required: false + - type: input + id: working-version + attributes: + label: Last Known Working CDK Version + description: Specify the last known CDK version where this code was functioning as expected (if applicable). + validations: + required: false - type: textarea id: expected attributes: diff --git a/.github/workflows/issue-regression-labeler.yml b/.github/workflows/issue-regression-labeler.yml new file mode 100644 index 0000000000000..bd000719d101b --- /dev/null +++ b/.github/workflows/issue-regression-labeler.yml @@ -0,0 +1,32 @@ +# Apply potential regression label on issues +name: issue-regression-label +on: + issues: + types: [opened, edited] +jobs: + add-regression-label: + runs-on: ubuntu-latest + permissions: + issues: write + steps: + - name: Fetch template body + id: check_regression + uses: actions/github-script@v7 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + TEMPLATE_BODY: ${{ github.event.issue.body }} + with: + script: | + const regressionPattern = /\[x\] Select this option if this issue appears to be a regression\./i; + const template = `${process.env.TEMPLATE_BODY}` + const match = regressionPattern.test(template); + core.setOutput('is_regression', match); + - name: Manage regression label + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + if [ "${{ steps.check_regression.outputs.is_regression }}" == "true" ]; then + gh issue edit ${{ github.event.issue.number }} --add-label "potential-regression" -R ${{ github.repository }} + else + gh issue edit ${{ github.event.issue.number }} --remove-label "potential-regression" -R ${{ github.repository }} + fi diff --git a/.github/workflows/request-cli-integ-test.yml b/.github/workflows/request-cli-integ-test.yml index a75209adcfb84..e1148002e2481 100644 --- a/.github/workflows/request-cli-integ-test.yml +++ b/.github/workflows/request-cli-integ-test.yml @@ -19,7 +19,7 @@ jobs: persist-credentials: false - name: Find changed cli files id: changed-cli-files - uses: tj-actions/changed-files@6b2903bdce6310cfbddd87c418f253cf29b2dec9 + uses: tj-actions/changed-files@c65cd883420fd2eb864698a825fc4162dd94482c with: base_sha: ${{ github.event.pull_request.base.sha }} files_yaml: | @@ -27,13 +27,6 @@ jobs: - packages/aws-cdk/bin/** - packages/aws-cdk/lib/** - packages/aws-cdk/test/** - - packages/cdk-assets/bin/** - - packages/cdk-assets/lib/** - - packages/cdk-assets/test/** - - packages/aws-cdk-lib/cloud-assembly-schema/lib/** - - packages/aws-cdk-lib/cloud-assembly-schema/schema/** - - packages/aws-cdk-lib/cloud-assembly-schema/scripts/** - - packages/aws-cdk-lib/cloud-assembly-schema/test/** - packages/@aws-cdk/cloudformation-diff/lib/** - packages/@aws-cdk/cloudformation-diff/test/** - packages/@aws-cdk-testing/cli-integ/bin/** diff --git a/CHANGELOG.v2.alpha.md b/CHANGELOG.v2.alpha.md index 94457cf9680b6..47daad06b72ef 100644 --- a/CHANGELOG.v2.alpha.md +++ b/CHANGELOG.v2.alpha.md @@ -2,6 +2,10 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [2.152.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.151.1-alpha.0...v2.152.0-alpha.0) (2024-08-14) + +## [2.151.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.151.0-alpha.0...v2.151.1-alpha.0) (2024-08-14) + ## [2.151.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.150.0-alpha.0...v2.151.0-alpha.0) (2024-08-01) diff --git a/CHANGELOG.v2.md b/CHANGELOG.v2.md index 267f5ddf5f99a..072c1c8adad4b 100644 --- a/CHANGELOG.v2.md +++ b/CHANGELOG.v2.md @@ -2,6 +2,20 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [2.152.0](https://github.com/aws/aws-cdk/compare/v2.151.1...v2.152.0) (2024-08-14) + + +### Features + +* **lambda:** support filter criteria encryption ([6aa72a2](https://github.com/aws/aws-cdk/commit/6aa72a215859ab96e9fd8b4ccee0d40bda753200)) + +## [2.151.1](https://github.com/aws/aws-cdk/compare/v2.151.0...v2.151.1) (2024-08-14) + + +### Reverts + +* feat(ecs): add validation checks to memory cpu combinations of FARGATE compatible task definitions ([#31110](https://github.com/aws/aws-cdk/issues/31110)) ([8fdf015](https://github.com/aws/aws-cdk/commit/8fdf015fdc310d6d62cec31b6d89e1ff1decb8b6)) + ## [2.151.0](https://github.com/aws/aws-cdk/compare/v2.150.0...v2.151.0) (2024-08-01) diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md index 5d85f5628d34b..a85d24901e71d 100644 --- a/CONTRIBUTORS.md +++ b/CONTRIBUTORS.md @@ -12,11 +12,11 @@ Shout out to our top contributors! - [shivlaks](https://github.com/shivlaks) - [otaviomacedo](https://github.com/otaviomacedo) - [mrgrain](https://github.com/mrgrain) -- [madeline-k](https://github.com/madeline-k) - [pahud](https://github.com/pahud) +- [madeline-k](https://github.com/madeline-k) - [comcalvi](https://github.com/comcalvi) -- [NetaNir](https://github.com/NetaNir) - [TheRealAmazonKendra](https://github.com/TheRealAmazonKendra) +- [NetaNir](https://github.com/NetaNir) - [robertd](https://github.com/robertd) - [MrArnoldPalmer](https://github.com/MrArnoldPalmer) - [go-to-k](https://github.com/go-to-k) @@ -24,9 +24,9 @@ Shout out to our top contributors! - [peterwoodworth](https://github.com/peterwoodworth) - [colifran](https://github.com/colifran) - [msambol](https://github.com/msambol) -- [nija-at](https://github.com/nija-at) - [watany-dev](https://github.com/watany-dev) +- [nija-at](https://github.com/nija-at) - [hoegertn](https://github.com/hoegertn) -_Last updated: Mon, 01 Jul 24 00:11:02 +0000_ \ No newline at end of file +_Last updated: Thu, 01 Aug 24 00:10:57 +0000_ \ No newline at end of file diff --git a/lerna.json b/lerna.json index 9a431094ac9a7..45baeccd2d79d 100644 --- a/lerna.json +++ b/lerna.json @@ -2,7 +2,6 @@ "npmClient": "yarn", "packages": [ "packages/aws-cdk-lib", - "packages/cdk-assets", "packages/aws-cdk", "packages/cdk", "packages/@aws-cdk/*", @@ -25,4 +24,4 @@ "rejectCycles": true, "version": "0.0.0", "$schema": "node_modules/lerna/schemas/lerna-schema.json" -} +} \ No newline at end of file diff --git a/package.json b/package.json index 4b07be0640957..f51133d9ca754 100644 --- a/package.json +++ b/package.json @@ -25,9 +25,9 @@ "fs-extra": "^9.1.0", "graceful-fs": "^4.2.11", "jest-junit": "^13.2.0", - "jsii-diff": "1.101.0", - "jsii-pacmak": "1.101.0", - "jsii-reflect": "1.101.0", + "jsii-diff": "1.102.0", + "jsii-pacmak": "1.102.0", + "jsii-reflect": "1.102.0", "lerna": "^8.1.5", "nx": "^19.4.0", "patch-package": "^6.5.1", @@ -72,7 +72,6 @@ "packages/aws-cdk-lib", "packages/aws-cdk", "packages/cdk", - "packages/cdk-assets", "packages/@aws-cdk/*", "packages/awslint", "packages/@aws-cdk-testing/*", diff --git a/packages/@aws-cdk-testing/cli-integ/tests/cli-integ-tests/cli.integtest.ts b/packages/@aws-cdk-testing/cli-integ/tests/cli-integ-tests/cli.integtest.ts index f323110eecfa4..609cf50d297c6 100644 --- a/packages/@aws-cdk-testing/cli-integ/tests/cli-integ-tests/cli.integtest.ts +++ b/packages/@aws-cdk-testing/cli-integ/tests/cli-integ-tests/cli.integtest.ts @@ -102,6 +102,12 @@ integTest('cdk synth', withDefaultFixture(async (fixture) => { }, })); + expect(await fixture.cdkSynth({ + options: [fixture.fullStackName('test-1')], + })).not.toEqual(expect.stringContaining(` +Rules: + CheckBootstrapVersion:`)); + await fixture.cdk(['synth', fixture.fullStackName('test-2')], { verbose: false }); expect(fixture.template('test-2')).toEqual(expect.objectContaining({ Resources: { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/aws-ecs-fargate-task-def.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/aws-ecs-fargate-task-def.template.json deleted file mode 100644 index 17d20d29f57ef..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/aws-ecs-fargate-task-def.template.json +++ /dev/null @@ -1,87 +0,0 @@ -{ - "Resources": { - "TaskDefTaskRole1EDB4A67": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "ecs-tasks.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TaskDef54694570": { - "Type": "AWS::ECS::TaskDefinition", - "Properties": { - "ContainerDefinitions": [ - { - "Essential": true, - "Image": "amazon/amazon-ecs-sample", - "Name": "SampleContainer", - "PortMappings": [ - { - "ContainerPort": 80, - "HostPort": 80, - "Protocol": "tcp" - } - ] - } - ], - "Cpu": "256", - "Family": "awsecsfargatetaskdefTaskDef69F258AC", - "Memory": "512", - "NetworkMode": "awsvpc", - "RequiresCompatibilities": [ - "FARGATE" - ], - "TaskRoleArn": { - "Fn::GetAtt": [ - "TaskDefTaskRole1EDB4A67", - "Arn" - ] - } - } - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/integ.json deleted file mode 100644 index 1a97105790686..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/integ.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "version": "36.0.0", - "testCases": { - "FargateTaskDefinition/DefaultTest": { - "stacks": [ - "aws-ecs-fargate-task-def" - ], - "assertionStack": "FargateTaskDefinition/DefaultTest/DeployAssert", - "assertionStackName": "FargateTaskDefinitionDefaultTestDeployAssertD76B1D35" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/tree.json deleted file mode 100644 index 063f35b7938f7..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/tree.json +++ /dev/null @@ -1,202 +0,0 @@ -{ - "version": "tree-0.1", - "tree": { - "id": "App", - "path": "", - "children": { - "aws-ecs-fargate-task-def": { - "id": "aws-ecs-fargate-task-def", - "path": "aws-ecs-fargate-task-def", - "children": { - "TaskDef": { - "id": "TaskDef", - "path": "aws-ecs-fargate-task-def/TaskDef", - "children": { - "TaskRole": { - "id": "TaskRole", - "path": "aws-ecs-fargate-task-def/TaskDef/TaskRole", - "children": { - "ImportTaskRole": { - "id": "ImportTaskRole", - "path": "aws-ecs-fargate-task-def/TaskDef/TaskRole/ImportTaskRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "aws-ecs-fargate-task-def/TaskDef/TaskRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "ecs-tasks.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "aws-ecs-fargate-task-def/TaskDef/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::ECS::TaskDefinition", - "aws:cdk:cloudformation:props": { - "containerDefinitions": [ - { - "essential": true, - "image": "amazon/amazon-ecs-sample", - "name": "SampleContainer", - "portMappings": [ - { - "containerPort": 80, - "hostPort": 80, - "protocol": "tcp" - } - ] - } - ], - "cpu": "256", - "family": "awsecsfargatetaskdefTaskDef69F258AC", - "memory": "512", - "networkMode": "awsvpc", - "requiresCompatibilities": [ - "FARGATE" - ], - "taskRoleArn": { - "Fn::GetAtt": [ - "TaskDefTaskRole1EDB4A67", - "Arn" - ] - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ecs.CfnTaskDefinition", - "version": "0.0.0" - } - }, - "SampleContainer": { - "id": "SampleContainer", - "path": "aws-ecs-fargate-task-def/TaskDef/SampleContainer", - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ecs.ContainerDefinition", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ecs.FargateTaskDefinition", - "version": "0.0.0" - } - }, - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "aws-ecs-fargate-task-def/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "aws-ecs-fargate-task-def/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - }, - "FargateTaskDefinition": { - "id": "FargateTaskDefinition", - "path": "FargateTaskDefinition", - "children": { - "DefaultTest": { - "id": "DefaultTest", - "path": "FargateTaskDefinition/DefaultTest", - "children": { - "Default": { - "id": "Default", - "path": "FargateTaskDefinition/DefaultTest/Default", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "DeployAssert": { - "id": "DeployAssert", - "path": "FargateTaskDefinition/DefaultTest/DeployAssert", - "children": { - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "FargateTaskDefinition/DefaultTest/DeployAssert/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "FargateTaskDefinition/DefaultTest/DeployAssert/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", - "version": "0.0.0" - } - }, - "Tree": { - "id": "Tree", - "path": "Tree", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.App", - "version": "0.0.0" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.ts deleted file mode 100644 index 46be63397f340..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.ts +++ /dev/null @@ -1,25 +0,0 @@ -import * as cdk from 'aws-cdk-lib'; -import * as ecs from 'aws-cdk-lib/aws-ecs'; -import { IntegTest } from '@aws-cdk/integ-tests-alpha'; - -const app = new cdk.App(); -const stack = new cdk.Stack(app, 'aws-ecs-fargate-task-def'); - -const taskDefinition = new ecs.FargateTaskDefinition(stack, 'TaskDef', { - cpu: 256, - memoryLimitMiB: 512, -}); - -taskDefinition.addContainer('SampleContainer', { - image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'), - essential: true, - portMappings: [ - { containerPort: 80, hostPort: 80, protocol: ecs.Protocol.TCP }, - ], -}); - -new IntegTest(app, 'FargateTaskDefinition', { - testCases: [stack], -}); - -app.synth(); \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/aws-ecs-task-def.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/aws-ecs-task-def.template.json deleted file mode 100644 index 9b0e24807ea39..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/aws-ecs-task-def.template.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "Resources": { - "TaskDefTaskRole1EDB4A67": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "ecs-tasks.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TaskDef54694570": { - "Type": "AWS::ECS::TaskDefinition", - "Properties": { - "ContainerDefinitions": [ - { - "Essential": true, - "Image": "amazon/amazon-ecs-sample", - "Name": "SampleContainer", - "PortMappings": [ - { - "ContainerPort": 80, - "HostPort": 80, - "Protocol": "tcp" - } - ] - } - ], - "Cpu": "256", - "Family": "awsecstaskdefTaskDefDBCEF036", - "Memory": "512", - "NetworkMode": "awsvpc", - "RequiresCompatibilities": [ - "EC2", - "FARGATE" - ], - "TaskRoleArn": { - "Fn::GetAtt": [ - "TaskDefTaskRole1EDB4A67", - "Arn" - ] - } - } - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/integ.json deleted file mode 100644 index d996244d1508f..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/integ.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "version": "36.0.0", - "testCases": { - "TaskDefinition/DefaultTest": { - "stacks": [ - "aws-ecs-task-def" - ], - "assertionStack": "TaskDefinition/DefaultTest/DeployAssert", - "assertionStackName": "TaskDefinitionDefaultTestDeployAssertF13B2133" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/tree.json deleted file mode 100644 index e2a89e9602c30..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/tree.json +++ /dev/null @@ -1,203 +0,0 @@ -{ - "version": "tree-0.1", - "tree": { - "id": "App", - "path": "", - "children": { - "aws-ecs-task-def": { - "id": "aws-ecs-task-def", - "path": "aws-ecs-task-def", - "children": { - "TaskDef": { - "id": "TaskDef", - "path": "aws-ecs-task-def/TaskDef", - "children": { - "TaskRole": { - "id": "TaskRole", - "path": "aws-ecs-task-def/TaskDef/TaskRole", - "children": { - "ImportTaskRole": { - "id": "ImportTaskRole", - "path": "aws-ecs-task-def/TaskDef/TaskRole/ImportTaskRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "aws-ecs-task-def/TaskDef/TaskRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "ecs-tasks.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "aws-ecs-task-def/TaskDef/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::ECS::TaskDefinition", - "aws:cdk:cloudformation:props": { - "containerDefinitions": [ - { - "essential": true, - "image": "amazon/amazon-ecs-sample", - "name": "SampleContainer", - "portMappings": [ - { - "containerPort": 80, - "hostPort": 80, - "protocol": "tcp" - } - ] - } - ], - "cpu": "256", - "family": "awsecstaskdefTaskDefDBCEF036", - "memory": "512", - "networkMode": "awsvpc", - "requiresCompatibilities": [ - "EC2", - "FARGATE" - ], - "taskRoleArn": { - "Fn::GetAtt": [ - "TaskDefTaskRole1EDB4A67", - "Arn" - ] - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ecs.CfnTaskDefinition", - "version": "0.0.0" - } - }, - "SampleContainer": { - "id": "SampleContainer", - "path": "aws-ecs-task-def/TaskDef/SampleContainer", - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ecs.ContainerDefinition", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ecs.TaskDefinition", - "version": "0.0.0" - } - }, - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "aws-ecs-task-def/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "aws-ecs-task-def/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - }, - "TaskDefinition": { - "id": "TaskDefinition", - "path": "TaskDefinition", - "children": { - "DefaultTest": { - "id": "DefaultTest", - "path": "TaskDefinition/DefaultTest", - "children": { - "Default": { - "id": "Default", - "path": "TaskDefinition/DefaultTest/Default", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "DeployAssert": { - "id": "DeployAssert", - "path": "TaskDefinition/DefaultTest/DeployAssert", - "children": { - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "TaskDefinition/DefaultTest/DeployAssert/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "TaskDefinition/DefaultTest/DeployAssert/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", - "version": "0.0.0" - } - }, - "Tree": { - "id": "Tree", - "path": "Tree", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.App", - "version": "0.0.0" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.ts deleted file mode 100644 index e9f4780343816..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.ts +++ /dev/null @@ -1,26 +0,0 @@ -import * as cdk from 'aws-cdk-lib'; -import * as ecs from 'aws-cdk-lib/aws-ecs'; -import { IntegTest } from '@aws-cdk/integ-tests-alpha'; - -const app = new cdk.App(); -const stack = new cdk.Stack(app, 'aws-ecs-task-def'); - -const taskDefinition = new ecs.TaskDefinition(stack, 'TaskDef', { - compatibility: ecs.Compatibility.EC2_AND_FARGATE, - cpu: '256', - memoryMiB: '512', -}); - -taskDefinition.addContainer('SampleContainer', { - image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'), - essential: true, - portMappings: [ - { containerPort: 80, hostPort: 80, protocol: ecs.Protocol.TCP }, - ], -}); - -new IntegTest(app, 'TaskDefinition', { - testCases: [stack], -}); - -app.synth(); \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/TaskDefinitionDefaultTestDeployAssertF13B2133.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2-targets/test/integ.alb-listner-target.js.snapshot/IntegDefaultTestDeployAssert4E6713E1.assets.json similarity index 88% rename from packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/TaskDefinitionDefaultTestDeployAssertF13B2133.assets.json rename to packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2-targets/test/integ.alb-listner-target.js.snapshot/IntegDefaultTestDeployAssert4E6713E1.assets.json index c36858976d347..2af610f0d4a39 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/TaskDefinitionDefaultTestDeployAssertF13B2133.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2-targets/test/integ.alb-listner-target.js.snapshot/IntegDefaultTestDeployAssert4E6713E1.assets.json @@ -3,7 +3,7 @@ "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { - "path": "TaskDefinitionDefaultTestDeployAssertF13B2133.template.json", + "path": "IntegDefaultTestDeployAssert4E6713E1.template.json", "packaging": "file" }, "destinations": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/FargateTaskDefinitionDefaultTestDeployAssertD76B1D35.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2-targets/test/integ.alb-listner-target.js.snapshot/IntegDefaultTestDeployAssert4E6713E1.template.json similarity index 100% rename from packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/FargateTaskDefinitionDefaultTestDeployAssertD76B1D35.template.json rename to packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2-targets/test/integ.alb-listner-target.js.snapshot/IntegDefaultTestDeployAssert4E6713E1.template.json diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2-targets/test/integ.alb-listner-target.js.snapshot/cdk.out similarity index 100% rename from packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/cdk.out rename to packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2-targets/test/integ.alb-listner-target.js.snapshot/cdk.out diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2-targets/test/integ.alb-listner-target.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2-targets/test/integ.alb-listner-target.js.snapshot/integ.json new file mode 100644 index 0000000000000..2c45ac2312a61 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2-targets/test/integ.alb-listner-target.js.snapshot/integ.json @@ -0,0 +1,12 @@ +{ + "version": "36.0.0", + "testCases": { + "Integ/DefaultTest": { + "stacks": [ + "nlb-alb-listner-stack" + ], + "assertionStack": "Integ/DefaultTest/DeployAssert", + "assertionStackName": "IntegDefaultTestDeployAssert4E6713E1" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2-targets/test/integ.alb-listner-target.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2-targets/test/integ.alb-listner-target.js.snapshot/manifest.json new file mode 100644 index 0000000000000..396335d45801d --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2-targets/test/integ.alb-listner-target.js.snapshot/manifest.json @@ -0,0 +1,281 @@ +{ + "version": "36.0.0", + "artifacts": { + "nlb-alb-listner-stack.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "nlb-alb-listner-stack.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "nlb-alb-listner-stack": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "nlb-alb-listner-stack.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/24394092400f6a02c210490a7acaf10236a1fa2c0101836651065d233e2d2c44.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "nlb-alb-listner-stack.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "nlb-alb-listner-stack.assets" + ], + "metadata": { + "/nlb-alb-listner-stack/VPC/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCB9E5F0B4" + } + ], + "/nlb-alb-listner-stack/VPC/PublicSubnet1/Subnet": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPublicSubnet1SubnetB4246D30" + } + ], + "/nlb-alb-listner-stack/VPC/PublicSubnet1/RouteTable": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPublicSubnet1RouteTableFEE4B781" + } + ], + "/nlb-alb-listner-stack/VPC/PublicSubnet1/RouteTableAssociation": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPublicSubnet1RouteTableAssociation0B0896DC" + } + ], + "/nlb-alb-listner-stack/VPC/PublicSubnet1/DefaultRoute": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPublicSubnet1DefaultRoute91CEF279" + } + ], + "/nlb-alb-listner-stack/VPC/PublicSubnet1/EIP": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPublicSubnet1EIP6AD938E8" + } + ], + "/nlb-alb-listner-stack/VPC/PublicSubnet1/NATGateway": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPublicSubnet1NATGatewayE0556630" + } + ], + "/nlb-alb-listner-stack/VPC/PublicSubnet2/Subnet": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPublicSubnet2Subnet74179F39" + } + ], + "/nlb-alb-listner-stack/VPC/PublicSubnet2/RouteTable": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPublicSubnet2RouteTable6F1A15F1" + } + ], + "/nlb-alb-listner-stack/VPC/PublicSubnet2/RouteTableAssociation": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPublicSubnet2RouteTableAssociation5A808732" + } + ], + "/nlb-alb-listner-stack/VPC/PublicSubnet2/DefaultRoute": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPublicSubnet2DefaultRouteB7481BBA" + } + ], + "/nlb-alb-listner-stack/VPC/PublicSubnet2/EIP": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPublicSubnet2EIP4947BC00" + } + ], + "/nlb-alb-listner-stack/VPC/PublicSubnet2/NATGateway": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPublicSubnet2NATGateway3C070193" + } + ], + "/nlb-alb-listner-stack/VPC/PrivateSubnet1/Subnet": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPrivateSubnet1Subnet8BCA10E0" + } + ], + "/nlb-alb-listner-stack/VPC/PrivateSubnet1/RouteTable": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPrivateSubnet1RouteTableBE8A6027" + } + ], + "/nlb-alb-listner-stack/VPC/PrivateSubnet1/RouteTableAssociation": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPrivateSubnet1RouteTableAssociation347902D1" + } + ], + "/nlb-alb-listner-stack/VPC/PrivateSubnet1/DefaultRoute": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPrivateSubnet1DefaultRouteAE1D6490" + } + ], + "/nlb-alb-listner-stack/VPC/PrivateSubnet2/Subnet": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPrivateSubnet2SubnetCFCDAA7A" + } + ], + "/nlb-alb-listner-stack/VPC/PrivateSubnet2/RouteTable": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPrivateSubnet2RouteTable0A19E10E" + } + ], + "/nlb-alb-listner-stack/VPC/PrivateSubnet2/RouteTableAssociation": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPrivateSubnet2RouteTableAssociation0C73D413" + } + ], + "/nlb-alb-listner-stack/VPC/PrivateSubnet2/DefaultRoute": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPrivateSubnet2DefaultRouteF4F5CFD2" + } + ], + "/nlb-alb-listner-stack/VPC/IGW": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCIGWB7E252D3" + } + ], + "/nlb-alb-listner-stack/VPC/VPCGW": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCVPCGW99B986DC" + } + ], + "/nlb-alb-listner-stack/ALB/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ALBAEE750D2" + } + ], + "/nlb-alb-listner-stack/ALB/SecurityGroup/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ALBSecurityGroup8B8624F8" + } + ], + "/nlb-alb-listner-stack/ALB/ALBListener/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ALBALBListenerDB80B4FD" + } + ], + "/nlb-alb-listner-stack/NLB/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "NLB55158F82" + } + ], + "/nlb-alb-listner-stack/NLB/Listener/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "NLBListener96C8170F" + } + ], + "/nlb-alb-listner-stack/NLB/Listener/TargetsGroup/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "NLBListenerTargetsGroupB42DD77B" + } + ], + "/nlb-alb-listner-stack/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/nlb-alb-listner-stack/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "nlb-alb-listner-stack" + }, + "IntegDefaultTestDeployAssert4E6713E1.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "IntegDefaultTestDeployAssert4E6713E1.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "IntegDefaultTestDeployAssert4E6713E1": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "IntegDefaultTestDeployAssert4E6713E1.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "IntegDefaultTestDeployAssert4E6713E1.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "IntegDefaultTestDeployAssert4E6713E1.assets" + ], + "metadata": { + "/Integ/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/Integ/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "Integ/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/aws-ecs-task-def.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2-targets/test/integ.alb-listner-target.js.snapshot/nlb-alb-listner-stack.assets.json similarity index 66% rename from packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/aws-ecs-task-def.assets.json rename to packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2-targets/test/integ.alb-listner-target.js.snapshot/nlb-alb-listner-stack.assets.json index 0c6a62c1ef756..ea7fdc5da45ba 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/aws-ecs-task-def.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2-targets/test/integ.alb-listner-target.js.snapshot/nlb-alb-listner-stack.assets.json @@ -1,15 +1,15 @@ { "version": "36.0.0", "files": { - "69e8cabd26b07a22fe937a35822c9447fa44ce785d99d44da971c9f953f701da": { + "24394092400f6a02c210490a7acaf10236a1fa2c0101836651065d233e2d2c44": { "source": { - "path": "aws-ecs-task-def.template.json", + "path": "nlb-alb-listner-stack.template.json", "packaging": "file" }, "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "69e8cabd26b07a22fe937a35822c9447fa44ce785d99d44da971c9f953f701da.json", + "objectKey": "24394092400f6a02c210490a7acaf10236a1fa2c0101836651065d233e2d2c44.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2-targets/test/integ.alb-listner-target.js.snapshot/nlb-alb-listner-stack.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2-targets/test/integ.alb-listner-target.js.snapshot/nlb-alb-listner-stack.template.json new file mode 100644 index 0000000000000..f68b564ec2c22 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2-targets/test/integ.alb-listner-target.js.snapshot/nlb-alb-listner-stack.template.json @@ -0,0 +1,564 @@ +{ + "Resources": { + "VPCB9E5F0B4": { + "Type": "AWS::EC2::VPC", + "Properties": { + "CidrBlock": "10.0.0.0/16", + "EnableDnsHostnames": true, + "EnableDnsSupport": true, + "InstanceTenancy": "default", + "Tags": [ + { + "Key": "Name", + "Value": "nlb-alb-listner-stack/VPC" + } + ] + } + }, + "VPCPublicSubnet1SubnetB4246D30": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "AvailabilityZone": { + "Fn::Select": [ + 0, + { + "Fn::GetAZs": "" + } + ] + }, + "CidrBlock": "10.0.0.0/18", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public" + }, + { + "Key": "Name", + "Value": "nlb-alb-listner-stack/VPC/PublicSubnet1" + } + ], + "VpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "VPCPublicSubnet1RouteTableFEE4B781": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "nlb-alb-listner-stack/VPC/PublicSubnet1" + } + ], + "VpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "VPCPublicSubnet1RouteTableAssociation0B0896DC": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VPCPublicSubnet1RouteTableFEE4B781" + }, + "SubnetId": { + "Ref": "VPCPublicSubnet1SubnetB4246D30" + } + } + }, + "VPCPublicSubnet1DefaultRoute91CEF279": { + "Type": "AWS::EC2::Route", + "Properties": { + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VPCIGWB7E252D3" + }, + "RouteTableId": { + "Ref": "VPCPublicSubnet1RouteTableFEE4B781" + } + }, + "DependsOn": [ + "VPCVPCGW99B986DC" + ] + }, + "VPCPublicSubnet1EIP6AD938E8": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc", + "Tags": [ + { + "Key": "Name", + "Value": "nlb-alb-listner-stack/VPC/PublicSubnet1" + } + ] + } + }, + "VPCPublicSubnet1NATGatewayE0556630": { + "Type": "AWS::EC2::NatGateway", + "Properties": { + "AllocationId": { + "Fn::GetAtt": [ + "VPCPublicSubnet1EIP6AD938E8", + "AllocationId" + ] + }, + "SubnetId": { + "Ref": "VPCPublicSubnet1SubnetB4246D30" + }, + "Tags": [ + { + "Key": "Name", + "Value": "nlb-alb-listner-stack/VPC/PublicSubnet1" + } + ] + }, + "DependsOn": [ + "VPCPublicSubnet1DefaultRoute91CEF279", + "VPCPublicSubnet1RouteTableAssociation0B0896DC" + ] + }, + "VPCPublicSubnet2Subnet74179F39": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "AvailabilityZone": { + "Fn::Select": [ + 1, + { + "Fn::GetAZs": "" + } + ] + }, + "CidrBlock": "10.0.64.0/18", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public" + }, + { + "Key": "Name", + "Value": "nlb-alb-listner-stack/VPC/PublicSubnet2" + } + ], + "VpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "VPCPublicSubnet2RouteTable6F1A15F1": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "nlb-alb-listner-stack/VPC/PublicSubnet2" + } + ], + "VpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "VPCPublicSubnet2RouteTableAssociation5A808732": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VPCPublicSubnet2RouteTable6F1A15F1" + }, + "SubnetId": { + "Ref": "VPCPublicSubnet2Subnet74179F39" + } + } + }, + "VPCPublicSubnet2DefaultRouteB7481BBA": { + "Type": "AWS::EC2::Route", + "Properties": { + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VPCIGWB7E252D3" + }, + "RouteTableId": { + "Ref": "VPCPublicSubnet2RouteTable6F1A15F1" + } + }, + "DependsOn": [ + "VPCVPCGW99B986DC" + ] + }, + "VPCPublicSubnet2EIP4947BC00": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc", + "Tags": [ + { + "Key": "Name", + "Value": "nlb-alb-listner-stack/VPC/PublicSubnet2" + } + ] + } + }, + "VPCPublicSubnet2NATGateway3C070193": { + "Type": "AWS::EC2::NatGateway", + "Properties": { + "AllocationId": { + "Fn::GetAtt": [ + "VPCPublicSubnet2EIP4947BC00", + "AllocationId" + ] + }, + "SubnetId": { + "Ref": "VPCPublicSubnet2Subnet74179F39" + }, + "Tags": [ + { + "Key": "Name", + "Value": "nlb-alb-listner-stack/VPC/PublicSubnet2" + } + ] + }, + "DependsOn": [ + "VPCPublicSubnet2DefaultRouteB7481BBA", + "VPCPublicSubnet2RouteTableAssociation5A808732" + ] + }, + "VPCPrivateSubnet1Subnet8BCA10E0": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "AvailabilityZone": { + "Fn::Select": [ + 0, + { + "Fn::GetAZs": "" + } + ] + }, + "CidrBlock": "10.0.128.0/18", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Private" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Private" + }, + { + "Key": "Name", + "Value": "nlb-alb-listner-stack/VPC/PrivateSubnet1" + } + ], + "VpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "VPCPrivateSubnet1RouteTableBE8A6027": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "nlb-alb-listner-stack/VPC/PrivateSubnet1" + } + ], + "VpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "VPCPrivateSubnet1RouteTableAssociation347902D1": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VPCPrivateSubnet1RouteTableBE8A6027" + }, + "SubnetId": { + "Ref": "VPCPrivateSubnet1Subnet8BCA10E0" + } + } + }, + "VPCPrivateSubnet1DefaultRouteAE1D6490": { + "Type": "AWS::EC2::Route", + "Properties": { + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "VPCPublicSubnet1NATGatewayE0556630" + }, + "RouteTableId": { + "Ref": "VPCPrivateSubnet1RouteTableBE8A6027" + } + } + }, + "VPCPrivateSubnet2SubnetCFCDAA7A": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "AvailabilityZone": { + "Fn::Select": [ + 1, + { + "Fn::GetAZs": "" + } + ] + }, + "CidrBlock": "10.0.192.0/18", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Private" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Private" + }, + { + "Key": "Name", + "Value": "nlb-alb-listner-stack/VPC/PrivateSubnet2" + } + ], + "VpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "VPCPrivateSubnet2RouteTable0A19E10E": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "nlb-alb-listner-stack/VPC/PrivateSubnet2" + } + ], + "VpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "VPCPrivateSubnet2RouteTableAssociation0C73D413": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VPCPrivateSubnet2RouteTable0A19E10E" + }, + "SubnetId": { + "Ref": "VPCPrivateSubnet2SubnetCFCDAA7A" + } + } + }, + "VPCPrivateSubnet2DefaultRouteF4F5CFD2": { + "Type": "AWS::EC2::Route", + "Properties": { + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "VPCPublicSubnet2NATGateway3C070193" + }, + "RouteTableId": { + "Ref": "VPCPrivateSubnet2RouteTable0A19E10E" + } + } + }, + "VPCIGWB7E252D3": { + "Type": "AWS::EC2::InternetGateway", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "nlb-alb-listner-stack/VPC" + } + ] + } + }, + "VPCVPCGW99B986DC": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "InternetGatewayId": { + "Ref": "VPCIGWB7E252D3" + }, + "VpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "ALBAEE750D2": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Properties": { + "LoadBalancerAttributes": [ + { + "Key": "deletion_protection.enabled", + "Value": "false" + } + ], + "Scheme": "internal", + "SecurityGroups": [ + { + "Fn::GetAtt": [ + "ALBSecurityGroup8B8624F8", + "GroupId" + ] + } + ], + "Subnets": [ + { + "Ref": "VPCPrivateSubnet1Subnet8BCA10E0" + }, + { + "Ref": "VPCPrivateSubnet2SubnetCFCDAA7A" + } + ], + "Type": "application" + } + }, + "ALBSecurityGroup8B8624F8": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Automatically created Security Group for ELB nlbalblistnerstackALBE6EE71F4", + "SecurityGroupEgress": [ + { + "CidrIp": "255.255.255.255/32", + "Description": "Disallow all traffic", + "FromPort": 252, + "IpProtocol": "icmp", + "ToPort": 86 + } + ], + "SecurityGroupIngress": [ + { + "CidrIp": "0.0.0.0/0", + "Description": "Allow from anyone on port 80", + "FromPort": 80, + "IpProtocol": "tcp", + "ToPort": 80 + } + ], + "VpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "ALBALBListenerDB80B4FD": { + "Type": "AWS::ElasticLoadBalancingV2::Listener", + "Properties": { + "DefaultActions": [ + { + "FixedResponseConfig": { + "StatusCode": "200" + }, + "Type": "fixed-response" + } + ], + "LoadBalancerArn": { + "Ref": "ALBAEE750D2" + }, + "Port": 80, + "Protocol": "HTTP" + } + }, + "NLB55158F82": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Properties": { + "LoadBalancerAttributes": [ + { + "Key": "deletion_protection.enabled", + "Value": "false" + } + ], + "Scheme": "internal", + "Subnets": [ + { + "Ref": "VPCPrivateSubnet1Subnet8BCA10E0" + }, + { + "Ref": "VPCPrivateSubnet2SubnetCFCDAA7A" + } + ], + "Type": "network" + } + }, + "NLBListener96C8170F": { + "Type": "AWS::ElasticLoadBalancingV2::Listener", + "Properties": { + "DefaultActions": [ + { + "TargetGroupArn": { + "Ref": "NLBListenerTargetsGroupB42DD77B" + }, + "Type": "forward" + } + ], + "LoadBalancerArn": { + "Ref": "NLB55158F82" + }, + "Port": 80, + "Protocol": "TCP" + } + }, + "NLBListenerTargetsGroupB42DD77B": { + "Type": "AWS::ElasticLoadBalancingV2::TargetGroup", + "Properties": { + "Port": 80, + "Protocol": "TCP", + "TargetType": "alb", + "Targets": [ + { + "Id": { + "Ref": "ALBAEE750D2" + }, + "Port": 80 + } + ], + "VpcId": { + "Ref": "VPCB9E5F0B4" + } + }, + "DependsOn": [ + "ALBALBListenerDB80B4FD" + ] + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2-targets/test/integ.alb-listner-target.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2-targets/test/integ.alb-listner-target.js.snapshot/tree.json new file mode 100644 index 0000000000000..e35c5c7661743 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2-targets/test/integ.alb-listner-target.js.snapshot/tree.json @@ -0,0 +1,984 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "nlb-alb-listner-stack": { + "id": "nlb-alb-listner-stack", + "path": "nlb-alb-listner-stack", + "children": { + "VPC": { + "id": "VPC", + "path": "nlb-alb-listner-stack/VPC", + "children": { + "Resource": { + "id": "Resource", + "path": "nlb-alb-listner-stack/VPC/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::VPC", + "aws:cdk:cloudformation:props": { + "cidrBlock": "10.0.0.0/16", + "enableDnsHostnames": true, + "enableDnsSupport": true, + "instanceTenancy": "default", + "tags": [ + { + "key": "Name", + "value": "nlb-alb-listner-stack/VPC" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnVPC", + "version": "0.0.0" + } + }, + "PublicSubnet1": { + "id": "PublicSubnet1", + "path": "nlb-alb-listner-stack/VPC/PublicSubnet1", + "children": { + "Subnet": { + "id": "Subnet", + "path": "nlb-alb-listner-stack/VPC/PublicSubnet1/Subnet", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::Subnet", + "aws:cdk:cloudformation:props": { + "availabilityZone": { + "Fn::Select": [ + 0, + { + "Fn::GetAZs": "" + } + ] + }, + "cidrBlock": "10.0.0.0/18", + "mapPublicIpOnLaunch": true, + "tags": [ + { + "key": "aws-cdk:subnet-name", + "value": "Public" + }, + { + "key": "aws-cdk:subnet-type", + "value": "Public" + }, + { + "key": "Name", + "value": "nlb-alb-listner-stack/VPC/PublicSubnet1" + } + ], + "vpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "version": "0.0.0" + } + }, + "Acl": { + "id": "Acl", + "path": "nlb-alb-listner-stack/VPC/PublicSubnet1/Acl", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "RouteTable": { + "id": "RouteTable", + "path": "nlb-alb-listner-stack/VPC/PublicSubnet1/RouteTable", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", + "aws:cdk:cloudformation:props": { + "tags": [ + { + "key": "Name", + "value": "nlb-alb-listner-stack/VPC/PublicSubnet1" + } + ], + "vpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "version": "0.0.0" + } + }, + "RouteTableAssociation": { + "id": "RouteTableAssociation", + "path": "nlb-alb-listner-stack/VPC/PublicSubnet1/RouteTableAssociation", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::SubnetRouteTableAssociation", + "aws:cdk:cloudformation:props": { + "routeTableId": { + "Ref": "VPCPublicSubnet1RouteTableFEE4B781" + }, + "subnetId": { + "Ref": "VPCPublicSubnet1SubnetB4246D30" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "version": "0.0.0" + } + }, + "DefaultRoute": { + "id": "DefaultRoute", + "path": "nlb-alb-listner-stack/VPC/PublicSubnet1/DefaultRoute", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::Route", + "aws:cdk:cloudformation:props": { + "destinationCidrBlock": "0.0.0.0/0", + "gatewayId": { + "Ref": "VPCIGWB7E252D3" + }, + "routeTableId": { + "Ref": "VPCPublicSubnet1RouteTableFEE4B781" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "version": "0.0.0" + } + }, + "EIP": { + "id": "EIP", + "path": "nlb-alb-listner-stack/VPC/PublicSubnet1/EIP", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::EIP", + "aws:cdk:cloudformation:props": { + "domain": "vpc", + "tags": [ + { + "key": "Name", + "value": "nlb-alb-listner-stack/VPC/PublicSubnet1" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnEIP", + "version": "0.0.0" + } + }, + "NATGateway": { + "id": "NATGateway", + "path": "nlb-alb-listner-stack/VPC/PublicSubnet1/NATGateway", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::NatGateway", + "aws:cdk:cloudformation:props": { + "allocationId": { + "Fn::GetAtt": [ + "VPCPublicSubnet1EIP6AD938E8", + "AllocationId" + ] + }, + "subnetId": { + "Ref": "VPCPublicSubnet1SubnetB4246D30" + }, + "tags": [ + { + "key": "Name", + "value": "nlb-alb-listner-stack/VPC/PublicSubnet1" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.PublicSubnet", + "version": "0.0.0" + } + }, + "PublicSubnet2": { + "id": "PublicSubnet2", + "path": "nlb-alb-listner-stack/VPC/PublicSubnet2", + "children": { + "Subnet": { + "id": "Subnet", + "path": "nlb-alb-listner-stack/VPC/PublicSubnet2/Subnet", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::Subnet", + "aws:cdk:cloudformation:props": { + "availabilityZone": { + "Fn::Select": [ + 1, + { + "Fn::GetAZs": "" + } + ] + }, + "cidrBlock": "10.0.64.0/18", + "mapPublicIpOnLaunch": true, + "tags": [ + { + "key": "aws-cdk:subnet-name", + "value": "Public" + }, + { + "key": "aws-cdk:subnet-type", + "value": "Public" + }, + { + "key": "Name", + "value": "nlb-alb-listner-stack/VPC/PublicSubnet2" + } + ], + "vpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "version": "0.0.0" + } + }, + "Acl": { + "id": "Acl", + "path": "nlb-alb-listner-stack/VPC/PublicSubnet2/Acl", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "RouteTable": { + "id": "RouteTable", + "path": "nlb-alb-listner-stack/VPC/PublicSubnet2/RouteTable", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", + "aws:cdk:cloudformation:props": { + "tags": [ + { + "key": "Name", + "value": "nlb-alb-listner-stack/VPC/PublicSubnet2" + } + ], + "vpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "version": "0.0.0" + } + }, + "RouteTableAssociation": { + "id": "RouteTableAssociation", + "path": "nlb-alb-listner-stack/VPC/PublicSubnet2/RouteTableAssociation", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::SubnetRouteTableAssociation", + "aws:cdk:cloudformation:props": { + "routeTableId": { + "Ref": "VPCPublicSubnet2RouteTable6F1A15F1" + }, + "subnetId": { + "Ref": "VPCPublicSubnet2Subnet74179F39" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "version": "0.0.0" + } + }, + "DefaultRoute": { + "id": "DefaultRoute", + "path": "nlb-alb-listner-stack/VPC/PublicSubnet2/DefaultRoute", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::Route", + "aws:cdk:cloudformation:props": { + "destinationCidrBlock": "0.0.0.0/0", + "gatewayId": { + "Ref": "VPCIGWB7E252D3" + }, + "routeTableId": { + "Ref": "VPCPublicSubnet2RouteTable6F1A15F1" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "version": "0.0.0" + } + }, + "EIP": { + "id": "EIP", + "path": "nlb-alb-listner-stack/VPC/PublicSubnet2/EIP", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::EIP", + "aws:cdk:cloudformation:props": { + "domain": "vpc", + "tags": [ + { + "key": "Name", + "value": "nlb-alb-listner-stack/VPC/PublicSubnet2" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnEIP", + "version": "0.0.0" + } + }, + "NATGateway": { + "id": "NATGateway", + "path": "nlb-alb-listner-stack/VPC/PublicSubnet2/NATGateway", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::NatGateway", + "aws:cdk:cloudformation:props": { + "allocationId": { + "Fn::GetAtt": [ + "VPCPublicSubnet2EIP4947BC00", + "AllocationId" + ] + }, + "subnetId": { + "Ref": "VPCPublicSubnet2Subnet74179F39" + }, + "tags": [ + { + "key": "Name", + "value": "nlb-alb-listner-stack/VPC/PublicSubnet2" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.PublicSubnet", + "version": "0.0.0" + } + }, + "PrivateSubnet1": { + "id": "PrivateSubnet1", + "path": "nlb-alb-listner-stack/VPC/PrivateSubnet1", + "children": { + "Subnet": { + "id": "Subnet", + "path": "nlb-alb-listner-stack/VPC/PrivateSubnet1/Subnet", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::Subnet", + "aws:cdk:cloudformation:props": { + "availabilityZone": { + "Fn::Select": [ + 0, + { + "Fn::GetAZs": "" + } + ] + }, + "cidrBlock": "10.0.128.0/18", + "mapPublicIpOnLaunch": false, + "tags": [ + { + "key": "aws-cdk:subnet-name", + "value": "Private" + }, + { + "key": "aws-cdk:subnet-type", + "value": "Private" + }, + { + "key": "Name", + "value": "nlb-alb-listner-stack/VPC/PrivateSubnet1" + } + ], + "vpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "version": "0.0.0" + } + }, + "Acl": { + "id": "Acl", + "path": "nlb-alb-listner-stack/VPC/PrivateSubnet1/Acl", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "RouteTable": { + "id": "RouteTable", + "path": "nlb-alb-listner-stack/VPC/PrivateSubnet1/RouteTable", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", + "aws:cdk:cloudformation:props": { + "tags": [ + { + "key": "Name", + "value": "nlb-alb-listner-stack/VPC/PrivateSubnet1" + } + ], + "vpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "version": "0.0.0" + } + }, + "RouteTableAssociation": { + "id": "RouteTableAssociation", + "path": "nlb-alb-listner-stack/VPC/PrivateSubnet1/RouteTableAssociation", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::SubnetRouteTableAssociation", + "aws:cdk:cloudformation:props": { + "routeTableId": { + "Ref": "VPCPrivateSubnet1RouteTableBE8A6027" + }, + "subnetId": { + "Ref": "VPCPrivateSubnet1Subnet8BCA10E0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "version": "0.0.0" + } + }, + "DefaultRoute": { + "id": "DefaultRoute", + "path": "nlb-alb-listner-stack/VPC/PrivateSubnet1/DefaultRoute", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::Route", + "aws:cdk:cloudformation:props": { + "destinationCidrBlock": "0.0.0.0/0", + "natGatewayId": { + "Ref": "VPCPublicSubnet1NATGatewayE0556630" + }, + "routeTableId": { + "Ref": "VPCPrivateSubnet1RouteTableBE8A6027" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet", + "version": "0.0.0" + } + }, + "PrivateSubnet2": { + "id": "PrivateSubnet2", + "path": "nlb-alb-listner-stack/VPC/PrivateSubnet2", + "children": { + "Subnet": { + "id": "Subnet", + "path": "nlb-alb-listner-stack/VPC/PrivateSubnet2/Subnet", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::Subnet", + "aws:cdk:cloudformation:props": { + "availabilityZone": { + "Fn::Select": [ + 1, + { + "Fn::GetAZs": "" + } + ] + }, + "cidrBlock": "10.0.192.0/18", + "mapPublicIpOnLaunch": false, + "tags": [ + { + "key": "aws-cdk:subnet-name", + "value": "Private" + }, + { + "key": "aws-cdk:subnet-type", + "value": "Private" + }, + { + "key": "Name", + "value": "nlb-alb-listner-stack/VPC/PrivateSubnet2" + } + ], + "vpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "version": "0.0.0" + } + }, + "Acl": { + "id": "Acl", + "path": "nlb-alb-listner-stack/VPC/PrivateSubnet2/Acl", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "RouteTable": { + "id": "RouteTable", + "path": "nlb-alb-listner-stack/VPC/PrivateSubnet2/RouteTable", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", + "aws:cdk:cloudformation:props": { + "tags": [ + { + "key": "Name", + "value": "nlb-alb-listner-stack/VPC/PrivateSubnet2" + } + ], + "vpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "version": "0.0.0" + } + }, + "RouteTableAssociation": { + "id": "RouteTableAssociation", + "path": "nlb-alb-listner-stack/VPC/PrivateSubnet2/RouteTableAssociation", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::SubnetRouteTableAssociation", + "aws:cdk:cloudformation:props": { + "routeTableId": { + "Ref": "VPCPrivateSubnet2RouteTable0A19E10E" + }, + "subnetId": { + "Ref": "VPCPrivateSubnet2SubnetCFCDAA7A" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "version": "0.0.0" + } + }, + "DefaultRoute": { + "id": "DefaultRoute", + "path": "nlb-alb-listner-stack/VPC/PrivateSubnet2/DefaultRoute", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::Route", + "aws:cdk:cloudformation:props": { + "destinationCidrBlock": "0.0.0.0/0", + "natGatewayId": { + "Ref": "VPCPublicSubnet2NATGateway3C070193" + }, + "routeTableId": { + "Ref": "VPCPrivateSubnet2RouteTable0A19E10E" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet", + "version": "0.0.0" + } + }, + "IGW": { + "id": "IGW", + "path": "nlb-alb-listner-stack/VPC/IGW", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::InternetGateway", + "aws:cdk:cloudformation:props": { + "tags": [ + { + "key": "Name", + "value": "nlb-alb-listner-stack/VPC" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnInternetGateway", + "version": "0.0.0" + } + }, + "VPCGW": { + "id": "VPCGW", + "path": "nlb-alb-listner-stack/VPC/VPCGW", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::VPCGatewayAttachment", + "aws:cdk:cloudformation:props": { + "internetGatewayId": { + "Ref": "VPCIGWB7E252D3" + }, + "vpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnVPCGatewayAttachment", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.Vpc", + "version": "0.0.0" + } + }, + "ALB": { + "id": "ALB", + "path": "nlb-alb-listner-stack/ALB", + "children": { + "Resource": { + "id": "Resource", + "path": "nlb-alb-listner-stack/ALB/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "aws:cdk:cloudformation:props": { + "loadBalancerAttributes": [ + { + "key": "deletion_protection.enabled", + "value": "false" + } + ], + "scheme": "internal", + "securityGroups": [ + { + "Fn::GetAtt": [ + "ALBSecurityGroup8B8624F8", + "GroupId" + ] + } + ], + "subnets": [ + { + "Ref": "VPCPrivateSubnet1Subnet8BCA10E0" + }, + { + "Ref": "VPCPrivateSubnet2SubnetCFCDAA7A" + } + ], + "type": "application" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.CfnLoadBalancer", + "version": "0.0.0" + } + }, + "SecurityGroup": { + "id": "SecurityGroup", + "path": "nlb-alb-listner-stack/ALB/SecurityGroup", + "children": { + "Resource": { + "id": "Resource", + "path": "nlb-alb-listner-stack/ALB/SecurityGroup/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::SecurityGroup", + "aws:cdk:cloudformation:props": { + "groupDescription": "Automatically created Security Group for ELB nlbalblistnerstackALBE6EE71F4", + "securityGroupEgress": [ + { + "cidrIp": "255.255.255.255/32", + "description": "Disallow all traffic", + "ipProtocol": "icmp", + "fromPort": 252, + "toPort": 86 + } + ], + "securityGroupIngress": [ + { + "cidrIp": "0.0.0.0/0", + "ipProtocol": "tcp", + "fromPort": 80, + "toPort": 80, + "description": "Allow from anyone on port 80" + } + ], + "vpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnSecurityGroup", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.SecurityGroup", + "version": "0.0.0" + } + }, + "ALBListener": { + "id": "ALBListener", + "path": "nlb-alb-listner-stack/ALB/ALBListener", + "children": { + "Resource": { + "id": "Resource", + "path": "nlb-alb-listner-stack/ALB/ALBListener/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::ElasticLoadBalancingV2::Listener", + "aws:cdk:cloudformation:props": { + "defaultActions": [ + { + "type": "fixed-response", + "fixedResponseConfig": { + "statusCode": "200" + } + } + ], + "loadBalancerArn": { + "Ref": "ALBAEE750D2" + }, + "port": 80, + "protocol": "HTTP" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.CfnListener", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationListener", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationLoadBalancer", + "version": "0.0.0" + } + }, + "NLB": { + "id": "NLB", + "path": "nlb-alb-listner-stack/NLB", + "children": { + "Resource": { + "id": "Resource", + "path": "nlb-alb-listner-stack/NLB/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "aws:cdk:cloudformation:props": { + "loadBalancerAttributes": [ + { + "key": "deletion_protection.enabled", + "value": "false" + } + ], + "scheme": "internal", + "subnets": [ + { + "Ref": "VPCPrivateSubnet1Subnet8BCA10E0" + }, + { + "Ref": "VPCPrivateSubnet2SubnetCFCDAA7A" + } + ], + "type": "network" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.CfnLoadBalancer", + "version": "0.0.0" + } + }, + "Listener": { + "id": "Listener", + "path": "nlb-alb-listner-stack/NLB/Listener", + "children": { + "Resource": { + "id": "Resource", + "path": "nlb-alb-listner-stack/NLB/Listener/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::ElasticLoadBalancingV2::Listener", + "aws:cdk:cloudformation:props": { + "defaultActions": [ + { + "type": "forward", + "targetGroupArn": { + "Ref": "NLBListenerTargetsGroupB42DD77B" + } + } + ], + "loadBalancerArn": { + "Ref": "NLB55158F82" + }, + "port": 80, + "protocol": "TCP" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.CfnListener", + "version": "0.0.0" + } + }, + "TargetsGroup": { + "id": "TargetsGroup", + "path": "nlb-alb-listner-stack/NLB/Listener/TargetsGroup", + "children": { + "Resource": { + "id": "Resource", + "path": "nlb-alb-listner-stack/NLB/Listener/TargetsGroup/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::ElasticLoadBalancingV2::TargetGroup", + "aws:cdk:cloudformation:props": { + "port": 80, + "protocol": "TCP", + "targets": [ + { + "id": { + "Ref": "ALBAEE750D2" + }, + "port": 80 + } + ], + "targetType": "alb", + "vpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.CfnTargetGroup", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.NetworkTargetGroup", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.NetworkListener", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.NetworkLoadBalancer", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "nlb-alb-listner-stack/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "nlb-alb-listner-stack/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "Integ": { + "id": "Integ", + "path": "Integ", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "Integ/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "Integ/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "Integ/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "Integ/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "Integ/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2-targets/test/integ.alb-listner-target.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2-targets/test/integ.alb-listner-target.ts new file mode 100644 index 0000000000000..8315ade0f3d1c --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2-targets/test/integ.alb-listner-target.ts @@ -0,0 +1,36 @@ +import * as ec2 from 'aws-cdk-lib/aws-ec2'; +import * as cdk from 'aws-cdk-lib'; +import { Construct } from 'constructs'; +import * as elbv2 from 'aws-cdk-lib/aws-elasticloadbalancingv2'; +import { IntegTest } from '@aws-cdk/integ-tests-alpha'; +import * as targets from 'aws-cdk-lib/aws-elasticloadbalancingv2-targets'; + +// WHEN +const app = new cdk.App(); + +// GIVEN +class ALBListenerStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + + const vpc = new ec2.Vpc(this, 'VPC', { restrictDefaultSecurityGroup: false }); + const alb = new elbv2.ApplicationLoadBalancer(this, 'ALB', { vpc }); + const albListener = alb.addListener('ALBListener', { + port: 80, + defaultAction: elbv2.ListenerAction.fixedResponse(200), + }); + const nlb = new elbv2.NetworkLoadBalancer(this, 'NLB', { vpc }); + const listener = nlb.addListener('Listener', { port: 80 }); + listener.addTargets('Targets', { + targets: [new targets.AlbListenerTarget(albListener)], + port: 80, + }); + } +} + +// EXPECT +const stack = new ALBListenerStack(app, 'nlb-alb-listner-stack'); +new IntegTest(app, 'Integ', { + testCases: [stack], +}); +app.synth(); diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.js.snapshot/aws-cdk-elbv2-integ.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.js.snapshot/aws-cdk-elbv2-integ.assets.json index 5f6c1f273d748..627c94b6f11d6 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.js.snapshot/aws-cdk-elbv2-integ.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.js.snapshot/aws-cdk-elbv2-integ.assets.json @@ -1,7 +1,7 @@ { - "version": "33.0.0", + "version": "36.0.0", "files": { - "07df570609ba80d7ccc6a61dc96229756a5e4fc6a10d9a68ac076b94a8ce3e55": { + "dd9140945011edcbce692a37f5f7cbd8334730c6955bb30907758d7bda777b77": { "source": { "path": "aws-cdk-elbv2-integ.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-us-west-2": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-us-west-2", - "objectKey": "07df570609ba80d7ccc6a61dc96229756a5e4fc6a10d9a68ac076b94a8ce3e55.json", + "objectKey": "dd9140945011edcbce692a37f5f7cbd8334730c6955bb30907758d7bda777b77.json", "region": "us-west-2", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-us-west-2" } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.js.snapshot/aws-cdk-elbv2-integ.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.js.snapshot/aws-cdk-elbv2-integ.template.json index ce3d2ff8e018f..428814b9ed734 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.js.snapshot/aws-cdk-elbv2-integ.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.js.snapshot/aws-cdk-elbv2-integ.template.json @@ -412,6 +412,20 @@ { "Key": "access_logs.s3.prefix", "Value": "" + }, + { + "Key": "connection_logs.s3.enabled", + "Value": "true" + }, + { + "Key": "connection_logs.s3.bucket", + "Value": { + "Ref": "LBALBConnectionLogsBucket4BFA48DB" + } + }, + { + "Key": "connection_logs.s3.prefix", + "Value": "" } ], "Scheme": "internet-facing", @@ -434,7 +448,8 @@ "Type": "application" }, "DependsOn": [ - "LBALBAccessLogsBucket6AE92937", + "LBALBAccessLogsBucketPolicy1E4EBAFE", + "LBALBConnectionLogsBucketPolicy62509153", "VPCPublicSubnet1DefaultRoute91CEF279", "VPCPublicSubnet1RouteTableAssociation0B0896DC", "VPCPublicSubnet2DefaultRouteB7481BBA", @@ -647,6 +662,185 @@ } } }, + "LBALBConnectionLogsBucket4BFA48DB": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "LoggingConfiguration": { + "LogFilePrefix": "selflog/" + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, + "VersioningConfiguration": { + "Status": "Enabled" + } + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "LBALBConnectionLogsBucketPolicy62509153": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "LBALBConnectionLogsBucket4BFA48DB" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "LBALBConnectionLogsBucket4BFA48DB", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "LBALBConnectionLogsBucket4BFA48DB", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, + { + "Action": "s3:PutObject", + "Condition": { + "ArnLike": { + "aws:SourceArn": { + "Fn::GetAtt": [ + "LBALBConnectionLogsBucket4BFA48DB", + "Arn" + ] + } + }, + "StringEquals": { + "aws:SourceAccount": { + "Ref": "AWS::AccountId" + } + } + }, + "Effect": "Allow", + "Principal": { + "Service": "logging.s3.amazonaws.com" + }, + "Resource": { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "LBALBConnectionLogsBucket4BFA48DB", + "Arn" + ] + }, + "/selflog/*" + ] + ] + } + }, + { + "Action": "s3:PutObject", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::797873946194:root" + }, + "Resource": { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "LBALBConnectionLogsBucket4BFA48DB", + "Arn" + ] + }, + "/AWSLogs/", + { + "Ref": "AWS::AccountId" + }, + "/*" + ] + ] + } + }, + { + "Action": "s3:PutObject", + "Condition": { + "StringEquals": { + "s3:x-amz-acl": "bucket-owner-full-control" + } + }, + "Effect": "Allow", + "Principal": { + "Service": "delivery.logs.amazonaws.com" + }, + "Resource": { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "LBALBConnectionLogsBucket4BFA48DB", + "Arn" + ] + }, + "/AWSLogs/", + { + "Ref": "AWS::AccountId" + }, + "/*" + ] + ] + } + }, + { + "Action": "s3:GetBucketAcl", + "Effect": "Allow", + "Principal": { + "Service": "delivery.logs.amazonaws.com" + }, + "Resource": { + "Fn::GetAtt": [ + "LBALBConnectionLogsBucket4BFA48DB", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + } + } + }, "LBListener49E825B4": { "Type": "AWS::ElasticLoadBalancingV2::Listener", "Properties": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.js.snapshot/cdk.out index 560dae10d018f..1f0068d32659a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"33.0.0"} \ No newline at end of file +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.js.snapshot/cdkintegalbextendedlogDefaultTestDeployAssertAEFAB19B.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.js.snapshot/cdkintegalbextendedlogDefaultTestDeployAssertAEFAB19B.assets.json index c98fca8690504..dc7f5be9c0bd5 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.js.snapshot/cdkintegalbextendedlogDefaultTestDeployAssertAEFAB19B.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.js.snapshot/cdkintegalbextendedlogDefaultTestDeployAssertAEFAB19B.assets.json @@ -1,5 +1,5 @@ { - "version": "33.0.0", + "version": "36.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.js.snapshot/integ.json index b013204787762..28a35b8f9fe2f 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "33.0.0", + "version": "36.0.0", "testCases": { "cdk-integ-alb-extended-log/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.js.snapshot/manifest.json index e13264e6591cb..0e3250c83fd85 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "33.0.0", + "version": "36.0.0", "artifacts": { "aws-cdk-elbv2-integ.assets": { "type": "cdk:asset-manifest", @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-us-west-2", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-us-west-2", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-us-west-2/07df570609ba80d7ccc6a61dc96229756a5e4fc6a10d9a68ac076b94a8ce3e55.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-us-west-2/dd9140945011edcbce692a37f5f7cbd8334730c6955bb30907758d7bda777b77.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -196,6 +196,18 @@ "data": "LBALBAccessLogsBucketPolicy1E4EBAFE" } ], + "/aws-cdk-elbv2-integ/LB/ALBConnectionLogsBucket/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "LBALBConnectionLogsBucket4BFA48DB" + } + ], + "/aws-cdk-elbv2-integ/LB/ALBConnectionLogsBucket/Policy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "LBALBConnectionLogsBucketPolicy62509153" + } + ], "/aws-cdk-elbv2-integ/LB/Listener/Resource": [ { "type": "aws:cdk:logicalId", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.js.snapshot/tree.json index 42f17234eebb4..c87d487493897 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.js.snapshot/tree.json @@ -679,6 +679,20 @@ { "key": "access_logs.s3.prefix", "value": "" + }, + { + "key": "connection_logs.s3.enabled", + "value": "true" + }, + { + "key": "connection_logs.s3.bucket", + "value": { + "Ref": "LBALBConnectionLogsBucket4BFA48DB" + } + }, + { + "key": "connection_logs.s3.prefix", + "value": "" } ], "scheme": "internet-facing", @@ -964,6 +978,219 @@ "version": "0.0.0" } }, + "ALBConnectionLogsBucket": { + "id": "ALBConnectionLogsBucket", + "path": "aws-cdk-elbv2-integ/LB/ALBConnectionLogsBucket", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-cdk-elbv2-integ/LB/ALBConnectionLogsBucket/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::S3::Bucket", + "aws:cdk:cloudformation:props": { + "bucketEncryption": { + "serverSideEncryptionConfiguration": [ + { + "serverSideEncryptionByDefault": { + "sseAlgorithm": "AES256" + } + } + ] + }, + "loggingConfiguration": { + "logFilePrefix": "selflog/" + }, + "publicAccessBlockConfiguration": { + "blockPublicAcls": true, + "blockPublicPolicy": true, + "ignorePublicAcls": true, + "restrictPublicBuckets": true + }, + "versioningConfiguration": { + "status": "Enabled" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3.CfnBucket", + "version": "0.0.0" + } + }, + "Policy": { + "id": "Policy", + "path": "aws-cdk-elbv2-integ/LB/ALBConnectionLogsBucket/Policy", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-cdk-elbv2-integ/LB/ALBConnectionLogsBucket/Policy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::S3::BucketPolicy", + "aws:cdk:cloudformation:props": { + "bucket": { + "Ref": "LBALBConnectionLogsBucket4BFA48DB" + }, + "policyDocument": { + "Statement": [ + { + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "LBALBConnectionLogsBucket4BFA48DB", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "LBALBConnectionLogsBucket4BFA48DB", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, + { + "Action": "s3:PutObject", + "Condition": { + "ArnLike": { + "aws:SourceArn": { + "Fn::GetAtt": [ + "LBALBConnectionLogsBucket4BFA48DB", + "Arn" + ] + } + }, + "StringEquals": { + "aws:SourceAccount": { + "Ref": "AWS::AccountId" + } + } + }, + "Effect": "Allow", + "Principal": { + "Service": "logging.s3.amazonaws.com" + }, + "Resource": { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "LBALBConnectionLogsBucket4BFA48DB", + "Arn" + ] + }, + "/selflog/*" + ] + ] + } + }, + { + "Action": "s3:PutObject", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::797873946194:root" + }, + "Resource": { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "LBALBConnectionLogsBucket4BFA48DB", + "Arn" + ] + }, + "/AWSLogs/", + { + "Ref": "AWS::AccountId" + }, + "/*" + ] + ] + } + }, + { + "Action": "s3:PutObject", + "Condition": { + "StringEquals": { + "s3:x-amz-acl": "bucket-owner-full-control" + } + }, + "Effect": "Allow", + "Principal": { + "Service": "delivery.logs.amazonaws.com" + }, + "Resource": { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "LBALBConnectionLogsBucket4BFA48DB", + "Arn" + ] + }, + "/AWSLogs/", + { + "Ref": "AWS::AccountId" + }, + "/*" + ] + ] + } + }, + { + "Action": "s3:GetBucketAcl", + "Effect": "Allow", + "Principal": { + "Service": "delivery.logs.amazonaws.com" + }, + "Resource": { + "Fn::GetAtt": [ + "LBALBConnectionLogsBucket4BFA48DB", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3.CfnBucketPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3.BucketPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3.Bucket", + "version": "0.0.0" + } + }, "Listener": { "id": "Listener", "path": "aws-cdk-elbv2-integ/LB/Listener", @@ -1089,7 +1316,7 @@ "path": "cdk-integ-alb-extended-log/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.2.70" + "version": "10.3.0" } }, "DeployAssert": { @@ -1135,7 +1362,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.2.70" + "version": "10.3.0" } } }, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.ts index 17b1a0009461e..5fc676d118357 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.extended.log.ts @@ -18,8 +18,16 @@ class ExtendedLB extends elbv2.ApplicationLoadBalancer { serverAccessLogsPrefix: 'selflog/', enforceSSL: true, }); - this.logAccessLogs(accessLogsBucket); + + const connectionLogsBucket = new s3.Bucket(this, 'ALBConnectionLogsBucket', { + blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, + encryption: s3.BucketEncryption.S3_MANAGED, + versioned: true, + serverAccessLogsPrefix: 'selflog/', + enforceSSL: true, + }); + this.logConnectionLogs(connectionLogsBucket); } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/aws-cdk-alb-log-imported-bucket-integ.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/aws-cdk-alb-log-imported-bucket-integ.assets.json index 3e91c58d25201..9234509c27957 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/aws-cdk-alb-log-imported-bucket-integ.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/aws-cdk-alb-log-imported-bucket-integ.assets.json @@ -1,7 +1,7 @@ { - "version": "34.0.0", + "version": "36.0.0", "files": { - "d102d01a93a63d71a570164bdea30b0eca472ac745027643a4a1b0adb9b0640b": { + "7bcbcac4ed21e823d8252892771a6da060dd1d6110cdf42e73693f1e5c831046": { "source": { "path": "aws-cdk-alb-log-imported-bucket-integ.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-us-west-2": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-us-west-2", - "objectKey": "d102d01a93a63d71a570164bdea30b0eca472ac745027643a4a1b0adb9b0640b.json", + "objectKey": "7bcbcac4ed21e823d8252892771a6da060dd1d6110cdf42e73693f1e5c831046.json", "region": "us-west-2", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-us-west-2" } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/aws-cdk-alb-log-imported-bucket-integ.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/aws-cdk-alb-log-imported-bucket-integ.template.json index e596a9c1e41e8..ff10559471e6d 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/aws-cdk-alb-log-imported-bucket-integ.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/aws-cdk-alb-log-imported-bucket-integ.template.json @@ -438,6 +438,47 @@ "Principal": { "Service": "delivery.logs.amazonaws.com" }, + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Ref": "Bucket83908E77" + }, + "/prefix-connection-log/AWSLogs/", + { + "Ref": "AWS::AccountId" + }, + "/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Ref": "Bucket83908E77" + }, + "/prefix/AWSLogs/", + { + "Ref": "AWS::AccountId" + }, + "/*" + ] + ] + } + ] + }, + { + "Action": "s3:GetBucketAcl", + "Effect": "Allow", + "Principal": { + "Service": "delivery.logs.amazonaws.com" + }, "Resource": { "Fn::Join": [ "", @@ -445,21 +486,16 @@ "arn:aws:s3:::", { "Ref": "Bucket83908E77" - }, - "/prefix/AWSLogs/", - { - "Ref": "AWS::AccountId" - }, - "/*" + } ] ] } }, { - "Action": "s3:GetBucketAcl", + "Action": "s3:PutObject", "Effect": "Allow", "Principal": { - "Service": "delivery.logs.amazonaws.com" + "AWS": "arn:aws:iam::797873946194:root" }, "Resource": { "Fn::Join": [ @@ -468,7 +504,12 @@ "arn:aws:s3:::", { "Ref": "Bucket83908E77" - } + }, + "/prefix-connection-log/AWSLogs/", + { + "Ref": "AWS::AccountId" + }, + "/*" ] ] } @@ -499,6 +540,20 @@ { "Key": "access_logs.s3.prefix", "Value": "prefix" + }, + { + "Key": "connection_logs.s3.enabled", + "Value": "true" + }, + { + "Key": "connection_logs.s3.bucket", + "Value": { + "Ref": "Bucket83908E77" + } + }, + { + "Key": "connection_logs.s3.prefix", + "Value": "prefix-connection-log" } ], "Scheme": "internet-facing", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/cdk.out index 2313ab5436501..1f0068d32659a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"34.0.0"} \ No newline at end of file +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/cdkintegalblogimportedbucketDefaultTestDeployAssert163162C1.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/cdkintegalblogimportedbucketDefaultTestDeployAssert163162C1.assets.json index e45f2e7f3aa99..33278825135ec 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/cdkintegalblogimportedbucketDefaultTestDeployAssert163162C1.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/cdkintegalblogimportedbucketDefaultTestDeployAssert163162C1.assets.json @@ -1,5 +1,5 @@ { - "version": "34.0.0", + "version": "36.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/integ.json index 5198aa8d08cc7..c2f7d046cc525 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "34.0.0", + "version": "36.0.0", "testCases": { "cdk-integ-alb-log-imported-bucket/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/manifest.json index 4c9a325295e57..e0362c5216bff 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "34.0.0", + "version": "36.0.0", "artifacts": { "aws-cdk-alb-log-imported-bucket-integ.assets": { "type": "cdk:asset-manifest", @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-us-west-2", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-us-west-2", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-us-west-2/d102d01a93a63d71a570164bdea30b0eca472ac745027643a4a1b0adb9b0640b.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-us-west-2/7bcbcac4ed21e823d8252892771a6da060dd1d6110cdf42e73693f1e5c831046.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -178,10 +178,10 @@ "data": "Bucket83908E77" } ], - "/aws-cdk-alb-log-imported-bucket-integ/ImportedBucket/Policy/Resource": [ + "/aws-cdk-alb-log-imported-bucket-integ/ImportedBucketPolicy/Resource": [ { "type": "aws:cdk:logicalId", - "data": "ImportedBucketPolicy71C80354" + "data": "ImportedBucketPolicyAE50CA2C" } ], "/aws-cdk-alb-log-imported-bucket-integ/LB/Resource": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/tree.json index ebc9d24af07a2..f5423598f7b90 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.js.snapshot/tree.json @@ -676,110 +676,149 @@ "ImportedBucket": { "id": "ImportedBucket", "path": "aws-cdk-alb-log-imported-bucket-integ/ImportedBucket", + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3.BucketBase", + "version": "0.0.0" + } + }, + "ImportedBucketPolicy": { + "id": "ImportedBucketPolicy", + "path": "aws-cdk-alb-log-imported-bucket-integ/ImportedBucketPolicy", "children": { - "Policy": { - "id": "Policy", - "path": "aws-cdk-alb-log-imported-bucket-integ/ImportedBucket/Policy", - "children": { - "Resource": { - "id": "Resource", - "path": "aws-cdk-alb-log-imported-bucket-integ/ImportedBucket/Policy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::S3::BucketPolicy", - "aws:cdk:cloudformation:props": { - "bucket": { - "Ref": "Bucket83908E77" + "Resource": { + "id": "Resource", + "path": "aws-cdk-alb-log-imported-bucket-integ/ImportedBucketPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::S3::BucketPolicy", + "aws:cdk:cloudformation:props": { + "bucket": { + "Ref": "Bucket83908E77" + }, + "policyDocument": { + "Statement": [ + { + "Action": "s3:PutObject", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::797873946194:root" + }, + "Resource": { + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Ref": "Bucket83908E77" + }, + "/prefix/AWSLogs/", + { + "Ref": "AWS::AccountId" + }, + "/*" + ] + ] + } }, - "policyDocument": { - "Statement": [ + { + "Action": "s3:PutObject", + "Condition": { + "StringEquals": { + "s3:x-amz-acl": "bucket-owner-full-control" + } + }, + "Effect": "Allow", + "Principal": { + "Service": "delivery.logs.amazonaws.com" + }, + "Resource": [ { - "Action": "s3:PutObject", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::797873946194:root" - }, - "Resource": { - "Fn::Join": [ - "", - [ - "arn:aws:s3:::", - { - "Ref": "Bucket83908E77" - }, - "/prefix/AWSLogs/", - { - "Ref": "AWS::AccountId" - }, - "/*" - ] + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Ref": "Bucket83908E77" + }, + "/prefix-connection-log/AWSLogs/", + { + "Ref": "AWS::AccountId" + }, + "/*" ] - } + ] }, { - "Action": "s3:PutObject", - "Condition": { - "StringEquals": { - "s3:x-amz-acl": "bucket-owner-full-control" - } - }, - "Effect": "Allow", - "Principal": { - "Service": "delivery.logs.amazonaws.com" - }, - "Resource": { - "Fn::Join": [ - "", - [ - "arn:aws:s3:::", - { - "Ref": "Bucket83908E77" - }, - "/prefix/AWSLogs/", - { - "Ref": "AWS::AccountId" - }, - "/*" - ] + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Ref": "Bucket83908E77" + }, + "/prefix/AWSLogs/", + { + "Ref": "AWS::AccountId" + }, + "/*" ] - } - }, - { - "Action": "s3:GetBucketAcl", - "Effect": "Allow", - "Principal": { - "Service": "delivery.logs.amazonaws.com" - }, - "Resource": { - "Fn::Join": [ - "", - [ - "arn:aws:s3:::", - { - "Ref": "Bucket83908E77" - } - ] - ] - } + ] } - ], - "Version": "2012-10-17" + ] + }, + { + "Action": "s3:GetBucketAcl", + "Effect": "Allow", + "Principal": { + "Service": "delivery.logs.amazonaws.com" + }, + "Resource": { + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Ref": "Bucket83908E77" + } + ] + ] + } + }, + { + "Action": "s3:PutObject", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::797873946194:root" + }, + "Resource": { + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Ref": "Bucket83908E77" + }, + "/prefix-connection-log/AWSLogs/", + { + "Ref": "AWS::AccountId" + }, + "/*" + ] + ] + } } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucketPolicy", - "version": "0.0.0" + ], + "Version": "2012-10-17" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.BucketPolicy", + "fqn": "aws-cdk-lib.aws_s3.CfnBucketPolicy", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.BucketBase", + "fqn": "aws-cdk-lib.aws_s3.BucketPolicy", "version": "0.0.0" } }, @@ -811,6 +850,20 @@ { "key": "access_logs.s3.prefix", "value": "prefix" + }, + { + "key": "connection_logs.s3.enabled", + "value": "true" + }, + { + "key": "connection_logs.s3.bucket", + "value": { + "Ref": "Bucket83908E77" + } + }, + { + "key": "connection_logs.s3.prefix", + "value": "prefix-connection-log" } ], "scheme": "internet-facing", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.ts index 0aefeaa37378e..cd79500605179 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.imported-bucket.ts @@ -27,6 +27,7 @@ const lb = new elbv2.ApplicationLoadBalancer(stack, 'LB', { }); lb.logAccessLogs(importedBucket, 'prefix'); +lb.logConnectionLogs(importedBucket, 'prefix-connection-log'); const listener = lb.addListener('Listener', { port: 80, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.js.snapshot/aws-cdk-elbv2-integ.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.js.snapshot/aws-cdk-elbv2-integ.assets.json index 462409afac89d..19a55187da880 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.js.snapshot/aws-cdk-elbv2-integ.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.js.snapshot/aws-cdk-elbv2-integ.assets.json @@ -15,7 +15,7 @@ } } }, - "e8dcef11b871328ec18d29401ebba343dec78affd3ec6055ab6d8be5b9223c97": { + "c4df03d0ac9684e50da08e315219cabc9dd964956b22ef483cb737334b396ac8": { "source": { "path": "aws-cdk-elbv2-integ.template.json", "packaging": "file" @@ -23,7 +23,7 @@ "destinations": { "current_account-us-west-2": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-us-west-2", - "objectKey": "e8dcef11b871328ec18d29401ebba343dec78affd3ec6055ab6d8be5b9223c97.json", + "objectKey": "c4df03d0ac9684e50da08e315219cabc9dd964956b22ef483cb737334b396ac8.json", "region": "us-west-2", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-us-west-2" } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.js.snapshot/aws-cdk-elbv2-integ.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.js.snapshot/aws-cdk-elbv2-integ.template.json index 49fdcd32c9472..77f2b0a8c6b32 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.js.snapshot/aws-cdk-elbv2-integ.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.js.snapshot/aws-cdk-elbv2-integ.template.json @@ -487,6 +487,64 @@ "Principal": { "Service": "delivery.logs.amazonaws.com" }, + "Resource": [ + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Bucket83908E77", + "Arn" + ] + }, + "/prefix-connection-log/AWSLogs/", + { + "Ref": "AWS::AccountId" + }, + "/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Bucket83908E77", + "Arn" + ] + }, + "/prefix/AWSLogs/", + { + "Ref": "AWS::AccountId" + }, + "/*" + ] + ] + } + ] + }, + { + "Action": "s3:GetBucketAcl", + "Effect": "Allow", + "Principal": { + "Service": "delivery.logs.amazonaws.com" + }, + "Resource": { + "Fn::GetAtt": [ + "Bucket83908E77", + "Arn" + ] + } + }, + { + "Action": "s3:PutObject", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::797873946194:root" + }, "Resource": { "Fn::Join": [ "", @@ -497,7 +555,7 @@ "Arn" ] }, - "/prefix/AWSLogs/", + "/prefix-connection-log/AWSLogs/", { "Ref": "AWS::AccountId" }, @@ -505,19 +563,6 @@ ] ] } - }, - { - "Action": "s3:GetBucketAcl", - "Effect": "Allow", - "Principal": { - "Service": "delivery.logs.amazonaws.com" - }, - "Resource": { - "Fn::GetAtt": [ - "Bucket83908E77", - "Arn" - ] - } } ], "Version": "2012-10-17" @@ -622,6 +667,20 @@ { "Key": "access_logs.s3.prefix", "Value": "prefix" + }, + { + "Key": "connection_logs.s3.enabled", + "Value": "true" + }, + { + "Key": "connection_logs.s3.bucket", + "Value": { + "Ref": "Bucket83908E77" + } + }, + { + "Key": "connection_logs.s3.prefix", + "Value": "prefix-connection-log" } ], "Scheme": "internet-facing", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.js.snapshot/manifest.json index 0cd90bc7f55a6..1fe10a574fc59 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.js.snapshot/manifest.json @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-us-west-2", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-us-west-2", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-us-west-2/e8dcef11b871328ec18d29401ebba343dec78affd3ec6055ab6d8be5b9223c97.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-us-west-2/c4df03d0ac9684e50da08e315219cabc9dd964956b22ef483cb737334b396ac8.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.js.snapshot/tree.json index 90720258641d3..819371b497c9a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.js.snapshot/tree.json @@ -764,6 +764,64 @@ "Principal": { "Service": "delivery.logs.amazonaws.com" }, + "Resource": [ + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Bucket83908E77", + "Arn" + ] + }, + "/prefix-connection-log/AWSLogs/", + { + "Ref": "AWS::AccountId" + }, + "/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Bucket83908E77", + "Arn" + ] + }, + "/prefix/AWSLogs/", + { + "Ref": "AWS::AccountId" + }, + "/*" + ] + ] + } + ] + }, + { + "Action": "s3:GetBucketAcl", + "Effect": "Allow", + "Principal": { + "Service": "delivery.logs.amazonaws.com" + }, + "Resource": { + "Fn::GetAtt": [ + "Bucket83908E77", + "Arn" + ] + } + }, + { + "Action": "s3:PutObject", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::797873946194:root" + }, "Resource": { "Fn::Join": [ "", @@ -774,7 +832,7 @@ "Arn" ] }, - "/prefix/AWSLogs/", + "/prefix-connection-log/AWSLogs/", { "Ref": "AWS::AccountId" }, @@ -782,19 +840,6 @@ ] ] } - }, - { - "Action": "s3:GetBucketAcl", - "Effect": "Allow", - "Principal": { - "Service": "delivery.logs.amazonaws.com" - }, - "Resource": { - "Fn::GetAtt": [ - "Bucket83908E77", - "Arn" - ] - } } ], "Version": "2012-10-17" @@ -898,6 +943,20 @@ { "key": "access_logs.s3.prefix", "value": "prefix" + }, + { + "key": "connection_logs.s3.enabled", + "value": "true" + }, + { + "key": "connection_logs.s3.bucket", + "value": { + "Ref": "Bucket83908E77" + } + }, + { + "key": "connection_logs.s3.prefix", + "value": "prefix-connection-log" } ], "scheme": "internet-facing", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.ts index cab793d0e6a35..69a96e98340f6 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.ts @@ -25,6 +25,7 @@ const lb = new elbv2.ApplicationLoadBalancer(stack, 'LB', { }); lb.logAccessLogs(bucket, 'prefix'); +lb.logConnectionLogs(bucket, 'prefix-connection-log'); const listener = lb.addListener('Listener', { port: 80, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/DynamoDBFilterCriteriaDefaultTestDeployAssert448231D5.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/DynamoDBFilterCriteriaDefaultTestDeployAssert448231D5.assets.json index a9f8c01bbffc7..042d7b3416bbf 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/DynamoDBFilterCriteriaDefaultTestDeployAssert448231D5.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/DynamoDBFilterCriteriaDefaultTestDeployAssert448231D5.assets.json @@ -1,5 +1,5 @@ { - "version": "34.0.0", + "version": "36.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/cdk.out index 2313ab5436501..1f0068d32659a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"34.0.0"} \ No newline at end of file +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/integ.json index 9e170621e743b..f4a60fafc3e3e 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "34.0.0", + "version": "36.0.0", "testCases": { "DynamoDBFilterCriteria/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-dynamodb.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-dynamodb.assets.json index f67fb7e688555..60c69bab59474 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-dynamodb.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-dynamodb.assets.json @@ -1,7 +1,7 @@ { - "version": "34.0.0", + "version": "36.0.0", "files": { - "12820430413ecb3acc272c29391ccb7d4852423d6630831ad3a1816e5ba6a66b": { + "635e0224ecca17d5512ed1bef8cfa79b63a3d53803e96c4382c47fe9408eb0c7": { "source": { "path": "lambda-event-source-filter-criteria-dynamodb.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "12820430413ecb3acc272c29391ccb7d4852423d6630831ad3a1816e5ba6a66b.json", + "objectKey": "635e0224ecca17d5512ed1bef8cfa79b63a3d53803e96c4382c47fe9408eb0c7.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-dynamodb.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-dynamodb.template.json index 51ecc3d8a5a7f..08858d9a49aef 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-dynamodb.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-dynamodb.template.json @@ -134,6 +134,166 @@ }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" + }, + "fctestkeyname524AF060": { + "Type": "AWS::KMS::Key", + "Properties": { + "Description": "KMS key for test fc encryption", + "KeyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + }, + { + "Action": "kms:Decrypt", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PendingWindowInDays": 7 + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "F5ServiceRole2E897519": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "F5ServiceRoleDefaultPolicyF3745DE6": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "dynamodb:ListStreams", + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "dynamodb:DescribeStream", + "dynamodb:GetRecords", + "dynamodb:GetShardIterator" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "TD925BC7E", + "StreamArn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "F5ServiceRoleDefaultPolicyF3745DE6", + "Roles": [ + { + "Ref": "F5ServiceRole2E897519" + } + ] + } + }, + "F5B560B5F9": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "ZipFile": "exports.handler = async function handler(event) {\n console.log('event:', JSON.stringify(event, undefined, 2));\n return { event };\n}" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "F5ServiceRole2E897519", + "Arn" + ] + }, + "Runtime": "nodejs18.x" + }, + "DependsOn": [ + "F5ServiceRoleDefaultPolicyF3745DE6", + "F5ServiceRole2E897519" + ] + }, + "F5DynamoDBEventSourcelambdaeventsourcefiltercriteriadynamodbT9CFE7D0688700B50": { + "Type": "AWS::Lambda::EventSourceMapping", + "Properties": { + "BatchSize": 5, + "EventSourceArn": { + "Fn::GetAtt": [ + "TD925BC7E", + "StreamArn" + ] + }, + "FilterCriteria": { + "Filters": [ + { + "Pattern": "{\"eventName\":[\"INSERT\"],\"dynamodb\":{\"Keys\":{\"id\":{\"S\":[{\"exists\":true}]}}}}" + } + ] + }, + "FunctionName": { + "Ref": "F5B560B5F9" + }, + "KmsKeyArn": { + "Fn::GetAtt": [ + "fctestkeyname524AF060", + "Arn" + ] + }, + "StartingPosition": "LATEST" + } } }, "Parameters": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/manifest.json index 4bb3cd7d7c817..0b300d7ca1f56 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "34.0.0", + "version": "36.0.0", "artifacts": { "lambda-event-source-filter-criteria-dynamodb.assets": { "type": "cdk:asset-manifest", @@ -14,10 +14,11 @@ "environment": "aws://unknown-account/unknown-region", "properties": { "templateFile": "lambda-event-source-filter-criteria-dynamodb.template.json", + "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/12820430413ecb3acc272c29391ccb7d4852423d6630831ad3a1816e5ba6a66b.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/635e0224ecca17d5512ed1bef8cfa79b63a3d53803e96c4382c47fe9408eb0c7.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -63,6 +64,36 @@ "data": "TD925BC7E" } ], + "/lambda-event-source-filter-criteria-dynamodb/fc-test-key-name/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "fctestkeyname524AF060" + } + ], + "/lambda-event-source-filter-criteria-dynamodb/F5/ServiceRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "F5ServiceRole2E897519" + } + ], + "/lambda-event-source-filter-criteria-dynamodb/F5/ServiceRole/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "F5ServiceRoleDefaultPolicyF3745DE6" + } + ], + "/lambda-event-source-filter-criteria-dynamodb/F5/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "F5B560B5F9" + } + ], + "/lambda-event-source-filter-criteria-dynamodb/F5/DynamoDBEventSource:lambdaeventsourcefiltercriteriadynamodbT9CFE7D06/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "F5DynamoDBEventSourcelambdaeventsourcefiltercriteriadynamodbT9CFE7D0688700B50" + } + ], "/lambda-event-source-filter-criteria-dynamodb/BootstrapVersion": [ { "type": "aws:cdk:logicalId", @@ -91,6 +122,7 @@ "environment": "aws://unknown-account/unknown-region", "properties": { "templateFile": "DynamoDBFilterCriteriaDefaultTestDeployAssert448231D5.template.json", + "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/tree.json index 4674ff49a526f..757ace67fce4e 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/tree.json @@ -183,7 +183,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_lambda.EventSourceMapping", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } } @@ -243,6 +243,258 @@ "version": "0.0.0" } }, + "fc-test-key-name": { + "id": "fc-test-key-name", + "path": "lambda-event-source-filter-criteria-dynamodb/fc-test-key-name", + "children": { + "Resource": { + "id": "Resource", + "path": "lambda-event-source-filter-criteria-dynamodb/fc-test-key-name/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::KMS::Key", + "aws:cdk:cloudformation:props": { + "description": "KMS key for test fc encryption", + "keyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + }, + { + "Action": "kms:Decrypt", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "pendingWindowInDays": 7 + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.CfnKey", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.Key", + "version": "0.0.0" + } + }, + "F5": { + "id": "F5", + "path": "lambda-event-source-filter-criteria-dynamodb/F5", + "children": { + "ServiceRole": { + "id": "ServiceRole", + "path": "lambda-event-source-filter-criteria-dynamodb/F5/ServiceRole", + "children": { + "ImportServiceRole": { + "id": "ImportServiceRole", + "path": "lambda-event-source-filter-criteria-dynamodb/F5/ServiceRole/ImportServiceRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "lambda-event-source-filter-criteria-dynamodb/F5/ServiceRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "managedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + }, + "DefaultPolicy": { + "id": "DefaultPolicy", + "path": "lambda-event-source-filter-criteria-dynamodb/F5/ServiceRole/DefaultPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "lambda-event-source-filter-criteria-dynamodb/F5/ServiceRole/DefaultPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Policy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": "dynamodb:ListStreams", + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "dynamodb:DescribeStream", + "dynamodb:GetRecords", + "dynamodb:GetShardIterator" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "TD925BC7E", + "StreamArn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "policyName": "F5ServiceRoleDefaultPolicyF3745DE6", + "roles": [ + { + "Ref": "F5ServiceRole2E897519" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Policy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "lambda-event-source-filter-criteria-dynamodb/F5/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::Function", + "aws:cdk:cloudformation:props": { + "code": { + "zipFile": "exports.handler = async function handler(event) {\n console.log('event:', JSON.stringify(event, undefined, 2));\n return { event };\n}" + }, + "handler": "index.handler", + "role": { + "Fn::GetAtt": [ + "F5ServiceRole2E897519", + "Arn" + ] + }, + "runtime": "nodejs18.x" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.CfnFunction", + "version": "0.0.0" + } + }, + "DynamoDBEventSource:lambdaeventsourcefiltercriteriadynamodbT9CFE7D06": { + "id": "DynamoDBEventSource:lambdaeventsourcefiltercriteriadynamodbT9CFE7D06", + "path": "lambda-event-source-filter-criteria-dynamodb/F5/DynamoDBEventSource:lambdaeventsourcefiltercriteriadynamodbT9CFE7D06", + "children": { + "Resource": { + "id": "Resource", + "path": "lambda-event-source-filter-criteria-dynamodb/F5/DynamoDBEventSource:lambdaeventsourcefiltercriteriadynamodbT9CFE7D06/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::EventSourceMapping", + "aws:cdk:cloudformation:props": { + "batchSize": 5, + "eventSourceArn": { + "Fn::GetAtt": [ + "TD925BC7E", + "StreamArn" + ] + }, + "filterCriteria": { + "filters": [ + { + "pattern": "{\"eventName\":[\"INSERT\"],\"dynamodb\":{\"Keys\":{\"id\":{\"S\":[{\"exists\":true}]}}}}" + } + ] + }, + "functionName": { + "Ref": "F5B560B5F9" + }, + "kmsKeyArn": { + "Fn::GetAtt": [ + "fctestkeyname524AF060", + "Arn" + ] + }, + "startingPosition": "LATEST" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.CfnEventSourceMapping", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.Function", + "version": "0.0.0" + } + }, "BootstrapVersion": { "id": "BootstrapVersion", "path": "lambda-event-source-filter-criteria-dynamodb/BootstrapVersion", @@ -278,7 +530,7 @@ "path": "DynamoDBFilterCriteria/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.2.70" + "version": "10.3.0" } }, "DeployAssert": { @@ -324,7 +576,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.2.70" + "version": "10.3.0" } } }, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.ts index 544290074e7f6..fcc180a696a81 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.ts @@ -4,6 +4,7 @@ import * as cdk from 'aws-cdk-lib'; import * as integ from '@aws-cdk/integ-tests-alpha'; import { TestFunction } from './test-function'; import { DynamoEventSource } from 'aws-cdk-lib/aws-lambda-event-sources'; +import { Key } from 'aws-cdk-lib/aws-kms'; const app = new cdk.App(); @@ -36,6 +37,32 @@ fn.addEventSource(new DynamoEventSource(table, { ], })); +const myKey = new Key(stack, 'fc-test-key-name', { + removalPolicy: cdk.RemovalPolicy.DESTROY, + pendingWindow: cdk.Duration.days(7), + description: 'KMS key for test fc encryption', +}); + +const fn2 = new TestFunction(stack, 'F5'); + +fn2.addEventSource(new DynamoEventSource(table, { + batchSize: 5, + startingPosition: lambda.StartingPosition.LATEST, + filters: [ + lambda.FilterCriteria.filter({ + eventName: lambda.FilterRule.isEqual('INSERT'), + dynamodb: { + Keys: { + id: { + S: lambda.FilterRule.exists(), + }, + }, + }, + }), + ], + filterEncryption: myKey, +})); + new integ.IntegTest(app, 'DynamoDBFilterCriteria', { testCases: [stack], }); diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/LambdaEventSourceKafkaSelfManagedTestDefaultTestDeployAssertAF78BD0F.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/LambdaEventSourceKafkaSelfManagedTestDefaultTestDeployAssertAF78BD0F.assets.json index 2f132e5215478..a01ffb4d5f4c8 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/LambdaEventSourceKafkaSelfManagedTestDefaultTestDeployAssertAF78BD0F.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/LambdaEventSourceKafkaSelfManagedTestDefaultTestDeployAssertAF78BD0F.assets.json @@ -1,5 +1,5 @@ { - "version": "34.0.0", + "version": "36.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/cdk.out index 2313ab5436501..1f0068d32659a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"34.0.0"} \ No newline at end of file +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/integ.json index be64da9864e1b..eb53722c5afaf 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "34.0.0", + "version": "36.0.0", "testCases": { "LambdaEventSourceKafkaSelfManagedTest/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/lambda-event-source-kafka-self-managed.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/lambda-event-source-kafka-self-managed.assets.json index d67485e3551c0..cb4ec6e990114 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/lambda-event-source-kafka-self-managed.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/lambda-event-source-kafka-self-managed.assets.json @@ -1,7 +1,7 @@ { - "version": "34.0.0", + "version": "36.0.0", "files": { - "138a217a9e2d3bad4739ea506408a27aca8886a97c0fbacffcba80f39d2d26b0": { + "4bf07b5cad381e52a796b0a42748934cce430e155ffe31f0366eef200d40356f": { "source": { "path": "lambda-event-source-kafka-self-managed.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "138a217a9e2d3bad4739ea506408a27aca8886a97c0fbacffcba80f39d2d26b0.json", + "objectKey": "4bf07b5cad381e52a796b0a42748934cce430e155ffe31f0366eef200d40356f.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/lambda-event-source-kafka-self-managed.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/lambda-event-source-kafka-self-managed.template.json index 88cf96bcf5d69..dd921a80f1344 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/lambda-event-source-kafka-self-managed.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/lambda-event-source-kafka-self-managed.template.json @@ -143,6 +143,185 @@ }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" + }, + "fctestkeyname524AF060": { + "Type": "AWS::KMS::Key", + "Properties": { + "Description": "KMS key for test fc encryption", + "KeyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + }, + { + "Action": "kms:Decrypt", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PendingWindowInDays": 7 + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "F2ServiceRole7F7C6006": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "F2ServiceRoleDefaultPolicy999D30A8": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "secretsmanager:DescribeSecret", + "secretsmanager:GetSecretValue" + ], + "Effect": "Allow", + "Resource": [ + { + "Ref": "S509448A1" + }, + { + "Ref": "SC0855C491" + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "F2ServiceRoleDefaultPolicy999D30A8", + "Roles": [ + { + "Ref": "F2ServiceRole7F7C6006" + } + ] + } + }, + "F23BAC7B9C": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "ZipFile": "exports.handler = async function handler(event) {\n console.log('event:', JSON.stringify(event, undefined, 2));\n return { event };\n}" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "F2ServiceRole7F7C6006", + "Arn" + ] + }, + "Runtime": "nodejs18.x" + }, + "DependsOn": [ + "F2ServiceRoleDefaultPolicy999D30A8", + "F2ServiceRole7F7C6006" + ] + }, + "F2KafkaEventSource838c4d5ff3c99c1a617120adfca83e5bmytesttopic20A678189": { + "Type": "AWS::Lambda::EventSourceMapping", + "Properties": { + "BatchSize": 100, + "FilterCriteria": { + "Filters": [ + { + "Pattern": "{\"numericEquals\":[{\"numeric\":[\"=\",2]}]}" + } + ] + }, + "FunctionName": { + "Ref": "F23BAC7B9C" + }, + "KmsKeyArn": { + "Fn::GetAtt": [ + "fctestkeyname524AF060", + "Arn" + ] + }, + "SelfManagedEventSource": { + "Endpoints": { + "KafkaBootstrapServers": [ + "my-self-hosted-kafka-broker-1:9092", + "my-self-hosted-kafka-broker-2:9092", + "my-self-hosted-kafka-broker-3:9092" + ] + } + }, + "SelfManagedKafkaEventSourceConfig": { + "ConsumerGroupId": "myTestConsumerGroup2" + }, + "SourceAccessConfigurations": [ + { + "Type": "CLIENT_CERTIFICATE_TLS_AUTH", + "URI": { + "Ref": "SC0855C491" + } + }, + { + "Type": "SERVER_ROOT_CA_CERTIFICATE", + "URI": { + "Ref": "S509448A1" + } + } + ], + "StartingPosition": "TRIM_HORIZON", + "Topics": [ + "my-test-topic2" + ] + } } }, "Parameters": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/manifest.json index 87b62f798b18b..06655a65cd8cb 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "34.0.0", + "version": "36.0.0", "artifacts": { "lambda-event-source-kafka-self-managed.assets": { "type": "cdk:asset-manifest", @@ -14,10 +14,11 @@ "environment": "aws://unknown-account/unknown-region", "properties": { "templateFile": "lambda-event-source-kafka-self-managed.template.json", + "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/138a217a9e2d3bad4739ea506408a27aca8886a97c0fbacffcba80f39d2d26b0.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/4bf07b5cad381e52a796b0a42748934cce430e155ffe31f0366eef200d40356f.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -69,6 +70,36 @@ "data": "SC0855C491" } ], + "/lambda-event-source-kafka-self-managed/fc-test-key-name/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "fctestkeyname524AF060" + } + ], + "/lambda-event-source-kafka-self-managed/F2/ServiceRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "F2ServiceRole7F7C6006" + } + ], + "/lambda-event-source-kafka-self-managed/F2/ServiceRole/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "F2ServiceRoleDefaultPolicy999D30A8" + } + ], + "/lambda-event-source-kafka-self-managed/F2/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "F23BAC7B9C" + } + ], + "/lambda-event-source-kafka-self-managed/F2/KafkaEventSource:838c4d5ff3c99c1a617120adfca83e5b:my-test-topic2/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "F2KafkaEventSource838c4d5ff3c99c1a617120adfca83e5bmytesttopic20A678189" + } + ], "/lambda-event-source-kafka-self-managed/BootstrapVersion": [ { "type": "aws:cdk:logicalId", @@ -97,6 +128,7 @@ "environment": "aws://unknown-account/unknown-region", "properties": { "templateFile": "LambdaEventSourceKafkaSelfManagedTestDefaultTestDeployAssertAF78BD0F.template.json", + "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/tree.json index 9bdb89aea6878..54543d8610b3a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/tree.json @@ -260,6 +260,277 @@ "version": "0.0.0" } }, + "fc-test-key-name": { + "id": "fc-test-key-name", + "path": "lambda-event-source-kafka-self-managed/fc-test-key-name", + "children": { + "Resource": { + "id": "Resource", + "path": "lambda-event-source-kafka-self-managed/fc-test-key-name/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::KMS::Key", + "aws:cdk:cloudformation:props": { + "description": "KMS key for test fc encryption", + "keyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + }, + { + "Action": "kms:Decrypt", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "pendingWindowInDays": 7 + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.CfnKey", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.Key", + "version": "0.0.0" + } + }, + "F2": { + "id": "F2", + "path": "lambda-event-source-kafka-self-managed/F2", + "children": { + "ServiceRole": { + "id": "ServiceRole", + "path": "lambda-event-source-kafka-self-managed/F2/ServiceRole", + "children": { + "ImportServiceRole": { + "id": "ImportServiceRole", + "path": "lambda-event-source-kafka-self-managed/F2/ServiceRole/ImportServiceRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "lambda-event-source-kafka-self-managed/F2/ServiceRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "managedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + }, + "DefaultPolicy": { + "id": "DefaultPolicy", + "path": "lambda-event-source-kafka-self-managed/F2/ServiceRole/DefaultPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "lambda-event-source-kafka-self-managed/F2/ServiceRole/DefaultPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Policy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": [ + "secretsmanager:DescribeSecret", + "secretsmanager:GetSecretValue" + ], + "Effect": "Allow", + "Resource": [ + { + "Ref": "S509448A1" + }, + { + "Ref": "SC0855C491" + } + ] + } + ], + "Version": "2012-10-17" + }, + "policyName": "F2ServiceRoleDefaultPolicy999D30A8", + "roles": [ + { + "Ref": "F2ServiceRole7F7C6006" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Policy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "lambda-event-source-kafka-self-managed/F2/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::Function", + "aws:cdk:cloudformation:props": { + "code": { + "zipFile": "exports.handler = async function handler(event) {\n console.log('event:', JSON.stringify(event, undefined, 2));\n return { event };\n}" + }, + "handler": "index.handler", + "role": { + "Fn::GetAtt": [ + "F2ServiceRole7F7C6006", + "Arn" + ] + }, + "runtime": "nodejs18.x" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.CfnFunction", + "version": "0.0.0" + } + }, + "KafkaEventSource:838c4d5ff3c99c1a617120adfca83e5b:my-test-topic2": { + "id": "KafkaEventSource:838c4d5ff3c99c1a617120adfca83e5b:my-test-topic2", + "path": "lambda-event-source-kafka-self-managed/F2/KafkaEventSource:838c4d5ff3c99c1a617120adfca83e5b:my-test-topic2", + "children": { + "Resource": { + "id": "Resource", + "path": "lambda-event-source-kafka-self-managed/F2/KafkaEventSource:838c4d5ff3c99c1a617120adfca83e5b:my-test-topic2/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::EventSourceMapping", + "aws:cdk:cloudformation:props": { + "batchSize": 100, + "filterCriteria": { + "filters": [ + { + "pattern": "{\"numericEquals\":[{\"numeric\":[\"=\",2]}]}" + } + ] + }, + "functionName": { + "Ref": "F23BAC7B9C" + }, + "kmsKeyArn": { + "Fn::GetAtt": [ + "fctestkeyname524AF060", + "Arn" + ] + }, + "selfManagedEventSource": { + "endpoints": { + "kafkaBootstrapServers": [ + "my-self-hosted-kafka-broker-1:9092", + "my-self-hosted-kafka-broker-2:9092", + "my-self-hosted-kafka-broker-3:9092" + ] + } + }, + "selfManagedKafkaEventSourceConfig": { + "consumerGroupId": "myTestConsumerGroup2" + }, + "sourceAccessConfigurations": [ + { + "type": "CLIENT_CERTIFICATE_TLS_AUTH", + "uri": { + "Ref": "SC0855C491" + } + }, + { + "type": "SERVER_ROOT_CA_CERTIFICATE", + "uri": { + "Ref": "S509448A1" + } + } + ], + "startingPosition": "TRIM_HORIZON", + "topics": [ + "my-test-topic2" + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.CfnEventSourceMapping", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.EventSourceMapping", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.Function", + "version": "0.0.0" + } + }, "BootstrapVersion": { "id": "BootstrapVersion", "path": "lambda-event-source-kafka-self-managed/BootstrapVersion", @@ -295,7 +566,7 @@ "path": "LambdaEventSourceKafkaSelfManagedTest/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.2.70" + "version": "10.3.0" } }, "DeployAssert": { @@ -341,7 +612,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.2.70" + "version": "10.3.0" } } }, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.ts index 2ddbece1eee21..3af619c6f8bc2 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.ts @@ -4,6 +4,7 @@ import * as cdk from 'aws-cdk-lib'; import * as integ from '@aws-cdk/integ-tests-alpha'; import { TestFunction } from './test-function'; import { AuthenticationMethod, SelfManagedKafkaEventSource } from 'aws-cdk-lib/aws-lambda-event-sources'; +import { Key } from 'aws-cdk-lib/aws-kms'; class KafkaSelfManagedEventSourceTest extends cdk.Stack { constructor(scope: cdk.App, id: string) { @@ -60,6 +61,32 @@ zp2mwJn2NYB7AZ7+imp0azDZb+8YG2aUCiyqb6PnnA== ], }), ); + + const myKey = new Key(this, 'fc-test-key-name', { + removalPolicy: cdk.RemovalPolicy.DESTROY, + pendingWindow: cdk.Duration.days(7), + description: 'KMS key for test fc encryption', + }); + + const fn2 = new TestFunction(this, 'F2'); + rootCASecret.grantRead(fn2); + clientCertificatesSecret.grantRead(fn2); + + fn2.addEventSource(new SelfManagedKafkaEventSource({ + bootstrapServers, + topic: 'my-test-topic2', + consumerGroupId: 'myTestConsumerGroup2', + secret: clientCertificatesSecret, + authenticationMethod: AuthenticationMethod.CLIENT_CERTIFICATE_TLS_AUTH, + rootCACertificate: rootCASecret, + startingPosition: lambda.StartingPosition.TRIM_HORIZON, + filters: [ + lambda.FilterCriteria.filter({ + numericEquals: lambda.FilterRule.isEqual(2), + }), + ], + filterEncryption: myKey, + })); } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/SQSFilterCriteriaDefaultTestDeployAssert70A9A808.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/SQSFilterCriteriaDefaultTestDeployAssert70A9A808.assets.json index 29409e5062689..316f67625c262 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/SQSFilterCriteriaDefaultTestDeployAssert70A9A808.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/SQSFilterCriteriaDefaultTestDeployAssert70A9A808.assets.json @@ -1,5 +1,5 @@ { - "version": "34.0.0", + "version": "36.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/cdk.out index 2313ab5436501..1f0068d32659a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"34.0.0"} \ No newline at end of file +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/integ.json index cc01f8e83d5e0..4d9d3a1966196 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "34.0.0", + "version": "36.0.0", "testCases": { "SQSFilterCriteria/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-sqs.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-sqs.assets.json index 0a297a763dd0f..0491d75417637 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-sqs.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-sqs.assets.json @@ -1,7 +1,7 @@ { - "version": "34.0.0", + "version": "36.0.0", "files": { - "68d6842ea4469781d0a31e238982e6e384917b532b01a55bda819955e7d3beda": { + "b13ae7c9fc3e3d5e6921b00ac79b3ec76c7b8006a622b9b14fc849181dbce1e7": { "source": { "path": "lambda-event-source-filter-criteria-sqs.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "68d6842ea4469781d0a31e238982e6e384917b532b01a55bda819955e7d3beda.json", + "objectKey": "b13ae7c9fc3e3d5e6921b00ac79b3ec76c7b8006a622b9b14fc849181dbce1e7.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-sqs.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-sqs.template.json index f34c9cf70ac42..bbe7eda0090d2 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-sqs.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-sqs.template.json @@ -109,6 +109,162 @@ "Type": "AWS::SQS::Queue", "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" + }, + "fctestkeyname524AF060": { + "Type": "AWS::KMS::Key", + "Properties": { + "Description": "KMS key for test fc encryption", + "KeyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + }, + { + "Action": "kms:Decrypt", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PendingWindowInDays": 7 + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "F2ServiceRole7F7C6006": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "F2ServiceRoleDefaultPolicy999D30A8": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ReceiveMessage" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "Q63C6E3AB", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "F2ServiceRoleDefaultPolicy999D30A8", + "Roles": [ + { + "Ref": "F2ServiceRole7F7C6006" + } + ] + } + }, + "F23BAC7B9C": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "ZipFile": "exports.handler = async function handler(event) {\n console.log('event:', JSON.stringify(event, undefined, 2));\n return { event };\n}" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "F2ServiceRole7F7C6006", + "Arn" + ] + }, + "Runtime": "nodejs18.x" + }, + "DependsOn": [ + "F2ServiceRoleDefaultPolicy999D30A8", + "F2ServiceRole7F7C6006" + ] + }, + "F2SqsEventSourcelambdaeventsourcefiltercriteriasqsQA0FC5C9369D735ED": { + "Type": "AWS::Lambda::EventSourceMapping", + "Properties": { + "BatchSize": 5, + "EventSourceArn": { + "Fn::GetAtt": [ + "Q63C6E3AB", + "Arn" + ] + }, + "FilterCriteria": { + "Filters": [ + { + "Pattern": "{\"body\":{\"id\":[{\"exists\":true}]}}" + } + ] + }, + "FunctionName": { + "Ref": "F23BAC7B9C" + }, + "KmsKeyArn": { + "Fn::GetAtt": [ + "fctestkeyname524AF060", + "Arn" + ] + } + } } }, "Parameters": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/manifest.json index 80e8bb91a4194..ab4927fa81244 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "34.0.0", + "version": "36.0.0", "artifacts": { "lambda-event-source-filter-criteria-sqs.assets": { "type": "cdk:asset-manifest", @@ -14,10 +14,11 @@ "environment": "aws://unknown-account/unknown-region", "properties": { "templateFile": "lambda-event-source-filter-criteria-sqs.template.json", + "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/68d6842ea4469781d0a31e238982e6e384917b532b01a55bda819955e7d3beda.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/b13ae7c9fc3e3d5e6921b00ac79b3ec76c7b8006a622b9b14fc849181dbce1e7.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -63,6 +64,36 @@ "data": "Q63C6E3AB" } ], + "/lambda-event-source-filter-criteria-sqs/fc-test-key-name/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "fctestkeyname524AF060" + } + ], + "/lambda-event-source-filter-criteria-sqs/F2/ServiceRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "F2ServiceRole7F7C6006" + } + ], + "/lambda-event-source-filter-criteria-sqs/F2/ServiceRole/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "F2ServiceRoleDefaultPolicy999D30A8" + } + ], + "/lambda-event-source-filter-criteria-sqs/F2/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "F23BAC7B9C" + } + ], + "/lambda-event-source-filter-criteria-sqs/F2/SqsEventSource:lambdaeventsourcefiltercriteriasqsQA0FC5C93/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "F2SqsEventSourcelambdaeventsourcefiltercriteriasqsQA0FC5C9369D735ED" + } + ], "/lambda-event-source-filter-criteria-sqs/BootstrapVersion": [ { "type": "aws:cdk:logicalId", @@ -74,6 +105,15 @@ "type": "aws:cdk:logicalId", "data": "CheckBootstrapVersion" } + ], + "fctestkeynameAliasEF6099A0": [ + { + "type": "aws:cdk:logicalId", + "data": "fctestkeynameAliasEF6099A0", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" + ] + } ] }, "displayName": "lambda-event-source-filter-criteria-sqs" @@ -91,6 +131,7 @@ "environment": "aws://unknown-account/unknown-region", "properties": { "templateFile": "SQSFilterCriteriaDefaultTestDeployAssert70A9A808.template.json", + "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/tree.json index b0b978a2f835c..df8b30717c630 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/tree.json @@ -179,7 +179,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_lambda.EventSourceMapping", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } } @@ -211,6 +211,254 @@ "version": "0.0.0" } }, + "fc-test-key-name": { + "id": "fc-test-key-name", + "path": "lambda-event-source-filter-criteria-sqs/fc-test-key-name", + "children": { + "Resource": { + "id": "Resource", + "path": "lambda-event-source-filter-criteria-sqs/fc-test-key-name/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::KMS::Key", + "aws:cdk:cloudformation:props": { + "description": "KMS key for test fc encryption", + "keyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + }, + { + "Action": "kms:Decrypt", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "pendingWindowInDays": 7 + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.CfnKey", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.Key", + "version": "0.0.0" + } + }, + "F2": { + "id": "F2", + "path": "lambda-event-source-filter-criteria-sqs/F2", + "children": { + "ServiceRole": { + "id": "ServiceRole", + "path": "lambda-event-source-filter-criteria-sqs/F2/ServiceRole", + "children": { + "ImportServiceRole": { + "id": "ImportServiceRole", + "path": "lambda-event-source-filter-criteria-sqs/F2/ServiceRole/ImportServiceRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "lambda-event-source-filter-criteria-sqs/F2/ServiceRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "managedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + }, + "DefaultPolicy": { + "id": "DefaultPolicy", + "path": "lambda-event-source-filter-criteria-sqs/F2/ServiceRole/DefaultPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "lambda-event-source-filter-criteria-sqs/F2/ServiceRole/DefaultPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Policy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ReceiveMessage" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "Q63C6E3AB", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "policyName": "F2ServiceRoleDefaultPolicy999D30A8", + "roles": [ + { + "Ref": "F2ServiceRole7F7C6006" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Policy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "lambda-event-source-filter-criteria-sqs/F2/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::Function", + "aws:cdk:cloudformation:props": { + "code": { + "zipFile": "exports.handler = async function handler(event) {\n console.log('event:', JSON.stringify(event, undefined, 2));\n return { event };\n}" + }, + "handler": "index.handler", + "role": { + "Fn::GetAtt": [ + "F2ServiceRole7F7C6006", + "Arn" + ] + }, + "runtime": "nodejs18.x" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.CfnFunction", + "version": "0.0.0" + } + }, + "SqsEventSource:lambdaeventsourcefiltercriteriasqsQA0FC5C93": { + "id": "SqsEventSource:lambdaeventsourcefiltercriteriasqsQA0FC5C93", + "path": "lambda-event-source-filter-criteria-sqs/F2/SqsEventSource:lambdaeventsourcefiltercriteriasqsQA0FC5C93", + "children": { + "Resource": { + "id": "Resource", + "path": "lambda-event-source-filter-criteria-sqs/F2/SqsEventSource:lambdaeventsourcefiltercriteriasqsQA0FC5C93/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::EventSourceMapping", + "aws:cdk:cloudformation:props": { + "batchSize": 5, + "eventSourceArn": { + "Fn::GetAtt": [ + "Q63C6E3AB", + "Arn" + ] + }, + "filterCriteria": { + "filters": [ + { + "pattern": "{\"body\":{\"id\":[{\"exists\":true}]}}" + } + ] + }, + "functionName": { + "Ref": "F23BAC7B9C" + }, + "kmsKeyArn": { + "Fn::GetAtt": [ + "fctestkeyname524AF060", + "Arn" + ] + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.CfnEventSourceMapping", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.Function", + "version": "0.0.0" + } + }, "BootstrapVersion": { "id": "BootstrapVersion", "path": "lambda-event-source-filter-criteria-sqs/BootstrapVersion", @@ -246,7 +494,7 @@ "path": "SQSFilterCriteria/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.2.70" + "version": "10.3.0" } }, "DeployAssert": { @@ -292,7 +540,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.2.70" + "version": "10.3.0" } } }, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.ts index 3890428a70ff8..98d536b52e49f 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.ts @@ -4,6 +4,7 @@ import * as cdk from 'aws-cdk-lib'; import * as integ from '@aws-cdk/integ-tests-alpha'; import { TestFunction } from './test-function'; import { SqsEventSource } from 'aws-cdk-lib/aws-lambda-event-sources'; +import { Key } from 'aws-cdk-lib/aws-kms'; const app = new cdk.App(); @@ -23,6 +24,26 @@ fn.addEventSource(new SqsEventSource(queue, { ], })); +const myKey = new Key(stack, 'fc-test-key-name', { + removalPolicy: cdk.RemovalPolicy.DESTROY, + pendingWindow: cdk.Duration.days(7), + description: 'KMS key for test fc encryption', +}); + +const fn2 = new TestFunction(stack, 'F2'); + +fn2.addEventSource(new SqsEventSource(queue, { + batchSize: 5, + filters: [ + lambda.FilterCriteria.filter({ + body: { + id: lambda.FilterRule.exists(), + }, + }), + ], + filterEncryption: myKey, +})); + new integ.IntegTest(app, 'SQSFilterCriteria', { testCases: [stack], }); diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/MyStack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/MyStack.assets.json new file mode 100644 index 0000000000000..5a02d75ebe385 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/MyStack.assets.json @@ -0,0 +1,58 @@ +{ + "version": "36.0.5", + "files": { + "3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961": { + "source": { + "path": "asset.3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + }, + "0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c": { + "source": { + "path": "asset.0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c", + "packaging": "zip" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c.zip", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + }, + "561a8b95d6d62d87513e3607a2de271376251555ee83cf7b93534b0e85c500c8": { + "source": { + "path": "asset.561a8b95d6d62d87513e3607a2de271376251555ee83cf7b93534b0e85c500c8", + "packaging": "zip" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "561a8b95d6d62d87513e3607a2de271376251555ee83cf7b93534b0e85c500c8.zip", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + }, + "e18944d0be1b04c77ec42f6036bf87609348dbd787c375da85e7bdbd979094a1": { + "source": { + "path": "MyStack.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "e18944d0be1b04c77ec42f6036bf87609348dbd787c375da85e7bdbd979094a1.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/MyStack.template.json b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/MyStack.template.json new file mode 100644 index 0000000000000..3be885e7b3501 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/MyStack.template.json @@ -0,0 +1,263 @@ +{ + "Resources": { + "WebsiteBucket75C24D94": { + "Type": "AWS::S3::Bucket", + "Properties": { + "Tags": [ + { + "Key": "aws-cdk:cr-owned:156aa6de", + "Value": "true" + } + ] + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "LogGroupF5B46931": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "RetentionInDays": 3653 + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "s3deployAwsCliLayerD0CD1E6B": { + "Type": "AWS::Lambda::LayerVersion", + "Properties": { + "Content": { + "S3Bucket": { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "S3Key": "3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip" + }, + "Description": "/opt/awscli/aws" + } + }, + "s3deployCustomResourceDB97D82D": { + "Type": "Custom::CDKBucketDeployment", + "Properties": { + "ServiceToken": { + "Fn::GetAtt": [ + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536", + "Arn" + ] + }, + "SourceBucketNames": [ + { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + } + ], + "SourceObjectKeys": [ + "561a8b95d6d62d87513e3607a2de271376251555ee83cf7b93534b0e85c500c8.zip" + ], + "SourceMarkers": [ + {} + ], + "DestinationBucketName": { + "Ref": "WebsiteBucket75C24D94" + }, + "Prune": true + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::", + { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::", + { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + } + ] + ] + } + ] + }, + { + "Action": [ + "s3:Abort*", + "s3:DeleteObject*", + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*", + "s3:PutObject", + "s3:PutObjectLegalHold", + "s3:PutObjectRetention", + "s3:PutObjectTagging", + "s3:PutObjectVersionTagging" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "WebsiteBucket75C24D94", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "WebsiteBucket75C24D94", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF", + "Roles": [ + { + "Ref": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265" + } + ] + } + }, + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "S3Bucket": { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "S3Key": "0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c.zip" + }, + "Environment": { + "Variables": { + "AWS_CA_BUNDLE": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" + } + }, + "Handler": "index.handler", + "Layers": [ + { + "Ref": "s3deployAwsCliLayerD0CD1E6B" + } + ], + "LoggingConfig": { + "LogGroup": { + "Ref": "LogGroupF5B46931" + } + }, + "Role": { + "Fn::GetAtt": [ + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265", + "Arn" + ] + }, + "Runtime": "python3.9", + "Timeout": 900 + }, + "DependsOn": [ + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF", + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265" + ] + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/asset.0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c/index.py b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/asset.0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c/index.py new file mode 100644 index 0000000000000..e4d3920e40c02 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/asset.0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c/index.py @@ -0,0 +1,336 @@ +import contextlib +import json +import logging +import os +import shutil +import subprocess +import tempfile +import urllib.parse +from urllib.request import Request, urlopen +from uuid import uuid4 +from zipfile import ZipFile + +import boto3 + +logger = logging.getLogger() +logger.setLevel(logging.INFO) + +cloudfront = boto3.client('cloudfront') +s3 = boto3.client('s3') + +CFN_SUCCESS = "SUCCESS" +CFN_FAILED = "FAILED" +ENV_KEY_MOUNT_PATH = "MOUNT_PATH" +ENV_KEY_SKIP_CLEANUP = "SKIP_CLEANUP" + +AWS_CLI_CONFIG_FILE = "/tmp/aws_cli_config" +CUSTOM_RESOURCE_OWNER_TAG = "aws-cdk:cr-owned" + +os.putenv('AWS_CONFIG_FILE', AWS_CLI_CONFIG_FILE) + +def handler(event, context): + + def cfn_error(message=None): + if message: + logger.error("| cfn_error: %s" % message.encode()) + cfn_send(event, context, CFN_FAILED, reason=message, physicalResourceId=event.get('PhysicalResourceId', None)) + + + try: + # We are not logging ResponseURL as this is a pre-signed S3 URL, and could be used to tamper + # with the response CloudFormation sees from this Custom Resource execution. + logger.info({ key:value for (key, value) in event.items() if key != 'ResponseURL'}) + + # cloudformation request type (create/update/delete) + request_type = event['RequestType'] + + # extract resource properties + props = event['ResourceProperties'] + old_props = event.get('OldResourceProperties', {}) + physical_id = event.get('PhysicalResourceId', None) + + try: + source_bucket_names = props['SourceBucketNames'] + source_object_keys = props['SourceObjectKeys'] + source_markers = props.get('SourceMarkers', None) + dest_bucket_name = props['DestinationBucketName'] + dest_bucket_prefix = props.get('DestinationBucketKeyPrefix', '') + extract = props.get('Extract', 'true') == 'true' + retain_on_delete = props.get('RetainOnDelete', "true") == "true" + distribution_id = props.get('DistributionId', '') + user_metadata = props.get('UserMetadata', {}) + system_metadata = props.get('SystemMetadata', {}) + prune = props.get('Prune', 'true').lower() == 'true' + exclude = props.get('Exclude', []) + include = props.get('Include', []) + sign_content = props.get('SignContent', 'false').lower() == 'true' + + # backwards compatibility - if "SourceMarkers" is not specified, + # assume all sources have an empty market map + if source_markers is None: + source_markers = [{} for i in range(len(source_bucket_names))] + + default_distribution_path = dest_bucket_prefix + if not default_distribution_path.endswith("/"): + default_distribution_path += "/" + if not default_distribution_path.startswith("/"): + default_distribution_path = "/" + default_distribution_path + default_distribution_path += "*" + + distribution_paths = props.get('DistributionPaths', [default_distribution_path]) + except KeyError as e: + cfn_error("missing request resource property %s. props: %s" % (str(e), props)) + return + + # configure aws cli options after resetting back to the defaults for each request + if os.path.exists(AWS_CLI_CONFIG_FILE): + os.remove(AWS_CLI_CONFIG_FILE) + if sign_content: + aws_command("configure", "set", "default.s3.payload_signing_enabled", "true") + + # treat "/" as if no prefix was specified + if dest_bucket_prefix == "/": + dest_bucket_prefix = "" + + s3_source_zips = list(map(lambda name, key: "s3://%s/%s" % (name, key), source_bucket_names, source_object_keys)) + s3_dest = "s3://%s/%s" % (dest_bucket_name, dest_bucket_prefix) + old_s3_dest = "s3://%s/%s" % (old_props.get("DestinationBucketName", ""), old_props.get("DestinationBucketKeyPrefix", "")) + + + # obviously this is not + if old_s3_dest == "s3:///": + old_s3_dest = None + + logger.info("| s3_dest: %s" % sanitize_message(s3_dest)) + logger.info("| old_s3_dest: %s" % sanitize_message(old_s3_dest)) + + # if we are creating a new resource, allocate a physical id for it + # otherwise, we expect physical id to be relayed by cloudformation + if request_type == "Create": + physical_id = "aws.cdk.s3deployment.%s" % str(uuid4()) + else: + if not physical_id: + cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % request_type) + return + + # delete or create/update (only if "retain_on_delete" is false) + if request_type == "Delete" and not retain_on_delete: + if not bucket_owned(dest_bucket_name, dest_bucket_prefix): + aws_command("s3", "rm", s3_dest, "--recursive") + + # if we are updating without retention and the destination changed, delete first + if request_type == "Update" and not retain_on_delete and old_s3_dest != s3_dest: + if not old_s3_dest: + logger.warn("cannot delete old resource without old resource properties") + return + + aws_command("s3", "rm", old_s3_dest, "--recursive") + + if request_type == "Update" or request_type == "Create": + s3_deploy(s3_source_zips, s3_dest, user_metadata, system_metadata, prune, exclude, include, source_markers, extract) + + if distribution_id: + cloudfront_invalidate(distribution_id, distribution_paths) + + cfn_send(event, context, CFN_SUCCESS, physicalResourceId=physical_id, responseData={ + # Passing through the ARN sequences dependencees on the deployment + 'DestinationBucketArn': props.get('DestinationBucketArn'), + 'SourceObjectKeys': props.get('SourceObjectKeys'), + }) + except KeyError as e: + cfn_error("invalid request. Missing key %s" % str(e)) + except Exception as e: + logger.exception(e) + cfn_error(str(e)) + +#--------------------------------------------------------------------------------------------------- +# Sanitize the message to mitigate CWE-117 and CWE-93 vulnerabilities +def sanitize_message(message): + if not message: + return message + + # Sanitize the message to prevent log injection and HTTP response splitting + sanitized_message = message.replace('\n', '').replace('\r', '') + + # Encode the message to handle special characters + encoded_message = urllib.parse.quote(sanitized_message) + + return encoded_message + +#--------------------------------------------------------------------------------------------------- +# populate all files from s3_source_zips to a destination bucket +def s3_deploy(s3_source_zips, s3_dest, user_metadata, system_metadata, prune, exclude, include, source_markers, extract): + # list lengths are equal + if len(s3_source_zips) != len(source_markers): + raise Exception("'source_markers' and 's3_source_zips' must be the same length") + + # create a temporary working directory in /tmp or if enabled an attached efs volume + if ENV_KEY_MOUNT_PATH in os.environ: + workdir = os.getenv(ENV_KEY_MOUNT_PATH) + "/" + str(uuid4()) + os.mkdir(workdir) + else: + workdir = tempfile.mkdtemp() + + logger.info("| workdir: %s" % workdir) + + # create a directory into which we extract the contents of the zip file + contents_dir=os.path.join(workdir, 'contents') + os.mkdir(contents_dir) + + try: + # download the archive from the source and extract to "contents" + for i in range(len(s3_source_zips)): + s3_source_zip = s3_source_zips[i] + markers = source_markers[i] + + if extract: + archive=os.path.join(workdir, str(uuid4())) + logger.info("archive: %s" % archive) + aws_command("s3", "cp", s3_source_zip, archive) + logger.info("| extracting archive to: %s\n" % contents_dir) + logger.info("| markers: %s" % markers) + extract_and_replace_markers(archive, contents_dir, markers) + else: + logger.info("| copying archive to: %s\n" % contents_dir) + aws_command("s3", "cp", s3_source_zip, contents_dir) + + # sync from "contents" to destination + + s3_command = ["s3", "sync"] + + if prune: + s3_command.append("--delete") + + if exclude: + for filter in exclude: + s3_command.extend(["--exclude", filter]) + + if include: + for filter in include: + s3_command.extend(["--include", filter]) + + s3_command.extend([contents_dir, s3_dest]) + s3_command.extend(create_metadata_args(user_metadata, system_metadata)) + aws_command(*s3_command) + finally: + if not os.getenv(ENV_KEY_SKIP_CLEANUP): + shutil.rmtree(workdir) + +#--------------------------------------------------------------------------------------------------- +# invalidate files in the CloudFront distribution edge caches +def cloudfront_invalidate(distribution_id, distribution_paths): + invalidation_resp = cloudfront.create_invalidation( + DistributionId=distribution_id, + InvalidationBatch={ + 'Paths': { + 'Quantity': len(distribution_paths), + 'Items': distribution_paths + }, + 'CallerReference': str(uuid4()), + }) + # by default, will wait up to 10 minutes + cloudfront.get_waiter('invalidation_completed').wait( + DistributionId=distribution_id, + Id=invalidation_resp['Invalidation']['Id']) + +#--------------------------------------------------------------------------------------------------- +# set metadata +def create_metadata_args(raw_user_metadata, raw_system_metadata): + if len(raw_user_metadata) == 0 and len(raw_system_metadata) == 0: + return [] + + format_system_metadata_key = lambda k: k.lower() + format_user_metadata_key = lambda k: k.lower() + + system_metadata = { format_system_metadata_key(k): v for k, v in raw_system_metadata.items() } + user_metadata = { format_user_metadata_key(k): v for k, v in raw_user_metadata.items() } + + flatten = lambda l: [item for sublist in l for item in sublist] + system_args = flatten([[f"--{k}", v] for k, v in system_metadata.items()]) + user_args = ["--metadata", json.dumps(user_metadata, separators=(',', ':'))] if len(user_metadata) > 0 else [] + + return system_args + user_args + ["--metadata-directive", "REPLACE"] + +#--------------------------------------------------------------------------------------------------- +# executes an "aws" cli command +def aws_command(*args): + aws="/opt/awscli/aws" # from AwsCliLayer + logger.info("| aws %s" % ' '.join(args)) + subprocess.check_call([aws] + list(args)) + +#--------------------------------------------------------------------------------------------------- +# sends a response to cloudformation +def cfn_send(event, context, responseStatus, responseData={}, physicalResourceId=None, noEcho=False, reason=None): + + responseUrl = event['ResponseURL'] + + responseBody = {} + responseBody['Status'] = responseStatus + responseBody['Reason'] = reason or ('See the details in CloudWatch Log Stream: ' + context.log_stream_name) + responseBody['PhysicalResourceId'] = physicalResourceId or context.log_stream_name + responseBody['StackId'] = event['StackId'] + responseBody['RequestId'] = event['RequestId'] + responseBody['LogicalResourceId'] = event['LogicalResourceId'] + responseBody['NoEcho'] = noEcho + responseBody['Data'] = responseData + + body = json.dumps(responseBody) + logger.info("| response body:\n" + body) + + headers = { + 'content-type' : '', + 'content-length' : str(len(body)) + } + + try: + request = Request(responseUrl, method='PUT', data=bytes(body.encode('utf-8')), headers=headers) + with contextlib.closing(urlopen(request)) as response: + logger.info("| status code: " + response.reason) + except Exception as e: + logger.error("| unable to send response to CloudFormation") + logger.exception(e) + + +#--------------------------------------------------------------------------------------------------- +# check if bucket is owned by a custom resource +# if it is then we don't want to delete content +def bucket_owned(bucketName, keyPrefix): + tag = CUSTOM_RESOURCE_OWNER_TAG + if keyPrefix != "": + tag = tag + ':' + keyPrefix + try: + request = s3.get_bucket_tagging( + Bucket=bucketName, + ) + return any((x["Key"].startswith(tag)) for x in request["TagSet"]) + except Exception as e: + logger.info("| error getting tags from bucket") + logger.exception(e) + return False + +# extract archive and replace markers in output files +def extract_and_replace_markers(archive, contents_dir, markers): + with ZipFile(archive, "r") as zip: + zip.extractall(contents_dir) + + # replace markers for this source + for file in zip.namelist(): + file_path = os.path.join(contents_dir, file) + if os.path.isdir(file_path): continue + replace_markers(file_path, markers) + +def replace_markers(filename, markers): + # convert the dict of string markers to binary markers + replace_tokens = dict([(k.encode('utf-8'), v.encode('utf-8')) for k, v in markers.items()]) + + outfile = filename + '.new' + with open(filename, 'rb') as fi, open(outfile, 'wb') as fo: + for line in fi: + for token in replace_tokens: + line = line.replace(token, replace_tokens[token]) + fo.write(line) + + # # delete the original file and rename the new one to the original + os.remove(filename) + os.rename(outfile, filename) + \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/asset.3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/asset.3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip new file mode 100644 index 0000000000000..f624b92c63849 Binary files /dev/null and b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/asset.3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip differ diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/asset.561a8b95d6d62d87513e3607a2de271376251555ee83cf7b93534b0e85c500c8/file.json b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/asset.561a8b95d6d62d87513e3607a2de271376251555ee83cf7b93534b0e85c500c8/file.json new file mode 100644 index 0000000000000..7f228f99e61ae --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/asset.561a8b95d6d62d87513e3607a2de271376251555ee83cf7b93534b0e85c500c8/file.json @@ -0,0 +1 @@ +{"a":"b"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/cdk.out new file mode 100644 index 0000000000000..bd5311dc372de --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"36.0.5"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/integ.json new file mode 100644 index 0000000000000..5a82b067ed84c --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/integ.json @@ -0,0 +1,13 @@ +{ + "version": "36.0.5", + "testCases": { + "integ-test-custom-resource-config-logGroup/DefaultTest": { + "stacks": [ + "MyStack" + ], + "diffAssets": false, + "assertionStack": "integ-test-custom-resource-config-logGroup/DefaultTest/DeployAssert", + "assertionStackName": "integtestcustomresourceconfiglogGroupDefaultTestDeployAssert04698011" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.assets.json b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/integtestcustomresourceconfiglogGroupDefaultTestDeployAssert04698011.assets.json similarity index 82% rename from packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.assets.json rename to packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/integtestcustomresourceconfiglogGroupDefaultTestDeployAssert04698011.assets.json index 8f0029884a021..a229a89acb5f6 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/integtestcustomresourceconfiglogGroupDefaultTestDeployAssert04698011.assets.json @@ -1,9 +1,9 @@ { - "version": "36.0.0", + "version": "36.0.5", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { - "path": "PipelineStackTestDefaultTestDeployAssertBC780F98.template.json", + "path": "integtestcustomresourceconfiglogGroupDefaultTestDeployAssert04698011.template.json", "packaging": "file" }, "destinations": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/TaskDefinitionDefaultTestDeployAssertF13B2133.template.json b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/integtestcustomresourceconfiglogGroupDefaultTestDeployAssert04698011.template.json similarity index 100% rename from packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/TaskDefinitionDefaultTestDeployAssertF13B2133.template.json rename to packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/integtestcustomresourceconfiglogGroupDefaultTestDeployAssert04698011.template.json diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/manifest.json similarity index 53% rename from packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/manifest.json rename to packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/manifest.json index ead60c3c0ea88..912db8404779d 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/manifest.json @@ -1,28 +1,28 @@ { - "version": "36.0.0", + "version": "36.0.5", "artifacts": { - "aws-ecs-task-def.assets": { + "MyStack.assets": { "type": "cdk:asset-manifest", "properties": { - "file": "aws-ecs-task-def.assets.json", + "file": "MyStack.assets.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" } }, - "aws-ecs-task-def": { + "MyStack": { "type": "aws:cloudformation:stack", "environment": "aws://unknown-account/unknown-region", "properties": { - "templateFile": "aws-ecs-task-def.template.json", + "templateFile": "MyStack.template.json", "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/69e8cabd26b07a22fe937a35822c9447fa44ce785d99d44da971c9f953f701da.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/e18944d0be1b04c77ec42f6036bf87609348dbd787c375da85e7bdbd979094a1.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ - "aws-ecs-task-def.assets" + "MyStack.assets" ], "lookupRole": { "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", @@ -31,49 +31,91 @@ } }, "dependencies": [ - "aws-ecs-task-def.assets" + "MyStack.assets" ], "metadata": { - "/aws-ecs-task-def/TaskDef/TaskRole/Resource": [ + "/MyStack/WebsiteBucket/Resource": [ { "type": "aws:cdk:logicalId", - "data": "TaskDefTaskRole1EDB4A67" + "data": "WebsiteBucket75C24D94" } ], - "/aws-ecs-task-def/TaskDef/Resource": [ + "/MyStack/LogGroup": [ + { + "type": "aws:cdk:is-custom-resource-handler-logGroup", + "data": true + } + ], + "/MyStack/LogGroup/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "LogGroupF5B46931" + } + ], + "/MyStack/s3deploy/AwsCliLayer/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "s3deployAwsCliLayerD0CD1E6B" + } + ], + "/MyStack/s3deploy/CustomResource/Default": [ + { + "type": "aws:cdk:logicalId", + "data": "s3deployCustomResourceDB97D82D" + } + ], + "/MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C": [ + { + "type": "aws:cdk:is-custom-resource-handler-singleton", + "data": true + } + ], + "/MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265" + } + ], + "/MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF" + } + ], + "/MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Resource": [ { "type": "aws:cdk:logicalId", - "data": "TaskDef54694570" + "data": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536" } ], - "/aws-ecs-task-def/BootstrapVersion": [ + "/MyStack/BootstrapVersion": [ { "type": "aws:cdk:logicalId", "data": "BootstrapVersion" } ], - "/aws-ecs-task-def/CheckBootstrapVersion": [ + "/MyStack/CheckBootstrapVersion": [ { "type": "aws:cdk:logicalId", "data": "CheckBootstrapVersion" } ] }, - "displayName": "aws-ecs-task-def" + "displayName": "MyStack" }, - "TaskDefinitionDefaultTestDeployAssertF13B2133.assets": { + "integtestcustomresourceconfiglogGroupDefaultTestDeployAssert04698011.assets": { "type": "cdk:asset-manifest", "properties": { - "file": "TaskDefinitionDefaultTestDeployAssertF13B2133.assets.json", + "file": "integtestcustomresourceconfiglogGroupDefaultTestDeployAssert04698011.assets.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" } }, - "TaskDefinitionDefaultTestDeployAssertF13B2133": { + "integtestcustomresourceconfiglogGroupDefaultTestDeployAssert04698011": { "type": "aws:cloudformation:stack", "environment": "aws://unknown-account/unknown-region", "properties": { - "templateFile": "TaskDefinitionDefaultTestDeployAssertF13B2133.template.json", + "templateFile": "integtestcustomresourceconfiglogGroupDefaultTestDeployAssert04698011.template.json", "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", @@ -82,7 +124,7 @@ "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ - "TaskDefinitionDefaultTestDeployAssertF13B2133.assets" + "integtestcustomresourceconfiglogGroupDefaultTestDeployAssert04698011.assets" ], "lookupRole": { "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", @@ -91,23 +133,23 @@ } }, "dependencies": [ - "TaskDefinitionDefaultTestDeployAssertF13B2133.assets" + "integtestcustomresourceconfiglogGroupDefaultTestDeployAssert04698011.assets" ], "metadata": { - "/TaskDefinition/DefaultTest/DeployAssert/BootstrapVersion": [ + "/integ-test-custom-resource-config-logGroup/DefaultTest/DeployAssert/BootstrapVersion": [ { "type": "aws:cdk:logicalId", "data": "BootstrapVersion" } ], - "/TaskDefinition/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + "/integ-test-custom-resource-config-logGroup/DefaultTest/DeployAssert/CheckBootstrapVersion": [ { "type": "aws:cdk:logicalId", "data": "CheckBootstrapVersion" } ] }, - "displayName": "TaskDefinition/DefaultTest/DeployAssert" + "displayName": "integ-test-custom-resource-config-logGroup/DefaultTest/DeployAssert" }, "Tree": { "type": "cdk:tree", diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/tree.json new file mode 100644 index 0000000000000..77ee7d7819bff --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.js.snapshot/tree.json @@ -0,0 +1,520 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "MyStack": { + "id": "MyStack", + "path": "MyStack", + "children": { + "WebsiteBucket": { + "id": "WebsiteBucket", + "path": "MyStack/WebsiteBucket", + "children": { + "Resource": { + "id": "Resource", + "path": "MyStack/WebsiteBucket/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::S3::Bucket", + "aws:cdk:cloudformation:props": { + "tags": [ + { + "key": "aws-cdk:cr-owned:156aa6de", + "value": "true" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3.CfnBucket", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3.Bucket", + "version": "0.0.0" + } + }, + "LogGroup": { + "id": "LogGroup", + "path": "MyStack/LogGroup", + "children": { + "Resource": { + "id": "Resource", + "path": "MyStack/LogGroup/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Logs::LogGroup", + "aws:cdk:cloudformation:props": { + "retentionInDays": 7 + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_logs.CfnLogGroup", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_logs.LogGroup", + "version": "0.0.0" + } + }, + "s3deploy": { + "id": "s3deploy", + "path": "MyStack/s3deploy", + "children": { + "AwsCliLayer": { + "id": "AwsCliLayer", + "path": "MyStack/s3deploy/AwsCliLayer", + "children": { + "Code": { + "id": "Code", + "path": "MyStack/s3deploy/AwsCliLayer/Code", + "children": { + "Stage": { + "id": "Stage", + "path": "MyStack/s3deploy/AwsCliLayer/Code/Stage", + "constructInfo": { + "fqn": "aws-cdk-lib.AssetStaging", + "version": "0.0.0" + } + }, + "AssetBucket": { + "id": "AssetBucket", + "path": "MyStack/s3deploy/AwsCliLayer/Code/AssetBucket", + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3.BucketBase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3_assets.Asset", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "MyStack/s3deploy/AwsCliLayer/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::LayerVersion", + "aws:cdk:cloudformation:props": { + "content": { + "s3Bucket": { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "s3Key": "3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip" + }, + "description": "/opt/awscli/aws" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.CfnLayerVersion", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.lambda_layer_awscli.AwsCliLayer", + "version": "0.0.0" + } + }, + "CustomResourceHandler": { + "id": "CustomResourceHandler", + "path": "MyStack/s3deploy/CustomResourceHandler", + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.SingletonFunction", + "version": "0.0.0" + } + }, + "Asset1": { + "id": "Asset1", + "path": "MyStack/s3deploy/Asset1", + "children": { + "Stage": { + "id": "Stage", + "path": "MyStack/s3deploy/Asset1/Stage", + "constructInfo": { + "fqn": "aws-cdk-lib.AssetStaging", + "version": "0.0.0" + } + }, + "AssetBucket": { + "id": "AssetBucket", + "path": "MyStack/s3deploy/Asset1/AssetBucket", + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3.BucketBase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3_assets.Asset", + "version": "0.0.0" + } + }, + "CustomResource": { + "id": "CustomResource", + "path": "MyStack/s3deploy/CustomResource", + "children": { + "Default": { + "id": "Default", + "path": "MyStack/s3deploy/CustomResource/Default", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnResource", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.CustomResource", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3_deployment.BucketDeployment", + "version": "0.0.0" + } + }, + "Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C": { + "id": "Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C", + "children": { + "ServiceRole": { + "id": "ServiceRole", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole", + "children": { + "ImportServiceRole": { + "id": "ImportServiceRole", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/ImportServiceRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "managedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + }, + "DefaultPolicy": { + "id": "DefaultPolicy", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Policy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": [ + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::", + { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::", + { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + } + ] + ] + } + ] + }, + { + "Action": [ + "s3:Abort*", + "s3:DeleteObject*", + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*", + "s3:PutObject", + "s3:PutObjectLegalHold", + "s3:PutObjectRetention", + "s3:PutObjectTagging", + "s3:PutObjectVersionTagging" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "WebsiteBucket75C24D94", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "WebsiteBucket75C24D94", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + }, + "policyName": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF", + "roles": [ + { + "Ref": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Policy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "Code": { + "id": "Code", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Code", + "children": { + "Stage": { + "id": "Stage", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Code/Stage", + "constructInfo": { + "fqn": "aws-cdk-lib.AssetStaging", + "version": "0.0.0" + } + }, + "AssetBucket": { + "id": "AssetBucket", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Code/AssetBucket", + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3.BucketBase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3_assets.Asset", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::Function", + "aws:cdk:cloudformation:props": { + "code": { + "s3Bucket": { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "s3Key": "0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c.zip" + }, + "environment": { + "variables": { + "AWS_CA_BUNDLE": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" + } + }, + "handler": "index.handler", + "layers": [ + { + "Ref": "s3deployAwsCliLayerD0CD1E6B" + } + ], + "loggingConfig": { + "logGroup": { + "Ref": "LogGroupF5B46931" + } + }, + "role": { + "Fn::GetAtt": [ + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265", + "Arn" + ] + }, + "runtime": "python3.9", + "timeout": 900 + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.CfnFunction", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.Function", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "MyStack/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "MyStack/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "integ-test-custom-resource-config-logGroup": { + "id": "integ-test-custom-resource-config-logGroup", + "path": "integ-test-custom-resource-config-logGroup", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "integ-test-custom-resource-config-logGroup/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "integ-test-custom-resource-config-logGroup/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "integ-test-custom-resource-config-logGroup/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "integ-test-custom-resource-config-logGroup/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "integ-test-custom-resource-config-logGroup/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.ts b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.ts new file mode 100644 index 0000000000000..0b728a6940a6a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logGroup.ts @@ -0,0 +1,27 @@ +import * as s3 from 'aws-cdk-lib/aws-s3'; +import * as logs from 'aws-cdk-lib/aws-logs'; +import * as cdk from 'aws-cdk-lib'; +import * as integ from '@aws-cdk/integ-tests-alpha'; +import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment'; +import { CustomResourceConfig } from 'aws-cdk-lib/custom-resources'; + +const app = new cdk.App(); +const stack = new cdk.Stack(app, 'MyStack'); + +let websiteBucket = new s3.Bucket(stack, 'WebsiteBucket', {}); + +new s3deploy.BucketDeployment(stack, 's3deploy', { + sources: [s3deploy.Source.jsonData('file.json', { a: 'b' })], + destinationBucket: websiteBucket, + logGroup: new logs.LogGroup(stack, 'LogGroup', { + retention: logs.RetentionDays.ONE_WEEK, + }), +}); + +const logRetentionDays = logs.RetentionDays.TEN_YEARS; +CustomResourceConfig.of(app).addLogRetentionLifetime(logRetentionDays); + +new integ.IntegTest(app, 'integ-test-custom-resource-config-logGroup', { + testCases: [stack], + diffAssets: false, +}); diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/MyStack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/MyStack.assets.json new file mode 100644 index 0000000000000..42d1f634bcab0 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/MyStack.assets.json @@ -0,0 +1,71 @@ +{ + "version": "36.0.5", + "files": { + "3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961": { + "source": { + "path": "asset.3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + }, + "0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c": { + "source": { + "path": "asset.0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c", + "packaging": "zip" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c.zip", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + }, + "e4afb15788ec44ed9ff3377e1d131ba2768d7b2e2931bc000d1f2005879b3035": { + "source": { + "path": "asset.e4afb15788ec44ed9ff3377e1d131ba2768d7b2e2931bc000d1f2005879b3035", + "packaging": "zip" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "e4afb15788ec44ed9ff3377e1d131ba2768d7b2e2931bc000d1f2005879b3035.zip", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + }, + "561a8b95d6d62d87513e3607a2de271376251555ee83cf7b93534b0e85c500c8": { + "source": { + "path": "asset.561a8b95d6d62d87513e3607a2de271376251555ee83cf7b93534b0e85c500c8", + "packaging": "zip" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "561a8b95d6d62d87513e3607a2de271376251555ee83cf7b93534b0e85c500c8.zip", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + }, + "21b4d2ecb7821580fa7275de5e71e79a3134f1d31c696d13a198c4357127c530": { + "source": { + "path": "MyStack.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21b4d2ecb7821580fa7275de5e71e79a3134f1d31c696d13a198c4357127c530.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/MyStack.template.json b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/MyStack.template.json new file mode 100644 index 0000000000000..c0b4fe3d0766f --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/MyStack.template.json @@ -0,0 +1,501 @@ +{ + "Resources": { + "WebsiteBucket75C24D94": { + "Type": "AWS::S3::Bucket", + "Properties": { + "Tags": [ + { + "Key": "aws-cdk:cr-owned:156aa6de", + "Value": "true" + } + ] + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "s3deployAwsCliLayerD0CD1E6B": { + "Type": "AWS::Lambda::LayerVersion", + "Properties": { + "Content": { + "S3Bucket": { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "S3Key": "3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip" + }, + "Description": "/opt/awscli/aws" + } + }, + "s3deployCustomResourceDB97D82D": { + "Type": "Custom::CDKBucketDeployment", + "Properties": { + "ServiceToken": { + "Fn::GetAtt": [ + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536", + "Arn" + ] + }, + "SourceBucketNames": [ + { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + } + ], + "SourceObjectKeys": [ + "561a8b95d6d62d87513e3607a2de271376251555ee83cf7b93534b0e85c500c8.zip" + ], + "SourceMarkers": [ + {} + ], + "DestinationBucketName": { + "Ref": "WebsiteBucket75C24D94" + }, + "Prune": true + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::", + { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::", + { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + } + ] + ] + } + ] + }, + { + "Action": [ + "s3:Abort*", + "s3:DeleteObject*", + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*", + "s3:PutObject", + "s3:PutObjectLegalHold", + "s3:PutObjectRetention", + "s3:PutObjectTagging", + "s3:PutObjectVersionTagging" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "WebsiteBucket75C24D94", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "WebsiteBucket75C24D94", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF", + "Roles": [ + { + "Ref": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265" + } + ] + } + }, + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "S3Bucket": { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "S3Key": "0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c.zip" + }, + "Environment": { + "Variables": { + "AWS_CA_BUNDLE": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" + } + }, + "Handler": "index.handler", + "Layers": [ + { + "Ref": "s3deployAwsCliLayerD0CD1E6B" + } + ], + "LoggingConfig": { + "LogGroup": { + "Ref": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756ClogGroupD6937F08" + } + }, + "Role": { + "Fn::GetAtt": [ + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265", + "Arn" + ] + }, + "Runtime": "python3.9", + "Timeout": 900 + }, + "DependsOn": [ + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF", + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265" + ] + }, + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756ClogGroupD6937F08": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "RetentionInDays": 3653 + }, + "DependsOn": [ + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF", + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265" + ], + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CLogRetention1948627D": { + "Type": "Custom::LogRetention", + "Properties": { + "ServiceToken": { + "Fn::GetAtt": [ + "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aFD4BFC8A", + "Arn" + ] + }, + "LogGroupName": { + "Fn::Join": [ + "", + [ + "/aws/lambda/", + { + "Ref": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536" + } + ] + ] + }, + "RetentionInDays": 3653 + } + }, + "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "logs:DeleteRetentionPolicy", + "logs:PutRetentionPolicy" + ], + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB", + "Roles": [ + { + "Ref": "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB" + } + ] + } + }, + "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aFD4BFC8A": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Runtime": { + "Fn::FindInMap": [ + "LatestNodeRuntimeMap", + { + "Ref": "AWS::Region" + }, + "value" + ] + }, + "Timeout": 900, + "Code": { + "S3Bucket": { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "S3Key": "e4afb15788ec44ed9ff3377e1d131ba2768d7b2e2931bc000d1f2005879b3035.zip" + }, + "Role": { + "Fn::GetAtt": [ + "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB", + "Arn" + ] + } + }, + "DependsOn": [ + "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB", + "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB" + ] + } + }, + "Mappings": { + "LatestNodeRuntimeMap": { + "af-south-1": { + "value": "nodejs20.x" + }, + "ap-east-1": { + "value": "nodejs20.x" + }, + "ap-northeast-1": { + "value": "nodejs20.x" + }, + "ap-northeast-2": { + "value": "nodejs20.x" + }, + "ap-northeast-3": { + "value": "nodejs20.x" + }, + "ap-south-1": { + "value": "nodejs20.x" + }, + "ap-south-2": { + "value": "nodejs20.x" + }, + "ap-southeast-1": { + "value": "nodejs20.x" + }, + "ap-southeast-2": { + "value": "nodejs20.x" + }, + "ap-southeast-3": { + "value": "nodejs20.x" + }, + "ap-southeast-4": { + "value": "nodejs20.x" + }, + "ap-southeast-5": { + "value": "nodejs20.x" + }, + "ap-southeast-7": { + "value": "nodejs20.x" + }, + "ca-central-1": { + "value": "nodejs20.x" + }, + "ca-west-1": { + "value": "nodejs20.x" + }, + "cn-north-1": { + "value": "nodejs18.x" + }, + "cn-northwest-1": { + "value": "nodejs18.x" + }, + "eu-central-1": { + "value": "nodejs20.x" + }, + "eu-central-2": { + "value": "nodejs20.x" + }, + "eu-isoe-west-1": { + "value": "nodejs18.x" + }, + "eu-north-1": { + "value": "nodejs20.x" + }, + "eu-south-1": { + "value": "nodejs20.x" + }, + "eu-south-2": { + "value": "nodejs20.x" + }, + "eu-west-1": { + "value": "nodejs20.x" + }, + "eu-west-2": { + "value": "nodejs20.x" + }, + "eu-west-3": { + "value": "nodejs20.x" + }, + "il-central-1": { + "value": "nodejs20.x" + }, + "me-central-1": { + "value": "nodejs20.x" + }, + "me-south-1": { + "value": "nodejs20.x" + }, + "mx-central-1": { + "value": "nodejs20.x" + }, + "sa-east-1": { + "value": "nodejs20.x" + }, + "us-east-1": { + "value": "nodejs20.x" + }, + "us-east-2": { + "value": "nodejs20.x" + }, + "us-gov-east-1": { + "value": "nodejs18.x" + }, + "us-gov-west-1": { + "value": "nodejs18.x" + }, + "us-iso-east-1": { + "value": "nodejs18.x" + }, + "us-iso-west-1": { + "value": "nodejs18.x" + }, + "us-isob-east-1": { + "value": "nodejs18.x" + }, + "us-west-1": { + "value": "nodejs20.x" + }, + "us-west-2": { + "value": "nodejs20.x" + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/asset.0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c/index.py b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/asset.0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c/index.py new file mode 100644 index 0000000000000..e4d3920e40c02 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/asset.0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c/index.py @@ -0,0 +1,336 @@ +import contextlib +import json +import logging +import os +import shutil +import subprocess +import tempfile +import urllib.parse +from urllib.request import Request, urlopen +from uuid import uuid4 +from zipfile import ZipFile + +import boto3 + +logger = logging.getLogger() +logger.setLevel(logging.INFO) + +cloudfront = boto3.client('cloudfront') +s3 = boto3.client('s3') + +CFN_SUCCESS = "SUCCESS" +CFN_FAILED = "FAILED" +ENV_KEY_MOUNT_PATH = "MOUNT_PATH" +ENV_KEY_SKIP_CLEANUP = "SKIP_CLEANUP" + +AWS_CLI_CONFIG_FILE = "/tmp/aws_cli_config" +CUSTOM_RESOURCE_OWNER_TAG = "aws-cdk:cr-owned" + +os.putenv('AWS_CONFIG_FILE', AWS_CLI_CONFIG_FILE) + +def handler(event, context): + + def cfn_error(message=None): + if message: + logger.error("| cfn_error: %s" % message.encode()) + cfn_send(event, context, CFN_FAILED, reason=message, physicalResourceId=event.get('PhysicalResourceId', None)) + + + try: + # We are not logging ResponseURL as this is a pre-signed S3 URL, and could be used to tamper + # with the response CloudFormation sees from this Custom Resource execution. + logger.info({ key:value for (key, value) in event.items() if key != 'ResponseURL'}) + + # cloudformation request type (create/update/delete) + request_type = event['RequestType'] + + # extract resource properties + props = event['ResourceProperties'] + old_props = event.get('OldResourceProperties', {}) + physical_id = event.get('PhysicalResourceId', None) + + try: + source_bucket_names = props['SourceBucketNames'] + source_object_keys = props['SourceObjectKeys'] + source_markers = props.get('SourceMarkers', None) + dest_bucket_name = props['DestinationBucketName'] + dest_bucket_prefix = props.get('DestinationBucketKeyPrefix', '') + extract = props.get('Extract', 'true') == 'true' + retain_on_delete = props.get('RetainOnDelete', "true") == "true" + distribution_id = props.get('DistributionId', '') + user_metadata = props.get('UserMetadata', {}) + system_metadata = props.get('SystemMetadata', {}) + prune = props.get('Prune', 'true').lower() == 'true' + exclude = props.get('Exclude', []) + include = props.get('Include', []) + sign_content = props.get('SignContent', 'false').lower() == 'true' + + # backwards compatibility - if "SourceMarkers" is not specified, + # assume all sources have an empty market map + if source_markers is None: + source_markers = [{} for i in range(len(source_bucket_names))] + + default_distribution_path = dest_bucket_prefix + if not default_distribution_path.endswith("/"): + default_distribution_path += "/" + if not default_distribution_path.startswith("/"): + default_distribution_path = "/" + default_distribution_path + default_distribution_path += "*" + + distribution_paths = props.get('DistributionPaths', [default_distribution_path]) + except KeyError as e: + cfn_error("missing request resource property %s. props: %s" % (str(e), props)) + return + + # configure aws cli options after resetting back to the defaults for each request + if os.path.exists(AWS_CLI_CONFIG_FILE): + os.remove(AWS_CLI_CONFIG_FILE) + if sign_content: + aws_command("configure", "set", "default.s3.payload_signing_enabled", "true") + + # treat "/" as if no prefix was specified + if dest_bucket_prefix == "/": + dest_bucket_prefix = "" + + s3_source_zips = list(map(lambda name, key: "s3://%s/%s" % (name, key), source_bucket_names, source_object_keys)) + s3_dest = "s3://%s/%s" % (dest_bucket_name, dest_bucket_prefix) + old_s3_dest = "s3://%s/%s" % (old_props.get("DestinationBucketName", ""), old_props.get("DestinationBucketKeyPrefix", "")) + + + # obviously this is not + if old_s3_dest == "s3:///": + old_s3_dest = None + + logger.info("| s3_dest: %s" % sanitize_message(s3_dest)) + logger.info("| old_s3_dest: %s" % sanitize_message(old_s3_dest)) + + # if we are creating a new resource, allocate a physical id for it + # otherwise, we expect physical id to be relayed by cloudformation + if request_type == "Create": + physical_id = "aws.cdk.s3deployment.%s" % str(uuid4()) + else: + if not physical_id: + cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % request_type) + return + + # delete or create/update (only if "retain_on_delete" is false) + if request_type == "Delete" and not retain_on_delete: + if not bucket_owned(dest_bucket_name, dest_bucket_prefix): + aws_command("s3", "rm", s3_dest, "--recursive") + + # if we are updating without retention and the destination changed, delete first + if request_type == "Update" and not retain_on_delete and old_s3_dest != s3_dest: + if not old_s3_dest: + logger.warn("cannot delete old resource without old resource properties") + return + + aws_command("s3", "rm", old_s3_dest, "--recursive") + + if request_type == "Update" or request_type == "Create": + s3_deploy(s3_source_zips, s3_dest, user_metadata, system_metadata, prune, exclude, include, source_markers, extract) + + if distribution_id: + cloudfront_invalidate(distribution_id, distribution_paths) + + cfn_send(event, context, CFN_SUCCESS, physicalResourceId=physical_id, responseData={ + # Passing through the ARN sequences dependencees on the deployment + 'DestinationBucketArn': props.get('DestinationBucketArn'), + 'SourceObjectKeys': props.get('SourceObjectKeys'), + }) + except KeyError as e: + cfn_error("invalid request. Missing key %s" % str(e)) + except Exception as e: + logger.exception(e) + cfn_error(str(e)) + +#--------------------------------------------------------------------------------------------------- +# Sanitize the message to mitigate CWE-117 and CWE-93 vulnerabilities +def sanitize_message(message): + if not message: + return message + + # Sanitize the message to prevent log injection and HTTP response splitting + sanitized_message = message.replace('\n', '').replace('\r', '') + + # Encode the message to handle special characters + encoded_message = urllib.parse.quote(sanitized_message) + + return encoded_message + +#--------------------------------------------------------------------------------------------------- +# populate all files from s3_source_zips to a destination bucket +def s3_deploy(s3_source_zips, s3_dest, user_metadata, system_metadata, prune, exclude, include, source_markers, extract): + # list lengths are equal + if len(s3_source_zips) != len(source_markers): + raise Exception("'source_markers' and 's3_source_zips' must be the same length") + + # create a temporary working directory in /tmp or if enabled an attached efs volume + if ENV_KEY_MOUNT_PATH in os.environ: + workdir = os.getenv(ENV_KEY_MOUNT_PATH) + "/" + str(uuid4()) + os.mkdir(workdir) + else: + workdir = tempfile.mkdtemp() + + logger.info("| workdir: %s" % workdir) + + # create a directory into which we extract the contents of the zip file + contents_dir=os.path.join(workdir, 'contents') + os.mkdir(contents_dir) + + try: + # download the archive from the source and extract to "contents" + for i in range(len(s3_source_zips)): + s3_source_zip = s3_source_zips[i] + markers = source_markers[i] + + if extract: + archive=os.path.join(workdir, str(uuid4())) + logger.info("archive: %s" % archive) + aws_command("s3", "cp", s3_source_zip, archive) + logger.info("| extracting archive to: %s\n" % contents_dir) + logger.info("| markers: %s" % markers) + extract_and_replace_markers(archive, contents_dir, markers) + else: + logger.info("| copying archive to: %s\n" % contents_dir) + aws_command("s3", "cp", s3_source_zip, contents_dir) + + # sync from "contents" to destination + + s3_command = ["s3", "sync"] + + if prune: + s3_command.append("--delete") + + if exclude: + for filter in exclude: + s3_command.extend(["--exclude", filter]) + + if include: + for filter in include: + s3_command.extend(["--include", filter]) + + s3_command.extend([contents_dir, s3_dest]) + s3_command.extend(create_metadata_args(user_metadata, system_metadata)) + aws_command(*s3_command) + finally: + if not os.getenv(ENV_KEY_SKIP_CLEANUP): + shutil.rmtree(workdir) + +#--------------------------------------------------------------------------------------------------- +# invalidate files in the CloudFront distribution edge caches +def cloudfront_invalidate(distribution_id, distribution_paths): + invalidation_resp = cloudfront.create_invalidation( + DistributionId=distribution_id, + InvalidationBatch={ + 'Paths': { + 'Quantity': len(distribution_paths), + 'Items': distribution_paths + }, + 'CallerReference': str(uuid4()), + }) + # by default, will wait up to 10 minutes + cloudfront.get_waiter('invalidation_completed').wait( + DistributionId=distribution_id, + Id=invalidation_resp['Invalidation']['Id']) + +#--------------------------------------------------------------------------------------------------- +# set metadata +def create_metadata_args(raw_user_metadata, raw_system_metadata): + if len(raw_user_metadata) == 0 and len(raw_system_metadata) == 0: + return [] + + format_system_metadata_key = lambda k: k.lower() + format_user_metadata_key = lambda k: k.lower() + + system_metadata = { format_system_metadata_key(k): v for k, v in raw_system_metadata.items() } + user_metadata = { format_user_metadata_key(k): v for k, v in raw_user_metadata.items() } + + flatten = lambda l: [item for sublist in l for item in sublist] + system_args = flatten([[f"--{k}", v] for k, v in system_metadata.items()]) + user_args = ["--metadata", json.dumps(user_metadata, separators=(',', ':'))] if len(user_metadata) > 0 else [] + + return system_args + user_args + ["--metadata-directive", "REPLACE"] + +#--------------------------------------------------------------------------------------------------- +# executes an "aws" cli command +def aws_command(*args): + aws="/opt/awscli/aws" # from AwsCliLayer + logger.info("| aws %s" % ' '.join(args)) + subprocess.check_call([aws] + list(args)) + +#--------------------------------------------------------------------------------------------------- +# sends a response to cloudformation +def cfn_send(event, context, responseStatus, responseData={}, physicalResourceId=None, noEcho=False, reason=None): + + responseUrl = event['ResponseURL'] + + responseBody = {} + responseBody['Status'] = responseStatus + responseBody['Reason'] = reason or ('See the details in CloudWatch Log Stream: ' + context.log_stream_name) + responseBody['PhysicalResourceId'] = physicalResourceId or context.log_stream_name + responseBody['StackId'] = event['StackId'] + responseBody['RequestId'] = event['RequestId'] + responseBody['LogicalResourceId'] = event['LogicalResourceId'] + responseBody['NoEcho'] = noEcho + responseBody['Data'] = responseData + + body = json.dumps(responseBody) + logger.info("| response body:\n" + body) + + headers = { + 'content-type' : '', + 'content-length' : str(len(body)) + } + + try: + request = Request(responseUrl, method='PUT', data=bytes(body.encode('utf-8')), headers=headers) + with contextlib.closing(urlopen(request)) as response: + logger.info("| status code: " + response.reason) + except Exception as e: + logger.error("| unable to send response to CloudFormation") + logger.exception(e) + + +#--------------------------------------------------------------------------------------------------- +# check if bucket is owned by a custom resource +# if it is then we don't want to delete content +def bucket_owned(bucketName, keyPrefix): + tag = CUSTOM_RESOURCE_OWNER_TAG + if keyPrefix != "": + tag = tag + ':' + keyPrefix + try: + request = s3.get_bucket_tagging( + Bucket=bucketName, + ) + return any((x["Key"].startswith(tag)) for x in request["TagSet"]) + except Exception as e: + logger.info("| error getting tags from bucket") + logger.exception(e) + return False + +# extract archive and replace markers in output files +def extract_and_replace_markers(archive, contents_dir, markers): + with ZipFile(archive, "r") as zip: + zip.extractall(contents_dir) + + # replace markers for this source + for file in zip.namelist(): + file_path = os.path.join(contents_dir, file) + if os.path.isdir(file_path): continue + replace_markers(file_path, markers) + +def replace_markers(filename, markers): + # convert the dict of string markers to binary markers + replace_tokens = dict([(k.encode('utf-8'), v.encode('utf-8')) for k, v in markers.items()]) + + outfile = filename + '.new' + with open(filename, 'rb') as fi, open(outfile, 'wb') as fo: + for line in fi: + for token in replace_tokens: + line = line.replace(token, replace_tokens[token]) + fo.write(line) + + # # delete the original file and rename the new one to the original + os.remove(filename) + os.rename(outfile, filename) + \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/asset.3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/asset.3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip new file mode 100644 index 0000000000000..f624b92c63849 Binary files /dev/null and b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/asset.3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip differ diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/asset.561a8b95d6d62d87513e3607a2de271376251555ee83cf7b93534b0e85c500c8/file.json b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/asset.561a8b95d6d62d87513e3607a2de271376251555ee83cf7b93534b0e85c500c8/file.json new file mode 100644 index 0000000000000..7f228f99e61ae --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/asset.561a8b95d6d62d87513e3607a2de271376251555ee83cf7b93534b0e85c500c8/file.json @@ -0,0 +1 @@ +{"a":"b"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/asset.e4afb15788ec44ed9ff3377e1d131ba2768d7b2e2931bc000d1f2005879b3035/index.js b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/asset.e4afb15788ec44ed9ff3377e1d131ba2768d7b2e2931bc000d1f2005879b3035/index.js new file mode 100644 index 0000000000000..ae6165a46ea1e --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/asset.e4afb15788ec44ed9ff3377e1d131ba2768d7b2e2931bc000d1f2005879b3035/index.js @@ -0,0 +1 @@ +"use strict";var h=Object.create;var d=Object.defineProperty;var w=Object.getOwnPropertyDescriptor;var f=Object.getOwnPropertyNames;var C=Object.getPrototypeOf,P=Object.prototype.hasOwnProperty;var b=(e,o)=>{for(var n in o)d(e,n,{get:o[n],enumerable:!0})},p=(e,o,n,t)=>{if(o&&typeof o=="object"||typeof o=="function")for(let r of f(o))!P.call(e,r)&&r!==n&&d(e,r,{get:()=>o[r],enumerable:!(t=w(o,r))||t.enumerable});return e};var S=(e,o,n)=>(n=e!=null?h(C(e)):{},p(o||!e||!e.__esModule?d(n,"default",{value:e,enumerable:!0}):n,e)),G=e=>p(d({},"__esModule",{value:!0}),e);var q={};b(q,{handler:()=>E});module.exports=G(q);var i=S(require("@aws-sdk/client-cloudwatch-logs"));async function R(e,o,n){await n(async()=>{try{let t={logGroupName:e},r=new i.CreateLogGroupCommand(t);await o.send(r)}catch(t){if(t.name==="ResourceAlreadyExistsException")return;throw t}})}async function x(e,o,n){await n(async()=>{try{let t={logGroupName:e},r=new i.DeleteLogGroupCommand(t);await o.send(r)}catch(t){if(t.name==="ResourceNotFoundException")return;throw t}})}async function y(e,o,n,t){await n(async()=>{if(t){let r={logGroupName:e,retentionInDays:t},s=new i.PutRetentionPolicyCommand(r);await o.send(s)}else{let r={logGroupName:e},s=new i.DeleteRetentionPolicyCommand(r);await o.send(s)}})}async function E(e,o){try{console.log(JSON.stringify({...e,ResponseURL:"..."}));let t=e.ResourceProperties.LogGroupName,r=e.ResourceProperties.LogGroupRegion,s=L(e.ResourceProperties.SdkRetry?.maxRetries)??5,a=I(s),m={logger:console,region:r,maxAttempts:Math.max(5,s)},c=new i.CloudWatchLogsClient(m);if((e.RequestType==="Create"||e.RequestType==="Update")&&(await R(t,c,a),await y(t,c,a,L(e.ResourceProperties.RetentionInDays)),e.RequestType==="Create")){let g=new i.CloudWatchLogsClient({logger:console,region:process.env.AWS_REGION});await R(`/aws/lambda/${o.functionName}`,g,a),await y(`/aws/lambda/${o.functionName}`,g,a,1)}e.RequestType==="Delete"&&e.ResourceProperties.RemovalPolicy==="destroy"&&await x(t,c,a),await n("SUCCESS","OK",t)}catch(t){console.log(t),await n("FAILED",t.message,e.ResourceProperties.LogGroupName)}function n(t,r,s){let a=JSON.stringify({Status:t,Reason:r,PhysicalResourceId:s,StackId:e.StackId,RequestId:e.RequestId,LogicalResourceId:e.LogicalResourceId,Data:{LogGroupName:e.ResourceProperties.LogGroupName}});console.log("Responding",a);let m=require("url").parse(e.ResponseURL),c={hostname:m.hostname,path:m.path,method:"PUT",headers:{"content-type":"","content-length":Buffer.byteLength(a,"utf8")}};return new Promise((g,l)=>{try{let u=require("https").request(c,g);u.on("error",l),u.write(a),u.end()}catch(u){l(u)}})}}function L(e,o=10){if(e!==void 0)return parseInt(e,o)}function I(e,o=100,n=10*1e3){return async t=>{let r=0;do try{return await t()}catch(s){if(s.name==="OperationAbortedException"||s.name==="ThrottlingException")if(rsetTimeout(a,k(r,o,n)));continue}else throw new Error("Out of attempts to change log group");throw s}while(!0)}}function k(e,o,n){return Math.round(Math.random()*Math.min(n,o*2**e))}0&&(module.exports={handler}); diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/cdk.out new file mode 100644 index 0000000000000..bd5311dc372de --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"36.0.5"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/integ.json new file mode 100644 index 0000000000000..99fa9f80212ca --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/integ.json @@ -0,0 +1,13 @@ +{ + "version": "36.0.5", + "testCases": { + "integ-test-custom-resource-config-logRetention/DefaultTest": { + "stacks": [ + "MyStack" + ], + "diffAssets": false, + "assertionStack": "integ-test-custom-resource-config-logRetention/DefaultTest/DeployAssert", + "assertionStackName": "integtestcustomresourceconfiglogRetentionDefaultTestDeployAssert2A59B769" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/integtestcustomresourceconfiglogRetentionDefaultTestDeployAssert2A59B769.assets.json b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/integtestcustomresourceconfiglogRetentionDefaultTestDeployAssert2A59B769.assets.json new file mode 100644 index 0000000000000..7cafdede4642c --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/integtestcustomresourceconfiglogRetentionDefaultTestDeployAssert2A59B769.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.5", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "integtestcustomresourceconfiglogRetentionDefaultTestDeployAssert2A59B769.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityTestDefaultTestDeployAssertEE246BCA.template.json b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/integtestcustomresourceconfiglogRetentionDefaultTestDeployAssert2A59B769.template.json similarity index 100% rename from packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityTestDefaultTestDeployAssertEE246BCA.template.json rename to packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/integtestcustomresourceconfiglogRetentionDefaultTestDeployAssert2A59B769.template.json diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/manifest.json new file mode 100644 index 0000000000000..358e3816cd639 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/manifest.json @@ -0,0 +1,197 @@ +{ + "version": "36.0.5", + "artifacts": { + "MyStack.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "MyStack.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "MyStack": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "MyStack.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21b4d2ecb7821580fa7275de5e71e79a3134f1d31c696d13a198c4357127c530.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "MyStack.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "MyStack.assets" + ], + "metadata": { + "/MyStack/WebsiteBucket/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "WebsiteBucket75C24D94" + } + ], + "/MyStack/s3deploy/AwsCliLayer/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "s3deployAwsCliLayerD0CD1E6B" + } + ], + "/MyStack/s3deploy/CustomResource/Default": [ + { + "type": "aws:cdk:logicalId", + "data": "s3deployCustomResourceDB97D82D" + } + ], + "/MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C": [ + { + "type": "aws:cdk:is-custom-resource-handler-singleton", + "data": true + } + ], + "/MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265" + } + ], + "/MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF" + } + ], + "/MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536" + } + ], + "/MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Resource/logGroup": [ + { + "type": "aws:cdk:is-custom-resource-handler-logGroup", + "data": true + } + ], + "/MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Resource/logGroup/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756ClogGroupD6937F08" + } + ], + "/MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/LogRetention": [ + { + "type": "aws:cdk:is-custom-resource-handler-logRetention", + "data": true + } + ], + "/MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/LogRetention/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CLogRetention1948627D" + } + ], + "/MyStack/LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a/ServiceRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB" + } + ], + "/MyStack/LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a/ServiceRole/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB" + } + ], + "/MyStack/LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aFD4BFC8A" + } + ], + "/MyStack/LatestNodeRuntimeMap": [ + { + "type": "aws:cdk:logicalId", + "data": "LatestNodeRuntimeMap" + } + ], + "/MyStack/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/MyStack/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "MyStack" + }, + "integtestcustomresourceconfiglogRetentionDefaultTestDeployAssert2A59B769.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "integtestcustomresourceconfiglogRetentionDefaultTestDeployAssert2A59B769.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "integtestcustomresourceconfiglogRetentionDefaultTestDeployAssert2A59B769": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "integtestcustomresourceconfiglogRetentionDefaultTestDeployAssert2A59B769.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "integtestcustomresourceconfiglogRetentionDefaultTestDeployAssert2A59B769.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "integtestcustomresourceconfiglogRetentionDefaultTestDeployAssert2A59B769.assets" + ], + "metadata": { + "/integ-test-custom-resource-config-logRetention/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/integ-test-custom-resource-config-logRetention/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "integ-test-custom-resource-config-logRetention/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/tree.json new file mode 100644 index 0000000000000..ef2ff66cf017a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.js.snapshot/tree.json @@ -0,0 +1,694 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "MyStack": { + "id": "MyStack", + "path": "MyStack", + "children": { + "WebsiteBucket": { + "id": "WebsiteBucket", + "path": "MyStack/WebsiteBucket", + "children": { + "Resource": { + "id": "Resource", + "path": "MyStack/WebsiteBucket/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::S3::Bucket", + "aws:cdk:cloudformation:props": { + "tags": [ + { + "key": "aws-cdk:cr-owned:156aa6de", + "value": "true" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3.CfnBucket", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3.Bucket", + "version": "0.0.0" + } + }, + "s3deploy": { + "id": "s3deploy", + "path": "MyStack/s3deploy", + "children": { + "AwsCliLayer": { + "id": "AwsCliLayer", + "path": "MyStack/s3deploy/AwsCliLayer", + "children": { + "Code": { + "id": "Code", + "path": "MyStack/s3deploy/AwsCliLayer/Code", + "children": { + "Stage": { + "id": "Stage", + "path": "MyStack/s3deploy/AwsCliLayer/Code/Stage", + "constructInfo": { + "fqn": "aws-cdk-lib.AssetStaging", + "version": "0.0.0" + } + }, + "AssetBucket": { + "id": "AssetBucket", + "path": "MyStack/s3deploy/AwsCliLayer/Code/AssetBucket", + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3.BucketBase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3_assets.Asset", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "MyStack/s3deploy/AwsCliLayer/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::LayerVersion", + "aws:cdk:cloudformation:props": { + "content": { + "s3Bucket": { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "s3Key": "3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip" + }, + "description": "/opt/awscli/aws" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.CfnLayerVersion", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.lambda_layer_awscli.AwsCliLayer", + "version": "0.0.0" + } + }, + "CustomResourceHandler": { + "id": "CustomResourceHandler", + "path": "MyStack/s3deploy/CustomResourceHandler", + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.SingletonFunction", + "version": "0.0.0" + } + }, + "Asset1": { + "id": "Asset1", + "path": "MyStack/s3deploy/Asset1", + "children": { + "Stage": { + "id": "Stage", + "path": "MyStack/s3deploy/Asset1/Stage", + "constructInfo": { + "fqn": "aws-cdk-lib.AssetStaging", + "version": "0.0.0" + } + }, + "AssetBucket": { + "id": "AssetBucket", + "path": "MyStack/s3deploy/Asset1/AssetBucket", + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3.BucketBase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3_assets.Asset", + "version": "0.0.0" + } + }, + "CustomResource": { + "id": "CustomResource", + "path": "MyStack/s3deploy/CustomResource", + "children": { + "Default": { + "id": "Default", + "path": "MyStack/s3deploy/CustomResource/Default", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnResource", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.CustomResource", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3_deployment.BucketDeployment", + "version": "0.0.0" + } + }, + "Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C": { + "id": "Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C", + "children": { + "ServiceRole": { + "id": "ServiceRole", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole", + "children": { + "ImportServiceRole": { + "id": "ImportServiceRole", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/ImportServiceRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "managedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + }, + "DefaultPolicy": { + "id": "DefaultPolicy", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Policy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": [ + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::", + { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::", + { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + } + ] + ] + } + ] + }, + { + "Action": [ + "s3:Abort*", + "s3:DeleteObject*", + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*", + "s3:PutObject", + "s3:PutObjectLegalHold", + "s3:PutObjectRetention", + "s3:PutObjectTagging", + "s3:PutObjectVersionTagging" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "WebsiteBucket75C24D94", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "WebsiteBucket75C24D94", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + }, + "policyName": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF", + "roles": [ + { + "Ref": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Policy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "Code": { + "id": "Code", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Code", + "children": { + "Stage": { + "id": "Stage", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Code/Stage", + "constructInfo": { + "fqn": "aws-cdk-lib.AssetStaging", + "version": "0.0.0" + } + }, + "AssetBucket": { + "id": "AssetBucket", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Code/AssetBucket", + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3.BucketBase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3_assets.Asset", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Resource", + "children": { + "logGroup": { + "id": "logGroup", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Resource/logGroup", + "children": { + "Resource": { + "id": "Resource", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Resource/logGroup/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Logs::LogGroup", + "aws:cdk:cloudformation:props": { + "retentionInDays": 3653 + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_logs.CfnLogGroup", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_logs.LogGroup", + "version": "0.0.0" + } + } + }, + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::Function", + "aws:cdk:cloudformation:props": { + "code": { + "s3Bucket": { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "s3Key": "0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c.zip" + }, + "environment": { + "variables": { + "AWS_CA_BUNDLE": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" + } + }, + "handler": "index.handler", + "layers": [ + { + "Ref": "s3deployAwsCliLayerD0CD1E6B" + } + ], + "role": { + "Fn::GetAtt": [ + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265", + "Arn" + ] + }, + "runtime": "python3.9", + "timeout": 900 + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.CfnFunction", + "version": "0.0.0" + } + }, + "LogRetention": { + "id": "LogRetention", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/LogRetention", + "children": { + "Resource": { + "id": "Resource", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/LogRetention/Resource", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnResource", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_logs.LogRetention", + "version": "0.0.0" + } + }, + "LogGroup": { + "id": "LogGroup", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/LogGroup", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.Function", + "version": "0.0.0" + } + }, + "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a": { + "id": "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a", + "path": "MyStack/LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a", + "children": { + "Code": { + "id": "Code", + "path": "MyStack/LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a/Code", + "children": { + "Stage": { + "id": "Stage", + "path": "MyStack/LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a/Code/Stage", + "constructInfo": { + "fqn": "aws-cdk-lib.AssetStaging", + "version": "0.0.0" + } + }, + "AssetBucket": { + "id": "AssetBucket", + "path": "MyStack/LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a/Code/AssetBucket", + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3.BucketBase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3_assets.Asset", + "version": "0.0.0" + } + }, + "ServiceRole": { + "id": "ServiceRole", + "path": "MyStack/LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a/ServiceRole", + "children": { + "ImportServiceRole": { + "id": "ImportServiceRole", + "path": "MyStack/LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a/ServiceRole/ImportServiceRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "MyStack/LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a/ServiceRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "managedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + }, + "DefaultPolicy": { + "id": "DefaultPolicy", + "path": "MyStack/LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a/ServiceRole/DefaultPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "MyStack/LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a/ServiceRole/DefaultPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Policy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": [ + "logs:DeleteRetentionPolicy", + "logs:PutRetentionPolicy" + ], + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "policyName": "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB", + "roles": [ + { + "Ref": "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Policy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "MyStack/LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a/Resource", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnResource", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "LatestNodeRuntimeMap": { + "id": "LatestNodeRuntimeMap", + "path": "MyStack/LatestNodeRuntimeMap", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnMapping", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "MyStack/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "MyStack/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "integ-test-custom-resource-config-logRetention": { + "id": "integ-test-custom-resource-config-logRetention", + "path": "integ-test-custom-resource-config-logRetention", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "integ-test-custom-resource-config-logRetention/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "integ-test-custom-resource-config-logRetention/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "integ-test-custom-resource-config-logRetention/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "integ-test-custom-resource-config-logRetention/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "integ-test-custom-resource-config-logRetention/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.ts b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.ts new file mode 100644 index 0000000000000..83cdfa62a31bc --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-logRetention.ts @@ -0,0 +1,25 @@ +import * as s3 from 'aws-cdk-lib/aws-s3'; +import * as logs from 'aws-cdk-lib/aws-logs'; +import * as cdk from 'aws-cdk-lib'; +import * as integ from '@aws-cdk/integ-tests-alpha'; +import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment'; +import { CustomResourceConfig } from 'aws-cdk-lib/custom-resources'; + +const app = new cdk.App(); +const stack = new cdk.Stack(app, 'MyStack'); + +let websiteBucket = new s3.Bucket(stack, 'WebsiteBucket', {}); +new s3deploy.BucketDeployment(stack, 's3deploy', { + sources: [s3deploy.Source.jsonData('file.json', { a: 'b' })], + destinationBucket: websiteBucket, + logRetention: logs.RetentionDays.ONE_WEEK, +}); + +const logRetentionDays = logs.RetentionDays.TEN_YEARS; +CustomResourceConfig.of(app).addLogRetentionLifetime(logRetentionDays); + +new integ.IntegTest(app, 'integ-test-custom-resource-config-logRetention', { + testCases: [stack], + diffAssets: false, +}); + diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/MyStack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/MyStack.assets.json new file mode 100644 index 0000000000000..5bb13f8a8f326 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/MyStack.assets.json @@ -0,0 +1,58 @@ +{ + "version": "36.0.0", + "files": { + "3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961": { + "source": { + "path": "asset.3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + }, + "0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c": { + "source": { + "path": "asset.0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c", + "packaging": "zip" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c.zip", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + }, + "561a8b95d6d62d87513e3607a2de271376251555ee83cf7b93534b0e85c500c8": { + "source": { + "path": "asset.561a8b95d6d62d87513e3607a2de271376251555ee83cf7b93534b0e85c500c8", + "packaging": "zip" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "561a8b95d6d62d87513e3607a2de271376251555ee83cf7b93534b0e85c500c8.zip", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + }, + "ce0a6bec1c9e10557d8436e3c5dc0e5f06542681dd67981a5fdc4daa2d9475ae": { + "source": { + "path": "MyStack.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "ce0a6bec1c9e10557d8436e3c5dc0e5f06542681dd67981a5fdc4daa2d9475ae.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/MyStack.template.json b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/MyStack.template.json new file mode 100644 index 0000000000000..5bfc4c6a2e5b7 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/MyStack.template.json @@ -0,0 +1,267 @@ +{ + "Resources": { + "WebsiteBucket75C24D94": { + "Type": "AWS::S3::Bucket", + "Properties": { + "Tags": [ + { + "Key": "aws-cdk:cr-owned:c19d3033", + "Value": "true" + } + ] + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "s3deployNoneAwsCliLayer8E653504": { + "Type": "AWS::Lambda::LayerVersion", + "Properties": { + "Content": { + "S3Bucket": { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "S3Key": "3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip" + }, + "Description": "/opt/awscli/aws" + } + }, + "s3deployNoneCustomResource0EA66D66": { + "Type": "Custom::CDKBucketDeployment", + "Properties": { + "ServiceToken": { + "Fn::GetAtt": [ + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536", + "Arn" + ] + }, + "SourceBucketNames": [ + { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + } + ], + "SourceObjectKeys": [ + "561a8b95d6d62d87513e3607a2de271376251555ee83cf7b93534b0e85c500c8.zip" + ], + "SourceMarkers": [ + {} + ], + "DestinationBucketName": { + "Ref": "WebsiteBucket75C24D94" + }, + "Prune": true + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::", + { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::", + { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + } + ] + ] + } + ] + }, + { + "Action": [ + "s3:Abort*", + "s3:DeleteObject*", + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*", + "s3:PutObject", + "s3:PutObjectLegalHold", + "s3:PutObjectRetention", + "s3:PutObjectTagging", + "s3:PutObjectVersionTagging" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "WebsiteBucket75C24D94", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "WebsiteBucket75C24D94", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF", + "Roles": [ + { + "Ref": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265" + } + ] + } + }, + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "S3Bucket": { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "S3Key": "0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c.zip" + }, + "Environment": { + "Variables": { + "AWS_CA_BUNDLE": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" + } + }, + "Handler": "index.handler", + "Layers": [ + { + "Ref": "s3deployNoneAwsCliLayer8E653504" + } + ], + "LoggingConfig": { + "LogGroup": { + "Ref": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756ClogGroupD6937F08" + } + }, + "Role": { + "Fn::GetAtt": [ + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265", + "Arn" + ] + }, + "Runtime": "python3.9", + "Timeout": 900 + }, + "DependsOn": [ + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF", + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265" + ] + }, + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756ClogGroupD6937F08": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "RetentionInDays": 3653 + }, + "DependsOn": [ + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF", + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265" + ], + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/asset.0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c/index.py b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/asset.0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c/index.py new file mode 100644 index 0000000000000..e4d3920e40c02 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/asset.0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c/index.py @@ -0,0 +1,336 @@ +import contextlib +import json +import logging +import os +import shutil +import subprocess +import tempfile +import urllib.parse +from urllib.request import Request, urlopen +from uuid import uuid4 +from zipfile import ZipFile + +import boto3 + +logger = logging.getLogger() +logger.setLevel(logging.INFO) + +cloudfront = boto3.client('cloudfront') +s3 = boto3.client('s3') + +CFN_SUCCESS = "SUCCESS" +CFN_FAILED = "FAILED" +ENV_KEY_MOUNT_PATH = "MOUNT_PATH" +ENV_KEY_SKIP_CLEANUP = "SKIP_CLEANUP" + +AWS_CLI_CONFIG_FILE = "/tmp/aws_cli_config" +CUSTOM_RESOURCE_OWNER_TAG = "aws-cdk:cr-owned" + +os.putenv('AWS_CONFIG_FILE', AWS_CLI_CONFIG_FILE) + +def handler(event, context): + + def cfn_error(message=None): + if message: + logger.error("| cfn_error: %s" % message.encode()) + cfn_send(event, context, CFN_FAILED, reason=message, physicalResourceId=event.get('PhysicalResourceId', None)) + + + try: + # We are not logging ResponseURL as this is a pre-signed S3 URL, and could be used to tamper + # with the response CloudFormation sees from this Custom Resource execution. + logger.info({ key:value for (key, value) in event.items() if key != 'ResponseURL'}) + + # cloudformation request type (create/update/delete) + request_type = event['RequestType'] + + # extract resource properties + props = event['ResourceProperties'] + old_props = event.get('OldResourceProperties', {}) + physical_id = event.get('PhysicalResourceId', None) + + try: + source_bucket_names = props['SourceBucketNames'] + source_object_keys = props['SourceObjectKeys'] + source_markers = props.get('SourceMarkers', None) + dest_bucket_name = props['DestinationBucketName'] + dest_bucket_prefix = props.get('DestinationBucketKeyPrefix', '') + extract = props.get('Extract', 'true') == 'true' + retain_on_delete = props.get('RetainOnDelete', "true") == "true" + distribution_id = props.get('DistributionId', '') + user_metadata = props.get('UserMetadata', {}) + system_metadata = props.get('SystemMetadata', {}) + prune = props.get('Prune', 'true').lower() == 'true' + exclude = props.get('Exclude', []) + include = props.get('Include', []) + sign_content = props.get('SignContent', 'false').lower() == 'true' + + # backwards compatibility - if "SourceMarkers" is not specified, + # assume all sources have an empty market map + if source_markers is None: + source_markers = [{} for i in range(len(source_bucket_names))] + + default_distribution_path = dest_bucket_prefix + if not default_distribution_path.endswith("/"): + default_distribution_path += "/" + if not default_distribution_path.startswith("/"): + default_distribution_path = "/" + default_distribution_path + default_distribution_path += "*" + + distribution_paths = props.get('DistributionPaths', [default_distribution_path]) + except KeyError as e: + cfn_error("missing request resource property %s. props: %s" % (str(e), props)) + return + + # configure aws cli options after resetting back to the defaults for each request + if os.path.exists(AWS_CLI_CONFIG_FILE): + os.remove(AWS_CLI_CONFIG_FILE) + if sign_content: + aws_command("configure", "set", "default.s3.payload_signing_enabled", "true") + + # treat "/" as if no prefix was specified + if dest_bucket_prefix == "/": + dest_bucket_prefix = "" + + s3_source_zips = list(map(lambda name, key: "s3://%s/%s" % (name, key), source_bucket_names, source_object_keys)) + s3_dest = "s3://%s/%s" % (dest_bucket_name, dest_bucket_prefix) + old_s3_dest = "s3://%s/%s" % (old_props.get("DestinationBucketName", ""), old_props.get("DestinationBucketKeyPrefix", "")) + + + # obviously this is not + if old_s3_dest == "s3:///": + old_s3_dest = None + + logger.info("| s3_dest: %s" % sanitize_message(s3_dest)) + logger.info("| old_s3_dest: %s" % sanitize_message(old_s3_dest)) + + # if we are creating a new resource, allocate a physical id for it + # otherwise, we expect physical id to be relayed by cloudformation + if request_type == "Create": + physical_id = "aws.cdk.s3deployment.%s" % str(uuid4()) + else: + if not physical_id: + cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % request_type) + return + + # delete or create/update (only if "retain_on_delete" is false) + if request_type == "Delete" and not retain_on_delete: + if not bucket_owned(dest_bucket_name, dest_bucket_prefix): + aws_command("s3", "rm", s3_dest, "--recursive") + + # if we are updating without retention and the destination changed, delete first + if request_type == "Update" and not retain_on_delete and old_s3_dest != s3_dest: + if not old_s3_dest: + logger.warn("cannot delete old resource without old resource properties") + return + + aws_command("s3", "rm", old_s3_dest, "--recursive") + + if request_type == "Update" or request_type == "Create": + s3_deploy(s3_source_zips, s3_dest, user_metadata, system_metadata, prune, exclude, include, source_markers, extract) + + if distribution_id: + cloudfront_invalidate(distribution_id, distribution_paths) + + cfn_send(event, context, CFN_SUCCESS, physicalResourceId=physical_id, responseData={ + # Passing through the ARN sequences dependencees on the deployment + 'DestinationBucketArn': props.get('DestinationBucketArn'), + 'SourceObjectKeys': props.get('SourceObjectKeys'), + }) + except KeyError as e: + cfn_error("invalid request. Missing key %s" % str(e)) + except Exception as e: + logger.exception(e) + cfn_error(str(e)) + +#--------------------------------------------------------------------------------------------------- +# Sanitize the message to mitigate CWE-117 and CWE-93 vulnerabilities +def sanitize_message(message): + if not message: + return message + + # Sanitize the message to prevent log injection and HTTP response splitting + sanitized_message = message.replace('\n', '').replace('\r', '') + + # Encode the message to handle special characters + encoded_message = urllib.parse.quote(sanitized_message) + + return encoded_message + +#--------------------------------------------------------------------------------------------------- +# populate all files from s3_source_zips to a destination bucket +def s3_deploy(s3_source_zips, s3_dest, user_metadata, system_metadata, prune, exclude, include, source_markers, extract): + # list lengths are equal + if len(s3_source_zips) != len(source_markers): + raise Exception("'source_markers' and 's3_source_zips' must be the same length") + + # create a temporary working directory in /tmp or if enabled an attached efs volume + if ENV_KEY_MOUNT_PATH in os.environ: + workdir = os.getenv(ENV_KEY_MOUNT_PATH) + "/" + str(uuid4()) + os.mkdir(workdir) + else: + workdir = tempfile.mkdtemp() + + logger.info("| workdir: %s" % workdir) + + # create a directory into which we extract the contents of the zip file + contents_dir=os.path.join(workdir, 'contents') + os.mkdir(contents_dir) + + try: + # download the archive from the source and extract to "contents" + for i in range(len(s3_source_zips)): + s3_source_zip = s3_source_zips[i] + markers = source_markers[i] + + if extract: + archive=os.path.join(workdir, str(uuid4())) + logger.info("archive: %s" % archive) + aws_command("s3", "cp", s3_source_zip, archive) + logger.info("| extracting archive to: %s\n" % contents_dir) + logger.info("| markers: %s" % markers) + extract_and_replace_markers(archive, contents_dir, markers) + else: + logger.info("| copying archive to: %s\n" % contents_dir) + aws_command("s3", "cp", s3_source_zip, contents_dir) + + # sync from "contents" to destination + + s3_command = ["s3", "sync"] + + if prune: + s3_command.append("--delete") + + if exclude: + for filter in exclude: + s3_command.extend(["--exclude", filter]) + + if include: + for filter in include: + s3_command.extend(["--include", filter]) + + s3_command.extend([contents_dir, s3_dest]) + s3_command.extend(create_metadata_args(user_metadata, system_metadata)) + aws_command(*s3_command) + finally: + if not os.getenv(ENV_KEY_SKIP_CLEANUP): + shutil.rmtree(workdir) + +#--------------------------------------------------------------------------------------------------- +# invalidate files in the CloudFront distribution edge caches +def cloudfront_invalidate(distribution_id, distribution_paths): + invalidation_resp = cloudfront.create_invalidation( + DistributionId=distribution_id, + InvalidationBatch={ + 'Paths': { + 'Quantity': len(distribution_paths), + 'Items': distribution_paths + }, + 'CallerReference': str(uuid4()), + }) + # by default, will wait up to 10 minutes + cloudfront.get_waiter('invalidation_completed').wait( + DistributionId=distribution_id, + Id=invalidation_resp['Invalidation']['Id']) + +#--------------------------------------------------------------------------------------------------- +# set metadata +def create_metadata_args(raw_user_metadata, raw_system_metadata): + if len(raw_user_metadata) == 0 and len(raw_system_metadata) == 0: + return [] + + format_system_metadata_key = lambda k: k.lower() + format_user_metadata_key = lambda k: k.lower() + + system_metadata = { format_system_metadata_key(k): v for k, v in raw_system_metadata.items() } + user_metadata = { format_user_metadata_key(k): v for k, v in raw_user_metadata.items() } + + flatten = lambda l: [item for sublist in l for item in sublist] + system_args = flatten([[f"--{k}", v] for k, v in system_metadata.items()]) + user_args = ["--metadata", json.dumps(user_metadata, separators=(',', ':'))] if len(user_metadata) > 0 else [] + + return system_args + user_args + ["--metadata-directive", "REPLACE"] + +#--------------------------------------------------------------------------------------------------- +# executes an "aws" cli command +def aws_command(*args): + aws="/opt/awscli/aws" # from AwsCliLayer + logger.info("| aws %s" % ' '.join(args)) + subprocess.check_call([aws] + list(args)) + +#--------------------------------------------------------------------------------------------------- +# sends a response to cloudformation +def cfn_send(event, context, responseStatus, responseData={}, physicalResourceId=None, noEcho=False, reason=None): + + responseUrl = event['ResponseURL'] + + responseBody = {} + responseBody['Status'] = responseStatus + responseBody['Reason'] = reason or ('See the details in CloudWatch Log Stream: ' + context.log_stream_name) + responseBody['PhysicalResourceId'] = physicalResourceId or context.log_stream_name + responseBody['StackId'] = event['StackId'] + responseBody['RequestId'] = event['RequestId'] + responseBody['LogicalResourceId'] = event['LogicalResourceId'] + responseBody['NoEcho'] = noEcho + responseBody['Data'] = responseData + + body = json.dumps(responseBody) + logger.info("| response body:\n" + body) + + headers = { + 'content-type' : '', + 'content-length' : str(len(body)) + } + + try: + request = Request(responseUrl, method='PUT', data=bytes(body.encode('utf-8')), headers=headers) + with contextlib.closing(urlopen(request)) as response: + logger.info("| status code: " + response.reason) + except Exception as e: + logger.error("| unable to send response to CloudFormation") + logger.exception(e) + + +#--------------------------------------------------------------------------------------------------- +# check if bucket is owned by a custom resource +# if it is then we don't want to delete content +def bucket_owned(bucketName, keyPrefix): + tag = CUSTOM_RESOURCE_OWNER_TAG + if keyPrefix != "": + tag = tag + ':' + keyPrefix + try: + request = s3.get_bucket_tagging( + Bucket=bucketName, + ) + return any((x["Key"].startswith(tag)) for x in request["TagSet"]) + except Exception as e: + logger.info("| error getting tags from bucket") + logger.exception(e) + return False + +# extract archive and replace markers in output files +def extract_and_replace_markers(archive, contents_dir, markers): + with ZipFile(archive, "r") as zip: + zip.extractall(contents_dir) + + # replace markers for this source + for file in zip.namelist(): + file_path = os.path.join(contents_dir, file) + if os.path.isdir(file_path): continue + replace_markers(file_path, markers) + +def replace_markers(filename, markers): + # convert the dict of string markers to binary markers + replace_tokens = dict([(k.encode('utf-8'), v.encode('utf-8')) for k, v in markers.items()]) + + outfile = filename + '.new' + with open(filename, 'rb') as fi, open(outfile, 'wb') as fo: + for line in fi: + for token in replace_tokens: + line = line.replace(token, replace_tokens[token]) + fo.write(line) + + # # delete the original file and rename the new one to the original + os.remove(filename) + os.rename(outfile, filename) + \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/asset.3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/asset.3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip new file mode 100644 index 0000000000000..f624b92c63849 Binary files /dev/null and b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/asset.3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip differ diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/asset.561a8b95d6d62d87513e3607a2de271376251555ee83cf7b93534b0e85c500c8/file.json b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/asset.561a8b95d6d62d87513e3607a2de271376251555ee83cf7b93534b0e85c500c8/file.json new file mode 100644 index 0000000000000..7f228f99e61ae --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/asset.561a8b95d6d62d87513e3607a2de271376251555ee83cf7b93534b0e85c500c8/file.json @@ -0,0 +1 @@ +{"a":"b"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/cdk.out similarity index 100% rename from packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/cdk.out rename to packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/cdk.out diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/integ.json new file mode 100644 index 0000000000000..fd6c4260d6b28 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/integ.json @@ -0,0 +1,13 @@ +{ + "version": "36.0.0", + "testCases": { + "integ-test-custom-resource-config-undefined-log/DefaultTest": { + "stacks": [ + "MyStack" + ], + "diffAssets": false, + "assertionStack": "integ-test-custom-resource-config-undefined-log/DefaultTest/DeployAssert", + "assertionStackName": "integtestcustomresourceconfigundefinedlogDefaultTestDeployAssertE1DBC36D" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityTestDefaultTestDeployAssertEE246BCA.assets.json b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/integtestcustomresourceconfigundefinedlogDefaultTestDeployAssertE1DBC36D.assets.json similarity index 85% rename from packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityTestDefaultTestDeployAssertEE246BCA.assets.json rename to packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/integtestcustomresourceconfigundefinedlogDefaultTestDeployAssertE1DBC36D.assets.json index 2e1ece3c7c7a2..ff46d58217c91 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityTestDefaultTestDeployAssertEE246BCA.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/integtestcustomresourceconfigundefinedlogDefaultTestDeployAssertE1DBC36D.assets.json @@ -3,7 +3,7 @@ "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { - "path": "PipelineSecurityTestDefaultTestDeployAssertEE246BCA.template.json", + "path": "integtestcustomresourceconfigundefinedlogDefaultTestDeployAssertE1DBC36D.template.json", "packaging": "file" }, "destinations": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.template.json b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/integtestcustomresourceconfigundefinedlogDefaultTestDeployAssertE1DBC36D.template.json similarity index 100% rename from packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.template.json rename to packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/integtestcustomresourceconfigundefinedlogDefaultTestDeployAssertE1DBC36D.template.json diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/manifest.json new file mode 100644 index 0000000000000..6eb7867c0c4e9 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/manifest.json @@ -0,0 +1,161 @@ +{ + "version": "36.0.0", + "artifacts": { + "MyStack.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "MyStack.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "MyStack": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "MyStack.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/ce0a6bec1c9e10557d8436e3c5dc0e5f06542681dd67981a5fdc4daa2d9475ae.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "MyStack.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "MyStack.assets" + ], + "metadata": { + "/MyStack/WebsiteBucket/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "WebsiteBucket75C24D94" + } + ], + "/MyStack/s3deployNone/AwsCliLayer/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "s3deployNoneAwsCliLayer8E653504" + } + ], + "/MyStack/s3deployNone/CustomResource/Default": [ + { + "type": "aws:cdk:logicalId", + "data": "s3deployNoneCustomResource0EA66D66" + } + ], + "/MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C": [ + { + "type": "aws:cdk:is-custom-resource-handler-singleton", + "data": true + } + ], + "/MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265" + } + ], + "/MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF" + } + ], + "/MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536" + } + ], + "/MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Resource/logGroup": [ + { + "type": "aws:cdk:is-custom-resource-handler-logGroup", + "data": true + } + ], + "/MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Resource/logGroup/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756ClogGroupD6937F08" + } + ], + "/MyStack/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/MyStack/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "MyStack" + }, + "integtestcustomresourceconfigundefinedlogDefaultTestDeployAssertE1DBC36D.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "integtestcustomresourceconfigundefinedlogDefaultTestDeployAssertE1DBC36D.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "integtestcustomresourceconfigundefinedlogDefaultTestDeployAssertE1DBC36D": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "integtestcustomresourceconfigundefinedlogDefaultTestDeployAssertE1DBC36D.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "integtestcustomresourceconfigundefinedlogDefaultTestDeployAssertE1DBC36D.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "integtestcustomresourceconfigundefinedlogDefaultTestDeployAssertE1DBC36D.assets" + ], + "metadata": { + "/integ-test-custom-resource-config-undefined-log/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/integ-test-custom-resource-config-undefined-log/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "integ-test-custom-resource-config-undefined-log/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/tree.json new file mode 100644 index 0000000000000..352aac9ca4313 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.js.snapshot/tree.json @@ -0,0 +1,517 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "MyStack": { + "id": "MyStack", + "path": "MyStack", + "children": { + "WebsiteBucket": { + "id": "WebsiteBucket", + "path": "MyStack/WebsiteBucket", + "children": { + "Resource": { + "id": "Resource", + "path": "MyStack/WebsiteBucket/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::S3::Bucket", + "aws:cdk:cloudformation:props": { + "tags": [ + { + "key": "aws-cdk:cr-owned:c19d3033", + "value": "true" + } + ] + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "s3deployNone": { + "id": "s3deployNone", + "path": "MyStack/s3deployNone", + "children": { + "AwsCliLayer": { + "id": "AwsCliLayer", + "path": "MyStack/s3deployNone/AwsCliLayer", + "children": { + "Code": { + "id": "Code", + "path": "MyStack/s3deployNone/AwsCliLayer/Code", + "children": { + "Stage": { + "id": "Stage", + "path": "MyStack/s3deployNone/AwsCliLayer/Code/Stage", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "AssetBucket": { + "id": "AssetBucket", + "path": "MyStack/s3deployNone/AwsCliLayer/Code/AssetBucket", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "Resource": { + "id": "Resource", + "path": "MyStack/s3deployNone/AwsCliLayer/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::LayerVersion", + "aws:cdk:cloudformation:props": { + "content": { + "s3Bucket": { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "s3Key": "3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip" + }, + "description": "/opt/awscli/aws" + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "CustomResourceHandler": { + "id": "CustomResourceHandler", + "path": "MyStack/s3deployNone/CustomResourceHandler", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "Asset1": { + "id": "Asset1", + "path": "MyStack/s3deployNone/Asset1", + "children": { + "Stage": { + "id": "Stage", + "path": "MyStack/s3deployNone/Asset1/Stage", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "AssetBucket": { + "id": "AssetBucket", + "path": "MyStack/s3deployNone/Asset1/AssetBucket", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "CustomResource": { + "id": "CustomResource", + "path": "MyStack/s3deployNone/CustomResource", + "children": { + "Default": { + "id": "Default", + "path": "MyStack/s3deployNone/CustomResource/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C": { + "id": "Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C", + "children": { + "ServiceRole": { + "id": "ServiceRole", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole", + "children": { + "ImportServiceRole": { + "id": "ImportServiceRole", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/ImportServiceRole", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "Resource": { + "id": "Resource", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "managedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DefaultPolicy": { + "id": "DefaultPolicy", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Policy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": [ + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::", + { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::", + { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + } + ] + ] + } + ] + }, + { + "Action": [ + "s3:Abort*", + "s3:DeleteObject*", + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*", + "s3:PutObject", + "s3:PutObjectLegalHold", + "s3:PutObjectRetention", + "s3:PutObjectTagging", + "s3:PutObjectVersionTagging" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "WebsiteBucket75C24D94", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "WebsiteBucket75C24D94", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + }, + "policyName": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF", + "roles": [ + { + "Ref": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265" + } + ] + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "Code": { + "id": "Code", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Code", + "children": { + "Stage": { + "id": "Stage", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Code/Stage", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "AssetBucket": { + "id": "AssetBucket", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Code/AssetBucket", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "Resource": { + "id": "Resource", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Resource", + "children": { + "logGroup": { + "id": "logGroup", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Resource/logGroup", + "children": { + "Resource": { + "id": "Resource", + "path": "MyStack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Resource/logGroup/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Logs::LogGroup", + "aws:cdk:cloudformation:props": { + "retentionInDays": 3653 + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::Function", + "aws:cdk:cloudformation:props": { + "code": { + "s3Bucket": { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "s3Key": "0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c.zip" + }, + "environment": { + "variables": { + "AWS_CA_BUNDLE": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" + } + }, + "handler": "index.handler", + "layers": [ + { + "Ref": "s3deployNoneAwsCliLayer8E653504" + } + ], + "role": { + "Fn::GetAtt": [ + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265", + "Arn" + ] + }, + "runtime": "python3.9", + "timeout": 900 + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "MyStack/BootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "MyStack/CheckBootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "integ-test-custom-resource-config-undefined-log": { + "id": "integ-test-custom-resource-config-undefined-log", + "path": "integ-test-custom-resource-config-undefined-log", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "integ-test-custom-resource-config-undefined-log/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "integ-test-custom-resource-config-undefined-log/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "integ-test-custom-resource-config-undefined-log/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "integ-test-custom-resource-config-undefined-log/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "integ-test-custom-resource-config-undefined-log/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.ts b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.ts new file mode 100644 index 0000000000000..ef5c21e693273 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-undefined-log.ts @@ -0,0 +1,24 @@ +import * as s3 from 'aws-cdk-lib/aws-s3'; +import * as logs from 'aws-cdk-lib/aws-logs'; +import * as cdk from 'aws-cdk-lib'; +import * as integ from '@aws-cdk/integ-tests-alpha'; +import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment'; +import { CustomResourceConfig } from 'aws-cdk-lib/custom-resources'; + +const app = new cdk.App(); +const stack = new cdk.Stack(app, 'MyStack'); + +let websiteBucket = new s3.Bucket(stack, 'WebsiteBucket', {}); +new s3deploy.BucketDeployment(stack, 's3deployNone', { + sources: [s3deploy.Source.jsonData('file.json', { a: 'b' })], + destinationBucket: websiteBucket, +}); + +const logRetentionDays = logs.RetentionDays.TEN_YEARS; +CustomResourceConfig.of(app).addLogRetentionLifetime(logRetentionDays); + +new integ.IntegTest(app, 'integ-test-custom-resource-config-undefined-log', { + testCases: [stack], + diffAssets: false, +}); + diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityStack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityStack.assets.json deleted file mode 100644 index f698f535c5907..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityStack.assets.json +++ /dev/null @@ -1,45 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61": { - "source": { - "path": "asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61", - "packaging": "zip" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61.zip", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - }, - "c2adac8ea3baf51ce56c33ef5da361ea693f7ed128ddbc9777c557e9e7c741a6": { - "source": { - "path": "asset.c2adac8ea3baf51ce56c33ef5da361ea693f7ed128ddbc9777c557e9e7c741a6", - "packaging": "zip" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "c2adac8ea3baf51ce56c33ef5da361ea693f7ed128ddbc9777c557e9e7c741a6.zip", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - }, - "e9491d10b7f496e4aa18e0f88da57dc8e342c62cbfbb5190f663fc8039981448": { - "source": { - "path": "PipelineSecurityStack.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "e9491d10b7f496e4aa18e0f88da57dc8e342c62cbfbb5190f663fc8039981448.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityStack.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityStack.template.json deleted file mode 100644 index a9a989ab4a39e..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityStack.template.json +++ /dev/null @@ -1,3184 +0,0 @@ -{ - "Resources": { - "SourceBucketDDD2130A": { - "Type": "AWS::S3::Bucket", - "Properties": { - "Tags": [ - { - "Key": "aws-cdk:auto-delete-objects", - "Value": "true" - } - ] - }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "SourceBucketPolicy703DFBF9": { - "Type": "AWS::S3::BucketPolicy", - "Properties": { - "Bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:List*", - "s3:PutBucketPolicy" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", - "Arn" - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "SourceBucketAutoDeleteObjectsCustomResourceC68FC040": { - "Type": "Custom::S3AutoDeleteObjects", - "Properties": { - "ServiceToken": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", - "Arn" - ] - }, - "BucketName": { - "Ref": "SourceBucketDDD2130A" - } - }, - "DependsOn": [ - "SourceBucketPolicy703DFBF9" - ], - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "ManagedPolicyArns": [ - { - "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - } - ] - } - }, - "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { - "Type": "AWS::Lambda::Function", - "Properties": { - "Code": { - "S3Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, - "S3Key": "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61.zip" - }, - "Timeout": 900, - "MemorySize": 128, - "Handler": "index.handler", - "Role": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", - "Arn" - ] - }, - "Runtime": { - "Fn::FindInMap": [ - "LatestNodeRuntimeMap", - { - "Ref": "AWS::Region" - }, - "value" - ] - }, - "Description": { - "Fn::Join": [ - "", - [ - "Lambda function for auto-deleting objects in ", - { - "Ref": "SourceBucketDDD2130A" - }, - " S3 bucket." - ] - ] - } - }, - "DependsOn": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" - ] - }, - "TestPipelineArtifactsBucketEncryptionKey13258842": { - "Type": "AWS::KMS::Key", - "Properties": { - "KeyPolicy": { - "Statement": [ - { - "Action": "kms:*", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": "*" - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": "*" - } - ], - "Version": "2012-10-17" - } - }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "TestPipelineArtifactsBucketEncryptionKeyAliasE8D86DD3": { - "Type": "AWS::KMS::Alias", - "Properties": { - "AliasName": "alias/codepipeline-pipelinesecuritystack-testpipeline-f7060861", - "TargetKeyId": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - } - }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "TestPipelineArtifactsBucket026AF2F9": { - "Type": "AWS::S3::Bucket", - "Properties": { - "BucketEncryption": { - "ServerSideEncryptionConfiguration": [ - { - "ServerSideEncryptionByDefault": { - "KMSMasterKeyID": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - }, - "SSEAlgorithm": "aws:kms" - } - } - ] - }, - "PublicAccessBlockConfiguration": { - "BlockPublicAcls": true, - "BlockPublicPolicy": true, - "IgnorePublicAcls": true, - "RestrictPublicBuckets": true - } - }, - "UpdateReplacePolicy": "Retain", - "DeletionPolicy": "Retain" - }, - "TestPipelineArtifactsBucketPolicyDF75C611": { - "Type": "AWS::S3::BucketPolicy", - "Properties": { - "Bucket": { - "Ref": "TestPipelineArtifactsBucket026AF2F9" - }, - "PolicyDocument": { - "Statement": [ - { - "Action": "s3:*", - "Condition": { - "Bool": { - "aws:SecureTransport": "false" - } - }, - "Effect": "Deny", - "Principal": { - "AWS": "*" - }, - "Resource": [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelineRole63C35BBD": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codepipeline.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelineRoleDefaultPolicyFA69BF2D": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - } - }, - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "TestPipelineBuildSynthCodePipelineActionRoleF7BF5926", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "TestPipelineNoSecurityCheckEnableSecurityCheckManualApprovalCodePipelineActionRole27FC4015", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "TestPipelineNoSecurityCheckEnableSecurityCheckSecurityCheckCodePipelineActionRole8D10AA6D", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "TestPipelinePreProductionPreProductionManualApprovalCodePipelineActionRole81B9C4F9", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "TestPipelinePreProductionPreProductionSecurityCheckCodePipelineActionRole4E54C194", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "TestPipelinePreProductionSafeProductionManualApprovalCodePipelineActionRole4F30C0D9", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "TestPipelinePreProductionSafeProductionSecurityCheckCodePipelineActionRole399C68A6", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "TestPipelineSourceS3CodePipelineActionRoleEF21D3A0", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "TestPipelineUnattachedStageSingleStageManualApprovalCodePipelineActionRoleF7A614C8", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "TestPipelineUnattachedStageSingleStageSecurityCheckCodePipelineActionRoleFF6E43E2", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelineRoleDefaultPolicyFA69BF2D", - "Roles": [ - { - "Ref": "TestPipelineRole63C35BBD" - } - ] - } - }, - "TestPipeline34ACDBF9": { - "Type": "AWS::CodePipeline::Pipeline", - "Properties": { - "ArtifactStore": { - "EncryptionKey": { - "Id": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - }, - "Type": "KMS" - }, - "Location": { - "Ref": "TestPipelineArtifactsBucket026AF2F9" - }, - "Type": "S3" - }, - "Name": "TestPipeline", - "RestartExecutionOnUpdate": true, - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelineRole63C35BBD", - "Arn" - ] - }, - "Stages": [ - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Source", - "Owner": "AWS", - "Provider": "S3", - "Version": "1" - }, - "Configuration": { - "S3Bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "S3ObjectKey": "key" - }, - "Name": "S3", - "OutputArtifacts": [ - { - "Name": "Artifact_Source_S3" - } - ], - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelineSourceS3CodePipelineActionRoleEF21D3A0", - "Arn" - ] - }, - "RunOrder": 1 - } - ], - "Name": "Source" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "TestPipelineBuildSynthCdkBuildProject755D4B01" - }, - "EnvironmentVariables": "[{\"name\":\"_PROJECT_CONFIG_HASH\",\"type\":\"PLAINTEXT\",\"value\":\"8c69c5d954446d78352846c8ddc8ff911cec11c1f93f8aab1fac67556cf1a058\"}]" - }, - "InputArtifacts": [ - { - "Name": "Artifact_Source_S3" - } - ], - "Name": "Synth", - "OutputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelineBuildSynthCodePipelineActionRoleF7BF5926", - "Arn" - ] - }, - "RunOrder": 1 - } - ], - "Name": "Build" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckADCE795B" - }, - "EnvironmentVariables": { - "Fn::Join": [ - "", - [ - "[{\"name\":\"STAGE_PATH\",\"type\":\"PLAINTEXT\",\"value\":\"PipelineSecurityStack/SingleStage\"},{\"name\":\"STAGE_NAME\",\"type\":\"PLAINTEXT\",\"value\":\"UnattachedStage\"},{\"name\":\"ACTION_NAME\",\"type\":\"PLAINTEXT\",\"value\":\"SingleStageManualApproval\"},{\"name\":\"NOTIFICATION_ARN\",\"type\":\"PLAINTEXT\",\"value\":\"", - { - "Ref": "SecurityChangesTopic9762A9B3" - }, - "\"},{\"name\":\"NOTIFICATION_SUBJECT\",\"type\":\"PLAINTEXT\",\"value\":\"Confirm permission broadening in SingleStage\"}]" - ] - ] - } - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "SingleStageSecurityCheck", - "Namespace": "SingleStageSecurityCheck", - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelineUnattachedStageSingleStageSecurityCheckCodePipelineActionRoleFF6E43E2", - "Arn" - ] - }, - "RunOrder": 1 - }, - { - "ActionTypeId": { - "Category": "Approval", - "Owner": "AWS", - "Provider": "Manual", - "Version": "1" - }, - "Configuration": { - "CustomData": "#{SingleStageSecurityCheck.MESSAGE}", - "ExternalEntityLink": "#{SingleStageSecurityCheck.LINK}" - }, - "Name": "SingleStageManualApproval", - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelineUnattachedStageSingleStageManualApprovalCodePipelineActionRoleF7A614C8", - "Arn" - ] - }, - "RunOrder": 2 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "SingleStage-MyStack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineSecurityStack-SingleStage/PipelineSecurityStackSingleStageMyStack29962269.template.json" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "SingleStage-MyStack.Prepare", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 3 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "SingleStage-MyStack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "Name": "SingleStage-MyStack.Deploy", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 4 - } - ], - "Name": "UnattachedStage" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C" - }, - "EnvironmentVariables": { - "Fn::Join": [ - "", - [ - "[{\"name\":\"STAGE_PATH\",\"type\":\"PLAINTEXT\",\"value\":\"PipelineSecurityStack/PreProduction\"},{\"name\":\"STAGE_NAME\",\"type\":\"PLAINTEXT\",\"value\":\"PreProduction\"},{\"name\":\"ACTION_NAME\",\"type\":\"PLAINTEXT\",\"value\":\"PreProductionManualApproval\"},{\"name\":\"NOTIFICATION_ARN\",\"type\":\"PLAINTEXT\",\"value\":\"", - { - "Ref": "SecurityChangesTopic9762A9B3" - }, - "\"},{\"name\":\"NOTIFICATION_SUBJECT\",\"type\":\"PLAINTEXT\",\"value\":\"Confirm permission broadening in PreProduction\"}]" - ] - ] - } - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "PreProductionSecurityCheck", - "Namespace": "PreProductionSecurityCheck", - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelinePreProductionPreProductionSecurityCheckCodePipelineActionRole4E54C194", - "Arn" - ] - }, - "RunOrder": 1 - }, - { - "ActionTypeId": { - "Category": "Approval", - "Owner": "AWS", - "Provider": "Manual", - "Version": "1" - }, - "Configuration": { - "CustomData": "#{PreProductionSecurityCheck.MESSAGE}", - "ExternalEntityLink": "#{PreProductionSecurityCheck.LINK}" - }, - "Name": "PreProductionManualApproval", - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelinePreProductionPreProductionManualApprovalCodePipelineActionRole81B9C4F9", - "Arn" - ] - }, - "RunOrder": 2 - }, - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C" - }, - "EnvironmentVariables": { - "Fn::Join": [ - "", - [ - "[{\"name\":\"STAGE_PATH\",\"type\":\"PLAINTEXT\",\"value\":\"PipelineSecurityStack/SafeProduction\"},{\"name\":\"STAGE_NAME\",\"type\":\"PLAINTEXT\",\"value\":\"PreProduction\"},{\"name\":\"ACTION_NAME\",\"type\":\"PLAINTEXT\",\"value\":\"SafeProductionManualApproval\"},{\"name\":\"NOTIFICATION_ARN\",\"type\":\"PLAINTEXT\",\"value\":\"", - { - "Ref": "SecurityChangesTopic9762A9B3" - }, - "\"},{\"name\":\"NOTIFICATION_SUBJECT\",\"type\":\"PLAINTEXT\",\"value\":\"Confirm permission broadening in SafeProduction\"}]" - ] - ] - } - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "SafeProductionSecurityCheck", - "Namespace": "SafeProductionSecurityCheck", - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelinePreProductionSafeProductionSecurityCheckCodePipelineActionRole399C68A6", - "Arn" - ] - }, - "RunOrder": 5 - }, - { - "ActionTypeId": { - "Category": "Approval", - "Owner": "AWS", - "Provider": "Manual", - "Version": "1" - }, - "Configuration": { - "CustomData": "#{SafeProductionSecurityCheck.MESSAGE}", - "ExternalEntityLink": "#{SafeProductionSecurityCheck.LINK}" - }, - "Name": "SafeProductionManualApproval", - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelinePreProductionSafeProductionManualApprovalCodePipelineActionRole4F30C0D9", - "Arn" - ] - }, - "RunOrder": 6 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "PreProduction-MyStack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineSecurityStack-PreProduction/PipelineSecurityStackPreProductionMyStackDCCBB4EA.template.json" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "MyStack.Prepare", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 3 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "PreProduction-MyStack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "Name": "MyStack.Deploy", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 4 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "SafeProduction-MySafeStack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineSecurityStack-SafeProduction/PipelineSecurityStackSafeProductionMySafeStackC0D87904.template.json" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "SafeProduction-MySafeStack.Prepare", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 7 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "SafeProduction-MySafeStack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "Name": "SafeProduction-MySafeStack.Deploy", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 8 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "DisableSecurityCheck-MySafeStack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineSecurityStack-DisableSecurityCheck/PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.template.json" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "DisableSecurityCheck-MySafeStack.Prepare", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 9 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "DisableSecurityCheck-MySafeStack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "Name": "DisableSecurityCheck-MySafeStack.Deploy", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 10 - } - ], - "Name": "PreProduction" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C" - }, - "EnvironmentVariables": "[{\"name\":\"STAGE_PATH\",\"type\":\"PLAINTEXT\",\"value\":\"PipelineSecurityStack/EnableSecurityCheck\"},{\"name\":\"STAGE_NAME\",\"type\":\"PLAINTEXT\",\"value\":\"NoSecurityCheck\"},{\"name\":\"ACTION_NAME\",\"type\":\"PLAINTEXT\",\"value\":\"EnableSecurityCheckManualApproval\"}]" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "EnableSecurityCheckSecurityCheck", - "Namespace": "EnableSecurityCheckSecurityCheck", - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelineNoSecurityCheckEnableSecurityCheckSecurityCheckCodePipelineActionRole8D10AA6D", - "Arn" - ] - }, - "RunOrder": 3 - }, - { - "ActionTypeId": { - "Category": "Approval", - "Owner": "AWS", - "Provider": "Manual", - "Version": "1" - }, - "Configuration": { - "CustomData": "#{EnableSecurityCheckSecurityCheck.MESSAGE}", - "ExternalEntityLink": "#{EnableSecurityCheckSecurityCheck.LINK}" - }, - "Name": "EnableSecurityCheckManualApproval", - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelineNoSecurityCheckEnableSecurityCheckManualApprovalCodePipelineActionRole27FC4015", - "Arn" - ] - }, - "RunOrder": 4 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "NoSecurityCheck-MyStack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineSecurityStack-NoSecurityCheck/PipelineSecurityStackNoSecurityCheckMyStack3484019E.template.json" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "MyStack.Prepare", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 1 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "NoSecurityCheck-MyStack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "Name": "MyStack.Deploy", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 2 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "EnableSecurityCheck-MyStack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineSecurityStack-EnableSecurityCheck/PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.template.json" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "EnableSecurityCheck-MyStack.Prepare", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 5 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "EnableSecurityCheck-MyStack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "Name": "EnableSecurityCheck-MyStack.Deploy", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 6 - } - ], - "Name": "NoSecurityCheck" - } - ], - "Tags": [ - { - "Key": "SECURITY_CHECK", - "Value": "ALLOW_APPROVE" - } - ] - }, - "DependsOn": [ - "TestPipelineRoleDefaultPolicyFA69BF2D", - "TestPipelineRole63C35BBD" - ] - }, - "TestPipelineSourceS3CodePipelineActionRoleEF21D3A0": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelineSourceS3CodePipelineActionRoleDefaultPolicy8B0350FD": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/key" - ] - ] - } - ] - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelineSourceS3CodePipelineActionRoleDefaultPolicy8B0350FD", - "Roles": [ - { - "Ref": "TestPipelineSourceS3CodePipelineActionRoleEF21D3A0" - } - ] - } - }, - "TestPipelineBuildSynthCodePipelineActionRoleF7BF5926": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelineBuildSynthCodePipelineActionRoleDefaultPolicy65DF5C76": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelineBuildSynthCdkBuildProject755D4B01", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelineBuildSynthCodePipelineActionRoleDefaultPolicy65DF5C76", - "Roles": [ - { - "Ref": "TestPipelineBuildSynthCodePipelineActionRoleF7BF5926" - } - ] - } - }, - "TestPipelineBuildSynthCdkBuildProjectRole4C6E5729": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelineBuildSynthCdkBuildProjectRoleDefaultPolicy73DC4481": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "TestPipelineBuildSynthCdkBuildProject755D4B01" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "TestPipelineBuildSynthCdkBuildProject755D4B01" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "TestPipelineBuildSynthCdkBuildProject755D4B01" - }, - "-*" - ] - ] - } - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelineBuildSynthCdkBuildProjectRoleDefaultPolicy73DC4481", - "Roles": [ - { - "Ref": "TestPipelineBuildSynthCdkBuildProjectRole4C6E5729" - } - ] - } - }, - "TestPipelineBuildSynthCdkBuildProject755D4B01": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "CODEPIPELINE" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "EnvironmentVariables": [ - { - "Name": "NPM_CONFIG_UNSAFE_PERM", - "Type": "PLAINTEXT", - "Value": "true" - } - ], - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "ServiceRole": { - "Fn::GetAtt": [ - "TestPipelineBuildSynthCdkBuildProjectRole4C6E5729", - "Arn" - ] - }, - "Source": { - "BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"pre_build\": {\n \"commands\": [\n \"yarn install --frozen-lockfile\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"yarn build\",\n \"npx cdk synth\"\n ]\n }\n },\n \"artifacts\": {\n \"base-directory\": \"cdk.out\",\n \"files\": \"**/*\"\n }\n}", - "Type": "CODEPIPELINE" - } - } - }, - "TestPipelineUnattachedStageSingleStageSecurityCheckCodePipelineActionRoleFF6E43E2": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelineUnattachedStageSingleStageSecurityCheckCodePipelineActionRoleDefaultPolicyFC737D71": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckADCE795B", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelineUnattachedStageSingleStageSecurityCheckCodePipelineActionRoleDefaultPolicyFC737D71", - "Roles": [ - { - "Ref": "TestPipelineUnattachedStageSingleStageSecurityCheckCodePipelineActionRoleFF6E43E2" - } - ] - } - }, - "TestPipelineUnattachedStageSingleStageManualApprovalCodePipelineActionRoleF7A614C8": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelinePreProductionPreProductionSecurityCheckCodePipelineActionRole4E54C194": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelinePreProductionPreProductionSecurityCheckCodePipelineActionRoleDefaultPolicy10D0864F": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelinePreProductionPreProductionSecurityCheckCodePipelineActionRoleDefaultPolicy10D0864F", - "Roles": [ - { - "Ref": "TestPipelinePreProductionPreProductionSecurityCheckCodePipelineActionRole4E54C194" - } - ] - } - }, - "TestPipelinePreProductionPreProductionManualApprovalCodePipelineActionRole81B9C4F9": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelinePreProductionSafeProductionSecurityCheckCodePipelineActionRole399C68A6": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelinePreProductionSafeProductionSecurityCheckCodePipelineActionRoleDefaultPolicyB836B566": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelinePreProductionSafeProductionSecurityCheckCodePipelineActionRoleDefaultPolicyB836B566", - "Roles": [ - { - "Ref": "TestPipelinePreProductionSafeProductionSecurityCheckCodePipelineActionRole399C68A6" - } - ] - } - }, - "TestPipelinePreProductionSafeProductionManualApprovalCodePipelineActionRole4F30C0D9": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelineNoSecurityCheckEnableSecurityCheckSecurityCheckCodePipelineActionRole8D10AA6D": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelineNoSecurityCheckEnableSecurityCheckSecurityCheckCodePipelineActionRoleDefaultPolicyE83A2CA1": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelineNoSecurityCheckEnableSecurityCheckSecurityCheckCodePipelineActionRoleDefaultPolicyE83A2CA1", - "Roles": [ - { - "Ref": "TestPipelineNoSecurityCheckEnableSecurityCheckSecurityCheckCodePipelineActionRole8D10AA6D" - } - ] - } - }, - "TestPipelineNoSecurityCheckEnableSecurityCheckManualApprovalCodePipelineActionRole27FC4015": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApproveServiceRole7594919D": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - }, - "ManagedPolicyArns": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ] - ] - } - ] - } - }, - "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApproveServiceRoleDefaultPolicyE47AE90F": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codepipeline:GetPipelineState", - "codepipeline:PutApprovalResult" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/SECURITY_CHECK": "ALLOW_APPROVE" - } - }, - "Effect": "Allow", - "Resource": "*" - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApproveServiceRoleDefaultPolicyE47AE90F", - "Roles": [ - { - "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApproveServiceRole7594919D" - } - ] - } - }, - "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApprove1EE0AA81": { - "Type": "AWS::Lambda::Function", - "Properties": { - "Code": { - "S3Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, - "S3Key": "c2adac8ea3baf51ce56c33ef5da361ea693f7ed128ddbc9777c557e9e7c741a6.zip" - }, - "Handler": "index.handler", - "Role": { - "Fn::GetAtt": [ - "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApproveServiceRole7594919D", - "Arn" - ] - }, - "Runtime": { - "Fn::FindInMap": [ - "LatestNodeRuntimeMap", - { - "Ref": "AWS::Region" - }, - "value" - ] - }, - "Timeout": 300 - }, - "DependsOn": [ - "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApproveServiceRoleDefaultPolicyE47AE90F", - "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApproveServiceRole7594919D" - ] - }, - "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckRoleA54CF050": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckRoleDefaultPolicyF2137052": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C" - }, - "-*" - ] - ] - } - }, - { - "Action": "sts:AssumeRole", - "Condition": { - "ForAnyValue:StringEquals": { - "iam:ResourceTag/aws-cdk:bootstrap-role": [ - "deploy" - ] - } - }, - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": "lambda:InvokeFunction", - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApprove1EE0AA81", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApprove1EE0AA81", - "Arn" - ] - }, - ":*" - ] - ] - } - ] - }, - { - "Action": "sns:Publish", - "Effect": "Allow", - "Resource": { - "Ref": "SecurityChangesTopic9762A9B3" - } - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckRoleDefaultPolicyF2137052", - "Roles": [ - { - "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckRoleA54CF050" - } - ] - } - }, - "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "NO_ARTIFACTS" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "ServiceRole": { - "Fn::GetAtt": [ - "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckRoleA54CF050", - "Arn" - ] - }, - "Source": { - "BuildSpec": { - "Fn::Join": [ - "", - [ - "{\n \"version\": 0.2,\n \"phases\": {\n \"build\": {\n \"commands\": [\n \"npm install -g aws-cdk\",\n \"export PIPELINE_NAME=\\\"$(node -pe '`${process.env.CODEBUILD_INITIATOR}`.split(\\\"/\\\")[1]')\\\"\",\n \"payload=\\\"$(node -pe 'JSON.stringify({ \\\"PipelineName\\\": process.env.PIPELINE_NAME, \\\"StageName\\\": process.env.STAGE_NAME, \\\"ActionName\\\": process.env.ACTION_NAME })' )\\\"\",\n \"ARN=$CODEBUILD_BUILD_ARN\",\n \"REGION=\\\"$(node -pe '`${process.env.ARN}`.split(\\\":\\\")[3]')\\\"\",\n \"ACCOUNT_ID=\\\"$(node -pe '`${process.env.ARN}`.split(\\\":\\\")[4]')\\\"\",\n \"PROJECT_NAME=\\\"$(node -pe '`${process.env.ARN}`.split(\\\":\\\")[5].split(\\\"/\\\")[1]')\\\"\",\n \"PROJECT_ID=\\\"$(node -pe '`${process.env.ARN}`.split(\\\":\\\")[6]')\\\"\",\n \"export LINK=\\\"https://$REGION.console.aws.amazon.com/codesuite/codebuild/$ACCOUNT_ID/projects/$PROJECT_NAME/build/$PROJECT_NAME:$PROJECT_ID/?region=$REGION\\\"\",\n \"export PIPELINE_LINK=\\\"https://$REGION.console.aws.amazon.com/codesuite/codepipeline/pipelines/$PIPELINE_NAME/view?region=$REGION\\\"\",\n \"if cdk diff -a . --security-only --fail $STAGE_PATH/\\\\*; then aws lambda invoke --function-name ", - { - "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApprove1EE0AA81" - }, - " --invocation-type Event --cli-binary-format raw-in-base64-out --payload \\\"$payload\\\" lambda.out; export MESSAGE=\\\"No security-impacting changes detected.\\\"; else [ -z \\\"${NOTIFICATION_ARN}\\\" ] || aws sns publish --topic-arn $NOTIFICATION_ARN --subject \\\"$NOTIFICATION_SUBJECT\\\" --message \\\"An upcoming change would broaden security changes in $PIPELINE_NAME.\\nReview and approve the changes in CodePipeline to proceed with the deployment.\\n\\nReview the changes in CodeBuild:\\n\\n$LINK\\n\\nApprove the changes in CodePipeline (stage $STAGE_NAME, action $ACTION_NAME):\\n\\n$PIPELINE_LINK\\\"; export MESSAGE=\\\"Deployment would make security-impacting changes. Click the link below to inspect them, then click Approve if all changes are expected.\\\"; fi\"\n ]\n }\n },\n \"env\": {\n \"exported-variables\": [\n \"LINK\",\n \"MESSAGE\"\n ]\n }\n}" - ] - ] - }, - "Type": "NO_SOURCE" - } - } - }, - "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApproveServiceRole1358574A": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - }, - "ManagedPolicyArns": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ] - ] - } - ] - } - }, - "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApproveServiceRoleDefaultPolicy5AF69BD3": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codepipeline:GetPipelineState", - "codepipeline:PutApprovalResult" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/SECURITY_CHECK": "ALLOW_APPROVE" - } - }, - "Effect": "Allow", - "Resource": "*" - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApproveServiceRoleDefaultPolicy5AF69BD3", - "Roles": [ - { - "Ref": "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApproveServiceRole1358574A" - } - ] - } - }, - "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApprove249F82F9": { - "Type": "AWS::Lambda::Function", - "Properties": { - "Code": { - "S3Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, - "S3Key": "c2adac8ea3baf51ce56c33ef5da361ea693f7ed128ddbc9777c557e9e7c741a6.zip" - }, - "Handler": "index.handler", - "Role": { - "Fn::GetAtt": [ - "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApproveServiceRole1358574A", - "Arn" - ] - }, - "Runtime": { - "Fn::FindInMap": [ - "LatestNodeRuntimeMap", - { - "Ref": "AWS::Region" - }, - "value" - ] - }, - "Timeout": 300 - }, - "DependsOn": [ - "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApproveServiceRoleDefaultPolicy5AF69BD3", - "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApproveServiceRole1358574A" - ] - }, - "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckRoleD3505CF0": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckRoleDefaultPolicy6F6EA2A6": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckADCE795B" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckADCE795B" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckADCE795B" - }, - "-*" - ] - ] - } - }, - { - "Action": "sts:AssumeRole", - "Condition": { - "ForAnyValue:StringEquals": { - "iam:ResourceTag/aws-cdk:bootstrap-role": [ - "deploy" - ] - } - }, - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": "lambda:InvokeFunction", - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApprove249F82F9", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApprove249F82F9", - "Arn" - ] - }, - ":*" - ] - ] - } - ] - }, - { - "Action": "sns:Publish", - "Effect": "Allow", - "Resource": { - "Ref": "SecurityChangesTopic9762A9B3" - } - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckRoleDefaultPolicy6F6EA2A6", - "Roles": [ - { - "Ref": "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckRoleD3505CF0" - } - ] - } - }, - "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckADCE795B": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "NO_ARTIFACTS" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "ServiceRole": { - "Fn::GetAtt": [ - "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckRoleD3505CF0", - "Arn" - ] - }, - "Source": { - "BuildSpec": { - "Fn::Join": [ - "", - [ - "{\n \"version\": 0.2,\n \"phases\": {\n \"build\": {\n \"commands\": [\n \"npm install -g aws-cdk\",\n \"export PIPELINE_NAME=\\\"$(node -pe '`${process.env.CODEBUILD_INITIATOR}`.split(\\\"/\\\")[1]')\\\"\",\n \"payload=\\\"$(node -pe 'JSON.stringify({ \\\"PipelineName\\\": process.env.PIPELINE_NAME, \\\"StageName\\\": process.env.STAGE_NAME, \\\"ActionName\\\": process.env.ACTION_NAME })' )\\\"\",\n \"ARN=$CODEBUILD_BUILD_ARN\",\n \"REGION=\\\"$(node -pe '`${process.env.ARN}`.split(\\\":\\\")[3]')\\\"\",\n \"ACCOUNT_ID=\\\"$(node -pe '`${process.env.ARN}`.split(\\\":\\\")[4]')\\\"\",\n \"PROJECT_NAME=\\\"$(node -pe '`${process.env.ARN}`.split(\\\":\\\")[5].split(\\\"/\\\")[1]')\\\"\",\n \"PROJECT_ID=\\\"$(node -pe '`${process.env.ARN}`.split(\\\":\\\")[6]')\\\"\",\n \"export LINK=\\\"https://$REGION.console.aws.amazon.com/codesuite/codebuild/$ACCOUNT_ID/projects/$PROJECT_NAME/build/$PROJECT_NAME:$PROJECT_ID/?region=$REGION\\\"\",\n \"export PIPELINE_LINK=\\\"https://$REGION.console.aws.amazon.com/codesuite/codepipeline/pipelines/$PIPELINE_NAME/view?region=$REGION\\\"\",\n \"if cdk diff -a . --security-only --fail $STAGE_PATH/\\\\*; then aws lambda invoke --function-name ", - { - "Ref": "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApprove249F82F9" - }, - " --invocation-type Event --cli-binary-format raw-in-base64-out --payload \\\"$payload\\\" lambda.out; export MESSAGE=\\\"No security-impacting changes detected.\\\"; else [ -z \\\"${NOTIFICATION_ARN}\\\" ] || aws sns publish --topic-arn $NOTIFICATION_ARN --subject \\\"$NOTIFICATION_SUBJECT\\\" --message \\\"An upcoming change would broaden security changes in $PIPELINE_NAME.\\nReview and approve the changes in CodePipeline to proceed with the deployment.\\n\\nReview the changes in CodeBuild:\\n\\n$LINK\\n\\nApprove the changes in CodePipeline (stage $STAGE_NAME, action $ACTION_NAME):\\n\\n$PIPELINE_LINK\\\"; export MESSAGE=\\\"Deployment would make security-impacting changes. Click the link below to inspect them, then click Approve if all changes are expected.\\\"; fi\"\n ]\n }\n },\n \"env\": {\n \"exported-variables\": [\n \"LINK\",\n \"MESSAGE\"\n ]\n }\n}" - ] - ] - }, - "Type": "NO_SOURCE" - } - } - }, - "SecurityChangesTopic9762A9B3": { - "Type": "AWS::SNS::Topic" - }, - "SecurityChangesTopictestemailcom7C32D452": { - "Type": "AWS::SNS::Subscription", - "Properties": { - "Endpoint": "test@email.com", - "Protocol": "email", - "TopicArn": { - "Ref": "SecurityChangesTopic9762A9B3" - } - } - } - }, - "Mappings": { - "LatestNodeRuntimeMap": { - "af-south-1": { - "value": "nodejs20.x" - }, - "ap-east-1": { - "value": "nodejs20.x" - }, - "ap-northeast-1": { - "value": "nodejs20.x" - }, - "ap-northeast-2": { - "value": "nodejs20.x" - }, - "ap-northeast-3": { - "value": "nodejs20.x" - }, - "ap-south-1": { - "value": "nodejs20.x" - }, - "ap-south-2": { - "value": "nodejs20.x" - }, - "ap-southeast-1": { - "value": "nodejs20.x" - }, - "ap-southeast-2": { - "value": "nodejs20.x" - }, - "ap-southeast-3": { - "value": "nodejs20.x" - }, - "ap-southeast-4": { - "value": "nodejs20.x" - }, - "ap-southeast-5": { - "value": "nodejs20.x" - }, - "ap-southeast-7": { - "value": "nodejs20.x" - }, - "ca-central-1": { - "value": "nodejs20.x" - }, - "ca-west-1": { - "value": "nodejs20.x" - }, - "cn-north-1": { - "value": "nodejs18.x" - }, - "cn-northwest-1": { - "value": "nodejs18.x" - }, - "eu-central-1": { - "value": "nodejs20.x" - }, - "eu-central-2": { - "value": "nodejs20.x" - }, - "eu-isoe-west-1": { - "value": "nodejs18.x" - }, - "eu-north-1": { - "value": "nodejs20.x" - }, - "eu-south-1": { - "value": "nodejs20.x" - }, - "eu-south-2": { - "value": "nodejs20.x" - }, - "eu-west-1": { - "value": "nodejs20.x" - }, - "eu-west-2": { - "value": "nodejs20.x" - }, - "eu-west-3": { - "value": "nodejs20.x" - }, - "il-central-1": { - "value": "nodejs20.x" - }, - "me-central-1": { - "value": "nodejs20.x" - }, - "me-south-1": { - "value": "nodejs20.x" - }, - "mx-central-1": { - "value": "nodejs20.x" - }, - "sa-east-1": { - "value": "nodejs20.x" - }, - "us-east-1": { - "value": "nodejs20.x" - }, - "us-east-2": { - "value": "nodejs20.x" - }, - "us-gov-east-1": { - "value": "nodejs18.x" - }, - "us-gov-west-1": { - "value": "nodejs18.x" - }, - "us-iso-east-1": { - "value": "nodejs18.x" - }, - "us-iso-west-1": { - "value": "nodejs18.x" - }, - "us-isob-east-1": { - "value": "nodejs18.x" - }, - "us-west-1": { - "value": "nodejs20.x" - }, - "us-west-2": { - "value": "nodejs20.x" - } - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.assets.json deleted file mode 100644 index 56bf2e32c37ca..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "438cc177ec016e131365f2b864849c84dcb371e8e7ed718c21cc27d6569faf50": { - "source": { - "path": "PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "438cc177ec016e131365f2b864849c84dcb371e8e7ed718c21cc27d6569faf50.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.template.json deleted file mode 100644 index 25024d7cb74b1..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.template.json +++ /dev/null @@ -1,41 +0,0 @@ -{ - "Resources": { - "MySafeTopicCC243D11": { - "Type": "AWS::SNS::Topic" - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/manifest.json deleted file mode 100644 index 5c2441812122d..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/manifest.json +++ /dev/null @@ -1,60 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.template.json", - "terminationProtection": false, - "validateOnSynth": true, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/438cc177ec016e131365f2b864849c84dcb371e8e7ed718c21cc27d6569faf50.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - }, - "stackName": "DisableSecurityCheck-MySafeStack" - }, - "dependencies": [ - "PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.assets" - ], - "metadata": { - "/PipelineSecurityStack/DisableSecurityCheck/MySafeStack/MySafeTopic/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "MySafeTopicCC243D11" - } - ], - "/PipelineSecurityStack/DisableSecurityCheck/MySafeStack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineSecurityStack/DisableSecurityCheck/MySafeStack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineSecurityStack/DisableSecurityCheck/MySafeStack" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.assets.json deleted file mode 100644 index 07f739c5f5923..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298": { - "source": { - "path": "PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.template.json deleted file mode 100644 index ed0acd6607770..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.template.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "Resources": { - "TopicBFC7AF6E": { - "Type": "AWS::SNS::Topic" - }, - "TopicPolicyA1747468": { - "Type": "AWS::SNS::TopicPolicy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": "sns:Publish", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": { - "Ref": "TopicBFC7AF6E" - }, - "Sid": "0" - } - ], - "Version": "2012-10-17" - }, - "Topics": [ - { - "Ref": "TopicBFC7AF6E" - } - ] - } - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/manifest.json deleted file mode 100644 index 9f723f7ccb5fa..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/manifest.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.template.json", - "terminationProtection": false, - "validateOnSynth": true, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - }, - "stackName": "EnableSecurityCheck-MyStack" - }, - "dependencies": [ - "PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.assets" - ], - "metadata": { - "/PipelineSecurityStack/EnableSecurityCheck/MyStack/Topic/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TopicBFC7AF6E" - } - ], - "/PipelineSecurityStack/EnableSecurityCheck/MyStack/Topic/Policy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TopicPolicyA1747468" - } - ], - "/PipelineSecurityStack/EnableSecurityCheck/MyStack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineSecurityStack/EnableSecurityCheck/MyStack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineSecurityStack/EnableSecurityCheck/MyStack" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/PipelineSecurityStackNoSecurityCheckMyStack3484019E.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/PipelineSecurityStackNoSecurityCheckMyStack3484019E.assets.json deleted file mode 100644 index ff06078cec81f..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/PipelineSecurityStackNoSecurityCheckMyStack3484019E.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298": { - "source": { - "path": "PipelineSecurityStackNoSecurityCheckMyStack3484019E.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/PipelineSecurityStackNoSecurityCheckMyStack3484019E.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/PipelineSecurityStackNoSecurityCheckMyStack3484019E.template.json deleted file mode 100644 index ed0acd6607770..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/PipelineSecurityStackNoSecurityCheckMyStack3484019E.template.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "Resources": { - "TopicBFC7AF6E": { - "Type": "AWS::SNS::Topic" - }, - "TopicPolicyA1747468": { - "Type": "AWS::SNS::TopicPolicy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": "sns:Publish", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": { - "Ref": "TopicBFC7AF6E" - }, - "Sid": "0" - } - ], - "Version": "2012-10-17" - }, - "Topics": [ - { - "Ref": "TopicBFC7AF6E" - } - ] - } - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/manifest.json deleted file mode 100644 index 2122aeedd21b5..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/manifest.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "PipelineSecurityStackNoSecurityCheckMyStack3484019E.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineSecurityStackNoSecurityCheckMyStack3484019E.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineSecurityStackNoSecurityCheckMyStack3484019E": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineSecurityStackNoSecurityCheckMyStack3484019E.template.json", - "terminationProtection": false, - "validateOnSynth": true, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineSecurityStackNoSecurityCheckMyStack3484019E.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - }, - "stackName": "NoSecurityCheck-MyStack" - }, - "dependencies": [ - "PipelineSecurityStackNoSecurityCheckMyStack3484019E.assets" - ], - "metadata": { - "/PipelineSecurityStack/NoSecurityCheck/MyStack/Topic/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TopicBFC7AF6E" - } - ], - "/PipelineSecurityStack/NoSecurityCheck/MyStack/Topic/Policy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TopicPolicyA1747468" - } - ], - "/PipelineSecurityStack/NoSecurityCheck/MyStack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineSecurityStack/NoSecurityCheck/MyStack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineSecurityStack/NoSecurityCheck/MyStack" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/PipelineSecurityStackPreProductionMyStackDCCBB4EA.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/PipelineSecurityStackPreProductionMyStackDCCBB4EA.assets.json deleted file mode 100644 index 06bf236bec53b..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/PipelineSecurityStackPreProductionMyStackDCCBB4EA.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298": { - "source": { - "path": "PipelineSecurityStackPreProductionMyStackDCCBB4EA.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/PipelineSecurityStackPreProductionMyStackDCCBB4EA.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/PipelineSecurityStackPreProductionMyStackDCCBB4EA.template.json deleted file mode 100644 index ed0acd6607770..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/PipelineSecurityStackPreProductionMyStackDCCBB4EA.template.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "Resources": { - "TopicBFC7AF6E": { - "Type": "AWS::SNS::Topic" - }, - "TopicPolicyA1747468": { - "Type": "AWS::SNS::TopicPolicy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": "sns:Publish", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": { - "Ref": "TopicBFC7AF6E" - }, - "Sid": "0" - } - ], - "Version": "2012-10-17" - }, - "Topics": [ - { - "Ref": "TopicBFC7AF6E" - } - ] - } - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/manifest.json deleted file mode 100644 index 9175443047e81..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/manifest.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "PipelineSecurityStackPreProductionMyStackDCCBB4EA.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineSecurityStackPreProductionMyStackDCCBB4EA.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineSecurityStackPreProductionMyStackDCCBB4EA": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineSecurityStackPreProductionMyStackDCCBB4EA.template.json", - "terminationProtection": false, - "validateOnSynth": true, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineSecurityStackPreProductionMyStackDCCBB4EA.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - }, - "stackName": "PreProduction-MyStack" - }, - "dependencies": [ - "PipelineSecurityStackPreProductionMyStackDCCBB4EA.assets" - ], - "metadata": { - "/PipelineSecurityStack/PreProduction/MyStack/Topic/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TopicBFC7AF6E" - } - ], - "/PipelineSecurityStack/PreProduction/MyStack/Topic/Policy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TopicPolicyA1747468" - } - ], - "/PipelineSecurityStack/PreProduction/MyStack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineSecurityStack/PreProduction/MyStack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineSecurityStack/PreProduction/MyStack" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/PipelineSecurityStackSafeProductionMySafeStackC0D87904.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/PipelineSecurityStackSafeProductionMySafeStackC0D87904.assets.json deleted file mode 100644 index 8fb0d8df01aa2..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/PipelineSecurityStackSafeProductionMySafeStackC0D87904.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "438cc177ec016e131365f2b864849c84dcb371e8e7ed718c21cc27d6569faf50": { - "source": { - "path": "PipelineSecurityStackSafeProductionMySafeStackC0D87904.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "438cc177ec016e131365f2b864849c84dcb371e8e7ed718c21cc27d6569faf50.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/PipelineSecurityStackSafeProductionMySafeStackC0D87904.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/PipelineSecurityStackSafeProductionMySafeStackC0D87904.template.json deleted file mode 100644 index 25024d7cb74b1..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/PipelineSecurityStackSafeProductionMySafeStackC0D87904.template.json +++ /dev/null @@ -1,41 +0,0 @@ -{ - "Resources": { - "MySafeTopicCC243D11": { - "Type": "AWS::SNS::Topic" - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/manifest.json deleted file mode 100644 index 25c091b2d6bdc..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/manifest.json +++ /dev/null @@ -1,60 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "PipelineSecurityStackSafeProductionMySafeStackC0D87904.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineSecurityStackSafeProductionMySafeStackC0D87904.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineSecurityStackSafeProductionMySafeStackC0D87904": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineSecurityStackSafeProductionMySafeStackC0D87904.template.json", - "terminationProtection": false, - "validateOnSynth": true, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/438cc177ec016e131365f2b864849c84dcb371e8e7ed718c21cc27d6569faf50.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineSecurityStackSafeProductionMySafeStackC0D87904.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - }, - "stackName": "SafeProduction-MySafeStack" - }, - "dependencies": [ - "PipelineSecurityStackSafeProductionMySafeStackC0D87904.assets" - ], - "metadata": { - "/PipelineSecurityStack/SafeProduction/MySafeStack/MySafeTopic/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "MySafeTopicCC243D11" - } - ], - "/PipelineSecurityStack/SafeProduction/MySafeStack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineSecurityStack/SafeProduction/MySafeStack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineSecurityStack/SafeProduction/MySafeStack" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/PipelineSecurityStackSingleStageMyStack29962269.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/PipelineSecurityStackSingleStageMyStack29962269.assets.json deleted file mode 100644 index 8451cee8dc082..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/PipelineSecurityStackSingleStageMyStack29962269.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298": { - "source": { - "path": "PipelineSecurityStackSingleStageMyStack29962269.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/PipelineSecurityStackSingleStageMyStack29962269.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/PipelineSecurityStackSingleStageMyStack29962269.template.json deleted file mode 100644 index ed0acd6607770..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/PipelineSecurityStackSingleStageMyStack29962269.template.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "Resources": { - "TopicBFC7AF6E": { - "Type": "AWS::SNS::Topic" - }, - "TopicPolicyA1747468": { - "Type": "AWS::SNS::TopicPolicy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": "sns:Publish", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": { - "Ref": "TopicBFC7AF6E" - }, - "Sid": "0" - } - ], - "Version": "2012-10-17" - }, - "Topics": [ - { - "Ref": "TopicBFC7AF6E" - } - ] - } - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/manifest.json deleted file mode 100644 index dbe924b8efbae..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/manifest.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "PipelineSecurityStackSingleStageMyStack29962269.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineSecurityStackSingleStageMyStack29962269.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineSecurityStackSingleStageMyStack29962269": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineSecurityStackSingleStageMyStack29962269.template.json", - "terminationProtection": false, - "validateOnSynth": true, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineSecurityStackSingleStageMyStack29962269.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - }, - "stackName": "SingleStage-MyStack" - }, - "dependencies": [ - "PipelineSecurityStackSingleStageMyStack29962269.assets" - ], - "metadata": { - "/PipelineSecurityStack/SingleStage/MyStack/Topic/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TopicBFC7AF6E" - } - ], - "/PipelineSecurityStack/SingleStage/MyStack/Topic/Policy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TopicPolicyA1747468" - } - ], - "/PipelineSecurityStack/SingleStage/MyStack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineSecurityStack/SingleStage/MyStack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineSecurityStack/SingleStage/MyStack" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js deleted file mode 100644 index 1002ba018e9fb..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";var f=Object.create;var i=Object.defineProperty;var I=Object.getOwnPropertyDescriptor;var C=Object.getOwnPropertyNames;var w=Object.getPrototypeOf,P=Object.prototype.hasOwnProperty;var A=(t,e)=>{for(var o in e)i(t,o,{get:e[o],enumerable:!0})},d=(t,e,o,r)=>{if(e&&typeof e=="object"||typeof e=="function")for(let s of C(e))!P.call(t,s)&&s!==o&&i(t,s,{get:()=>e[s],enumerable:!(r=I(e,s))||r.enumerable});return t};var l=(t,e,o)=>(o=t!=null?f(w(t)):{},d(e||!t||!t.__esModule?i(o,"default",{value:t,enumerable:!0}):o,t)),B=t=>d(i({},"__esModule",{value:!0}),t);var q={};A(q,{autoDeleteHandler:()=>S,handler:()=>H});module.exports=B(q);var h=require("@aws-sdk/client-s3");var y=l(require("https")),m=l(require("url")),a={sendHttpRequest:D,log:T,includeStackTraces:!0,userHandlerIndex:"./index"},p="AWSCDK::CustomResourceProviderFramework::CREATE_FAILED",L="AWSCDK::CustomResourceProviderFramework::MISSING_PHYSICAL_ID";function R(t){return async(e,o)=>{let r={...e,ResponseURL:"..."};if(a.log(JSON.stringify(r,void 0,2)),e.RequestType==="Delete"&&e.PhysicalResourceId===p){a.log("ignoring DELETE event caused by a failed CREATE event"),await u("SUCCESS",e);return}try{let s=await t(r,o),n=k(e,s);await u("SUCCESS",n)}catch(s){let n={...e,Reason:a.includeStackTraces?s.stack:s.message};n.PhysicalResourceId||(e.RequestType==="Create"?(a.log("CREATE failed, responding with a marker physical resource id so that the subsequent DELETE will be ignored"),n.PhysicalResourceId=p):a.log(`ERROR: Malformed event. "PhysicalResourceId" is required: ${JSON.stringify(e)}`)),await u("FAILED",n)}}}function k(t,e={}){let o=e.PhysicalResourceId??t.PhysicalResourceId??t.RequestId;if(t.RequestType==="Delete"&&o!==t.PhysicalResourceId)throw new Error(`DELETE: cannot change the physical resource ID from "${t.PhysicalResourceId}" to "${e.PhysicalResourceId}" during deletion`);return{...t,...e,PhysicalResourceId:o}}async function u(t,e){let o={Status:t,Reason:e.Reason??t,StackId:e.StackId,RequestId:e.RequestId,PhysicalResourceId:e.PhysicalResourceId||L,LogicalResourceId:e.LogicalResourceId,NoEcho:e.NoEcho,Data:e.Data},r=m.parse(e.ResponseURL),s=`${r.protocol}//${r.hostname}/${r.pathname}?***`;a.log("submit response to cloudformation",s,o);let n=JSON.stringify(o),E={hostname:r.hostname,path:r.path,method:"PUT",headers:{"content-type":"","content-length":Buffer.byteLength(n,"utf8")}};await O({attempts:5,sleep:1e3},a.sendHttpRequest)(E,n)}async function D(t,e){return new Promise((o,r)=>{try{let s=y.request(t,n=>{n.resume(),!n.statusCode||n.statusCode>=400?r(new Error(`Unsuccessful HTTP response: ${n.statusCode}`)):o()});s.on("error",r),s.write(e),s.end()}catch(s){r(s)}})}function T(t,...e){console.log(t,...e)}function O(t,e){return async(...o)=>{let r=t.attempts,s=t.sleep;for(;;)try{return await e(...o)}catch(n){if(r--<=0)throw n;await b(Math.floor(Math.random()*s)),s*=2}}}async function b(t){return new Promise(e=>setTimeout(e,t))}var g="aws-cdk:auto-delete-objects",x=JSON.stringify({Version:"2012-10-17",Statement:[]}),c=new h.S3({}),H=R(S);async function S(t){switch(t.RequestType){case"Create":return;case"Update":return{PhysicalResourceId:(await F(t)).PhysicalResourceId};case"Delete":return N(t.ResourceProperties?.BucketName)}}async function F(t){let e=t,o=e.OldResourceProperties?.BucketName;return{PhysicalResourceId:e.ResourceProperties?.BucketName??o}}async function _(t){try{let e=(await c.getBucketPolicy({Bucket:t}))?.Policy??x,o=JSON.parse(e);o.Statement.push({Principal:"*",Effect:"Deny",Action:["s3:PutObject"],Resource:[`arn:aws:s3:::${t}/*`]}),await c.putBucketPolicy({Bucket:t,Policy:JSON.stringify(o)})}catch(e){if(e.name==="NoSuchBucket")throw e;console.log(`Could not set new object deny policy on bucket '${t}' prior to deletion.`)}}async function U(t){let e;do{e=await c.listObjectVersions({Bucket:t});let o=[...e.Versions??[],...e.DeleteMarkers??[]];if(o.length===0)return;let r=o.map(s=>({Key:s.Key,VersionId:s.VersionId}));await c.deleteObjects({Bucket:t,Delete:{Objects:r}})}while(e?.IsTruncated)}async function N(t){if(!t)throw new Error("No BucketName was provided.");try{if(!await W(t)){console.log(`Bucket does not have '${g}' tag, skipping cleaning.`);return}await _(t),await U(t)}catch(e){if(e.name==="NoSuchBucket"){console.log(`Bucket '${t}' does not exist.`);return}throw e}}async function W(t){return(await c.getBucketTagging({Bucket:t})).TagSet?.some(o=>o.Key===g&&o.Value==="true")}0&&(module.exports={autoDeleteHandler,handler}); diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/asset.c2adac8ea3baf51ce56c33ef5da361ea693f7ed128ddbc9777c557e9e7c741a6/index.js b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/asset.c2adac8ea3baf51ce56c33ef5da361ea693f7ed128ddbc9777c557e9e7c741a6/index.js deleted file mode 100644 index c9fe4b293ebbf..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/asset.c2adac8ea3baf51ce56c33ef5da361ea693f7ed128ddbc9777c557e9e7c741a6/index.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";var l=Object.defineProperty;var y=Object.getOwnPropertyDescriptor;var f=Object.getOwnPropertyNames;var w=Object.prototype.hasOwnProperty;var S=(t,e)=>{for(var n in e)l(t,n,{get:e[n],enumerable:!0})},v=(t,e,n,s)=>{if(e&&typeof e=="object"||typeof e=="function")for(let a of f(e))!w.call(t,a)&&a!==n&&l(t,a,{get:()=>e[a],enumerable:!(s=y(e,a))||s.enumerable});return t};var h=t=>v(l({},"__esModule",{value:!0}),t);var b={};S(b,{handler:()=>T});module.exports=h(b);var d=require("@aws-sdk/client-codepipeline"),u=new d.CodePipeline,A=5,P=t=>new Promise(e=>setTimeout(e,t*1e3));async function T(t,e){let{PipelineName:n,StageName:s,ActionName:a}=t;function g(o){let m=o.stageStates?.filter(r=>r.stageName===s),c=m.length&&m[0].actionStates.filter(r=>r.actionName===a),p=c&&c.length&&c[0].latestExecution;return p?p.token:void 0}let N=Date.now()+A*6e4;for(;Date.now() undefined, - stackOutputArtifact: () => undefined, - }, - }); - - const topic = new sns.Topic(this, 'SecurityChangesTopic'); - topic.addSubscription(new subscriptions.EmailSubscription('test@email.com')); - - unattachedStage.addApplication(new MyStage(this, 'SingleStage', { - }), { confirmBroadeningPermissions: true, securityNotificationTopic: topic }); - - const stage1 = pipeline.addApplicationStage(new MyStage(this, 'PreProduction', { - }), { confirmBroadeningPermissions: true, securityNotificationTopic: topic }); - - stage1.addApplication(new MySafeStage(this, 'SafeProduction', { - })); - - stage1.addApplication(new MySafeStage(this, 'DisableSecurityCheck', { - }), { confirmBroadeningPermissions: false }); - - const stage2 = pipeline.addApplicationStage(new MyStage(this, 'NoSecurityCheck', { - })); - - stage2.addApplication(new MyStage(this, 'EnableSecurityCheck', { }), { confirmBroadeningPermissions: true }); - } -} - -const app = new App({ - postCliContext: { - '@aws-cdk/core:newStyleStackSynthesis': 'true', - '@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2': false, - }, -}); -const stack = new TestCdkStack(app, 'PipelineSecurityStack', { - synthesizer: new DefaultStackSynthesizer(), -}); - -new integ.IntegTest(app, 'PipelineSecurityTest', { - testCases: [stack], - diffAssets: true, -}); - -app.synth(); diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStack.assets.json deleted file mode 100644 index 2c35bdd4a6304..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStack.assets.json +++ /dev/null @@ -1,32 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61": { - "source": { - "path": "asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61", - "packaging": "zip" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61.zip", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - }, - "d638ba18659142158a20f892d018e0ed7ea71928d1859cbece1b4d50f7f514f5": { - "source": { - "path": "PipelineStack.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "d638ba18659142158a20f892d018e0ed7ea71928d1859cbece1b4d50f7f514f5.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStack.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStack.template.json deleted file mode 100644 index 3b4d32b92b138..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStack.template.json +++ /dev/null @@ -1,2148 +0,0 @@ -{ - "Resources": { - "SourceBucketDDD2130A": { - "Type": "AWS::S3::Bucket", - "Properties": { - "Tags": [ - { - "Key": "aws-cdk:auto-delete-objects", - "Value": "true" - } - ] - }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "SourceBucketPolicy703DFBF9": { - "Type": "AWS::S3::BucketPolicy", - "Properties": { - "Bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:List*", - "s3:PutBucketPolicy" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", - "Arn" - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "SourceBucketAutoDeleteObjectsCustomResourceC68FC040": { - "Type": "Custom::S3AutoDeleteObjects", - "Properties": { - "ServiceToken": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", - "Arn" - ] - }, - "BucketName": { - "Ref": "SourceBucketDDD2130A" - } - }, - "DependsOn": [ - "SourceBucketPolicy703DFBF9" - ], - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "ManagedPolicyArns": [ - { - "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - } - ] - } - }, - "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { - "Type": "AWS::Lambda::Function", - "Properties": { - "Code": { - "S3Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, - "S3Key": "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61.zip" - }, - "Timeout": 900, - "MemorySize": 128, - "Handler": "index.handler", - "Role": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", - "Arn" - ] - }, - "Runtime": { - "Fn::FindInMap": [ - "LatestNodeRuntimeMap", - { - "Ref": "AWS::Region" - }, - "value" - ] - }, - "Description": { - "Fn::Join": [ - "", - [ - "Lambda function for auto-deleting objects in ", - { - "Ref": "SourceBucketDDD2130A" - }, - " S3 bucket." - ] - ] - } - }, - "DependsOn": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" - ] - }, - "PipelineArtifactsBucketEncryptionKeyF5BF0670": { - "Type": "AWS::KMS::Key", - "Properties": { - "KeyPolicy": { - "Statement": [ - { - "Action": "kms:*", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": "*" - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": "*" - } - ], - "Version": "2012-10-17" - } - }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "PipelineArtifactsBucketEncryptionKeyAlias94A07392": { - "Type": "AWS::KMS::Alias", - "Properties": { - "AliasName": "alias/codepipeline-pipelinestack-pipeline-e95eedaa", - "TargetKeyId": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "PipelineArtifactsBucketAEA9A052": { - "Type": "AWS::S3::Bucket", - "Properties": { - "BucketEncryption": { - "ServerSideEncryptionConfiguration": [ - { - "ServerSideEncryptionByDefault": { - "KMSMasterKeyID": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "SSEAlgorithm": "aws:kms" - } - } - ] - }, - "PublicAccessBlockConfiguration": { - "BlockPublicAcls": true, - "BlockPublicPolicy": true, - "IgnorePublicAcls": true, - "RestrictPublicBuckets": true - } - }, - "UpdateReplacePolicy": "Retain", - "DeletionPolicy": "Retain" - }, - "PipelineArtifactsBucketPolicyF53CCC52": { - "Type": "AWS::S3::BucketPolicy", - "Properties": { - "Bucket": { - "Ref": "PipelineArtifactsBucketAEA9A052" - }, - "PolicyDocument": { - "Statement": [ - { - "Action": "s3:*", - "Condition": { - "Bool": { - "aws:SecureTransport": "false" - } - }, - "Effect": "Deny", - "Principal": { - "AWS": "*" - }, - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineRoleB27FAA37": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codepipeline.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineRoleDefaultPolicy7BDC1ABB": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - }, - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineAssetsFileRole59943A77", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineBuildSynthCodePipelineActionRole4E7A6C97", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineSourceS3CodePipelineActionRole83895A58", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineRoleDefaultPolicy7BDC1ABB", - "Roles": [ - { - "Ref": "PipelineRoleB27FAA37" - } - ] - } - }, - "Pipeline9850B417": { - "Type": "AWS::CodePipeline::Pipeline", - "Properties": { - "ArtifactStore": { - "EncryptionKey": { - "Id": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "Type": "KMS" - }, - "Location": { - "Ref": "PipelineArtifactsBucketAEA9A052" - }, - "Type": "S3" - }, - "RestartExecutionOnUpdate": true, - "RoleArn": { - "Fn::GetAtt": [ - "PipelineRoleB27FAA37", - "Arn" - ] - }, - "Stages": [ - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Source", - "Owner": "AWS", - "Provider": "S3", - "Version": "1" - }, - "Configuration": { - "S3Bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "S3ObjectKey": "key" - }, - "Name": "S3", - "OutputArtifacts": [ - { - "Name": "Artifact_Source_S3" - } - ], - "RoleArn": { - "Fn::GetAtt": [ - "PipelineSourceS3CodePipelineActionRole83895A58", - "Arn" - ] - }, - "RunOrder": 1 - } - ], - "Name": "Source" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - "EnvironmentVariables": "[{\"name\":\"_PROJECT_CONFIG_HASH\",\"type\":\"PLAINTEXT\",\"value\":\"7f66814704b7757367a6ec706823d271fb9c6fceda866eee4260d1e76b73967b\"}]" - }, - "InputArtifacts": [ - { - "Name": "Artifact_Source_S3" - } - ], - "Name": "Synth", - "OutputArtifacts": [ - { - "Name": "CloudAsm" - }, - { - "Name": "IntegTests" - } - ], - "RoleArn": { - "Fn::GetAtt": [ - "PipelineBuildSynthCodePipelineActionRole4E7A6C97", - "Arn" - ] - }, - "RunOrder": 1 - } - ], - "Name": "Build" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - "EnvironmentVariables": "[{\"name\":\"CDK_CLI_VERSION\",\"type\":\"PLAINTEXT\",\"value\":\"2\"}]" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "SelfMutate", - "RoleArn": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", - "Arn" - ] - }, - "RunOrder": 1 - } - ], - "Name": "UpdatePipeline" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "PipelineAssetsFileAsset5D8C5DA6" - }, - "EnvironmentVariables": "[{\"name\":\"CDK_CLI_VERSION\",\"type\":\"PLAINTEXT\",\"value\":\"2\"}]" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "FileAsset", - "RoleArn": { - "Fn::GetAtt": [ - "PipelineAssetsFileRole59943A77", - "Arn" - ] - }, - "RunOrder": 1 - } - ], - "Name": "Assets" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - } - }, - "InputArtifacts": [ - { - "Name": "Artifact_Source_S3" - } - ], - "Name": "UseSource", - "RoleArn": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA", - "Arn" - ] - }, - "RunOrder": 100 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "PreProd-Stack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "Stack.Prepare", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 1 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "PreProd-Stack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "Name": "Stack.Deploy", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 2 - } - ], - "Name": "PreProd" - } - ] - }, - "DependsOn": [ - "PipelineRoleDefaultPolicy7BDC1ABB", - "PipelineRoleB27FAA37" - ] - }, - "PipelineSourceS3CodePipelineActionRole83895A58": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/key" - ] - ] - } - ] - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F", - "Roles": [ - { - "Ref": "PipelineSourceS3CodePipelineActionRole83895A58" - } - ] - } - }, - "PipelineBuildSynthCodePipelineActionRole4E7A6C97": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineBuildSynthCodePipelineActionRoleDefaultPolicy92C90290": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineBuildSynthCdkBuildProject6BEFA8E6", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineBuildSynthCodePipelineActionRoleDefaultPolicy92C90290", - "Roles": [ - { - "Ref": "PipelineBuildSynthCodePipelineActionRole4E7A6C97" - } - ] - } - }, - "PipelineBuildSynthCdkBuildProjectRole231EEA2A": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineBuildSynthCdkBuildProjectRoleDefaultPolicyFB6C941C": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - "-*" - ] - ] - } - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineBuildSynthCdkBuildProjectRoleDefaultPolicyFB6C941C", - "Roles": [ - { - "Ref": "PipelineBuildSynthCdkBuildProjectRole231EEA2A" - } - ] - } - }, - "PipelineBuildSynthCdkBuildProject6BEFA8E6": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "CODEPIPELINE" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "EnvironmentVariables": [ - { - "Name": "NPM_CONFIG_UNSAFE_PERM", - "Type": "PLAINTEXT", - "Value": "true" - } - ], - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "Name": "MyServicePipeline-synth", - "ServiceRole": { - "Fn::GetAtt": [ - "PipelineBuildSynthCdkBuildProjectRole231EEA2A", - "Arn" - ] - }, - "Source": { - "BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"pre_build\": {\n \"commands\": [\n \"npm ci\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"npx cdk synth\"\n ]\n }\n },\n \"artifacts\": {\n \"secondary-artifacts\": {\n \"CloudAsm\": {\n \"base-directory\": \"cdk.out\",\n \"files\": \"**/*\"\n },\n \"IntegTests\": {\n \"base-directory\": \"test\",\n \"files\": \"**/*\"\n }\n }\n }\n}", - "Type": "CODEPIPELINE" - } - } - }, - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleDefaultPolicyE626265B": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutationDAA41400", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleDefaultPolicyE626265B", - "Roles": [ - { - "Ref": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF" - } - ] - } - }, - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelinePreProdUseSourceCodePipelineActionRoleDefaultPolicy9BE325AD": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceProject2E711EB4", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelinePreProdUseSourceCodePipelineActionRoleDefaultPolicy9BE325AD", - "Roles": [ - { - "Ref": "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA" - } - ] - } - }, - "PipelinePreProdUseSourceProjectRole69B20A71": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelinePreProdUseSourceProjectRoleDefaultPolicy50F68DF3": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - }, - "-*" - ] - ] - } - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelinePreProdUseSourceProjectRoleDefaultPolicy50F68DF3", - "Roles": [ - { - "Ref": "PipelinePreProdUseSourceProjectRole69B20A71" - } - ] - } - }, - "PipelinePreProdUseSourceProject2E711EB4": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "CODEPIPELINE" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "ServiceRole": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceProjectRole69B20A71", - "Arn" - ] - }, - "Source": { - "BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"build\": {\n \"commands\": [\n \"set -eu\",\n \"cat README.md\"\n ]\n }\n }\n}", - "Type": "CODEPIPELINE" - } - } - }, - "PipelineUpdatePipelineSelfMutationRole57E559E8": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineUpdatePipelineSelfMutationRoleDefaultPolicyA225DA4E": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - "-*" - ] - ] - } - }, - { - "Action": "sts:AssumeRole", - "Condition": { - "ForAnyValue:StringEquals": { - "iam:ResourceTag/aws-cdk:bootstrap-role": [ - "image-publishing", - "file-publishing", - "deploy" - ] - } - }, - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:*:iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/*" - ] - ] - } - }, - { - "Action": [ - "cloudformation:DescribeStacks", - "s3:ListBucket" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineUpdatePipelineSelfMutationRoleDefaultPolicyA225DA4E", - "Roles": [ - { - "Ref": "PipelineUpdatePipelineSelfMutationRole57E559E8" - } - ] - } - }, - "PipelineUpdatePipelineSelfMutationDAA41400": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "CODEPIPELINE" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "ServiceRole": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutationRole57E559E8", - "Arn" - ] - }, - "Source": { - "BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"install\": {\n \"commands\": [\n \"npm install -g aws-cdk@2\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"cdk -a . deploy PipelineStack --require-approval=never --verbose\"\n ]\n }\n }\n}", - "Type": "CODEPIPELINE" - } - } - }, - "PipelineAssetsFileRole59943A77": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - }, - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineAssetsFileRoleDefaultPolicy14DB8755": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/*" - ] - ] - } - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/*" - ] - ] - } - }, - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Resource": { - "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineAssetsFileRoleDefaultPolicy14DB8755", - "Roles": [ - { - "Ref": "PipelineAssetsFileRole59943A77" - } - ] - } - }, - "PipelineAssetsFileAsset5D8C5DA6": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "CODEPIPELINE" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "ServiceRole": { - "Fn::GetAtt": [ - "PipelineAssetsFileRole59943A77", - "Arn" - ] - }, - "Source": { - "BuildSpec": "buildspec-assets-PipelineStack-Pipeline-Assets-FileAsset.yaml", - "Type": "CODEPIPELINE" - } - } - } - }, - "Mappings": { - "LatestNodeRuntimeMap": { - "af-south-1": { - "value": "nodejs20.x" - }, - "ap-east-1": { - "value": "nodejs20.x" - }, - "ap-northeast-1": { - "value": "nodejs20.x" - }, - "ap-northeast-2": { - "value": "nodejs20.x" - }, - "ap-northeast-3": { - "value": "nodejs20.x" - }, - "ap-south-1": { - "value": "nodejs20.x" - }, - "ap-south-2": { - "value": "nodejs20.x" - }, - "ap-southeast-1": { - "value": "nodejs20.x" - }, - "ap-southeast-2": { - "value": "nodejs20.x" - }, - "ap-southeast-3": { - "value": "nodejs20.x" - }, - "ap-southeast-4": { - "value": "nodejs20.x" - }, - "ap-southeast-5": { - "value": "nodejs20.x" - }, - "ap-southeast-7": { - "value": "nodejs20.x" - }, - "ca-central-1": { - "value": "nodejs20.x" - }, - "ca-west-1": { - "value": "nodejs20.x" - }, - "cn-north-1": { - "value": "nodejs18.x" - }, - "cn-northwest-1": { - "value": "nodejs18.x" - }, - "eu-central-1": { - "value": "nodejs20.x" - }, - "eu-central-2": { - "value": "nodejs20.x" - }, - "eu-isoe-west-1": { - "value": "nodejs18.x" - }, - "eu-north-1": { - "value": "nodejs20.x" - }, - "eu-south-1": { - "value": "nodejs20.x" - }, - "eu-south-2": { - "value": "nodejs20.x" - }, - "eu-west-1": { - "value": "nodejs20.x" - }, - "eu-west-2": { - "value": "nodejs20.x" - }, - "eu-west-3": { - "value": "nodejs20.x" - }, - "il-central-1": { - "value": "nodejs20.x" - }, - "me-central-1": { - "value": "nodejs20.x" - }, - "me-south-1": { - "value": "nodejs20.x" - }, - "mx-central-1": { - "value": "nodejs20.x" - }, - "sa-east-1": { - "value": "nodejs20.x" - }, - "us-east-1": { - "value": "nodejs20.x" - }, - "us-east-2": { - "value": "nodejs20.x" - }, - "us-gov-east-1": { - "value": "nodejs18.x" - }, - "us-gov-west-1": { - "value": "nodejs18.x" - }, - "us-iso-east-1": { - "value": "nodejs18.x" - }, - "us-iso-west-1": { - "value": "nodejs18.x" - }, - "us-isob-east-1": { - "value": "nodejs18.x" - }, - "us-west-1": { - "value": "nodejs20.x" - }, - "us-west-2": { - "value": "nodejs20.x" - } - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json deleted file mode 100644 index 6343ec9323d0c..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json +++ /dev/null @@ -1,45 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5": { - "source": { - "path": "../asset.8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5.txt", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5.txt", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - }, - "ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e": { - "source": { - "path": "../asset.ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e.txt", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e.txt", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - }, - "17b50ab4e61e5c19d1e2d14ccc136d8c1ae3b77a4236035ac6ac6273619764a4": { - "source": { - "path": "PipelineStackPreProdStack65A0AD1F.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "17b50ab4e61e5c19d1e2d14ccc136d8c1ae3b77a4236035ac6ac6273619764a4.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json deleted file mode 100644 index 5f37c46ccf4b5..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json +++ /dev/null @@ -1,41 +0,0 @@ -{ - "Resources": { - "Resource": { - "Type": "AWS::Test::SomeResource" - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/manifest.json deleted file mode 100644 index a85b758286df0..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/manifest.json +++ /dev/null @@ -1,60 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "PipelineStackPreProdStack65A0AD1F.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineStackPreProdStack65A0AD1F.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineStackPreProdStack65A0AD1F": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineStackPreProdStack65A0AD1F.template.json", - "terminationProtection": false, - "validateOnSynth": true, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/17b50ab4e61e5c19d1e2d14ccc136d8c1ae3b77a4236035ac6ac6273619764a4.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineStackPreProdStack65A0AD1F.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - }, - "stackName": "PreProd-Stack" - }, - "dependencies": [ - "PipelineStackPreProdStack65A0AD1F.assets" - ], - "metadata": { - "/PipelineStack/PreProd/Stack/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "Resource" - } - ], - "/PipelineStack/PreProd/Stack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineStack/PreProd/Stack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineStack/PreProd/Stack" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js deleted file mode 100644 index 1002ba018e9fb..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";var f=Object.create;var i=Object.defineProperty;var I=Object.getOwnPropertyDescriptor;var C=Object.getOwnPropertyNames;var w=Object.getPrototypeOf,P=Object.prototype.hasOwnProperty;var A=(t,e)=>{for(var o in e)i(t,o,{get:e[o],enumerable:!0})},d=(t,e,o,r)=>{if(e&&typeof e=="object"||typeof e=="function")for(let s of C(e))!P.call(t,s)&&s!==o&&i(t,s,{get:()=>e[s],enumerable:!(r=I(e,s))||r.enumerable});return t};var l=(t,e,o)=>(o=t!=null?f(w(t)):{},d(e||!t||!t.__esModule?i(o,"default",{value:t,enumerable:!0}):o,t)),B=t=>d(i({},"__esModule",{value:!0}),t);var q={};A(q,{autoDeleteHandler:()=>S,handler:()=>H});module.exports=B(q);var h=require("@aws-sdk/client-s3");var y=l(require("https")),m=l(require("url")),a={sendHttpRequest:D,log:T,includeStackTraces:!0,userHandlerIndex:"./index"},p="AWSCDK::CustomResourceProviderFramework::CREATE_FAILED",L="AWSCDK::CustomResourceProviderFramework::MISSING_PHYSICAL_ID";function R(t){return async(e,o)=>{let r={...e,ResponseURL:"..."};if(a.log(JSON.stringify(r,void 0,2)),e.RequestType==="Delete"&&e.PhysicalResourceId===p){a.log("ignoring DELETE event caused by a failed CREATE event"),await u("SUCCESS",e);return}try{let s=await t(r,o),n=k(e,s);await u("SUCCESS",n)}catch(s){let n={...e,Reason:a.includeStackTraces?s.stack:s.message};n.PhysicalResourceId||(e.RequestType==="Create"?(a.log("CREATE failed, responding with a marker physical resource id so that the subsequent DELETE will be ignored"),n.PhysicalResourceId=p):a.log(`ERROR: Malformed event. "PhysicalResourceId" is required: ${JSON.stringify(e)}`)),await u("FAILED",n)}}}function k(t,e={}){let o=e.PhysicalResourceId??t.PhysicalResourceId??t.RequestId;if(t.RequestType==="Delete"&&o!==t.PhysicalResourceId)throw new Error(`DELETE: cannot change the physical resource ID from "${t.PhysicalResourceId}" to "${e.PhysicalResourceId}" during deletion`);return{...t,...e,PhysicalResourceId:o}}async function u(t,e){let o={Status:t,Reason:e.Reason??t,StackId:e.StackId,RequestId:e.RequestId,PhysicalResourceId:e.PhysicalResourceId||L,LogicalResourceId:e.LogicalResourceId,NoEcho:e.NoEcho,Data:e.Data},r=m.parse(e.ResponseURL),s=`${r.protocol}//${r.hostname}/${r.pathname}?***`;a.log("submit response to cloudformation",s,o);let n=JSON.stringify(o),E={hostname:r.hostname,path:r.path,method:"PUT",headers:{"content-type":"","content-length":Buffer.byteLength(n,"utf8")}};await O({attempts:5,sleep:1e3},a.sendHttpRequest)(E,n)}async function D(t,e){return new Promise((o,r)=>{try{let s=y.request(t,n=>{n.resume(),!n.statusCode||n.statusCode>=400?r(new Error(`Unsuccessful HTTP response: ${n.statusCode}`)):o()});s.on("error",r),s.write(e),s.end()}catch(s){r(s)}})}function T(t,...e){console.log(t,...e)}function O(t,e){return async(...o)=>{let r=t.attempts,s=t.sleep;for(;;)try{return await e(...o)}catch(n){if(r--<=0)throw n;await b(Math.floor(Math.random()*s)),s*=2}}}async function b(t){return new Promise(e=>setTimeout(e,t))}var g="aws-cdk:auto-delete-objects",x=JSON.stringify({Version:"2012-10-17",Statement:[]}),c=new h.S3({}),H=R(S);async function S(t){switch(t.RequestType){case"Create":return;case"Update":return{PhysicalResourceId:(await F(t)).PhysicalResourceId};case"Delete":return N(t.ResourceProperties?.BucketName)}}async function F(t){let e=t,o=e.OldResourceProperties?.BucketName;return{PhysicalResourceId:e.ResourceProperties?.BucketName??o}}async function _(t){try{let e=(await c.getBucketPolicy({Bucket:t}))?.Policy??x,o=JSON.parse(e);o.Statement.push({Principal:"*",Effect:"Deny",Action:["s3:PutObject"],Resource:[`arn:aws:s3:::${t}/*`]}),await c.putBucketPolicy({Bucket:t,Policy:JSON.stringify(o)})}catch(e){if(e.name==="NoSuchBucket")throw e;console.log(`Could not set new object deny policy on bucket '${t}' prior to deletion.`)}}async function U(t){let e;do{e=await c.listObjectVersions({Bucket:t});let o=[...e.Versions??[],...e.DeleteMarkers??[]];if(o.length===0)return;let r=o.map(s=>({Key:s.Key,VersionId:s.VersionId}));await c.deleteObjects({Bucket:t,Delete:{Objects:r}})}while(e?.IsTruncated)}async function N(t){if(!t)throw new Error("No BucketName was provided.");try{if(!await W(t)){console.log(`Bucket does not have '${g}' tag, skipping cleaning.`);return}await _(t),await U(t)}catch(e){if(e.name==="NoSuchBucket"){console.log(`Bucket '${t}' does not exist.`);return}throw e}}async function W(t){return(await c.getBucketTagging({Bucket:t})).TagSet?.some(o=>o.Key===g&&o.Value==="true")}0&&(module.exports={autoDeleteHandler,handler}); diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5.txt b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5.txt deleted file mode 100644 index 95e9dcd2e3bf0..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5.txt +++ /dev/null @@ -1 +0,0 @@ -This is a file asset that's just here for kicks. \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e.txt b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e.txt deleted file mode 100644 index 8b1c7231bf2f4..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e.txt +++ /dev/null @@ -1 +0,0 @@ -Here's a second file asset. \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/buildspec-assets-PipelineStack-Pipeline-Assets-FileAsset.yaml b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/buildspec-assets-PipelineStack-Pipeline-Assets-FileAsset.yaml deleted file mode 100644 index 06708bb7e14f9..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/buildspec-assets-PipelineStack-Pipeline-Assets-FileAsset.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{ - "version": "0.2", - "phases": { - "install": { - "commands": [ - "npm install -g cdk-assets@2" - ] - }, - "build": { - "commands": [ - "cdk-assets --path \"assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json\" --verbose publish \"8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5:current_account-current_region\"", - "cdk-assets --path \"assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json\" --verbose publish \"ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e:current_account-current_region\"" - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/integ.json deleted file mode 100644 index 5315ad6d43743..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/integ.json +++ /dev/null @@ -1,13 +0,0 @@ -{ - "version": "36.0.0", - "testCases": { - "PipelineStackTest/DefaultTest": { - "stacks": [ - "PipelineStack" - ], - "diffAssets": true, - "assertionStack": "PipelineStackTest/DefaultTest/DeployAssert", - "assertionStackName": "PipelineStackTestDefaultTestDeployAssertBC780F98" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/manifest.json deleted file mode 100644 index e3dd3aa926f06..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/manifest.json +++ /dev/null @@ -1,318 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "assembly-PipelineStack-PreProd": { - "type": "cdk:cloud-assembly", - "properties": { - "directoryName": "assembly-PipelineStack-PreProd", - "displayName": "PipelineStack/PreProd" - } - }, - "PipelineStack.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineStack.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineStack": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineStack.template.json", - "terminationProtection": false, - "validateOnSynth": false, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/d638ba18659142158a20f892d018e0ed7ea71928d1859cbece1b4d50f7f514f5.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineStack.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "dependencies": [ - "PipelineStack.assets" - ], - "metadata": { - "/PipelineStack/SourceBucket/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "SourceBucketDDD2130A" - } - ], - "/PipelineStack/SourceBucket/Policy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "SourceBucketPolicy703DFBF9" - } - ], - "/PipelineStack/SourceBucket/AutoDeleteObjectsCustomResource/Default": [ - { - "type": "aws:cdk:logicalId", - "data": "SourceBucketAutoDeleteObjectsCustomResourceC68FC040" - } - ], - "/PipelineStack/LatestNodeRuntimeMap": [ - { - "type": "aws:cdk:logicalId", - "data": "LatestNodeRuntimeMap" - } - ], - "/PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Role": [ - { - "type": "aws:cdk:logicalId", - "data": "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" - } - ], - "/PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler": [ - { - "type": "aws:cdk:logicalId", - "data": "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F" - } - ], - "/PipelineStack/Pipeline/Pipeline": [ - { - "type": "aws:cdk:warning", - "data": "V1 pipeline type is implicitly selected when `pipelineType` is not set. If you want to use V2 type, set `PipelineType.V2`. [ack: @aws-cdk/aws-codepipeline:unspecifiedPipelineType]" - } - ], - "/PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKey/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineArtifactsBucketEncryptionKeyF5BF0670" - } - ], - "/PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKeyAlias/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineArtifactsBucketEncryptionKeyAlias94A07392" - } - ], - "/PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineArtifactsBucketAEA9A052" - } - ], - "/PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Policy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineArtifactsBucketPolicyF53CCC52" - } - ], - "/PipelineStack/Pipeline/Pipeline/Role/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineRoleB27FAA37" - } - ], - "/PipelineStack/Pipeline/Pipeline/Role/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineRoleDefaultPolicy7BDC1ABB" - } - ], - "/PipelineStack/Pipeline/Pipeline/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "Pipeline9850B417" - } - ], - "/PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineSourceS3CodePipelineActionRole83895A58" - } - ], - "/PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCodePipelineActionRole4E7A6C97" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCodePipelineActionRoleDefaultPolicy92C90290" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCdkBuildProjectRole231EEA2A" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCdkBuildProjectRoleDefaultPolicyFB6C941C" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - } - ], - "/PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF" - } - ], - "/PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleDefaultPolicyE626265B" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceCodePipelineActionRoleDefaultPolicy9BE325AD" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceProjectRole69B20A71" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceProjectRoleDefaultPolicy50F68DF3" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceProject2E711EB4" - } - ], - "/PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutationRole57E559E8" - } - ], - "/PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutationRoleDefaultPolicyA225DA4E" - } - ], - "/PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutationDAA41400" - } - ], - "/PipelineStack/Pipeline/Assets/FileRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineAssetsFileRole59943A77" - } - ], - "/PipelineStack/Pipeline/Assets/FileRole/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineAssetsFileRoleDefaultPolicy14DB8755" - } - ], - "/PipelineStack/Pipeline/Assets/FileAsset/Default/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineAssetsFileAsset5D8C5DA6" - } - ], - "/PipelineStack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineStack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineStack" - }, - "PipelineStackTestDefaultTestDeployAssertBC780F98.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineStackTestDefaultTestDeployAssertBC780F98.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineStackTestDefaultTestDeployAssertBC780F98": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineStackTestDefaultTestDeployAssertBC780F98.template.json", - "terminationProtection": false, - "validateOnSynth": false, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineStackTestDefaultTestDeployAssertBC780F98.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "dependencies": [ - "PipelineStackTestDefaultTestDeployAssertBC780F98.assets" - ], - "metadata": { - "/PipelineStackTest/DefaultTest/DeployAssert/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineStackTest/DefaultTest/DeployAssert/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineStackTest/DefaultTest/DeployAssert" - }, - "Tree": { - "type": "cdk:tree", - "properties": { - "file": "tree.json" - } - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/tree.json deleted file mode 100644 index 2f8c1da478a39..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/tree.json +++ /dev/null @@ -1,2946 +0,0 @@ -{ - "version": "tree-0.1", - "tree": { - "id": "App", - "path": "", - "children": { - "PipelineStack": { - "id": "PipelineStack", - "path": "PipelineStack", - "children": { - "SourceBucket": { - "id": "SourceBucket", - "path": "PipelineStack/SourceBucket", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/SourceBucket/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::S3::Bucket", - "aws:cdk:cloudformation:props": { - "tags": [ - { - "key": "aws-cdk:auto-delete-objects", - "value": "true" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucket", - "version": "0.0.0" - } - }, - "Policy": { - "id": "Policy", - "path": "PipelineStack/SourceBucket/Policy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/SourceBucket/Policy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::S3::BucketPolicy", - "aws:cdk:cloudformation:props": { - "bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "policyDocument": { - "Statement": [ - { - "Action": [ - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:List*", - "s3:PutBucketPolicy" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", - "Arn" - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucketPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.BucketPolicy", - "version": "0.0.0" - } - }, - "AutoDeleteObjectsCustomResource": { - "id": "AutoDeleteObjectsCustomResource", - "path": "PipelineStack/SourceBucket/AutoDeleteObjectsCustomResource", - "children": { - "Default": { - "id": "Default", - "path": "PipelineStack/SourceBucket/AutoDeleteObjectsCustomResource/Default", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.CustomResource", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.Bucket", - "version": "0.0.0" - } - }, - "LatestNodeRuntimeMap": { - "id": "LatestNodeRuntimeMap", - "path": "PipelineStack/LatestNodeRuntimeMap", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnMapping", - "version": "0.0.0" - } - }, - "Custom::S3AutoDeleteObjectsCustomResourceProvider": { - "id": "Custom::S3AutoDeleteObjectsCustomResourceProvider", - "path": "PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider", - "children": { - "Staging": { - "id": "Staging", - "path": "PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Staging", - "constructInfo": { - "fqn": "aws-cdk-lib.AssetStaging", - "version": "0.0.0" - } - }, - "Role": { - "id": "Role", - "path": "PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Role", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" - } - }, - "Handler": { - "id": "Handler", - "path": "PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.CustomResourceProviderBase", - "version": "0.0.0" - } - }, - "Pipeline": { - "id": "Pipeline", - "path": "PipelineStack/Pipeline", - "children": { - "Pipeline": { - "id": "Pipeline", - "path": "PipelineStack/Pipeline/Pipeline", - "children": { - "ArtifactsBucketEncryptionKey": { - "id": "ArtifactsBucketEncryptionKey", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKey", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKey/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::KMS::Key", - "aws:cdk:cloudformation:props": { - "keyPolicy": { - "Statement": [ - { - "Action": "kms:*", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": "*" - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": "*" - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.CfnKey", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.Key", - "version": "0.0.0" - } - }, - "ArtifactsBucketEncryptionKeyAlias": { - "id": "ArtifactsBucketEncryptionKeyAlias", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKeyAlias", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKeyAlias/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::KMS::Alias", - "aws:cdk:cloudformation:props": { - "aliasName": "alias/codepipeline-pipelinestack-pipeline-e95eedaa", - "targetKeyId": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.CfnAlias", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.Alias", - "version": "0.0.0" - } - }, - "ArtifactsBucket": { - "id": "ArtifactsBucket", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucket", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::S3::Bucket", - "aws:cdk:cloudformation:props": { - "bucketEncryption": { - "serverSideEncryptionConfiguration": [ - { - "serverSideEncryptionByDefault": { - "sseAlgorithm": "aws:kms", - "kmsMasterKeyId": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - } - ] - }, - "publicAccessBlockConfiguration": { - "blockPublicAcls": true, - "blockPublicPolicy": true, - "ignorePublicAcls": true, - "restrictPublicBuckets": true - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucket", - "version": "0.0.0" - } - }, - "Policy": { - "id": "Policy", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Policy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Policy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::S3::BucketPolicy", - "aws:cdk:cloudformation:props": { - "bucket": { - "Ref": "PipelineArtifactsBucketAEA9A052" - }, - "policyDocument": { - "Statement": [ - { - "Action": "s3:*", - "Condition": { - "Bool": { - "aws:SecureTransport": "false" - } - }, - "Effect": "Deny", - "Principal": { - "AWS": "*" - }, - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucketPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.BucketPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.Bucket", - "version": "0.0.0" - } - }, - "Role": { - "id": "Role", - "path": "PipelineStack/Pipeline/Pipeline/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "PipelineStack/Pipeline/Pipeline/Role/ImportRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codepipeline.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/Role/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Role/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - }, - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineAssetsFileRole59943A77", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineBuildSynthCodePipelineActionRole4E7A6C97", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineSourceS3CodePipelineActionRole83895A58", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineRoleDefaultPolicy7BDC1ABB", - "roles": [ - { - "Ref": "PipelineRoleB27FAA37" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CodePipeline::Pipeline", - "aws:cdk:cloudformation:props": { - "artifactStore": { - "type": "S3", - "location": { - "Ref": "PipelineArtifactsBucketAEA9A052" - }, - "encryptionKey": { - "type": "KMS", - "id": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - }, - "restartExecutionOnUpdate": true, - "roleArn": { - "Fn::GetAtt": [ - "PipelineRoleB27FAA37", - "Arn" - ] - }, - "stages": [ - { - "name": "Source", - "actions": [ - { - "name": "S3", - "outputArtifacts": [ - { - "name": "Artifact_Source_S3" - } - ], - "actionTypeId": { - "category": "Source", - "version": "1", - "owner": "AWS", - "provider": "S3" - }, - "configuration": { - "S3Bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "S3ObjectKey": "key" - }, - "runOrder": 1, - "roleArn": { - "Fn::GetAtt": [ - "PipelineSourceS3CodePipelineActionRole83895A58", - "Arn" - ] - } - } - ] - }, - { - "name": "Build", - "actions": [ - { - "name": "Synth", - "inputArtifacts": [ - { - "name": "Artifact_Source_S3" - } - ], - "outputArtifacts": [ - { - "name": "CloudAsm" - }, - { - "name": "IntegTests" - } - ], - "actionTypeId": { - "category": "Build", - "version": "1", - "owner": "AWS", - "provider": "CodeBuild" - }, - "configuration": { - "ProjectName": { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - "EnvironmentVariables": "[{\"name\":\"_PROJECT_CONFIG_HASH\",\"type\":\"PLAINTEXT\",\"value\":\"7f66814704b7757367a6ec706823d271fb9c6fceda866eee4260d1e76b73967b\"}]" - }, - "runOrder": 1, - "roleArn": { - "Fn::GetAtt": [ - "PipelineBuildSynthCodePipelineActionRole4E7A6C97", - "Arn" - ] - } - } - ] - }, - { - "name": "UpdatePipeline", - "actions": [ - { - "name": "SelfMutate", - "inputArtifacts": [ - { - "name": "CloudAsm" - } - ], - "actionTypeId": { - "category": "Build", - "version": "1", - "owner": "AWS", - "provider": "CodeBuild" - }, - "configuration": { - "ProjectName": { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - "EnvironmentVariables": "[{\"name\":\"CDK_CLI_VERSION\",\"type\":\"PLAINTEXT\",\"value\":\"2\"}]" - }, - "runOrder": 1, - "roleArn": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", - "Arn" - ] - } - } - ] - }, - { - "name": "Assets", - "actions": [ - { - "name": "FileAsset", - "inputArtifacts": [ - { - "name": "CloudAsm" - } - ], - "actionTypeId": { - "category": "Build", - "version": "1", - "owner": "AWS", - "provider": "CodeBuild" - }, - "configuration": { - "ProjectName": { - "Ref": "PipelineAssetsFileAsset5D8C5DA6" - }, - "EnvironmentVariables": "[{\"name\":\"CDK_CLI_VERSION\",\"type\":\"PLAINTEXT\",\"value\":\"2\"}]" - }, - "runOrder": 1, - "roleArn": { - "Fn::GetAtt": [ - "PipelineAssetsFileRole59943A77", - "Arn" - ] - } - } - ] - }, - { - "name": "PreProd", - "actions": [ - { - "name": "UseSource", - "inputArtifacts": [ - { - "name": "Artifact_Source_S3" - } - ], - "actionTypeId": { - "category": "Build", - "version": "1", - "owner": "AWS", - "provider": "CodeBuild" - }, - "configuration": { - "ProjectName": { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - } - }, - "runOrder": 100, - "roleArn": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA", - "Arn" - ] - } - }, - { - "name": "Stack.Prepare", - "inputArtifacts": [ - { - "name": "CloudAsm" - } - ], - "actionTypeId": { - "category": "Deploy", - "version": "1", - "owner": "AWS", - "provider": "CloudFormation" - }, - "configuration": { - "StackName": "PreProd-Stack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json" - }, - "runOrder": 1, - "roleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - { - "name": "Stack.Deploy", - "actionTypeId": { - "category": "Deploy", - "version": "1", - "owner": "AWS", - "provider": "CloudFormation" - }, - "configuration": { - "StackName": "PreProd-Stack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "runOrder": 2, - "roleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - } - ] - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codepipeline.CfnPipeline", - "version": "0.0.0" - } - }, - "Source": { - "id": "Source", - "path": "PipelineStack/Pipeline/Pipeline/Source", - "children": { - "S3": { - "id": "S3", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3", - "children": { - "CodePipelineActionRole": { - "id": "CodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole", - "children": { - "ImportCodePipelineActionRole": { - "id": "ImportCodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/ImportCodePipelineActionRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/key" - ] - ] - } - ] - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F", - "roles": [ - { - "Ref": "PipelineSourceS3CodePipelineActionRole83895A58" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Build": { - "id": "Build", - "path": "PipelineStack/Pipeline/Pipeline/Build", - "children": { - "Synth": { - "id": "Synth", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth", - "children": { - "CodePipelineActionRole": { - "id": "CodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole", - "children": { - "ImportCodePipelineActionRole": { - "id": "ImportCodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/ImportCodePipelineActionRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineBuildSynthCdkBuildProject6BEFA8E6", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineBuildSynthCodePipelineActionRoleDefaultPolicy92C90290", - "roles": [ - { - "Ref": "PipelineBuildSynthCodePipelineActionRole4E7A6C97" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "CdkBuildProject": { - "id": "CdkBuildProject", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject", - "children": { - "Role": { - "id": "Role", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/ImportRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - "-*" - ] - ] - } - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineBuildSynthCdkBuildProjectRoleDefaultPolicyFB6C941C", - "roles": [ - { - "Ref": "PipelineBuildSynthCdkBuildProjectRole231EEA2A" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CodeBuild::Project", - "aws:cdk:cloudformation:props": { - "artifacts": { - "type": "CODEPIPELINE" - }, - "cache": { - "type": "NO_CACHE" - }, - "encryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "environment": { - "type": "LINUX_CONTAINER", - "image": "aws/codebuild/standard:7.0", - "imagePullCredentialsType": "CODEBUILD", - "privilegedMode": false, - "computeType": "BUILD_GENERAL1_SMALL", - "environmentVariables": [ - { - "name": "NPM_CONFIG_UNSAFE_PERM", - "type": "PLAINTEXT", - "value": "true" - } - ] - }, - "name": "MyServicePipeline-synth", - "serviceRole": { - "Fn::GetAtt": [ - "PipelineBuildSynthCdkBuildProjectRole231EEA2A", - "Arn" - ] - }, - "source": { - "type": "CODEPIPELINE", - "buildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"pre_build\": {\n \"commands\": [\n \"npm ci\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"npx cdk synth\"\n ]\n }\n },\n \"artifacts\": {\n \"secondary-artifacts\": {\n \"CloudAsm\": {\n \"base-directory\": \"cdk.out\",\n \"files\": \"**/*\"\n },\n \"IntegTests\": {\n \"base-directory\": \"test\",\n \"files\": \"**/*\"\n }\n }\n }\n}" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.CfnProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.PipelineProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "UpdatePipeline": { - "id": "UpdatePipeline", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline", - "children": { - "SelfMutate": { - "id": "SelfMutate", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate", - "children": { - "CodePipelineActionRole": { - "id": "CodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole", - "children": { - "ImportCodePipelineActionRole": { - "id": "ImportCodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/ImportCodePipelineActionRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutationDAA41400", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleDefaultPolicyE626265B", - "roles": [ - { - "Ref": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "PreProd": { - "id": "PreProd", - "path": "PipelineStack/Pipeline/Pipeline/PreProd", - "children": { - "UseSource": { - "id": "UseSource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource", - "children": { - "CodePipelineActionRole": { - "id": "CodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole", - "children": { - "ImportCodePipelineActionRole": { - "id": "ImportCodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/ImportCodePipelineActionRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceProject2E711EB4", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelinePreProdUseSourceCodePipelineActionRoleDefaultPolicy9BE325AD", - "roles": [ - { - "Ref": "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Project": { - "id": "Project", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project", - "children": { - "Role": { - "id": "Role", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/ImportRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - }, - "-*" - ] - ] - } - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelinePreProdUseSourceProjectRoleDefaultPolicy50F68DF3", - "roles": [ - { - "Ref": "PipelinePreProdUseSourceProjectRole69B20A71" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CodeBuild::Project", - "aws:cdk:cloudformation:props": { - "artifacts": { - "type": "CODEPIPELINE" - }, - "cache": { - "type": "NO_CACHE" - }, - "encryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "environment": { - "type": "LINUX_CONTAINER", - "image": "aws/codebuild/standard:7.0", - "imagePullCredentialsType": "CODEBUILD", - "privilegedMode": false, - "computeType": "BUILD_GENERAL1_SMALL" - }, - "serviceRole": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceProjectRole69B20A71", - "Arn" - ] - }, - "source": { - "type": "CODEPIPELINE", - "buildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"build\": {\n \"commands\": [\n \"set -eu\",\n \"cat README.md\"\n ]\n }\n }\n}" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.CfnProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.PipelineProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Stack.Deploy": { - "id": "Stack.Deploy", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/Stack.Deploy", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Stack.Prepare": { - "id": "Stack.Prepare", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/Stack.Prepare", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Assets": { - "id": "Assets", - "path": "PipelineStack/Pipeline/Pipeline/Assets", - "children": { - "FileAsset": { - "id": "FileAsset", - "path": "PipelineStack/Pipeline/Pipeline/Assets/FileAsset", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codepipeline.Pipeline", - "version": "0.0.0" - } - }, - "UpdatePipeline": { - "id": "UpdatePipeline", - "path": "PipelineStack/Pipeline/UpdatePipeline", - "children": { - "SelfMutation": { - "id": "SelfMutation", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation", - "children": { - "Role": { - "id": "Role", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/ImportRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - "-*" - ] - ] - } - }, - { - "Action": "sts:AssumeRole", - "Condition": { - "ForAnyValue:StringEquals": { - "iam:ResourceTag/aws-cdk:bootstrap-role": [ - "image-publishing", - "file-publishing", - "deploy" - ] - } - }, - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:*:iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/*" - ] - ] - } - }, - { - "Action": [ - "cloudformation:DescribeStacks", - "s3:ListBucket" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineUpdatePipelineSelfMutationRoleDefaultPolicyA225DA4E", - "roles": [ - { - "Ref": "PipelineUpdatePipelineSelfMutationRole57E559E8" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CodeBuild::Project", - "aws:cdk:cloudformation:props": { - "artifacts": { - "type": "CODEPIPELINE" - }, - "cache": { - "type": "NO_CACHE" - }, - "encryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "environment": { - "type": "LINUX_CONTAINER", - "image": "aws/codebuild/standard:7.0", - "imagePullCredentialsType": "CODEBUILD", - "privilegedMode": false, - "computeType": "BUILD_GENERAL1_SMALL" - }, - "serviceRole": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutationRole57E559E8", - "Arn" - ] - }, - "source": { - "type": "CODEPIPELINE", - "buildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"install\": {\n \"commands\": [\n \"npm install -g aws-cdk@2\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"cdk -a . deploy PipelineStack --require-approval=never --verbose\"\n ]\n }\n }\n}" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.CfnProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.PipelineProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.pipelines.UpdatePipelineAction", - "version": "0.0.0" - } - }, - "Assets": { - "id": "Assets", - "path": "PipelineStack/Pipeline/Assets", - "children": { - "FileRole": { - "id": "FileRole", - "path": "PipelineStack/Pipeline/Assets/FileRole", - "children": { - "ImportFileRole": { - "id": "ImportFileRole", - "path": "PipelineStack/Pipeline/Assets/FileRole/ImportFileRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Assets/FileRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - }, - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Assets/FileRole/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Assets/FileRole/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/*" - ] - ] - } - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/*" - ] - ] - } - }, - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Resource": { - "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineAssetsFileRoleDefaultPolicy14DB8755", - "roles": [ - { - "Ref": "PipelineAssetsFileRole59943A77" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "FileAsset": { - "id": "FileAsset", - "path": "PipelineStack/Pipeline/Assets/FileAsset", - "children": { - "Default": { - "id": "Default", - "path": "PipelineStack/Pipeline/Assets/FileAsset/Default", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Assets/FileAsset/Default/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CodeBuild::Project", - "aws:cdk:cloudformation:props": { - "artifacts": { - "type": "CODEPIPELINE" - }, - "cache": { - "type": "NO_CACHE" - }, - "encryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "environment": { - "type": "LINUX_CONTAINER", - "image": "aws/codebuild/standard:7.0", - "imagePullCredentialsType": "CODEBUILD", - "privilegedMode": false, - "computeType": "BUILD_GENERAL1_SMALL" - }, - "serviceRole": { - "Fn::GetAtt": [ - "PipelineAssetsFileRole59943A77", - "Arn" - ] - }, - "source": { - "type": "CODEPIPELINE", - "buildSpec": "buildspec-assets-PipelineStack-Pipeline-Assets-FileAsset.yaml" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.CfnProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.PipelineProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.pipelines.PublishAssetsAction", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "PreProd": { - "id": "PreProd", - "path": "PipelineStack/Pipeline/PreProd", - "children": { - "MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}": { - "id": "MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "path": "PipelineStack/Pipeline/PreProd/MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}": { - "id": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "path": "PipelineStack/Pipeline/PreProd/arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "children": { - "8389e75f-0810-4838-bf64-d6f85a95cf83": { - "id": "8389e75f-0810-4838-bf64-d6f85a95cf83", - "path": "PipelineStack/Pipeline/PreProd/arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}/8389e75f-0810-4838-bf64-d6f85a95cf83", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}": { - "id": "MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "path": "PipelineStack/Pipeline/PreProd/MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}": { - "id": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "path": "PipelineStack/Pipeline/PreProd/arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.pipelines.CdkStage", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.pipelines.CdkPipeline", - "version": "0.0.0" - } - }, - "PreProd": { - "id": "PreProd", - "path": "PipelineStack/PreProd", - "children": { - "Stack": { - "id": "Stack", - "path": "PipelineStack/PreProd/Stack", - "children": { - "Asset": { - "id": "Asset", - "path": "PipelineStack/PreProd/Stack/Asset", - "children": { - "Stage": { - "id": "Stage", - "path": "PipelineStack/PreProd/Stack/Asset/Stage", - "constructInfo": { - "fqn": "aws-cdk-lib.AssetStaging", - "version": "0.0.0" - } - }, - "AssetBucket": { - "id": "AssetBucket", - "path": "PipelineStack/PreProd/Stack/Asset/AssetBucket", - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.BucketBase", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3_assets.Asset", - "version": "0.0.0" - } - }, - "Asset2": { - "id": "Asset2", - "path": "PipelineStack/PreProd/Stack/Asset2", - "children": { - "Stage": { - "id": "Stage", - "path": "PipelineStack/PreProd/Stack/Asset2/Stage", - "constructInfo": { - "fqn": "aws-cdk-lib.AssetStaging", - "version": "0.0.0" - } - }, - "AssetBucket": { - "id": "AssetBucket", - "path": "PipelineStack/PreProd/Stack/Asset2/AssetBucket", - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.BucketBase", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3_assets.Asset", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/PreProd/Stack/Resource", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" - } - }, - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "PipelineStack/PreProd/Stack/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "PipelineStack/PreProd/Stack/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stage", - "version": "0.0.0" - } - }, - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "PipelineStack/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "PipelineStack/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - }, - "PipelineStackTest": { - "id": "PipelineStackTest", - "path": "PipelineStackTest", - "children": { - "DefaultTest": { - "id": "DefaultTest", - "path": "PipelineStackTest/DefaultTest", - "children": { - "Default": { - "id": "Default", - "path": "PipelineStackTest/DefaultTest/Default", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "DeployAssert": { - "id": "DeployAssert", - "path": "PipelineStackTest/DefaultTest/DeployAssert", - "children": { - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "PipelineStackTest/DefaultTest/DeployAssert/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "PipelineStackTest/DefaultTest/DeployAssert/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", - "version": "0.0.0" - } - }, - "Tree": { - "id": "Tree", - "path": "Tree", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.App", - "version": "0.0.0" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.ts b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.ts deleted file mode 100644 index c05a52e685eba..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.ts +++ /dev/null @@ -1,107 +0,0 @@ -/// !cdk-integ PipelineStack pragma:set-context:@aws-cdk/core:newStyleStackSynthesis=true -import * as path from 'path'; -import * as codepipeline from 'aws-cdk-lib/aws-codepipeline'; -import * as codepipeline_actions from 'aws-cdk-lib/aws-codepipeline-actions'; -import * as s3 from 'aws-cdk-lib/aws-s3'; -import * as s3_assets from 'aws-cdk-lib/aws-s3-assets'; -import { App, CfnResource, RemovalPolicy, DefaultStackSynthesizer, Stack, StackProps, Stage, StageProps } from 'aws-cdk-lib'; -import { Construct } from 'constructs'; -import * as cdkp from 'aws-cdk-lib/pipelines'; -import { IntegTest } from '@aws-cdk/integ-tests-alpha'; - -class MyStage extends Stage { - constructor(scope: Construct, id: string, props?: StageProps) { - super(scope, id, props); - - const stack = new Stack(this, 'Stack', { - ...props, - synthesizer: new DefaultStackSynthesizer(), - }); - - new s3_assets.Asset(stack, 'Asset', { - path: path.join(__dirname, 'testhelpers/assets/test-file-asset.txt'), - }); - new s3_assets.Asset(stack, 'Asset2', { - path: path.join(__dirname, 'testhelpers/assets/test-file-asset-two.txt'), - }); - - new CfnResource(stack, 'Resource', { - type: 'AWS::Test::SomeResource', - }); - } -} - -/** - * The stack that defines the application pipeline - */ -class CdkpipelinesDemoPipelineStack extends Stack { - constructor(scope: Construct, id: string, props?: StackProps) { - super(scope, id, props); - - const sourceArtifact = new codepipeline.Artifact(); - const cloudAssemblyArtifact = new codepipeline.Artifact('CloudAsm'); - const integTestArtifact = new codepipeline.Artifact('IntegTests'); - - const sourceBucket = new s3.Bucket(this, 'SourceBucket', { - removalPolicy: RemovalPolicy.DESTROY, - autoDeleteObjects: true, - }); - const pipeline = new cdkp.CdkPipeline(this, 'Pipeline', { - crossAccountKeys: true, - cloudAssemblyArtifact, - singlePublisherPerType: true, - - // Where the source can be found - sourceAction: new codepipeline_actions.S3SourceAction({ - bucket: sourceBucket, - output: sourceArtifact, - bucketKey: 'key', - actionName: 'S3', - }), - - // How it will be built - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - projectName: 'MyServicePipeline-synth', - additionalArtifacts: [ - { - directory: 'test', - artifact: integTestArtifact, - }, - ], - }), - }); - - // This is where we add the application stages - // ... - const stage = pipeline.addApplicationStage(new MyStage(this, 'PreProd')); - stage.addActions( - new cdkp.ShellScriptAction({ - actionName: 'UseSource', - commands: [ - // Comes from source - 'cat README.md', - ], - additionalArtifacts: [sourceArtifact], - }), - ); - } -} - -const app = new App({ - postCliContext: { - '@aws-cdk/core:newStyleStackSynthesis': 'true', - '@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2': false, - }, -}); -const stack = new CdkpipelinesDemoPipelineStack(app, 'PipelineStack', { - synthesizer: new DefaultStackSynthesizer(), -}); - -new IntegTest(app, 'PipelineStackTest', { - testCases: [stack], - diffAssets: true, -}); - -app.synth(); diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets.ts b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets.ts deleted file mode 100644 index 3c71922e1e02d..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets.ts +++ /dev/null @@ -1,106 +0,0 @@ -/// !cdk-integ PipelineStack pragma:set-context:@aws-cdk/core:newStyleStackSynthesis=true -import * as path from 'path'; -import * as codepipeline from 'aws-cdk-lib/aws-codepipeline'; -import * as codepipeline_actions from 'aws-cdk-lib/aws-codepipeline-actions'; -import * as s3 from 'aws-cdk-lib/aws-s3'; -import * as s3_assets from 'aws-cdk-lib/aws-s3-assets'; -import { App, CfnResource, DefaultStackSynthesizer, RemovalPolicy, Stack, StackProps, Stage, StageProps } from 'aws-cdk-lib'; -import { Construct } from 'constructs'; -import * as cdkp from 'aws-cdk-lib/pipelines'; -import { IntegTest } from '@aws-cdk/integ-tests-alpha'; - -class MyStage extends Stage { - constructor(scope: Construct, id: string, props?: StageProps) { - super(scope, id, props); - - const stack = new Stack(this, 'Stack', { - ...props, - synthesizer: new DefaultStackSynthesizer(), - }); - - new s3_assets.Asset(stack, 'Asset', { - path: path.join(__dirname, 'testhelpers/assets/test-file-asset.txt'), - }); - new s3_assets.Asset(stack, 'Asset2', { - path: path.join(__dirname, 'testhelpers/assets/test-file-asset-two.txt'), - }); - - new CfnResource(stack, 'Resource', { - type: 'AWS::Test::SomeResource', - }); - } -} - -/** - * The stack that defines the application pipeline - */ -class CdkpipelinesDemoPipelineStack extends Stack { - constructor(scope: Construct, id: string, props?: StackProps) { - super(scope, id, props); - - const sourceArtifact = new codepipeline.Artifact(); - const cloudAssemblyArtifact = new codepipeline.Artifact('CloudAsm'); - const integTestArtifact = new codepipeline.Artifact('IntegTests'); - - const sourceBucket = new s3.Bucket(this, 'SourceBucket', { - removalPolicy: RemovalPolicy.DESTROY, - autoDeleteObjects: true, - }); - const pipeline = new cdkp.CdkPipeline(this, 'Pipeline', { - crossAccountKeys: true, - cloudAssemblyArtifact, - - // Where the source can be found - sourceAction: new codepipeline_actions.S3SourceAction({ - bucket: sourceBucket, - output: sourceArtifact, - bucketKey: 'key', - actionName: 'S3', - }), - - // How it will be built - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - projectName: 'MyServicePipeline-synth', - additionalArtifacts: [ - { - directory: 'test', - artifact: integTestArtifact, - }, - ], - }), - }); - - // This is where we add the application stages - // ... - const stage = pipeline.addApplicationStage(new MyStage(this, 'PreProd')); - stage.addActions( - new cdkp.ShellScriptAction({ - actionName: 'UseSource', - commands: [ - // Comes from source - 'cat README.md', - ], - additionalArtifacts: [sourceArtifact], - }), - ); - } -} - -const app = new App({ - postCliContext: { - '@aws-cdk/core:newStyleStackSynthesis': 'true', - '@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2': false, - }, -}); -const stack = new CdkpipelinesDemoPipelineStack(app, 'PipelineStack', { - synthesizer: new DefaultStackSynthesizer(), -}); - -new IntegTest(app, 'PipelineStackTest', { - testCases: [stack], - diffAssets: true, -}); - -app.synth(); diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStack.assets.json deleted file mode 100644 index d96305350050e..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStack.assets.json +++ /dev/null @@ -1,32 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61": { - "source": { - "path": "asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61", - "packaging": "zip" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61.zip", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - }, - "e7f81f8bda67ff3e586b06697af53694f5743a8e161a832b871afb6b753f90a9": { - "source": { - "path": "PipelineStack.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "e7f81f8bda67ff3e586b06697af53694f5743a8e161a832b871afb6b753f90a9.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStack.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStack.template.json deleted file mode 100644 index b95f0f452e79f..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStack.template.json +++ /dev/null @@ -1,1910 +0,0 @@ -{ - "Resources": { - "SourceBucketDDD2130A": { - "Type": "AWS::S3::Bucket", - "Properties": { - "Tags": [ - { - "Key": "aws-cdk:auto-delete-objects", - "Value": "true" - } - ] - }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "SourceBucketPolicy703DFBF9": { - "Type": "AWS::S3::BucketPolicy", - "Properties": { - "Bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:List*", - "s3:PutBucketPolicy" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", - "Arn" - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "SourceBucketAutoDeleteObjectsCustomResourceC68FC040": { - "Type": "Custom::S3AutoDeleteObjects", - "Properties": { - "ServiceToken": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", - "Arn" - ] - }, - "BucketName": { - "Ref": "SourceBucketDDD2130A" - } - }, - "DependsOn": [ - "SourceBucketPolicy703DFBF9" - ], - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "ManagedPolicyArns": [ - { - "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - } - ] - } - }, - "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { - "Type": "AWS::Lambda::Function", - "Properties": { - "Code": { - "S3Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, - "S3Key": "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61.zip" - }, - "Timeout": 900, - "MemorySize": 128, - "Handler": "index.handler", - "Role": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", - "Arn" - ] - }, - "Runtime": { - "Fn::FindInMap": [ - "LatestNodeRuntimeMap", - { - "Ref": "AWS::Region" - }, - "value" - ] - }, - "Description": { - "Fn::Join": [ - "", - [ - "Lambda function for auto-deleting objects in ", - { - "Ref": "SourceBucketDDD2130A" - }, - " S3 bucket." - ] - ] - } - }, - "DependsOn": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" - ] - }, - "PipelineArtifactsBucketEncryptionKeyF5BF0670": { - "Type": "AWS::KMS::Key", - "Properties": { - "KeyPolicy": { - "Statement": [ - { - "Action": "kms:*", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": "*" - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": "*" - } - ], - "Version": "2012-10-17" - } - }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "PipelineArtifactsBucketEncryptionKeyAlias94A07392": { - "Type": "AWS::KMS::Alias", - "Properties": { - "AliasName": "alias/codepipeline-pipelinestack-pipeline-e95eedaa", - "TargetKeyId": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "PipelineArtifactsBucketAEA9A052": { - "Type": "AWS::S3::Bucket", - "Properties": { - "BucketEncryption": { - "ServerSideEncryptionConfiguration": [ - { - "ServerSideEncryptionByDefault": { - "KMSMasterKeyID": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "SSEAlgorithm": "aws:kms" - } - } - ] - }, - "PublicAccessBlockConfiguration": { - "BlockPublicAcls": true, - "BlockPublicPolicy": true, - "IgnorePublicAcls": true, - "RestrictPublicBuckets": true - } - }, - "UpdateReplacePolicy": "Retain", - "DeletionPolicy": "Retain" - }, - "PipelineArtifactsBucketPolicyF53CCC52": { - "Type": "AWS::S3::BucketPolicy", - "Properties": { - "Bucket": { - "Ref": "PipelineArtifactsBucketAEA9A052" - }, - "PolicyDocument": { - "Statement": [ - { - "Action": "s3:*", - "Condition": { - "Bool": { - "aws:SecureTransport": "false" - } - }, - "Effect": "Deny", - "Principal": { - "AWS": "*" - }, - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineRoleB27FAA37": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codepipeline.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineRoleDefaultPolicy7BDC1ABB": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - }, - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineBuildSynthCodePipelineActionRole4E7A6C97", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineSourceS3CodePipelineActionRole83895A58", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineRoleDefaultPolicy7BDC1ABB", - "Roles": [ - { - "Ref": "PipelineRoleB27FAA37" - } - ] - } - }, - "Pipeline9850B417": { - "Type": "AWS::CodePipeline::Pipeline", - "Properties": { - "ArtifactStore": { - "EncryptionKey": { - "Id": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "Type": "KMS" - }, - "Location": { - "Ref": "PipelineArtifactsBucketAEA9A052" - }, - "Type": "S3" - }, - "RestartExecutionOnUpdate": true, - "RoleArn": { - "Fn::GetAtt": [ - "PipelineRoleB27FAA37", - "Arn" - ] - }, - "Stages": [ - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Source", - "Owner": "AWS", - "Provider": "S3", - "Version": "1" - }, - "Configuration": { - "S3Bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "S3ObjectKey": "key" - }, - "Name": "S3", - "OutputArtifacts": [ - { - "Name": "Artifact_Source_S3" - } - ], - "RoleArn": { - "Fn::GetAtt": [ - "PipelineSourceS3CodePipelineActionRole83895A58", - "Arn" - ] - }, - "RunOrder": 1 - } - ], - "Name": "Source" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - "EnvironmentVariables": "[{\"name\":\"_PROJECT_CONFIG_HASH\",\"type\":\"PLAINTEXT\",\"value\":\"7f66814704b7757367a6ec706823d271fb9c6fceda866eee4260d1e76b73967b\"}]" - }, - "InputArtifacts": [ - { - "Name": "Artifact_Source_S3" - } - ], - "Name": "Synth", - "OutputArtifacts": [ - { - "Name": "CloudAsm" - }, - { - "Name": "IntegTests" - } - ], - "RoleArn": { - "Fn::GetAtt": [ - "PipelineBuildSynthCodePipelineActionRole4E7A6C97", - "Arn" - ] - }, - "RunOrder": 1 - } - ], - "Name": "Build" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - "EnvironmentVariables": "[{\"name\":\"CDK_CLI_VERSION\",\"type\":\"PLAINTEXT\",\"value\":\"2\"}]" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "SelfMutate", - "RoleArn": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", - "Arn" - ] - }, - "RunOrder": 1 - } - ], - "Name": "UpdatePipeline" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - } - }, - "InputArtifacts": [ - { - "Name": "Artifact_Source_S3" - } - ], - "Name": "UseSource", - "RoleArn": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA", - "Arn" - ] - }, - "RunOrder": 100 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "PreProd-Stack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "Stack.Prepare", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 1 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "PreProd-Stack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "Name": "Stack.Deploy", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 2 - } - ], - "Name": "PreProd" - } - ] - }, - "DependsOn": [ - "PipelineRoleDefaultPolicy7BDC1ABB", - "PipelineRoleB27FAA37" - ] - }, - "PipelineSourceS3CodePipelineActionRole83895A58": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/key" - ] - ] - } - ] - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F", - "Roles": [ - { - "Ref": "PipelineSourceS3CodePipelineActionRole83895A58" - } - ] - } - }, - "PipelineBuildSynthCodePipelineActionRole4E7A6C97": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineBuildSynthCodePipelineActionRoleDefaultPolicy92C90290": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineBuildSynthCdkBuildProject6BEFA8E6", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineBuildSynthCodePipelineActionRoleDefaultPolicy92C90290", - "Roles": [ - { - "Ref": "PipelineBuildSynthCodePipelineActionRole4E7A6C97" - } - ] - } - }, - "PipelineBuildSynthCdkBuildProjectRole231EEA2A": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineBuildSynthCdkBuildProjectRoleDefaultPolicyFB6C941C": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - "-*" - ] - ] - } - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineBuildSynthCdkBuildProjectRoleDefaultPolicyFB6C941C", - "Roles": [ - { - "Ref": "PipelineBuildSynthCdkBuildProjectRole231EEA2A" - } - ] - } - }, - "PipelineBuildSynthCdkBuildProject6BEFA8E6": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "CODEPIPELINE" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "EnvironmentVariables": [ - { - "Name": "NPM_CONFIG_UNSAFE_PERM", - "Type": "PLAINTEXT", - "Value": "true" - } - ], - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "Name": "MyServicePipeline-synth", - "ServiceRole": { - "Fn::GetAtt": [ - "PipelineBuildSynthCdkBuildProjectRole231EEA2A", - "Arn" - ] - }, - "Source": { - "BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"pre_build\": {\n \"commands\": [\n \"npm ci\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"npx cdk synth\"\n ]\n }\n },\n \"artifacts\": {\n \"secondary-artifacts\": {\n \"CloudAsm\": {\n \"base-directory\": \"cdk.out\",\n \"files\": \"**/*\"\n },\n \"IntegTests\": {\n \"base-directory\": \"test\",\n \"files\": \"**/*\"\n }\n }\n }\n}", - "Type": "CODEPIPELINE" - } - } - }, - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleDefaultPolicyE626265B": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutationDAA41400", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleDefaultPolicyE626265B", - "Roles": [ - { - "Ref": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF" - } - ] - } - }, - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelinePreProdUseSourceCodePipelineActionRoleDefaultPolicy9BE325AD": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceProject2E711EB4", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelinePreProdUseSourceCodePipelineActionRoleDefaultPolicy9BE325AD", - "Roles": [ - { - "Ref": "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA" - } - ] - } - }, - "PipelinePreProdUseSourceProjectRole69B20A71": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelinePreProdUseSourceProjectRoleDefaultPolicy50F68DF3": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - }, - "-*" - ] - ] - } - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelinePreProdUseSourceProjectRoleDefaultPolicy50F68DF3", - "Roles": [ - { - "Ref": "PipelinePreProdUseSourceProjectRole69B20A71" - } - ] - } - }, - "PipelinePreProdUseSourceProject2E711EB4": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "CODEPIPELINE" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "ServiceRole": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceProjectRole69B20A71", - "Arn" - ] - }, - "Source": { - "BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"build\": {\n \"commands\": [\n \"set -eu\",\n \"cat README.md\"\n ]\n }\n }\n}", - "Type": "CODEPIPELINE" - } - } - }, - "PipelineUpdatePipelineSelfMutationRole57E559E8": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineUpdatePipelineSelfMutationRoleDefaultPolicyA225DA4E": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - "-*" - ] - ] - } - }, - { - "Action": "sts:AssumeRole", - "Condition": { - "ForAnyValue:StringEquals": { - "iam:ResourceTag/aws-cdk:bootstrap-role": [ - "image-publishing", - "file-publishing", - "deploy" - ] - } - }, - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:*:iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/*" - ] - ] - } - }, - { - "Action": [ - "cloudformation:DescribeStacks", - "s3:ListBucket" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineUpdatePipelineSelfMutationRoleDefaultPolicyA225DA4E", - "Roles": [ - { - "Ref": "PipelineUpdatePipelineSelfMutationRole57E559E8" - } - ] - } - }, - "PipelineUpdatePipelineSelfMutationDAA41400": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "CODEPIPELINE" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "ServiceRole": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutationRole57E559E8", - "Arn" - ] - }, - "Source": { - "BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"install\": {\n \"commands\": [\n \"npm install -g aws-cdk@2\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"cdk -a . deploy PipelineStack --require-approval=never --verbose\"\n ]\n }\n }\n}", - "Type": "CODEPIPELINE" - } - } - } - }, - "Mappings": { - "LatestNodeRuntimeMap": { - "af-south-1": { - "value": "nodejs20.x" - }, - "ap-east-1": { - "value": "nodejs20.x" - }, - "ap-northeast-1": { - "value": "nodejs20.x" - }, - "ap-northeast-2": { - "value": "nodejs20.x" - }, - "ap-northeast-3": { - "value": "nodejs20.x" - }, - "ap-south-1": { - "value": "nodejs20.x" - }, - "ap-south-2": { - "value": "nodejs20.x" - }, - "ap-southeast-1": { - "value": "nodejs20.x" - }, - "ap-southeast-2": { - "value": "nodejs20.x" - }, - "ap-southeast-3": { - "value": "nodejs20.x" - }, - "ap-southeast-4": { - "value": "nodejs20.x" - }, - "ap-southeast-5": { - "value": "nodejs20.x" - }, - "ap-southeast-7": { - "value": "nodejs20.x" - }, - "ca-central-1": { - "value": "nodejs20.x" - }, - "ca-west-1": { - "value": "nodejs20.x" - }, - "cn-north-1": { - "value": "nodejs18.x" - }, - "cn-northwest-1": { - "value": "nodejs18.x" - }, - "eu-central-1": { - "value": "nodejs20.x" - }, - "eu-central-2": { - "value": "nodejs20.x" - }, - "eu-isoe-west-1": { - "value": "nodejs18.x" - }, - "eu-north-1": { - "value": "nodejs20.x" - }, - "eu-south-1": { - "value": "nodejs20.x" - }, - "eu-south-2": { - "value": "nodejs20.x" - }, - "eu-west-1": { - "value": "nodejs20.x" - }, - "eu-west-2": { - "value": "nodejs20.x" - }, - "eu-west-3": { - "value": "nodejs20.x" - }, - "il-central-1": { - "value": "nodejs20.x" - }, - "me-central-1": { - "value": "nodejs20.x" - }, - "me-south-1": { - "value": "nodejs20.x" - }, - "mx-central-1": { - "value": "nodejs20.x" - }, - "sa-east-1": { - "value": "nodejs20.x" - }, - "us-east-1": { - "value": "nodejs20.x" - }, - "us-east-2": { - "value": "nodejs20.x" - }, - "us-gov-east-1": { - "value": "nodejs18.x" - }, - "us-gov-west-1": { - "value": "nodejs18.x" - }, - "us-iso-east-1": { - "value": "nodejs18.x" - }, - "us-iso-west-1": { - "value": "nodejs18.x" - }, - "us-isob-east-1": { - "value": "nodejs18.x" - }, - "us-west-1": { - "value": "nodejs20.x" - }, - "us-west-2": { - "value": "nodejs20.x" - } - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.assets.json deleted file mode 100644 index 8f0029884a021..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { - "source": { - "path": "PipelineStackTestDefaultTestDeployAssertBC780F98.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json deleted file mode 100644 index f4cee0d9b9779..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "17b50ab4e61e5c19d1e2d14ccc136d8c1ae3b77a4236035ac6ac6273619764a4": { - "source": { - "path": "PipelineStackPreProdStack65A0AD1F.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "17b50ab4e61e5c19d1e2d14ccc136d8c1ae3b77a4236035ac6ac6273619764a4.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json deleted file mode 100644 index 5f37c46ccf4b5..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json +++ /dev/null @@ -1,41 +0,0 @@ -{ - "Resources": { - "Resource": { - "Type": "AWS::Test::SomeResource" - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/manifest.json deleted file mode 100644 index a85b758286df0..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/manifest.json +++ /dev/null @@ -1,60 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "PipelineStackPreProdStack65A0AD1F.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineStackPreProdStack65A0AD1F.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineStackPreProdStack65A0AD1F": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineStackPreProdStack65A0AD1F.template.json", - "terminationProtection": false, - "validateOnSynth": true, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/17b50ab4e61e5c19d1e2d14ccc136d8c1ae3b77a4236035ac6ac6273619764a4.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineStackPreProdStack65A0AD1F.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - }, - "stackName": "PreProd-Stack" - }, - "dependencies": [ - "PipelineStackPreProdStack65A0AD1F.assets" - ], - "metadata": { - "/PipelineStack/PreProd/Stack/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "Resource" - } - ], - "/PipelineStack/PreProd/Stack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineStack/PreProd/Stack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineStack/PreProd/Stack" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js deleted file mode 100644 index 1002ba018e9fb..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";var f=Object.create;var i=Object.defineProperty;var I=Object.getOwnPropertyDescriptor;var C=Object.getOwnPropertyNames;var w=Object.getPrototypeOf,P=Object.prototype.hasOwnProperty;var A=(t,e)=>{for(var o in e)i(t,o,{get:e[o],enumerable:!0})},d=(t,e,o,r)=>{if(e&&typeof e=="object"||typeof e=="function")for(let s of C(e))!P.call(t,s)&&s!==o&&i(t,s,{get:()=>e[s],enumerable:!(r=I(e,s))||r.enumerable});return t};var l=(t,e,o)=>(o=t!=null?f(w(t)):{},d(e||!t||!t.__esModule?i(o,"default",{value:t,enumerable:!0}):o,t)),B=t=>d(i({},"__esModule",{value:!0}),t);var q={};A(q,{autoDeleteHandler:()=>S,handler:()=>H});module.exports=B(q);var h=require("@aws-sdk/client-s3");var y=l(require("https")),m=l(require("url")),a={sendHttpRequest:D,log:T,includeStackTraces:!0,userHandlerIndex:"./index"},p="AWSCDK::CustomResourceProviderFramework::CREATE_FAILED",L="AWSCDK::CustomResourceProviderFramework::MISSING_PHYSICAL_ID";function R(t){return async(e,o)=>{let r={...e,ResponseURL:"..."};if(a.log(JSON.stringify(r,void 0,2)),e.RequestType==="Delete"&&e.PhysicalResourceId===p){a.log("ignoring DELETE event caused by a failed CREATE event"),await u("SUCCESS",e);return}try{let s=await t(r,o),n=k(e,s);await u("SUCCESS",n)}catch(s){let n={...e,Reason:a.includeStackTraces?s.stack:s.message};n.PhysicalResourceId||(e.RequestType==="Create"?(a.log("CREATE failed, responding with a marker physical resource id so that the subsequent DELETE will be ignored"),n.PhysicalResourceId=p):a.log(`ERROR: Malformed event. "PhysicalResourceId" is required: ${JSON.stringify(e)}`)),await u("FAILED",n)}}}function k(t,e={}){let o=e.PhysicalResourceId??t.PhysicalResourceId??t.RequestId;if(t.RequestType==="Delete"&&o!==t.PhysicalResourceId)throw new Error(`DELETE: cannot change the physical resource ID from "${t.PhysicalResourceId}" to "${e.PhysicalResourceId}" during deletion`);return{...t,...e,PhysicalResourceId:o}}async function u(t,e){let o={Status:t,Reason:e.Reason??t,StackId:e.StackId,RequestId:e.RequestId,PhysicalResourceId:e.PhysicalResourceId||L,LogicalResourceId:e.LogicalResourceId,NoEcho:e.NoEcho,Data:e.Data},r=m.parse(e.ResponseURL),s=`${r.protocol}//${r.hostname}/${r.pathname}?***`;a.log("submit response to cloudformation",s,o);let n=JSON.stringify(o),E={hostname:r.hostname,path:r.path,method:"PUT",headers:{"content-type":"","content-length":Buffer.byteLength(n,"utf8")}};await O({attempts:5,sleep:1e3},a.sendHttpRequest)(E,n)}async function D(t,e){return new Promise((o,r)=>{try{let s=y.request(t,n=>{n.resume(),!n.statusCode||n.statusCode>=400?r(new Error(`Unsuccessful HTTP response: ${n.statusCode}`)):o()});s.on("error",r),s.write(e),s.end()}catch(s){r(s)}})}function T(t,...e){console.log(t,...e)}function O(t,e){return async(...o)=>{let r=t.attempts,s=t.sleep;for(;;)try{return await e(...o)}catch(n){if(r--<=0)throw n;await b(Math.floor(Math.random()*s)),s*=2}}}async function b(t){return new Promise(e=>setTimeout(e,t))}var g="aws-cdk:auto-delete-objects",x=JSON.stringify({Version:"2012-10-17",Statement:[]}),c=new h.S3({}),H=R(S);async function S(t){switch(t.RequestType){case"Create":return;case"Update":return{PhysicalResourceId:(await F(t)).PhysicalResourceId};case"Delete":return N(t.ResourceProperties?.BucketName)}}async function F(t){let e=t,o=e.OldResourceProperties?.BucketName;return{PhysicalResourceId:e.ResourceProperties?.BucketName??o}}async function _(t){try{let e=(await c.getBucketPolicy({Bucket:t}))?.Policy??x,o=JSON.parse(e);o.Statement.push({Principal:"*",Effect:"Deny",Action:["s3:PutObject"],Resource:[`arn:aws:s3:::${t}/*`]}),await c.putBucketPolicy({Bucket:t,Policy:JSON.stringify(o)})}catch(e){if(e.name==="NoSuchBucket")throw e;console.log(`Could not set new object deny policy on bucket '${t}' prior to deletion.`)}}async function U(t){let e;do{e=await c.listObjectVersions({Bucket:t});let o=[...e.Versions??[],...e.DeleteMarkers??[]];if(o.length===0)return;let r=o.map(s=>({Key:s.Key,VersionId:s.VersionId}));await c.deleteObjects({Bucket:t,Delete:{Objects:r}})}while(e?.IsTruncated)}async function N(t){if(!t)throw new Error("No BucketName was provided.");try{if(!await W(t)){console.log(`Bucket does not have '${g}' tag, skipping cleaning.`);return}await _(t),await U(t)}catch(e){if(e.name==="NoSuchBucket"){console.log(`Bucket '${t}' does not exist.`);return}throw e}}async function W(t){return(await c.getBucketTagging({Bucket:t})).TagSet?.some(o=>o.Key===g&&o.Value==="true")}0&&(module.exports={autoDeleteHandler,handler}); diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/integ.json deleted file mode 100644 index 5315ad6d43743..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/integ.json +++ /dev/null @@ -1,13 +0,0 @@ -{ - "version": "36.0.0", - "testCases": { - "PipelineStackTest/DefaultTest": { - "stacks": [ - "PipelineStack" - ], - "diffAssets": true, - "assertionStack": "PipelineStackTest/DefaultTest/DeployAssert", - "assertionStackName": "PipelineStackTestDefaultTestDeployAssertBC780F98" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/manifest.json deleted file mode 100644 index 515495bbbc66a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/manifest.json +++ /dev/null @@ -1,300 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "assembly-PipelineStack-PreProd": { - "type": "cdk:cloud-assembly", - "properties": { - "directoryName": "assembly-PipelineStack-PreProd", - "displayName": "PipelineStack/PreProd" - } - }, - "PipelineStack.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineStack.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineStack": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineStack.template.json", - "terminationProtection": false, - "validateOnSynth": false, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/e7f81f8bda67ff3e586b06697af53694f5743a8e161a832b871afb6b753f90a9.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineStack.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "dependencies": [ - "PipelineStack.assets" - ], - "metadata": { - "/PipelineStack/SourceBucket/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "SourceBucketDDD2130A" - } - ], - "/PipelineStack/SourceBucket/Policy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "SourceBucketPolicy703DFBF9" - } - ], - "/PipelineStack/SourceBucket/AutoDeleteObjectsCustomResource/Default": [ - { - "type": "aws:cdk:logicalId", - "data": "SourceBucketAutoDeleteObjectsCustomResourceC68FC040" - } - ], - "/PipelineStack/LatestNodeRuntimeMap": [ - { - "type": "aws:cdk:logicalId", - "data": "LatestNodeRuntimeMap" - } - ], - "/PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Role": [ - { - "type": "aws:cdk:logicalId", - "data": "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" - } - ], - "/PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler": [ - { - "type": "aws:cdk:logicalId", - "data": "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F" - } - ], - "/PipelineStack/Pipeline/Pipeline": [ - { - "type": "aws:cdk:warning", - "data": "V1 pipeline type is implicitly selected when `pipelineType` is not set. If you want to use V2 type, set `PipelineType.V2`. [ack: @aws-cdk/aws-codepipeline:unspecifiedPipelineType]" - } - ], - "/PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKey/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineArtifactsBucketEncryptionKeyF5BF0670" - } - ], - "/PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKeyAlias/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineArtifactsBucketEncryptionKeyAlias94A07392" - } - ], - "/PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineArtifactsBucketAEA9A052" - } - ], - "/PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Policy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineArtifactsBucketPolicyF53CCC52" - } - ], - "/PipelineStack/Pipeline/Pipeline/Role/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineRoleB27FAA37" - } - ], - "/PipelineStack/Pipeline/Pipeline/Role/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineRoleDefaultPolicy7BDC1ABB" - } - ], - "/PipelineStack/Pipeline/Pipeline/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "Pipeline9850B417" - } - ], - "/PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineSourceS3CodePipelineActionRole83895A58" - } - ], - "/PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCodePipelineActionRole4E7A6C97" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCodePipelineActionRoleDefaultPolicy92C90290" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCdkBuildProjectRole231EEA2A" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCdkBuildProjectRoleDefaultPolicyFB6C941C" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - } - ], - "/PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF" - } - ], - "/PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleDefaultPolicyE626265B" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceCodePipelineActionRoleDefaultPolicy9BE325AD" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceProjectRole69B20A71" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceProjectRoleDefaultPolicy50F68DF3" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceProject2E711EB4" - } - ], - "/PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutationRole57E559E8" - } - ], - "/PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutationRoleDefaultPolicyA225DA4E" - } - ], - "/PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutationDAA41400" - } - ], - "/PipelineStack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineStack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineStack" - }, - "PipelineStackTestDefaultTestDeployAssertBC780F98.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineStackTestDefaultTestDeployAssertBC780F98.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineStackTestDefaultTestDeployAssertBC780F98": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineStackTestDefaultTestDeployAssertBC780F98.template.json", - "terminationProtection": false, - "validateOnSynth": false, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineStackTestDefaultTestDeployAssertBC780F98.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "dependencies": [ - "PipelineStackTestDefaultTestDeployAssertBC780F98.assets" - ], - "metadata": { - "/PipelineStackTest/DefaultTest/DeployAssert/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineStackTest/DefaultTest/DeployAssert/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineStackTest/DefaultTest/DeployAssert" - }, - "Tree": { - "type": "cdk:tree", - "properties": { - "file": "tree.json" - } - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/tree.json deleted file mode 100644 index ffb2d51e18c94..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/tree.json +++ /dev/null @@ -1,2564 +0,0 @@ -{ - "version": "tree-0.1", - "tree": { - "id": "App", - "path": "", - "children": { - "PipelineStack": { - "id": "PipelineStack", - "path": "PipelineStack", - "children": { - "SourceBucket": { - "id": "SourceBucket", - "path": "PipelineStack/SourceBucket", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/SourceBucket/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::S3::Bucket", - "aws:cdk:cloudformation:props": { - "tags": [ - { - "key": "aws-cdk:auto-delete-objects", - "value": "true" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucket", - "version": "0.0.0" - } - }, - "Policy": { - "id": "Policy", - "path": "PipelineStack/SourceBucket/Policy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/SourceBucket/Policy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::S3::BucketPolicy", - "aws:cdk:cloudformation:props": { - "bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "policyDocument": { - "Statement": [ - { - "Action": [ - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:List*", - "s3:PutBucketPolicy" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", - "Arn" - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucketPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.BucketPolicy", - "version": "0.0.0" - } - }, - "AutoDeleteObjectsCustomResource": { - "id": "AutoDeleteObjectsCustomResource", - "path": "PipelineStack/SourceBucket/AutoDeleteObjectsCustomResource", - "children": { - "Default": { - "id": "Default", - "path": "PipelineStack/SourceBucket/AutoDeleteObjectsCustomResource/Default", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.CustomResource", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.Bucket", - "version": "0.0.0" - } - }, - "LatestNodeRuntimeMap": { - "id": "LatestNodeRuntimeMap", - "path": "PipelineStack/LatestNodeRuntimeMap", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnMapping", - "version": "0.0.0" - } - }, - "Custom::S3AutoDeleteObjectsCustomResourceProvider": { - "id": "Custom::S3AutoDeleteObjectsCustomResourceProvider", - "path": "PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider", - "children": { - "Staging": { - "id": "Staging", - "path": "PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Staging", - "constructInfo": { - "fqn": "aws-cdk-lib.AssetStaging", - "version": "0.0.0" - } - }, - "Role": { - "id": "Role", - "path": "PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Role", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" - } - }, - "Handler": { - "id": "Handler", - "path": "PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.CustomResourceProviderBase", - "version": "0.0.0" - } - }, - "Pipeline": { - "id": "Pipeline", - "path": "PipelineStack/Pipeline", - "children": { - "Pipeline": { - "id": "Pipeline", - "path": "PipelineStack/Pipeline/Pipeline", - "children": { - "ArtifactsBucketEncryptionKey": { - "id": "ArtifactsBucketEncryptionKey", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKey", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKey/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::KMS::Key", - "aws:cdk:cloudformation:props": { - "keyPolicy": { - "Statement": [ - { - "Action": "kms:*", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": "*" - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": "*" - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.CfnKey", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.Key", - "version": "0.0.0" - } - }, - "ArtifactsBucketEncryptionKeyAlias": { - "id": "ArtifactsBucketEncryptionKeyAlias", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKeyAlias", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKeyAlias/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::KMS::Alias", - "aws:cdk:cloudformation:props": { - "aliasName": "alias/codepipeline-pipelinestack-pipeline-e95eedaa", - "targetKeyId": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.CfnAlias", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.Alias", - "version": "0.0.0" - } - }, - "ArtifactsBucket": { - "id": "ArtifactsBucket", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucket", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::S3::Bucket", - "aws:cdk:cloudformation:props": { - "bucketEncryption": { - "serverSideEncryptionConfiguration": [ - { - "serverSideEncryptionByDefault": { - "sseAlgorithm": "aws:kms", - "kmsMasterKeyId": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - } - ] - }, - "publicAccessBlockConfiguration": { - "blockPublicAcls": true, - "blockPublicPolicy": true, - "ignorePublicAcls": true, - "restrictPublicBuckets": true - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucket", - "version": "0.0.0" - } - }, - "Policy": { - "id": "Policy", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Policy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Policy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::S3::BucketPolicy", - "aws:cdk:cloudformation:props": { - "bucket": { - "Ref": "PipelineArtifactsBucketAEA9A052" - }, - "policyDocument": { - "Statement": [ - { - "Action": "s3:*", - "Condition": { - "Bool": { - "aws:SecureTransport": "false" - } - }, - "Effect": "Deny", - "Principal": { - "AWS": "*" - }, - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucketPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.BucketPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.Bucket", - "version": "0.0.0" - } - }, - "Role": { - "id": "Role", - "path": "PipelineStack/Pipeline/Pipeline/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "PipelineStack/Pipeline/Pipeline/Role/ImportRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codepipeline.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/Role/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Role/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - }, - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineBuildSynthCodePipelineActionRole4E7A6C97", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineSourceS3CodePipelineActionRole83895A58", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineRoleDefaultPolicy7BDC1ABB", - "roles": [ - { - "Ref": "PipelineRoleB27FAA37" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CodePipeline::Pipeline", - "aws:cdk:cloudformation:props": { - "artifactStore": { - "type": "S3", - "location": { - "Ref": "PipelineArtifactsBucketAEA9A052" - }, - "encryptionKey": { - "type": "KMS", - "id": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - }, - "restartExecutionOnUpdate": true, - "roleArn": { - "Fn::GetAtt": [ - "PipelineRoleB27FAA37", - "Arn" - ] - }, - "stages": [ - { - "name": "Source", - "actions": [ - { - "name": "S3", - "outputArtifacts": [ - { - "name": "Artifact_Source_S3" - } - ], - "actionTypeId": { - "category": "Source", - "version": "1", - "owner": "AWS", - "provider": "S3" - }, - "configuration": { - "S3Bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "S3ObjectKey": "key" - }, - "runOrder": 1, - "roleArn": { - "Fn::GetAtt": [ - "PipelineSourceS3CodePipelineActionRole83895A58", - "Arn" - ] - } - } - ] - }, - { - "name": "Build", - "actions": [ - { - "name": "Synth", - "inputArtifacts": [ - { - "name": "Artifact_Source_S3" - } - ], - "outputArtifacts": [ - { - "name": "CloudAsm" - }, - { - "name": "IntegTests" - } - ], - "actionTypeId": { - "category": "Build", - "version": "1", - "owner": "AWS", - "provider": "CodeBuild" - }, - "configuration": { - "ProjectName": { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - "EnvironmentVariables": "[{\"name\":\"_PROJECT_CONFIG_HASH\",\"type\":\"PLAINTEXT\",\"value\":\"7f66814704b7757367a6ec706823d271fb9c6fceda866eee4260d1e76b73967b\"}]" - }, - "runOrder": 1, - "roleArn": { - "Fn::GetAtt": [ - "PipelineBuildSynthCodePipelineActionRole4E7A6C97", - "Arn" - ] - } - } - ] - }, - { - "name": "UpdatePipeline", - "actions": [ - { - "name": "SelfMutate", - "inputArtifacts": [ - { - "name": "CloudAsm" - } - ], - "actionTypeId": { - "category": "Build", - "version": "1", - "owner": "AWS", - "provider": "CodeBuild" - }, - "configuration": { - "ProjectName": { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - "EnvironmentVariables": "[{\"name\":\"CDK_CLI_VERSION\",\"type\":\"PLAINTEXT\",\"value\":\"2\"}]" - }, - "runOrder": 1, - "roleArn": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", - "Arn" - ] - } - } - ] - }, - { - "name": "PreProd", - "actions": [ - { - "name": "UseSource", - "inputArtifacts": [ - { - "name": "Artifact_Source_S3" - } - ], - "actionTypeId": { - "category": "Build", - "version": "1", - "owner": "AWS", - "provider": "CodeBuild" - }, - "configuration": { - "ProjectName": { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - } - }, - "runOrder": 100, - "roleArn": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA", - "Arn" - ] - } - }, - { - "name": "Stack.Prepare", - "inputArtifacts": [ - { - "name": "CloudAsm" - } - ], - "actionTypeId": { - "category": "Deploy", - "version": "1", - "owner": "AWS", - "provider": "CloudFormation" - }, - "configuration": { - "StackName": "PreProd-Stack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json" - }, - "runOrder": 1, - "roleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - { - "name": "Stack.Deploy", - "actionTypeId": { - "category": "Deploy", - "version": "1", - "owner": "AWS", - "provider": "CloudFormation" - }, - "configuration": { - "StackName": "PreProd-Stack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "runOrder": 2, - "roleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - } - ] - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codepipeline.CfnPipeline", - "version": "0.0.0" - } - }, - "Source": { - "id": "Source", - "path": "PipelineStack/Pipeline/Pipeline/Source", - "children": { - "S3": { - "id": "S3", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3", - "children": { - "CodePipelineActionRole": { - "id": "CodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole", - "children": { - "ImportCodePipelineActionRole": { - "id": "ImportCodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/ImportCodePipelineActionRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/key" - ] - ] - } - ] - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F", - "roles": [ - { - "Ref": "PipelineSourceS3CodePipelineActionRole83895A58" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Build": { - "id": "Build", - "path": "PipelineStack/Pipeline/Pipeline/Build", - "children": { - "Synth": { - "id": "Synth", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth", - "children": { - "CodePipelineActionRole": { - "id": "CodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole", - "children": { - "ImportCodePipelineActionRole": { - "id": "ImportCodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/ImportCodePipelineActionRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineBuildSynthCdkBuildProject6BEFA8E6", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineBuildSynthCodePipelineActionRoleDefaultPolicy92C90290", - "roles": [ - { - "Ref": "PipelineBuildSynthCodePipelineActionRole4E7A6C97" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "CdkBuildProject": { - "id": "CdkBuildProject", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject", - "children": { - "Role": { - "id": "Role", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/ImportRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - "-*" - ] - ] - } - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineBuildSynthCdkBuildProjectRoleDefaultPolicyFB6C941C", - "roles": [ - { - "Ref": "PipelineBuildSynthCdkBuildProjectRole231EEA2A" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CodeBuild::Project", - "aws:cdk:cloudformation:props": { - "artifacts": { - "type": "CODEPIPELINE" - }, - "cache": { - "type": "NO_CACHE" - }, - "encryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "environment": { - "type": "LINUX_CONTAINER", - "image": "aws/codebuild/standard:7.0", - "imagePullCredentialsType": "CODEBUILD", - "privilegedMode": false, - "computeType": "BUILD_GENERAL1_SMALL", - "environmentVariables": [ - { - "name": "NPM_CONFIG_UNSAFE_PERM", - "type": "PLAINTEXT", - "value": "true" - } - ] - }, - "name": "MyServicePipeline-synth", - "serviceRole": { - "Fn::GetAtt": [ - "PipelineBuildSynthCdkBuildProjectRole231EEA2A", - "Arn" - ] - }, - "source": { - "type": "CODEPIPELINE", - "buildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"pre_build\": {\n \"commands\": [\n \"npm ci\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"npx cdk synth\"\n ]\n }\n },\n \"artifacts\": {\n \"secondary-artifacts\": {\n \"CloudAsm\": {\n \"base-directory\": \"cdk.out\",\n \"files\": \"**/*\"\n },\n \"IntegTests\": {\n \"base-directory\": \"test\",\n \"files\": \"**/*\"\n }\n }\n }\n}" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.CfnProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.PipelineProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "UpdatePipeline": { - "id": "UpdatePipeline", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline", - "children": { - "SelfMutate": { - "id": "SelfMutate", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate", - "children": { - "CodePipelineActionRole": { - "id": "CodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole", - "children": { - "ImportCodePipelineActionRole": { - "id": "ImportCodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/ImportCodePipelineActionRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutationDAA41400", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleDefaultPolicyE626265B", - "roles": [ - { - "Ref": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "PreProd": { - "id": "PreProd", - "path": "PipelineStack/Pipeline/Pipeline/PreProd", - "children": { - "UseSource": { - "id": "UseSource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource", - "children": { - "CodePipelineActionRole": { - "id": "CodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole", - "children": { - "ImportCodePipelineActionRole": { - "id": "ImportCodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/ImportCodePipelineActionRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceProject2E711EB4", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelinePreProdUseSourceCodePipelineActionRoleDefaultPolicy9BE325AD", - "roles": [ - { - "Ref": "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Project": { - "id": "Project", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project", - "children": { - "Role": { - "id": "Role", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/ImportRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - }, - "-*" - ] - ] - } - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelinePreProdUseSourceProjectRoleDefaultPolicy50F68DF3", - "roles": [ - { - "Ref": "PipelinePreProdUseSourceProjectRole69B20A71" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CodeBuild::Project", - "aws:cdk:cloudformation:props": { - "artifacts": { - "type": "CODEPIPELINE" - }, - "cache": { - "type": "NO_CACHE" - }, - "encryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "environment": { - "type": "LINUX_CONTAINER", - "image": "aws/codebuild/standard:7.0", - "imagePullCredentialsType": "CODEBUILD", - "privilegedMode": false, - "computeType": "BUILD_GENERAL1_SMALL" - }, - "serviceRole": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceProjectRole69B20A71", - "Arn" - ] - }, - "source": { - "type": "CODEPIPELINE", - "buildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"build\": {\n \"commands\": [\n \"set -eu\",\n \"cat README.md\"\n ]\n }\n }\n}" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.CfnProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.PipelineProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Stack.Deploy": { - "id": "Stack.Deploy", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/Stack.Deploy", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Stack.Prepare": { - "id": "Stack.Prepare", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/Stack.Prepare", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codepipeline.Pipeline", - "version": "0.0.0" - } - }, - "UpdatePipeline": { - "id": "UpdatePipeline", - "path": "PipelineStack/Pipeline/UpdatePipeline", - "children": { - "SelfMutation": { - "id": "SelfMutation", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation", - "children": { - "Role": { - "id": "Role", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/ImportRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - "-*" - ] - ] - } - }, - { - "Action": "sts:AssumeRole", - "Condition": { - "ForAnyValue:StringEquals": { - "iam:ResourceTag/aws-cdk:bootstrap-role": [ - "image-publishing", - "file-publishing", - "deploy" - ] - } - }, - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:*:iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/*" - ] - ] - } - }, - { - "Action": [ - "cloudformation:DescribeStacks", - "s3:ListBucket" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineUpdatePipelineSelfMutationRoleDefaultPolicyA225DA4E", - "roles": [ - { - "Ref": "PipelineUpdatePipelineSelfMutationRole57E559E8" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CodeBuild::Project", - "aws:cdk:cloudformation:props": { - "artifacts": { - "type": "CODEPIPELINE" - }, - "cache": { - "type": "NO_CACHE" - }, - "encryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "environment": { - "type": "LINUX_CONTAINER", - "image": "aws/codebuild/standard:7.0", - "imagePullCredentialsType": "CODEBUILD", - "privilegedMode": false, - "computeType": "BUILD_GENERAL1_SMALL" - }, - "serviceRole": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutationRole57E559E8", - "Arn" - ] - }, - "source": { - "type": "CODEPIPELINE", - "buildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"install\": {\n \"commands\": [\n \"npm install -g aws-cdk@2\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"cdk -a . deploy PipelineStack --require-approval=never --verbose\"\n ]\n }\n }\n}" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.CfnProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.PipelineProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.pipelines.UpdatePipelineAction", - "version": "0.0.0" - } - }, - "Assets": { - "id": "Assets", - "path": "PipelineStack/Pipeline/Assets", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "PreProd": { - "id": "PreProd", - "path": "PipelineStack/Pipeline/PreProd", - "children": { - "MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}": { - "id": "MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "path": "PipelineStack/Pipeline/PreProd/MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}": { - "id": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "path": "PipelineStack/Pipeline/PreProd/arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "children": { - "8389e75f-0810-4838-bf64-d6f85a95cf83": { - "id": "8389e75f-0810-4838-bf64-d6f85a95cf83", - "path": "PipelineStack/Pipeline/PreProd/arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}/8389e75f-0810-4838-bf64-d6f85a95cf83", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}": { - "id": "MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "path": "PipelineStack/Pipeline/PreProd/MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}": { - "id": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "path": "PipelineStack/Pipeline/PreProd/arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.pipelines.CdkStage", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.pipelines.CdkPipeline", - "version": "0.0.0" - } - }, - "PreProd": { - "id": "PreProd", - "path": "PipelineStack/PreProd", - "children": { - "Stack": { - "id": "Stack", - "path": "PipelineStack/PreProd/Stack", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/PreProd/Stack/Resource", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" - } - }, - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "PipelineStack/PreProd/Stack/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "PipelineStack/PreProd/Stack/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stage", - "version": "0.0.0" - } - }, - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "PipelineStack/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "PipelineStack/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - }, - "PipelineStackTest": { - "id": "PipelineStackTest", - "path": "PipelineStackTest", - "children": { - "DefaultTest": { - "id": "DefaultTest", - "path": "PipelineStackTest/DefaultTest", - "children": { - "Default": { - "id": "Default", - "path": "PipelineStackTest/DefaultTest/Default", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "DeployAssert": { - "id": "DeployAssert", - "path": "PipelineStackTest/DefaultTest/DeployAssert", - "children": { - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "PipelineStackTest/DefaultTest/DeployAssert/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "PipelineStackTest/DefaultTest/DeployAssert/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", - "version": "0.0.0" - } - }, - "Tree": { - "id": "Tree", - "path": "Tree", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.App", - "version": "0.0.0" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.ts b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.ts deleted file mode 100644 index b8afeedfc285d..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.ts +++ /dev/null @@ -1,97 +0,0 @@ -/// !cdk-integ PipelineStack pragma:set-context:@aws-cdk/core:newStyleStackSynthesis=true -import * as codepipeline from 'aws-cdk-lib/aws-codepipeline'; -import * as codepipeline_actions from 'aws-cdk-lib/aws-codepipeline-actions'; -import * as s3 from 'aws-cdk-lib/aws-s3'; -import { App, CfnResource, DefaultStackSynthesizer, RemovalPolicy, Stack, StackProps, Stage, StageProps } from 'aws-cdk-lib'; -import { Construct } from 'constructs'; -import * as cdkp from 'aws-cdk-lib/pipelines'; -import { IntegTest } from '@aws-cdk/integ-tests-alpha'; - -class MyStage extends Stage { - constructor(scope: Construct, id: string, props?: StageProps) { - super(scope, id, props); - - const stack = new Stack(this, 'Stack', { - ...props, - synthesizer: new DefaultStackSynthesizer(), - }); - new CfnResource(stack, 'Resource', { - type: 'AWS::Test::SomeResource', - }); - } -} - -/** - * The stack that defines the application pipeline - */ -class CdkpipelinesDemoPipelineStack extends Stack { - constructor(scope: Construct, id: string, props?: StackProps) { - super(scope, id, props); - - const sourceArtifact = new codepipeline.Artifact(); - const cloudAssemblyArtifact = new codepipeline.Artifact('CloudAsm'); - const integTestArtifact = new codepipeline.Artifact('IntegTests'); - - const sourceBucket = new s3.Bucket(this, 'SourceBucket', { - removalPolicy: RemovalPolicy.DESTROY, - autoDeleteObjects: true, - }); - const pipeline = new cdkp.CdkPipeline(this, 'Pipeline', { - crossAccountKeys: true, - cloudAssemblyArtifact, - - // Where the source can be found - sourceAction: new codepipeline_actions.S3SourceAction({ - bucket: sourceBucket, - output: sourceArtifact, - bucketKey: 'key', - actionName: 'S3', - }), - - // How it will be built - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - projectName: 'MyServicePipeline-synth', - additionalArtifacts: [ - { - directory: 'test', - artifact: integTestArtifact, - }, - ], - }), - }); - - // This is where we add the application stages - // ... - const stage = pipeline.addApplicationStage(new MyStage(this, 'PreProd')); - stage.addActions( - new cdkp.ShellScriptAction({ - actionName: 'UseSource', - commands: [ - // Comes from source - 'cat README.md', - ], - additionalArtifacts: [sourceArtifact], - }), - ); - } -} - -const app = new App({ - postCliContext: { - '@aws-cdk/core:newStyleStackSynthesis': 'true', - '@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2': false, - }, -}); - -const stack = new CdkpipelinesDemoPipelineStack(app, 'PipelineStack', { - synthesizer: new DefaultStackSynthesizer(), -}); - -new IntegTest(app, 'PipelineStackTest', { - testCases: [stack], - diffAssets: true, -}); - -app.synth(); diff --git a/packages/@aws-cdk/aws-amplify-alpha/README.md b/packages/@aws-cdk/aws-amplify-alpha/README.md index 0aa1e72e37726..d543b4090faff 100644 --- a/packages/@aws-cdk/aws-amplify-alpha/README.md +++ b/packages/@aws-cdk/aws-amplify-alpha/README.md @@ -138,6 +138,17 @@ domain.mapSubDomain(main, 'www'); domain.mapSubDomain(dev); // sub domain prefix defaults to branch name ``` +To specify a custom certificate for your custom domain use the `customCertificate` property: + +```ts +declare const customCertificate: acm.Certificate; +declare const amplifyApp: amplify.App; + +const domain = amplifyApp.addDomain('example.com', { + customCertificate, // set your custom certificate +}); +``` + ## Restricting access Password protect the app with basic auth by specifying the `basicAuth` prop. diff --git a/packages/@aws-cdk/aws-amplify-alpha/lib/domain.ts b/packages/@aws-cdk/aws-amplify-alpha/lib/domain.ts index 6075d2b2a1a52..c90d2ed78a46b 100644 --- a/packages/@aws-cdk/aws-amplify-alpha/lib/domain.ts +++ b/packages/@aws-cdk/aws-amplify-alpha/lib/domain.ts @@ -1,3 +1,4 @@ +import * as acm from 'aws-cdk-lib/aws-certificatemanager'; import * as iam from 'aws-cdk-lib/aws-iam'; import { Lazy, Resource, IResolvable } from 'aws-cdk-lib/core'; import { Construct } from 'constructs'; @@ -36,6 +37,13 @@ export interface DomainOptions { * @default - all repository branches ['*', 'pr*'] */ readonly autoSubdomainCreationPatterns?: string[]; + + /** + * The type of SSL/TLS certificate to use for your custom domain + * + * @default - Amplify uses the default certificate that it provisions and manages for you + */ + readonly customCertificate?: acm.ICertificate; } /** @@ -130,6 +138,10 @@ export class Domain extends Resource { enableAutoSubDomain: !!props.enableAutoSubdomain, autoSubDomainCreationPatterns: props.autoSubdomainCreationPatterns || ['*', 'pr*'], autoSubDomainIamRole: props.autoSubDomainIamRole?.roleArn, + certificateSettings: props.customCertificate ? { + certificateType: 'CUSTOM', + customCertificateArn: props.customCertificate.certificateArn, + } : undefined, }); this.arn = domain.attrArn; diff --git a/packages/@aws-cdk/aws-amplify-alpha/rosetta/default.ts-fixture b/packages/@aws-cdk/aws-amplify-alpha/rosetta/default.ts-fixture index dd27e406b3985..85e3aab9ce9f6 100644 --- a/packages/@aws-cdk/aws-amplify-alpha/rosetta/default.ts-fixture +++ b/packages/@aws-cdk/aws-amplify-alpha/rosetta/default.ts-fixture @@ -2,6 +2,7 @@ import { SecretValue, Stack } from 'aws-cdk-lib'; import { Construct } from 'constructs'; import * as amplify from '@aws-cdk/aws-amplify-alpha'; +import * as acm from 'aws-cdk-lib/aws-certificatemanager'; class Fixture extends Stack { constructor(scope: Construct, id: string) { diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/domain.test.ts b/packages/@aws-cdk/aws-amplify-alpha/test/domain.test.ts index 4ed31051277e6..cbf8d9d9a42d2 100644 --- a/packages/@aws-cdk/aws-amplify-alpha/test/domain.test.ts +++ b/packages/@aws-cdk/aws-amplify-alpha/test/domain.test.ts @@ -1,4 +1,5 @@ import { Template } from 'aws-cdk-lib/assertions'; +import * as acm from 'aws-cdk-lib/aws-certificatemanager'; import * as iam from 'aws-cdk-lib/aws-iam'; import { App, SecretValue, Stack } from 'aws-cdk-lib'; import * as amplify from '../lib'; @@ -64,6 +65,78 @@ test('create a domain', () => { }); }); +test('create a domain with custom certificate', () => { + // GIVEN + const stack = new Stack(); + const app = new amplify.App(stack, 'App', { + sourceCodeProvider: new amplify.GitHubSourceCodeProvider({ + owner: 'aws', + repository: 'aws-cdk', + oauthToken: SecretValue.unsafePlainText('secret'), + }), + }); + const prodBranch = app.addBranch('main'); + const devBranch = app.addBranch('dev'); + + const customCertificate = new acm.Certificate(stack, 'Cert', { + domainName: '*.example.com', + }); + + // WHEN + const domain = app.addDomain('example.com', { + subDomains: [ + { + branch: prodBranch, + prefix: 'prod', + }, + ], + customCertificate, + }); + domain.mapSubDomain(devBranch); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::Amplify::Domain', { + AppId: { + 'Fn::GetAtt': [ + 'AppF1B96344', + 'AppId', + ], + }, + DomainName: 'example.com', + CertificateSettings: { + CertificateType: 'CUSTOM', + CustomCertificateArn: { + Ref: 'Cert5C9FAEC1', + }, + }, + SubDomainSettings: [ + { + BranchName: { + 'Fn::GetAtt': [ + 'AppmainF505BAED', + 'BranchName', + ], + }, + Prefix: 'prod', + }, + { + BranchName: { + 'Fn::GetAtt': [ + 'AppdevB328DAFC', + 'BranchName', + ], + }, + Prefix: { + 'Fn::GetAtt': [ + 'AppdevB328DAFC', + 'BranchName', + ], + }, + }, + ], + }); +}); + test('map a branch to the domain root', () => { // GIVEN const stack = new Stack(); diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/FargateTaskDefinitionDefaultTestDeployAssertD76B1D35.assets.json b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB.assets.json similarity index 86% rename from packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/FargateTaskDefinitionDefaultTestDeployAssertD76B1D35.assets.json rename to packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB.assets.json index a2587e6d528bd..f02a474074771 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/FargateTaskDefinitionDefaultTestDeployAssertD76B1D35.assets.json +++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB.assets.json @@ -3,7 +3,7 @@ "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { - "path": "FargateTaskDefinitionDefaultTestDeployAssertD76B1D35.template.json", + "path": "amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB.template.json", "packaging": "file" }, "destinations": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.template.json b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB.template.json similarity index 100% rename from packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.template.json rename to packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB.template.json diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/aws-ecs-fargate-task-def.assets.json b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/cdk-amplify-app-custom-domain.assets.json similarity index 65% rename from packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/aws-ecs-fargate-task-def.assets.json rename to packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/cdk-amplify-app-custom-domain.assets.json index 47920c3666a13..f1c3c1e152115 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/aws-ecs-fargate-task-def.assets.json +++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/cdk-amplify-app-custom-domain.assets.json @@ -1,15 +1,15 @@ { "version": "36.0.0", "files": { - "9cc4d79897c01e0d9dc06bb0648af4d1d360aea0fd4d556081bed713d96d2436": { + "5314d52dac3409b06902f1cf40df3d58dceb16146ad8cf66843edee0096d1d87": { "source": { - "path": "aws-ecs-fargate-task-def.template.json", + "path": "cdk-amplify-app-custom-domain.template.json", "packaging": "file" }, "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "9cc4d79897c01e0d9dc06bb0648af4d1d360aea0fd4d556081bed713d96d2436.json", + "objectKey": "5314d52dac3409b06902f1cf40df3d58dceb16146ad8cf66843edee0096d1d87.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/cdk-amplify-app-custom-domain.template.json b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/cdk-amplify-app-custom-domain.template.json new file mode 100644 index 0000000000000..5909af114f54a --- /dev/null +++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/cdk-amplify-app-custom-domain.template.json @@ -0,0 +1,210 @@ +{ + "Resources": { + "Repo02AC86CF": { + "Type": "AWS::CodeCommit::Repository", + "Properties": { + "RepositoryName": "integ-amplify-app" + } + }, + "AppRole1AF9B530": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "amplify.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "AppRoleDefaultPolicy9CADBAA1": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "codecommit:GitPull", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "Repo02AC86CF", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "AppRoleDefaultPolicy9CADBAA1", + "Roles": [ + { + "Ref": "AppRole1AF9B530" + } + ] + } + }, + "AppF1B96344": { + "Type": "AWS::Amplify::App", + "Properties": { + "BasicAuthConfig": { + "EnableBasicAuth": false + }, + "IAMServiceRole": { + "Fn::GetAtt": [ + "AppRole1AF9B530", + "Arn" + ] + }, + "Name": "App", + "Platform": "WEB", + "Repository": { + "Fn::GetAtt": [ + "Repo02AC86CF", + "CloneUrlHttp" + ] + } + } + }, + "AppmainF505BAED": { + "Type": "AWS::Amplify::Branch", + "Properties": { + "AppId": { + "Fn::GetAtt": [ + "AppF1B96344", + "AppId" + ] + }, + "BranchName": "main", + "EnableAutoBuild": true, + "EnablePullRequestPreview": true + } + }, + "AppdevB328DAFC": { + "Type": "AWS::Amplify::Branch", + "Properties": { + "AppId": { + "Fn::GetAtt": [ + "AppF1B96344", + "AppId" + ] + }, + "BranchName": "dev", + "EnableAutoBuild": true, + "EnablePullRequestPreview": true + } + }, + "Appexamplecom6AF1A3AD": { + "Type": "AWS::Amplify::Domain", + "Properties": { + "AppId": { + "Fn::GetAtt": [ + "AppF1B96344", + "AppId" + ] + }, + "AutoSubDomainCreationPatterns": [ + "*", + "pr*" + ], + "AutoSubDomainIAMRole": { + "Fn::GetAtt": [ + "AppRole1AF9B530", + "Arn" + ] + }, + "CertificateSettings": { + "CertificateType": "CUSTOM", + "CustomCertificateArn": { + "Ref": "Certificate4E7ABB08" + } + }, + "DomainName": "*.example.com", + "EnableAutoSubDomain": false, + "SubDomainSettings": [ + { + "BranchName": { + "Fn::GetAtt": [ + "AppmainF505BAED", + "BranchName" + ] + }, + "Prefix": "prod" + }, + { + "BranchName": { + "Fn::GetAtt": [ + "AppdevB328DAFC", + "BranchName" + ] + }, + "Prefix": { + "Fn::GetAtt": [ + "AppdevB328DAFC", + "BranchName" + ] + } + } + ] + } + }, + "Certificate4E7ABB08": { + "Type": "AWS::CertificateManager::Certificate", + "Properties": { + "DomainName": "*.*.example.com", + "DomainValidationOptions": [ + { + "DomainName": "*.*.example.com", + "HostedZoneId": "Z23ABC4XYZL05B" + } + ], + "Tags": [ + { + "Key": "Name", + "Value": "cdk-amplify-app-custom-domain/Certificate" + } + ], + "ValidationMethod": "DNS" + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/cdk.out b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/cdk.out similarity index 100% rename from packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/cdk.out rename to packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/cdk.out diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/integ.json b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/integ.json new file mode 100644 index 0000000000000..b8c953f413ca9 --- /dev/null +++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/integ.json @@ -0,0 +1,14 @@ +{ + "enableLookups": true, + "version": "36.0.0", + "testCases": { + "amplify-app-custom-domain-integ/DefaultTest": { + "stacks": [ + "cdk-amplify-app-custom-domain" + ], + "stackUpdateWorkflow": false, + "assertionStack": "amplify-app-custom-domain-integ/DefaultTest/DeployAssert", + "assertionStackName": "amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/manifest.json b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/manifest.json similarity index 57% rename from packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/manifest.json rename to packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/manifest.json index 11f65944a28fc..1586bbb9fed72 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/manifest.json @@ -1,28 +1,28 @@ { "version": "36.0.0", "artifacts": { - "aws-ecs-fargate-task-def.assets": { + "cdk-amplify-app-custom-domain.assets": { "type": "cdk:asset-manifest", "properties": { - "file": "aws-ecs-fargate-task-def.assets.json", + "file": "cdk-amplify-app-custom-domain.assets.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" } }, - "aws-ecs-fargate-task-def": { + "cdk-amplify-app-custom-domain": { "type": "aws:cloudformation:stack", "environment": "aws://unknown-account/unknown-region", "properties": { - "templateFile": "aws-ecs-fargate-task-def.template.json", + "templateFile": "cdk-amplify-app-custom-domain.template.json", "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/9cc4d79897c01e0d9dc06bb0648af4d1d360aea0fd4d556081bed713d96d2436.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/5314d52dac3409b06902f1cf40df3d58dceb16146ad8cf66843edee0096d1d87.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ - "aws-ecs-fargate-task-def.assets" + "cdk-amplify-app-custom-domain.assets" ], "lookupRole": { "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", @@ -31,52 +31,88 @@ } }, "dependencies": [ - "aws-ecs-fargate-task-def.assets" + "cdk-amplify-app-custom-domain.assets" ], "metadata": { - "/aws-ecs-fargate-task-def/TaskDef/TaskRole/Resource": [ + "/cdk-amplify-app-custom-domain/Repo/Resource": [ { "type": "aws:cdk:logicalId", - "data": "TaskDefTaskRole1EDB4A67" + "data": "Repo02AC86CF" } ], - "/aws-ecs-fargate-task-def/TaskDef/Resource": [ + "/cdk-amplify-app-custom-domain/App/Role/Resource": [ { "type": "aws:cdk:logicalId", - "data": "TaskDef54694570", + "data": "AppRole1AF9B530" + } + ], + "/cdk-amplify-app-custom-domain/App/Role/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "AppRoleDefaultPolicy9CADBAA1" + } + ], + "/cdk-amplify-app-custom-domain/App/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "AppF1B96344" + } + ], + "/cdk-amplify-app-custom-domain/App/main/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "AppmainF505BAED" + } + ], + "/cdk-amplify-app-custom-domain/App/dev/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "AppdevB328DAFC" + } + ], + "/cdk-amplify-app-custom-domain/App/*.example.com/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "Appexamplecom6AF1A3AD" + } + ], + "/cdk-amplify-app-custom-domain/Certificate/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "Certificate4E7ABB08", "trace": [ "!!DESTRUCTIVE_CHANGES: WILL_REPLACE" ] } ], - "/aws-ecs-fargate-task-def/BootstrapVersion": [ + "/cdk-amplify-app-custom-domain/BootstrapVersion": [ { "type": "aws:cdk:logicalId", "data": "BootstrapVersion" } ], - "/aws-ecs-fargate-task-def/CheckBootstrapVersion": [ + "/cdk-amplify-app-custom-domain/CheckBootstrapVersion": [ { "type": "aws:cdk:logicalId", "data": "CheckBootstrapVersion" } ] }, - "displayName": "aws-ecs-fargate-task-def" + "displayName": "cdk-amplify-app-custom-domain" }, - "FargateTaskDefinitionDefaultTestDeployAssertD76B1D35.assets": { + "amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB.assets": { "type": "cdk:asset-manifest", "properties": { - "file": "FargateTaskDefinitionDefaultTestDeployAssertD76B1D35.assets.json", + "file": "amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB.assets.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" } }, - "FargateTaskDefinitionDefaultTestDeployAssertD76B1D35": { + "amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB": { "type": "aws:cloudformation:stack", "environment": "aws://unknown-account/unknown-region", "properties": { - "templateFile": "FargateTaskDefinitionDefaultTestDeployAssertD76B1D35.template.json", + "templateFile": "amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB.template.json", "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", @@ -85,7 +121,7 @@ "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ - "FargateTaskDefinitionDefaultTestDeployAssertD76B1D35.assets" + "amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB.assets" ], "lookupRole": { "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", @@ -94,23 +130,23 @@ } }, "dependencies": [ - "FargateTaskDefinitionDefaultTestDeployAssertD76B1D35.assets" + "amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB.assets" ], "metadata": { - "/FargateTaskDefinition/DefaultTest/DeployAssert/BootstrapVersion": [ + "/amplify-app-custom-domain-integ/DefaultTest/DeployAssert/BootstrapVersion": [ { "type": "aws:cdk:logicalId", "data": "BootstrapVersion" } ], - "/FargateTaskDefinition/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + "/amplify-app-custom-domain-integ/DefaultTest/DeployAssert/CheckBootstrapVersion": [ { "type": "aws:cdk:logicalId", "data": "CheckBootstrapVersion" } ] }, - "displayName": "FargateTaskDefinition/DefaultTest/DeployAssert" + "displayName": "amplify-app-custom-domain-integ/DefaultTest/DeployAssert" }, "Tree": { "type": "cdk:tree", diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/tree.json b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/tree.json new file mode 100644 index 0000000000000..d91f03344d460 --- /dev/null +++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/tree.json @@ -0,0 +1,433 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "cdk-amplify-app-custom-domain": { + "id": "cdk-amplify-app-custom-domain", + "path": "cdk-amplify-app-custom-domain", + "children": { + "Repo": { + "id": "Repo", + "path": "cdk-amplify-app-custom-domain/Repo", + "children": { + "Resource": { + "id": "Resource", + "path": "cdk-amplify-app-custom-domain/Repo/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::CodeCommit::Repository", + "aws:cdk:cloudformation:props": { + "repositoryName": "integ-amplify-app" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_codecommit.CfnRepository", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_codecommit.Repository", + "version": "0.0.0" + } + }, + "App": { + "id": "App", + "path": "cdk-amplify-app-custom-domain/App", + "children": { + "Role": { + "id": "Role", + "path": "cdk-amplify-app-custom-domain/App/Role", + "children": { + "ImportRole": { + "id": "ImportRole", + "path": "cdk-amplify-app-custom-domain/App/Role/ImportRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "cdk-amplify-app-custom-domain/App/Role/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "amplify.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + }, + "DefaultPolicy": { + "id": "DefaultPolicy", + "path": "cdk-amplify-app-custom-domain/App/Role/DefaultPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "cdk-amplify-app-custom-domain/App/Role/DefaultPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Policy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": "codecommit:GitPull", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "Repo02AC86CF", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "policyName": "AppRoleDefaultPolicy9CADBAA1", + "roles": [ + { + "Ref": "AppRole1AF9B530" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Policy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "cdk-amplify-app-custom-domain/App/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Amplify::App", + "aws:cdk:cloudformation:props": { + "basicAuthConfig": { + "enableBasicAuth": false + }, + "iamServiceRole": { + "Fn::GetAtt": [ + "AppRole1AF9B530", + "Arn" + ] + }, + "name": "App", + "platform": "WEB", + "repository": { + "Fn::GetAtt": [ + "Repo02AC86CF", + "CloneUrlHttp" + ] + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_amplify.CfnApp", + "version": "0.0.0" + } + }, + "main": { + "id": "main", + "path": "cdk-amplify-app-custom-domain/App/main", + "children": { + "Resource": { + "id": "Resource", + "path": "cdk-amplify-app-custom-domain/App/main/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Amplify::Branch", + "aws:cdk:cloudformation:props": { + "appId": { + "Fn::GetAtt": [ + "AppF1B96344", + "AppId" + ] + }, + "branchName": "main", + "enableAutoBuild": true, + "enablePullRequestPreview": true + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_amplify.CfnBranch", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "dev": { + "id": "dev", + "path": "cdk-amplify-app-custom-domain/App/dev", + "children": { + "Resource": { + "id": "Resource", + "path": "cdk-amplify-app-custom-domain/App/dev/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Amplify::Branch", + "aws:cdk:cloudformation:props": { + "appId": { + "Fn::GetAtt": [ + "AppF1B96344", + "AppId" + ] + }, + "branchName": "dev", + "enableAutoBuild": true, + "enablePullRequestPreview": true + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_amplify.CfnBranch", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "*.example.com": { + "id": "*.example.com", + "path": "cdk-amplify-app-custom-domain/App/*.example.com", + "children": { + "Resource": { + "id": "Resource", + "path": "cdk-amplify-app-custom-domain/App/*.example.com/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Amplify::Domain", + "aws:cdk:cloudformation:props": { + "appId": { + "Fn::GetAtt": [ + "AppF1B96344", + "AppId" + ] + }, + "autoSubDomainCreationPatterns": [ + "*", + "pr*" + ], + "autoSubDomainIamRole": { + "Fn::GetAtt": [ + "AppRole1AF9B530", + "Arn" + ] + }, + "certificateSettings": { + "certificateType": "CUSTOM", + "customCertificateArn": { + "Ref": "Certificate4E7ABB08" + } + }, + "domainName": "*.example.com", + "enableAutoSubDomain": false, + "subDomainSettings": [ + { + "branchName": { + "Fn::GetAtt": [ + "AppmainF505BAED", + "BranchName" + ] + }, + "prefix": "prod" + }, + { + "branchName": { + "Fn::GetAtt": [ + "AppdevB328DAFC", + "BranchName" + ] + }, + "prefix": { + "Fn::GetAtt": [ + "AppdevB328DAFC", + "BranchName" + ] + } + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_amplify.CfnDomain", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "HostedZone": { + "id": "HostedZone", + "path": "cdk-amplify-app-custom-domain/HostedZone", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Certificate": { + "id": "Certificate", + "path": "cdk-amplify-app-custom-domain/Certificate", + "children": { + "Resource": { + "id": "Resource", + "path": "cdk-amplify-app-custom-domain/Certificate/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::CertificateManager::Certificate", + "aws:cdk:cloudformation:props": { + "domainName": "*.*.example.com", + "domainValidationOptions": [ + { + "domainName": "*.*.example.com", + "hostedZoneId": "Z23ABC4XYZL05B" + } + ], + "tags": [ + { + "key": "Name", + "value": "cdk-amplify-app-custom-domain/Certificate" + } + ], + "validationMethod": "DNS" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_certificatemanager.CfnCertificate", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_certificatemanager.Certificate", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "cdk-amplify-app-custom-domain/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "cdk-amplify-app-custom-domain/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "amplify-app-custom-domain-integ": { + "id": "amplify-app-custom-domain-integ", + "path": "amplify-app-custom-domain-integ", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "amplify-app-custom-domain-integ/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "amplify-app-custom-domain-integ/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "amplify-app-custom-domain-integ/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "amplify-app-custom-domain-integ/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "amplify-app-custom-domain-integ/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.ts b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.ts new file mode 100644 index 0000000000000..2d38147cb0475 --- /dev/null +++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.ts @@ -0,0 +1,75 @@ +import * as acm from 'aws-cdk-lib/aws-certificatemanager'; +import * as codecommit from 'aws-cdk-lib/aws-codecommit'; +import * as route53 from 'aws-cdk-lib/aws-route53'; +import { App, Stack, StackProps } from 'aws-cdk-lib'; +import { Construct } from 'constructs'; +import * as amplify from '../lib'; +import { IntegTest } from '@aws-cdk/integ-tests-alpha'; + +interface TestStackProps extends StackProps { + hostedZoneId: string; + hostedZoneName: string; + domainName: string; +} + +class TestStack extends Stack { + constructor(scope: Construct, id: string, props: TestStackProps) { + super(scope, id, props); + + const repository = new codecommit.Repository(this, 'Repo', { + repositoryName: 'integ-amplify-app', + }); + + const app = new amplify.App(this, 'App', { + sourceCodeProvider: new amplify.CodeCommitSourceCodeProvider({ repository }), + }); + + const prodBranch = app.addBranch('main'); + const devBranch = app.addBranch('dev'); + + const hostedZone = route53.PublicHostedZone.fromHostedZoneAttributes(this, 'HostedZone', { + hostedZoneId: props.hostedZoneId, + zoneName: props.hostedZoneName, + }); + + const customCertificate = new acm.Certificate(this, 'Certificate', { + domainName: `*.${props.domainName}`, + validation: acm.CertificateValidation.fromDns(hostedZone), + }); + + const domain = app.addDomain(props.domainName, { + subDomains: [ + { + branch: prodBranch, + prefix: 'prod', + }, + ], + customCertificate, + }); + domain.mapSubDomain(devBranch); + } +} + +/** + * In order to test this you need to have a valid public hosted zone that you can use + * to request certificates for. +*/ +const hostedZoneId = process.env.CDK_INTEG_HOSTED_ZONE_ID ?? process.env.HOSTED_ZONE_ID; +if (!hostedZoneId) throw new Error('For this test you must provide your own HostedZoneId as an env var "HOSTED_ZONE_ID". See framework-integ/README.md for details.'); +const hostedZoneName = process.env.CDK_INTEG_HOSTED_ZONE_NAME ?? process.env.HOSTED_ZONE_NAME; +if (!hostedZoneName) throw new Error('For this test you must provide your own HostedZoneName as an env var "HOSTED_ZONE_NAME". See framework-integ/README.md for details.'); +const domainName = process.env.CDK_INTEG_DOMAIN_NAME ?? process.env.DOMAIN_NAME; +if (!domainName) throw new Error('For this test you must provide your own DomainName as an env var "DOMAIN_NAME". See framework-integ/README.md for details.'); + +const app = new App(); +const stack = new TestStack(app, 'cdk-amplify-app-custom-domain', { + hostedZoneId, + hostedZoneName, + domainName, +}); + +new IntegTest(app, 'amplify-app-custom-domain-integ', { + testCases: [stack], + enableLookups: true, + stackUpdateWorkflow: false, +}); diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool.ts b/packages/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool.ts index 9e65131f5cae8..1277bd682013f 100644 --- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool.ts +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool.ts @@ -16,6 +16,7 @@ import { Stack, ArnFormat, Lazy, + Token, } from 'aws-cdk-lib/core'; import { Construct, @@ -329,9 +330,15 @@ export class IdentityPool extends Resource implements IIdentityPool { if (!res) { throw new Error('Invalid Identity Pool ARN'); } - const idParts = res.split(':'); - if (!(idParts.length === 2)) throw new Error('Invalid Identity Pool Id: Identity Pool Ids must follow the format :'); - if (idParts[0] !== pool.region) throw new Error('Invalid Identity Pool Id: Region in Identity Pool Id must match stack region'); + if (!Token.isUnresolved(res)) { + const idParts = res.split(':'); + if (!(idParts.length === 2)) { + throw new Error('Invalid Identity Pool Id: Identity Pool Ids must follow the format :'); + } + if (!Token.isUnresolved(pool.region) && idParts[0] !== pool.region) { + throw new Error('Invalid Identity Pool Id: Region in Identity Pool Id must match stack region'); + } + } class ImportedIdentityPool extends Resource implements IIdentityPool { public readonly identityPoolId = res; public readonly identityPoolArn = identityPoolArn; diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/identitypool.test.ts b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/identitypool.test.ts index 3bacbeeb104ea..417c848c4407f 100644 --- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/identitypool.test.ts +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/identitypool.test.ts @@ -19,6 +19,7 @@ import { } from 'aws-cdk-lib/aws-iam'; import { Fn, + Lazy, Stack, } from 'aws-cdk-lib'; import { @@ -203,14 +204,28 @@ describe('identity pool', () => { account: '1234567891011', }, }); - expect(() => IdentityPool.fromIdentityPoolId(stack, 'idPoolIdError', 'idPool')).toThrowError('Invalid Identity Pool Id: Identity Pool Ids must follow the format :'); - expect(() => IdentityPool.fromIdentityPoolArn(stack, 'idPoolArnError', 'arn:aws:cognito-identity:my-region:1234567891011:identitypool\/your-region:idPool/')).toThrowError('Invalid Identity Pool Id: Region in Identity Pool Id must match stack region'); + expect(() => IdentityPool.fromIdentityPoolId(stack, 'idPoolIdError', 'idPool')).toThrow('Invalid Identity Pool Id: Identity Pool Ids must follow the format :'); + expect(() => IdentityPool.fromIdentityPoolId(stack, 'idPoolIdRegionError', 'your-region:idPool')).toThrow('Invalid Identity Pool Id: Region in Identity Pool Id must match stack region'); + expect(() => IdentityPool.fromIdentityPoolArn(stack, 'idPoolArnError', 'arn:aws:cognito-identity:my-region:1234567891011:identitypool\/your-region:idPool/')).toThrow('Invalid Identity Pool Id: Region in Identity Pool Id must match stack region'); const idPool = IdentityPool.fromIdentityPoolId(stack, 'staticIdPool', 'my-region:idPool'); expect(idPool.identityPoolId).toEqual('my-region:idPool'); expect(idPool.identityPoolArn).toMatch(/cognito-identity:my-region:1234567891011:identitypool\/my-region:idPool/); }); + test('fromIdentityPoolId accept token', () => { + const stack = new Stack(); + expect(() => IdentityPool.fromIdentityPoolId(stack, 'IdPool1', Lazy.string({ produce: () => 'lazy-id' }))).not.toThrow(); + expect(() => IdentityPool.fromIdentityPoolId(stack, 'IdPool2', 'id-region:pool-id')).not.toThrow(); + }); + + test('fromIdentityPoolArn accepts token', () => { + const stack = new Stack(); + expect(() => IdentityPool.fromIdentityPoolArn(stack, 'IdPool1', Lazy.string({ produce: () => 'lazy-arn' }))).not.toThrow(); + expect(() => IdentityPool.fromIdentityPoolArn(stack, 'IdPool2', `arn:aws:cognito-identity:${stack.region}:${stack.account}:identitypool/id-region:pool-id`)).not.toThrow(); + expect(() => IdentityPool.fromIdentityPoolArn(stack, 'IdPool3', `arn:aws:cognito-identity:arn-region:${stack.account}:identitypool/${Lazy.string({ produce: () => 'lazy-region' })}:pool-id`)).not.toThrow(); + }); + test('user pools are properly configured', () => { const stack = new Stack(); const poolProvider = UserPoolIdentityProvider.fromProviderName(stack, 'poolProvider', 'poolProvider'); diff --git a/packages/@aws-cdk/aws-ec2-alpha/lib/ipam.ts b/packages/@aws-cdk/aws-ec2-alpha/lib/ipam.ts index 0d420603fee9d..c6600d43315f0 100644 --- a/packages/@aws-cdk/aws-ec2-alpha/lib/ipam.ts +++ b/packages/@aws-cdk/aws-ec2-alpha/lib/ipam.ts @@ -415,6 +415,11 @@ class IpamScopeBase implements IIpamScopeBase { readonly scopeType?: IpamScopeType, ) { this.scopeType = IpamScopeType.DEFAULT; + if (!props.ipamScopeId) { + throw new Error('ipamScopeId is required'); + } else { + this.scopeId = props.ipamScopeId; + } } /** diff --git a/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.js.snapshot/aws-cdk-vpcv2-alpha-new.assets.json b/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.js.snapshot/aws-cdk-vpcv2-alpha-new.assets.json index 21b01be95b3c6..8fa7b0508afb2 100644 --- a/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.js.snapshot/aws-cdk-vpcv2-alpha-new.assets.json +++ b/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.js.snapshot/aws-cdk-vpcv2-alpha-new.assets.json @@ -1,7 +1,7 @@ { - "version": "36.0.0", + "version": "36.0.5", "files": { - "ccdbd85132bedf38aeb99e5b0c700f48494d3b7c344a96232f29b48a5279b6ef": { + "936d55c8ae74b8dbe0de8c85d4bec3718ce3f73a71342f5852a5a5586485c23c": { "source": { "path": "aws-cdk-vpcv2-alpha-new.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "ccdbd85132bedf38aeb99e5b0c700f48494d3b7c344a96232f29b48a5279b6ef.json", + "objectKey": "936d55c8ae74b8dbe0de8c85d4bec3718ce3f73a71342f5852a5a5586485c23c.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.js.snapshot/aws-cdk-vpcv2-alpha-new.template.json b/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.js.snapshot/aws-cdk-vpcv2-alpha-new.template.json index 575219310d27f..f6cffbdb23c5d 100644 --- a/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.js.snapshot/aws-cdk-vpcv2-alpha-new.template.json +++ b/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.js.snapshot/aws-cdk-vpcv2-alpha-new.template.json @@ -15,7 +15,12 @@ "Properties": { "AddressFamily": "ipv6", "AwsService": "ec2", - "IpamScopeId": "DefaultPublicScope", + "IpamScopeId": { + "Fn::GetAtt": [ + "Ipam50346F82", + "PublicDefaultScopeId" + ] + }, "Locale": "eu-west-2", "PublicIpSource": "amazon" } diff --git a/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.js.snapshot/cdk.out b/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.js.snapshot/cdk.out index 1f0068d32659a..bd5311dc372de 100644 --- a/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.js.snapshot/cdk.out +++ b/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"36.0.0"} \ No newline at end of file +{"version":"36.0.5"} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.js.snapshot/integ.json b/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.js.snapshot/integ.json index 321da99978a8c..50d9ec54ae49a 100644 --- a/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.js.snapshot/integ.json +++ b/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "36.0.5", "testCases": { "integtest-model/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.js.snapshot/integtestmodelDefaultTestDeployAssertCF40BD53.assets.json b/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.js.snapshot/integtestmodelDefaultTestDeployAssertCF40BD53.assets.json index 3dba4ef9b8bab..e93a555169b11 100644 --- a/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.js.snapshot/integtestmodelDefaultTestDeployAssertCF40BD53.assets.json +++ b/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.js.snapshot/integtestmodelDefaultTestDeployAssertCF40BD53.assets.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "36.0.5", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.js.snapshot/manifest.json b/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.js.snapshot/manifest.json index 5979efcf9a0da..f6b54e8178156 100644 --- a/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.js.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "36.0.5", "artifacts": { "aws-cdk-vpcv2-alpha-new.assets": { "type": "cdk:asset-manifest", @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/ccdbd85132bedf38aeb99e5b0c700f48494d3b7c344a96232f29b48a5279b6ef.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/936d55c8ae74b8dbe0de8c85d4bec3718ce3f73a71342f5852a5a5586485c23c.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -141,15 +141,6 @@ "type": "aws:cdk:logicalId", "data": "CheckBootstrapVersion" } - ], - "VPCTestSecondaryIp48408C993194": [ - { - "type": "aws:cdk:logicalId", - "data": "VPCTestSecondaryIp48408C993194", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" - ] - } ] }, "displayName": "aws-cdk-vpcv2-alpha-new" diff --git a/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.js.snapshot/tree.json b/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.js.snapshot/tree.json index c1ff499051b89..f1f62b0a8a30e 100644 --- a/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.js.snapshot/tree.json +++ b/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.js.snapshot/tree.json @@ -42,7 +42,12 @@ "aws:cdk:cloudformation:props": { "addressFamily": "ipv6", "awsService": "ec2", - "ipamScopeId": "DefaultPublicScope", + "ipamScopeId": { + "Fn::GetAtt": [ + "Ipam50346F82", + "PublicDefaultScopeId" + ] + }, "locale": "eu-west-2", "publicIpSource": "amazon" } @@ -80,7 +85,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-vpcv2-alpha.Ipam", + "fqn": "@aws-cdk/aws-ec2-alpha.Ipam", "version": "0.0.0" } }, @@ -200,7 +205,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-vpcv2-alpha.VpcV2", + "fqn": "@aws-cdk/aws-ec2-alpha.VpcV2", "version": "0.0.0" } }, @@ -278,7 +283,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-vpcv2-alpha.SubnetV2", + "fqn": "@aws-cdk/aws-ec2-alpha.SubnetV2", "version": "0.0.0" } }, diff --git a/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.ts b/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.ts index d30e47b2d9129..529b1cdcc5f40 100644 --- a/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.ts +++ b/packages/@aws-cdk/aws-ec2-alpha/test/integ.subnet-v2.ts @@ -11,7 +11,6 @@ import * as vpc_v2 from '../lib/vpc-v2'; import * as ec2 from 'aws-cdk-lib/aws-ec2'; import { AddressFamily, AwsServiceName, IpCidr, Ipam, IpamPoolPublicIpSource, SubnetV2 } from '../lib'; -//import { Ipv6Cidr } from '../lib'; import { IntegTest } from '@aws-cdk/integ-tests-alpha'; import * as cdk from 'aws-cdk-lib'; import { SubnetType } from 'aws-cdk-lib/aws-ec2'; diff --git a/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.js.snapshot/aws-cdk-vpcv2-alpha.assets.json b/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.js.snapshot/aws-cdk-vpcv2-alpha.assets.json index 073423dd71829..edea907079f09 100644 --- a/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.js.snapshot/aws-cdk-vpcv2-alpha.assets.json +++ b/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.js.snapshot/aws-cdk-vpcv2-alpha.assets.json @@ -1,7 +1,7 @@ { - "version": "36.0.0", + "version": "36.0.5", "files": { - "6af0c32b7b4dcf4566eda1afa97ddb6dc00a4597f5633e0d826df8642bc069f4": { + "a7489230071452bf2d95e6aff482ada8c6c5139402293c5aadfaa9821bd931a0": { "source": { "path": "aws-cdk-vpcv2-alpha.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "6af0c32b7b4dcf4566eda1afa97ddb6dc00a4597f5633e0d826df8642bc069f4.json", + "objectKey": "a7489230071452bf2d95e6aff482ada8c6c5139402293c5aadfaa9821bd931a0.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.js.snapshot/aws-cdk-vpcv2-alpha.template.json b/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.js.snapshot/aws-cdk-vpcv2-alpha.template.json index e1962661d5118..69b67454af10b 100644 --- a/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.js.snapshot/aws-cdk-vpcv2-alpha.template.json +++ b/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.js.snapshot/aws-cdk-vpcv2-alpha.template.json @@ -14,7 +14,12 @@ "Type": "AWS::EC2::IPAMPool", "Properties": { "AddressFamily": "ipv4", - "IpamScopeId": "DefaultPrivateScope", + "IpamScopeId": { + "Fn::GetAtt": [ + "IpamTestIpam6C9298EF", + "PrivateDefaultScopeId" + ] + }, "Locale": "eu-central-1", "ProvisionedCidrs": [ { @@ -28,7 +33,12 @@ "Properties": { "AddressFamily": "ipv6", "AwsService": "ec2", - "IpamScopeId": "DefaultPublicScope", + "IpamScopeId": { + "Fn::GetAtt": [ + "IpamTestIpam6C9298EF", + "PublicDefaultScopeId" + ] + }, "Locale": "eu-central-1", "PublicIpSource": "amazon" } diff --git a/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.js.snapshot/cdk.out b/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.js.snapshot/cdk.out index 1f0068d32659a..bd5311dc372de 100644 --- a/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.js.snapshot/cdk.out +++ b/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"36.0.0"} \ No newline at end of file +{"version":"36.0.5"} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.js.snapshot/integ.json b/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.js.snapshot/integ.json index c583ba29c25f7..b73b42e18e04e 100644 --- a/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.js.snapshot/integ.json +++ b/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "36.0.5", "testCases": { "integtest-model/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.js.snapshot/integtestmodelDefaultTestDeployAssertCF40BD53.assets.json b/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.js.snapshot/integtestmodelDefaultTestDeployAssertCF40BD53.assets.json index 3dba4ef9b8bab..e93a555169b11 100644 --- a/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.js.snapshot/integtestmodelDefaultTestDeployAssertCF40BD53.assets.json +++ b/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.js.snapshot/integtestmodelDefaultTestDeployAssertCF40BD53.assets.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "36.0.5", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.js.snapshot/manifest.json b/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.js.snapshot/manifest.json index bd084b1280480..07729bcb92768 100644 --- a/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.js.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "36.0.5", "artifacts": { "aws-cdk-vpcv2-alpha.assets": { "type": "cdk:asset-manifest", @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/6af0c32b7b4dcf4566eda1afa97ddb6dc00a4597f5633e0d826df8642bc069f4.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/a7489230071452bf2d95e6aff482ada8c6c5139402293c5aadfaa9821bd931a0.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -165,51 +165,6 @@ "type": "aws:cdk:logicalId", "data": "CheckBootstrapVersion" } - ], - "VPCintegtest1SecondaryIp684795D0A306": [ - { - "type": "aws:cdk:logicalId", - "data": "VPCintegtest1SecondaryIp684795D0A306", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" - ] - } - ], - "VPCintegtest1SecondaryIp757851A2E166": [ - { - "type": "aws:cdk:logicalId", - "data": "VPCintegtest1SecondaryIp757851A2E166", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" - ] - } - ], - "Vpcintegtest2SecondaryIp4840275314DC": [ - { - "type": "aws:cdk:logicalId", - "data": "Vpcintegtest2SecondaryIp4840275314DC", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" - ] - } - ], - "Vpcintegtest2SecondaryIp58F23280A479": [ - { - "type": "aws:cdk:logicalId", - "data": "Vpcintegtest2SecondaryIp58F23280A479", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" - ] - } - ], - "Vpcintegtest2SecondaryIpD363CCF2FF57": [ - { - "type": "aws:cdk:logicalId", - "data": "Vpcintegtest2SecondaryIpD363CCF2FF57", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" - ] - } ] }, "displayName": "aws-cdk-vpcv2-alpha" diff --git a/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.js.snapshot/tree.json b/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.js.snapshot/tree.json index d8432677382f0..4ef8722255a1d 100644 --- a/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.js.snapshot/tree.json +++ b/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.js.snapshot/tree.json @@ -41,7 +41,12 @@ "aws:cdk:cloudformation:type": "AWS::EC2::IPAMPool", "aws:cdk:cloudformation:props": { "addressFamily": "ipv4", - "ipamScopeId": "DefaultPrivateScope", + "ipamScopeId": { + "Fn::GetAtt": [ + "IpamTestIpam6C9298EF", + "PrivateDefaultScopeId" + ] + }, "locale": "eu-central-1", "provisionedCidrs": [ { @@ -73,7 +78,12 @@ "aws:cdk:cloudformation:props": { "addressFamily": "ipv6", "awsService": "ec2", - "ipamScopeId": "DefaultPublicScope", + "ipamScopeId": { + "Fn::GetAtt": [ + "IpamTestIpam6C9298EF", + "PublicDefaultScopeId" + ] + }, "locale": "eu-central-1", "publicIpSource": "amazon" } @@ -111,7 +121,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-vpcv2-alpha.Ipam", + "fqn": "@aws-cdk/aws-ec2-alpha.Ipam", "version": "0.0.0" } }, @@ -184,7 +194,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-vpcv2-alpha.VpcV2", + "fqn": "@aws-cdk/aws-ec2-alpha.VpcV2", "version": "0.0.0" } }, @@ -277,7 +287,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-vpcv2-alpha.VpcV2", + "fqn": "@aws-cdk/aws-ec2-alpha.VpcV2", "version": "0.0.0" } }, @@ -355,7 +365,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-vpcv2-alpha.SubnetV2", + "fqn": "@aws-cdk/aws-ec2-alpha.SubnetV2", "version": "0.0.0" } }, @@ -433,7 +443,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-vpcv2-alpha.SubnetV2", + "fqn": "@aws-cdk/aws-ec2-alpha.SubnetV2", "version": "0.0.0" } }, @@ -511,7 +521,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-vpcv2-alpha.SubnetV2", + "fqn": "@aws-cdk/aws-ec2-alpha.SubnetV2", "version": "0.0.0" } }, diff --git a/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.ts b/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.ts index 6074d53f5ea9e..b4174e8e3d2aa 100644 --- a/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.ts +++ b/packages/@aws-cdk/aws-ec2-alpha/test/integ.vpc-v2-alpha.ts @@ -92,7 +92,7 @@ new SubnetV2(stack, 'testsubnet', { subnetType: SubnetType.PRIVATE_ISOLATED, }); -//validate ipv6 +//Validate ipv6 IPAM new SubnetV2(stack, 'validateIpv6', { vpc, ipv4CidrBlock: new IpCidr('10.3.0.0/24'), diff --git a/packages/@aws-cdk/aws-ec2-alpha/test/ipam.test.ts b/packages/@aws-cdk/aws-ec2-alpha/test/ipam.test.ts index 7d5db75bcd7e2..aa3fd7884bccd 100644 --- a/packages/@aws-cdk/aws-ec2-alpha/test/ipam.test.ts +++ b/packages/@aws-cdk/aws-ec2-alpha/test/ipam.test.ts @@ -43,7 +43,9 @@ describe('IPAM Test', () => { 'AWS::EC2::IPAMPool', { AddressFamily: 'ipv6', - IpamScopeId: 'DefaultPublicScope', + IpamScopeId: { + 'Fn::GetAtt': ['Ipam50346F82', 'PublicDefaultScopeId'], + }, Locale: 'us-west-2', }, ); //End Template @@ -69,7 +71,9 @@ describe('IPAM Test', () => { 'AWS::EC2::IPAMPool', { AddressFamily: 'ipv4', - IpamScopeId: 'DefaultPrivateScope', + IpamScopeId: { + 'Fn::GetAtt': ['Ipam50346F82', 'PrivateDefaultScopeId'], + }, Locale: 'us-west-2', }, ); //End Template @@ -97,7 +101,9 @@ describe('IPAM Test', () => { Type: 'AWS::EC2::IPAMPool', Properties: { AddressFamily: 'ipv6', - IpamScopeId: 'DefaultPublicScope', + IpamScopeId: { + 'Fn::GetAtt': ['TestIpamDBF92BA8', 'PublicDefaultScopeId'], + }, Locale: 'us-west-2', }, }, @@ -129,7 +135,9 @@ describe('IPAM Test', () => { Type: 'AWS::EC2::IPAMPool', Properties: { AddressFamily: 'ipv6', - IpamScopeId: 'DefaultPublicScope', + IpamScopeId: { + 'Fn::GetAtt': ['TestIpamDBF92BA8', 'PublicDefaultScopeId'], + }, Locale: 'us-west-2', }, }, diff --git a/packages/@aws-cdk/aws-ec2-alpha/test/subnet-v2.test.ts b/packages/@aws-cdk/aws-ec2-alpha/test/subnet-v2.test.ts index 42289b359cece..bf1c3209dacce 100644 --- a/packages/@aws-cdk/aws-ec2-alpha/test/subnet-v2.test.ts +++ b/packages/@aws-cdk/aws-ec2-alpha/test/subnet-v2.test.ts @@ -201,7 +201,9 @@ describe('Subnet V2 with custom IP and routing', () => { Properties: { AddressFamily: 'ipv6', - IpamScopeId: 'DefaultPublicScope', + IpamScopeId: { + 'Fn::GetAtt': ['TestIpamDBF92BA8', 'PublicDefaultScopeId'], + }, }, }, TestVPCD26570D8: { Type: 'AWS::EC2::VPC' }, diff --git a/packages/@aws-cdk/aws-ec2-alpha/test/vpc-v2.test.ts b/packages/@aws-cdk/aws-ec2-alpha/test/vpc-v2.test.ts index bd5e6fb7161a8..5b2167ae3007b 100644 --- a/packages/@aws-cdk/aws-ec2-alpha/test/vpc-v2.test.ts +++ b/packages/@aws-cdk/aws-ec2-alpha/test/vpc-v2.test.ts @@ -150,7 +150,7 @@ describe('Vpc V2 with full control', () => { Type: 'AWS::EC2::IPAMPool', Properties: { AddressFamily: 'ipv4', - IpamScopeId: 'DefaultPrivateScope', + IpamScopeId: { 'Fn::GetAtt': ['TestIpamDBF92BA8', 'PrivateDefaultScopeId'] }, Locale: 'us-west-1', ProvisionedCidrs: [ { @@ -210,7 +210,7 @@ describe('Vpc V2 with full control', () => { Properties: { AddressFamily: 'ipv6', AwsService: 'ec2', - IpamScopeId: 'DefaultPublicScope', + IpamScopeId: { 'Fn::GetAtt': ['TestIpamDBF92BA8', 'PublicDefaultScopeId'] }, PublicIpSource: 'amazon', }, }, diff --git a/packages/@aws-cdk/aws-lambda-python-alpha/test/lambda-handler-pipenv/Pipfile.lock b/packages/@aws-cdk/aws-lambda-python-alpha/test/lambda-handler-pipenv/Pipfile.lock index 76849b1bba333..56c424a77a645 100644 --- a/packages/@aws-cdk/aws-lambda-python-alpha/test/lambda-handler-pipenv/Pipfile.lock +++ b/packages/@aws-cdk/aws-lambda-python-alpha/test/lambda-handler-pipenv/Pipfile.lock @@ -16,11 +16,12 @@ "default": { "certifi": { "hashes": [ - "sha256:539cc1d13202e33ca466e88b2807e29f4c13049d6d87031a3c110744495cb082", - "sha256:92d6037539857d8206b8f6ae472e8b77db8058fec5937a1ef3f54304089edbb9" + "sha256:5a1e7645bc0ec61a09e26c36f6106dd4cf40c6db3a1fb6352b0244e7fb057c7b", + "sha256:c198e21b1289c2ab85ee4e67bb4b4ef3ead0892059901a8d5b622f24a1101e90" ], + "index": "pypi", "markers": "python_version >= '3.6'", - "version": "==2023.7.22" + "version": "==2024.7.4" }, "charset-normalizer": { "hashes": [ diff --git a/packages/@aws-cdk/aws-sagemaker-alpha/README.md b/packages/@aws-cdk/aws-sagemaker-alpha/README.md index cdddec2ec8103..f4798faf19036 100644 --- a/packages/@aws-cdk/aws-sagemaker-alpha/README.md +++ b/packages/@aws-cdk/aws-sagemaker-alpha/README.md @@ -78,6 +78,31 @@ const model = new sagemaker.Model(this, 'InferencePipelineModel', { }); ``` +### Model Properties + +#### Network Isolation + +If you enable [network isolation](https://docs.aws.amazon.com/sagemaker/latest/dg/mkt-algo-model-internet-free.html), the containers can't make any outbound network calls, even to other AWS services such as Amazon S3. Additionally, no AWS credentials are made available to the container runtime environment. + +To enable network isolation, set the `networkIsolation` property to `true`: + +```typescript +import * as sagemaker from '@aws-cdk/aws-sagemaker-alpha'; + +declare const image: sagemaker.ContainerImage; +declare const modelData: sagemaker.ModelData; + +const model = new sagemaker.Model(this, 'ContainerModel', { + containers: [ + { + image, + modelData, + } + ], + networkIsolation: true, +}); +``` + ### Container Images Inference code can be stored in the Amazon EC2 Container Registry (Amazon ECR), which is specified diff --git a/packages/@aws-cdk/aws-sagemaker-alpha/lib/model.ts b/packages/@aws-cdk/aws-sagemaker-alpha/lib/model.ts index 589caed2e9556..28f88d4934b1d 100644 --- a/packages/@aws-cdk/aws-sagemaker-alpha/lib/model.ts +++ b/packages/@aws-cdk/aws-sagemaker-alpha/lib/model.ts @@ -206,6 +206,17 @@ export interface ModelProps { * @default true */ readonly allowAllOutbound?: boolean; + + /** + * Whether to enable network isolation for the model container. + * + * When enabled, no inbound or outbound network calls can be made to or from the model container. + * + * @see https://docs.aws.amazon.com/sagemaker/latest/dg/mkt-algo-model-internet-free.html + * + * @default false + */ + readonly networkIsolation?: boolean; } /** @@ -312,6 +323,7 @@ export class Model extends ModelBase { primaryContainer: cdk.Lazy.any({ produce: () => this.renderPrimaryContainer() }), vpcConfig: cdk.Lazy.any({ produce: () => this.renderVpcConfig() }), containers: cdk.Lazy.any({ produce: () => this.renderContainers() }), + enableNetworkIsolation: props.networkIsolation, }); this.modelName = this.getResourceNameAttribute(model.attrModelName); this.modelArn = this.getResourceArnAttribute(model.ref, { diff --git a/packages/@aws-cdk/aws-sagemaker-alpha/test/integ.model.js.snapshot/aws-cdk-sagemaker-model.assets.json b/packages/@aws-cdk/aws-sagemaker-alpha/test/integ.model.js.snapshot/aws-cdk-sagemaker-model.assets.json index d350b0f8b2887..b325edd0bba0b 100644 --- a/packages/@aws-cdk/aws-sagemaker-alpha/test/integ.model.js.snapshot/aws-cdk-sagemaker-model.assets.json +++ b/packages/@aws-cdk/aws-sagemaker-alpha/test/integ.model.js.snapshot/aws-cdk-sagemaker-model.assets.json @@ -14,7 +14,7 @@ } } }, - "3091b68a4482354b22fb86be9dfa04e7f07fd597c15825ad5b16b32f8fdaaf6a": { + "2bf7be4479c7f2590f4e7436df08e6f6516adf0e7234bfcfd7ea7115c7e6dfb6": { "source": { "path": "aws-cdk-sagemaker-model.template.json", "packaging": "file" @@ -22,7 +22,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "3091b68a4482354b22fb86be9dfa04e7f07fd597c15825ad5b16b32f8fdaaf6a.json", + "objectKey": "2bf7be4479c7f2590f4e7436df08e6f6516adf0e7234bfcfd7ea7115c7e6dfb6.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-sagemaker-alpha/test/integ.model.js.snapshot/aws-cdk-sagemaker-model.template.json b/packages/@aws-cdk/aws-sagemaker-alpha/test/integ.model.js.snapshot/aws-cdk-sagemaker-model.template.json index 51f06e115d3f8..1a783d4262dce 100644 --- a/packages/@aws-cdk/aws-sagemaker-alpha/test/integ.model.js.snapshot/aws-cdk-sagemaker-model.template.json +++ b/packages/@aws-cdk/aws-sagemaker-alpha/test/integ.model.js.snapshot/aws-cdk-sagemaker-model.template.json @@ -898,6 +898,169 @@ "HuggingFaceModelRoleDefaultPolicy50587D35", "HuggingFaceModelRoleDA17DA00" ] + }, + "NetworkIsolationModelRole562D6C7F": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "sagemaker.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AmazonSageMakerFullAccess" + ] + ] + } + ] + } + }, + "NetworkIsolationModelRoleDefaultPolicy84ACFE88": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "ecr:BatchCheckLayerAvailability", + "ecr:BatchGetImage", + "ecr:GetDownloadUrlForLayer" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ecr:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":repository/", + { + "Fn::Sub": "cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}" + } + ] + ] + } + }, + { + "Action": "ecr:GetAuthorizationToken", + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::", + { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::", + { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + } + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "NetworkIsolationModelRoleDefaultPolicy84ACFE88", + "Roles": [ + { + "Ref": "NetworkIsolationModelRole562D6C7F" + } + ] + } + }, + "NetworkIsolationModel29FE9107": { + "Type": "AWS::SageMaker::Model", + "Properties": { + "Containers": [ + { + "Image": { + "Fn::Sub": "${AWS::AccountId}.dkr.ecr.${AWS::Region}.${AWS::URLSuffix}/cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}:442a71de95281cb26bd41da567c79060206108b97bdde93cb4ce5f213f50013a" + } + }, + { + "Image": { + "Fn::Sub": "${AWS::AccountId}.dkr.ecr.${AWS::Region}.${AWS::URLSuffix}/cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}:442a71de95281cb26bd41da567c79060206108b97bdde93cb4ce5f213f50013a" + }, + "ModelDataUrl": { + "Fn::Sub": "https://s3.${AWS::Region}.${AWS::URLSuffix}/cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/126d48fa0e32fbef5078b9d88658b35ad29d4291eb86675a64c75fa4f1338916.gz" + } + }, + { + "Image": { + "Fn::Sub": "${AWS::AccountId}.dkr.ecr.${AWS::Region}.${AWS::URLSuffix}/cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}:442a71de95281cb26bd41da567c79060206108b97bdde93cb4ce5f213f50013a" + }, + "ModelDataUrl": { + "Fn::Sub": "https://s3.${AWS::Region}.${AWS::URLSuffix}/cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/126d48fa0e32fbef5078b9d88658b35ad29d4291eb86675a64c75fa4f1338916.gz" + } + } + ], + "EnableNetworkIsolation": true, + "ExecutionRoleArn": { + "Fn::GetAtt": [ + "NetworkIsolationModelRole562D6C7F", + "Arn" + ] + } + }, + "DependsOn": [ + "NetworkIsolationModelRoleDefaultPolicy84ACFE88", + "NetworkIsolationModelRole562D6C7F" + ] } }, "Mappings": { diff --git a/packages/@aws-cdk/aws-sagemaker-alpha/test/integ.model.js.snapshot/manifest.json b/packages/@aws-cdk/aws-sagemaker-alpha/test/integ.model.js.snapshot/manifest.json index 0991dc132bb8b..9411f22bfb458 100644 --- a/packages/@aws-cdk/aws-sagemaker-alpha/test/integ.model.js.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-sagemaker-alpha/test/integ.model.js.snapshot/manifest.json @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/3091b68a4482354b22fb86be9dfa04e7f07fd597c15825ad5b16b32f8fdaaf6a.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/2bf7be4479c7f2590f4e7436df08e6f6516adf0e7234bfcfd7ea7115c7e6dfb6.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -238,6 +238,24 @@ "data": "DlcRepositoryAccountMap" } ], + "/aws-cdk-sagemaker-model/NetworkIsolationModel/Role/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "NetworkIsolationModelRole562D6C7F" + } + ], + "/aws-cdk-sagemaker-model/NetworkIsolationModel/Role/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "NetworkIsolationModelRoleDefaultPolicy84ACFE88" + } + ], + "/aws-cdk-sagemaker-model/NetworkIsolationModel/Model": [ + { + "type": "aws:cdk:logicalId", + "data": "NetworkIsolationModel29FE9107" + } + ], "/aws-cdk-sagemaker-model/BootstrapVersion": [ { "type": "aws:cdk:logicalId", diff --git a/packages/@aws-cdk/aws-sagemaker-alpha/test/integ.model.js.snapshot/tree.json b/packages/@aws-cdk/aws-sagemaker-alpha/test/integ.model.js.snapshot/tree.json index 660e3efff302b..60a1416e86bb8 100644 --- a/packages/@aws-cdk/aws-sagemaker-alpha/test/integ.model.js.snapshot/tree.json +++ b/packages/@aws-cdk/aws-sagemaker-alpha/test/integ.model.js.snapshot/tree.json @@ -1169,13 +1169,13 @@ "version": "0.0.0" } }, - "ModelImage4351027d8888cb0133eeba7ae4ab91c5": { - "id": "ModelImage4351027d8888cb0133eeba7ae4ab91c5", - "path": "aws-cdk-sagemaker-model/InferencePipelineModel/ModelImage4351027d8888cb0133eeba7ae4ab91c5", + "ModelImage1df1fb2d6963bb25c0be68fe5b4e5a62": { + "id": "ModelImage1df1fb2d6963bb25c0be68fe5b4e5a62", + "path": "aws-cdk-sagemaker-model/InferencePipelineModel/ModelImage1df1fb2d6963bb25c0be68fe5b4e5a62", "children": { "Staging": { "id": "Staging", - "path": "aws-cdk-sagemaker-model/InferencePipelineModel/ModelImage4351027d8888cb0133eeba7ae4ab91c5/Staging", + "path": "aws-cdk-sagemaker-model/InferencePipelineModel/ModelImage1df1fb2d6963bb25c0be68fe5b4e5a62/Staging", "constructInfo": { "fqn": "aws-cdk-lib.AssetStaging", "version": "0.0.0" @@ -1183,7 +1183,7 @@ }, "Repository": { "id": "Repository", - "path": "aws-cdk-sagemaker-model/InferencePipelineModel/ModelImage4351027d8888cb0133eeba7ae4ab91c5/Repository", + "path": "aws-cdk-sagemaker-model/InferencePipelineModel/ModelImage1df1fb2d6963bb25c0be68fe5b4e5a62/Repository", "constructInfo": { "fqn": "aws-cdk-lib.aws_ecr.RepositoryBase", "version": "0.0.0" @@ -1195,13 +1195,13 @@ "version": "0.0.0" } }, - "ModelDatab93b3e254f66541093e95be708719bbd": { - "id": "ModelDatab93b3e254f66541093e95be708719bbd", - "path": "aws-cdk-sagemaker-model/InferencePipelineModel/ModelDatab93b3e254f66541093e95be708719bbd", + "ModelDataac735c034334b02fb2f240145313a846": { + "id": "ModelDataac735c034334b02fb2f240145313a846", + "path": "aws-cdk-sagemaker-model/InferencePipelineModel/ModelDataac735c034334b02fb2f240145313a846", "children": { "Stage": { "id": "Stage", - "path": "aws-cdk-sagemaker-model/InferencePipelineModel/ModelDatab93b3e254f66541093e95be708719bbd/Stage", + "path": "aws-cdk-sagemaker-model/InferencePipelineModel/ModelDataac735c034334b02fb2f240145313a846/Stage", "constructInfo": { "fqn": "aws-cdk-lib.AssetStaging", "version": "0.0.0" @@ -1209,7 +1209,7 @@ }, "AssetBucket": { "id": "AssetBucket", - "path": "aws-cdk-sagemaker-model/InferencePipelineModel/ModelDatab93b3e254f66541093e95be708719bbd/AssetBucket", + "path": "aws-cdk-sagemaker-model/InferencePipelineModel/ModelDataac735c034334b02fb2f240145313a846/AssetBucket", "constructInfo": { "fqn": "aws-cdk-lib.aws_s3.BucketBase", "version": "0.0.0" @@ -1471,6 +1471,227 @@ "version": "0.0.0" } }, + "NetworkIsolationModel": { + "id": "NetworkIsolationModel", + "path": "aws-cdk-sagemaker-model/NetworkIsolationModel", + "children": { + "Role": { + "id": "Role", + "path": "aws-cdk-sagemaker-model/NetworkIsolationModel/Role", + "children": { + "ImportRole": { + "id": "ImportRole", + "path": "aws-cdk-sagemaker-model/NetworkIsolationModel/Role/ImportRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "aws-cdk-sagemaker-model/NetworkIsolationModel/Role/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "sagemaker.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "managedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AmazonSageMakerFullAccess" + ] + ] + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + }, + "DefaultPolicy": { + "id": "DefaultPolicy", + "path": "aws-cdk-sagemaker-model/NetworkIsolationModel/Role/DefaultPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-cdk-sagemaker-model/NetworkIsolationModel/Role/DefaultPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Policy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": [ + "ecr:BatchCheckLayerAvailability", + "ecr:BatchGetImage", + "ecr:GetDownloadUrlForLayer" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ecr:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":repository/", + { + "Fn::Sub": "cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}" + } + ] + ] + } + }, + { + "Action": "ecr:GetAuthorizationToken", + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::", + { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::", + { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + } + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + }, + "policyName": "NetworkIsolationModelRoleDefaultPolicy84ACFE88", + "roles": [ + { + "Ref": "NetworkIsolationModelRole562D6C7F" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Policy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "Model": { + "id": "Model", + "path": "aws-cdk-sagemaker-model/NetworkIsolationModel/Model", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::SageMaker::Model", + "aws:cdk:cloudformation:props": { + "containers": [ + { + "image": { + "Fn::Sub": "${AWS::AccountId}.dkr.ecr.${AWS::Region}.${AWS::URLSuffix}/cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}:442a71de95281cb26bd41da567c79060206108b97bdde93cb4ce5f213f50013a" + } + }, + { + "image": { + "Fn::Sub": "${AWS::AccountId}.dkr.ecr.${AWS::Region}.${AWS::URLSuffix}/cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}:442a71de95281cb26bd41da567c79060206108b97bdde93cb4ce5f213f50013a" + }, + "modelDataUrl": { + "Fn::Sub": "https://s3.${AWS::Region}.${AWS::URLSuffix}/cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/126d48fa0e32fbef5078b9d88658b35ad29d4291eb86675a64c75fa4f1338916.gz" + } + }, + { + "image": { + "Fn::Sub": "${AWS::AccountId}.dkr.ecr.${AWS::Region}.${AWS::URLSuffix}/cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}:442a71de95281cb26bd41da567c79060206108b97bdde93cb4ce5f213f50013a" + }, + "modelDataUrl": { + "Fn::Sub": "https://s3.${AWS::Region}.${AWS::URLSuffix}/cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/126d48fa0e32fbef5078b9d88658b35ad29d4291eb86675a64c75fa4f1338916.gz" + } + } + ], + "enableNetworkIsolation": true, + "executionRoleArn": { + "Fn::GetAtt": [ + "NetworkIsolationModelRole562D6C7F", + "Arn" + ] + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_sagemaker.CfnModel", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-sagemaker-alpha.Model", + "version": "0.0.0" + } + }, "BootstrapVersion": { "id": "BootstrapVersion", "path": "aws-cdk-sagemaker-model/BootstrapVersion", diff --git a/packages/@aws-cdk/aws-sagemaker-alpha/test/integ.model.ts b/packages/@aws-cdk/aws-sagemaker-alpha/test/integ.model.ts index 4de64b4b6dafe..e52785a2b35a0 100644 --- a/packages/@aws-cdk/aws-sagemaker-alpha/test/integ.model.ts +++ b/packages/@aws-cdk/aws-sagemaker-alpha/test/integ.model.ts @@ -131,6 +131,15 @@ new sagemaker.Model(stack, 'HuggingFaceModel', { ], }); +new sagemaker.Model(stack, 'NetworkIsolationModel', { + containers: [ + { image: localImage }, + { image: localImage, modelData: localModelData }, + { image: localImage, modelData: localModelData }, + ], + networkIsolation: true, +}); + new IntegTest(app, 'integtest-model', { testCases: [stack], }); diff --git a/packages/@aws-cdk/aws-sagemaker-alpha/test/model.test.ts b/packages/@aws-cdk/aws-sagemaker-alpha/test/model.test.ts index f4e64ec6131fc..d08ac389ed5e4 100644 --- a/packages/@aws-cdk/aws-sagemaker-alpha/test/model.test.ts +++ b/packages/@aws-cdk/aws-sagemaker-alpha/test/model.test.ts @@ -98,6 +98,22 @@ describe('When instantiating SageMaker Model', () => { expect(Object.entries(manifest.dockerImages)).toHaveLength(1); }); + test('set network isolation', () => { + // GIVEN + const stack = new cdk.Stack(); + + // WHEN + new sagemaker.Model(stack, 'Model', { + containers: [{ image: sagemaker.ContainerImage.fromEcrRepository(new ecr.Repository(stack, 'Repo')) }], + networkIsolation: true, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::SageMaker::Model', { + EnableNetworkIsolation: true, + }); + }); + describe('with a VPC', () => { test('and security groups, no security group is created', () => { // GIVEN diff --git a/packages/@aws-cdk/cli-lib-alpha/THIRD_PARTY_LICENSES b/packages/@aws-cdk/cli-lib-alpha/THIRD_PARTY_LICENSES index 30c90c16203a6..bcafab7566719 100644 --- a/packages/@aws-cdk/cli-lib-alpha/THIRD_PARTY_LICENSES +++ b/packages/@aws-cdk/cli-lib-alpha/THIRD_PARTY_LICENSES @@ -207,7 +207,7 @@ The @aws-cdk/cli-lib-alpha package includes the following third-party software/l ---------------- -** @jsii/check-node@1.97.0 - https://www.npmjs.com/package/@jsii/check-node/v/1.97.0 | Apache-2.0 +** @jsii/check-node@1.102.0 - https://www.npmjs.com/package/@jsii/check-node/v/1.102.0 | Apache-2.0 jsii Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved. @@ -266,7 +266,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ---------------- -** ajv@8.12.0 - https://www.npmjs.com/package/ajv/v/8.12.0 | MIT +** ajv@8.16.0 - https://www.npmjs.com/package/ajv/v/8.16.0 | MIT The MIT License (MIT) Copyright (c) 2015-2021 Evgeny Poberezkin @@ -493,7 +493,17 @@ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH RE ---------------- -** aws-sdk@2.1596.0 - https://www.npmjs.com/package/aws-sdk/v/2.1596.0 | Apache-2.0 +** aws-sdk@2.1653.0 - https://www.npmjs.com/package/aws-sdk/v/2.1653.0 | Apache-2.0 +AWS SDK for JavaScript +Copyright 2012-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved. + +This product includes software developed at +Amazon Web Services, Inc. (http://aws.amazon.com/). + + +---------------- + +** aws-sdk@2.1675.0 - https://www.npmjs.com/package/aws-sdk/v/2.1675.0 | Apache-2.0 AWS SDK for JavaScript Copyright 2012-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved. @@ -601,10 +611,10 @@ SOFTWARE. ---------------- -** braces@3.0.2 - https://www.npmjs.com/package/braces/v/3.0.2 | MIT +** braces@3.0.3 - https://www.npmjs.com/package/braces/v/3.0.3 | MIT The MIT License (MIT) -Copyright (c) 2014-2018, Jon Schlinkert. +Copyright (c) 2014-present, Jon Schlinkert. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal @@ -691,7 +701,7 @@ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLI ---------------- -** cdk-from-cfn@0.156.0 - https://www.npmjs.com/package/cdk-from-cfn/v/0.156.0 | MIT OR Apache-2.0 +** cdk-from-cfn@0.162.0 - https://www.npmjs.com/package/cdk-from-cfn/v/0.162.0 | MIT OR Apache-2.0 ---------------- @@ -1123,7 +1133,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ---------------- -** debug@4.3.4 - https://www.npmjs.com/package/debug/v/4.3.4 | MIT +** debug@4.3.5 - https://www.npmjs.com/package/debug/v/4.3.5 | MIT (The MIT License) Copyright (c) 2014-2017 TJ Holowaychuk @@ -1390,7 +1400,7 @@ SOFTWARE. ---------------- -** fill-range@7.0.1 - https://www.npmjs.com/package/fill-range/v/7.0.1 | MIT +** fill-range@7.1.1 - https://www.npmjs.com/package/fill-range/v/7.1.1 | MIT The MIT License (MIT) Copyright (c) 2014-present, Jon Schlinkert. @@ -1667,7 +1677,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ---------------- -** https-proxy-agent@7.0.4 - https://www.npmjs.com/package/https-proxy-agent/v/7.0.4 | MIT +** https-proxy-agent@7.0.5 - https://www.npmjs.com/package/https-proxy-agent/v/7.0.5 | MIT (The MIT License) Copyright (c) 2013 Nathan Rajlich @@ -2315,26 +2325,6 @@ licenses; we recommend you read them, as their terms may differ from the terms above. ----------------- - -** lru-cache@6.0.0 - https://www.npmjs.com/package/lru-cache/v/6.0.0 | ISC -The ISC License - -Copyright (c) Isaac Z. Schlueter and Contributors - -Permission to use, copy, modify, and/or distribute this software for any -purpose with or without fee is hereby granted, provided that the above -copyright notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR -IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - - ---------------- ** lru-cache@7.18.3 - https://www.npmjs.com/package/lru-cache/v/7.18.3 | ISC @@ -2497,7 +2487,30 @@ IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ---------------- -** pac-proxy-agent@7.0.1 - https://www.npmjs.com/package/pac-proxy-agent/v/7.0.1 | MIT +** pac-proxy-agent@7.0.2 - https://www.npmjs.com/package/pac-proxy-agent/v/7.0.2 | MIT +(The MIT License) + +Copyright (c) 2014 Nathan Rajlich + +Permission is hereby granted, free of charge, to any person obtaining +a copy of this software and associated documentation files (the +'Software'), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY +CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, +TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + ---------------- @@ -3094,10 +3107,10 @@ THE SOFTWARE. ---------------- -** sax@1.3.0 - https://www.npmjs.com/package/sax/v/1.3.0 | ISC +** sax@1.4.1 - https://www.npmjs.com/package/sax/v/1.4.1 | ISC The ISC License -Copyright (c) 2010-2022 Isaac Z. Schlueter and Contributors +Copyright (c) 2010-2024 Isaac Z. Schlueter and Contributors Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above @@ -3116,7 +3129,7 @@ IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. `String.fromCodePoint` by Mathias Bynens used according to terms of MIT License, as follows: -Copyright (c) 2010-2022 Mathias Bynens +Copyright (c) 2010-2024 Mathias Bynens Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the @@ -3140,7 +3153,27 @@ Copyright (c) 2010-2022 Mathias Bynens ---------------- -** semver@7.6.0 - https://www.npmjs.com/package/semver/v/7.6.0 | ISC +** semver@7.6.2 - https://www.npmjs.com/package/semver/v/7.6.2 | ISC +The ISC License + +Copyright (c) Isaac Z. Schlueter and Contributors + +Permission to use, copy, modify, and/or distribute this software for any +purpose with or without fee is hereby granted, provided that the above +copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR +IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + + +---------------- + +** semver@7.6.3 - https://www.npmjs.com/package/semver/v/7.6.3 | ISC The ISC License Copyright (c) Isaac Z. Schlueter and Contributors @@ -3200,7 +3233,7 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ---------------- -** socks-proxy-agent@8.0.3 - https://www.npmjs.com/package/socks-proxy-agent/v/8.0.3 | MIT +** socks-proxy-agent@8.0.4 - https://www.npmjs.com/package/socks-proxy-agent/v/8.0.4 | MIT (The MIT License) Copyright (c) 2013 Nathan Rajlich @@ -3545,7 +3578,7 @@ THE SOFTWARE. ---------------- -** tslib@2.6.2 - https://www.npmjs.com/package/tslib/v/2.6.2 | 0BSD +** tslib@2.6.3 - https://www.npmjs.com/package/tslib/v/2.6.3 | 0BSD Copyright (c) Microsoft Corporation. Permission to use, copy, modify, and/or distribute this software for any @@ -3723,26 +3756,6 @@ TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ----------------- - -** yallist@4.0.0 - https://www.npmjs.com/package/yallist/v/4.0.0 | ISC -The ISC License - -Copyright (c) Isaac Z. Schlueter and Contributors - -Permission to use, copy, modify, and/or distribute this software for any -purpose with or without fee is hereby granted, provided that the above -copyright notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR -IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - - ---------------- ** yaml@1.10.2 - https://www.npmjs.com/package/yaml/v/1.10.2 | ISC @@ -3832,4 +3845,4 @@ WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ----------------- \ No newline at end of file +---------------- diff --git a/packages/@aws-cdk/cloud-assembly-schema/.gitignore b/packages/@aws-cdk/cloud-assembly-schema/.gitignore deleted file mode 100644 index 6b8649e2756f5..0000000000000 --- a/packages/@aws-cdk/cloud-assembly-schema/.gitignore +++ /dev/null @@ -1,9 +0,0 @@ -# This package is copied from aws-cdk-lib/cloud-assembly-schema, ignore everything -# except package.json -* -!package.json -!.npmignore -!jest.config.js -!LICENSE -!NOTICE -!CONTRIBUTING.md diff --git a/packages/@aws-cdk/cloud-assembly-schema/.npmignore b/packages/@aws-cdk/cloud-assembly-schema/.npmignore deleted file mode 100644 index 2f484b8db6b88..0000000000000 --- a/packages/@aws-cdk/cloud-assembly-schema/.npmignore +++ /dev/null @@ -1,29 +0,0 @@ -# Don't include original .ts files when doing `npm pack` -*.ts -!*.d.ts -coverage -.nyc_output -*.tgz - -dist -.LAST_PACKAGE -.LAST_BUILD -!*.js - -# Include .jsii -!.jsii - -*.snk - -*.tsbuildinfo - -tsconfig.json -.eslintrc.js -jest.config.js - -# exclude cdk artifacts -**/cdk.out -junit.xml -test/ -!*.lit.ts -**/*.snapshot diff --git a/packages/@aws-cdk/cloud-assembly-schema/CONTRIBUTING.md b/packages/@aws-cdk/cloud-assembly-schema/CONTRIBUTING.md deleted file mode 100644 index 0a96c52f7ca1a..0000000000000 --- a/packages/@aws-cdk/cloud-assembly-schema/CONTRIBUTING.md +++ /dev/null @@ -1,67 +0,0 @@ -## Cloud Assembly Schema - -Making changes to this module should only happen when you introduce new cloud assembly capabilities. - -> For example: supporting the `--target` option when building docker containers. - -If you decided these changes are necessary, simply go ahead and make the necessary modifications to -the interfaces that describe the schema. Our tests and validation mechanisms will ensure you make those -changes correctly. - -### Module Structure - -There are two main things to understand about the files in this module: - -- [`lib/manifest.ts`](./lib/manifest.ts) - - This is the typescript code that defines our schema. It is solely comprised of structs (property only interfaces). - It directly maps to the way we want manifest files to be stored on disk. When you want to make changes to the schema, - this is the file you should be editing. - -- [`lib/schema`](./schema/) - - This directory contains the generated json [schema](./schema/cloud-assembly.schema.json) from the aforementioned - typescript code. It also contains a [version](./schema/cloud-assembly.version.json) file that holds the current version - of the schema. These files are **not** intended for manual editing. Keep reading to understand how they change and when. - -### Schema Generation - -The schema can be generated by running `yarn update-schema`. It reads the [`manifest.ts`](./lib/manifest.ts) file and writes -an updated json schema to [`cloud-assembly.schema.json`](./schema/cloud-assembly.schema.json). -In addition, this command also performs a `major` version bump on the [version](./schema/cloud-assembly.version.json) file. - -Note that it is not generated as part of the build, this is to ensure developers will be intentional when making -changes to the schema. If changes to the code are performed, without generating a new schema, the tests will fail: - -```console -$ yarn test -FAIL test/schema.test.js (5.902s) - ✓ manifest save (7ms) - ✕ cloud-assembly.json.schema is correct (5304ms) - ✓ manifest load (4ms) - ✓ manifest load fails for invalid nested property (5ms) - ✓ manifest load fails for invalid artifact type (1ms) - ✓ stack-tags are deserialized properly (1ms) - ✓ can access random metadata (1ms) - - ● cloud-assembly.json.schema is correct - - Whoops, Looks like the schema has changed. Did you forget to run 'yarn update-schema'? -``` - -### Schema Validation - -Being a **stable** `jsii` module, it undergoes strict API compatibility checks with the help -of [`jsii-diff`](https://github.com/aws/jsii/tree/master/packages/jsii-diff). -This means that breaking changes will be rejected. These include: - -- Adding a required property. (same as changing from *optional* to *required*) -- Changing the type of the property. - -In addition, the interfaces defined here are programmatically exposed to users, via the `manifest` -property of the [`CloudAssembly`](../cx-api/lib/cloud-assembly.ts) class. This means that the following are -also considered breaking changes: - -- Changing a property from *required* to *optional*. -- Removing an optional property. -- Removing a required property. diff --git a/packages/@aws-cdk/cloud-assembly-schema/LICENSE b/packages/@aws-cdk/cloud-assembly-schema/LICENSE deleted file mode 100644 index dcf28b52a83af..0000000000000 --- a/packages/@aws-cdk/cloud-assembly-schema/LICENSE +++ /dev/null @@ -1,201 +0,0 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright 2018-2024 Amazon.com, Inc. or its affiliates. All Rights Reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/packages/@aws-cdk/cloud-assembly-schema/NOTICE b/packages/@aws-cdk/cloud-assembly-schema/NOTICE deleted file mode 100644 index 14e30418ed7dc..0000000000000 --- a/packages/@aws-cdk/cloud-assembly-schema/NOTICE +++ /dev/null @@ -1,46 +0,0 @@ -AWS Cloud Development Kit (AWS CDK) -Copyright 2018-2024 Amazon.com, Inc. or its affiliates. All Rights Reserved. - -------------------------------------------------------------------------------- - -The AWS CDK includes the following third-party software/licensing: - -** jsonschema - https://www.npmjs.com/package/jsonschema -Copyright (C) 2012-2015 Tom de Grunt - -Permission is hereby granted, free of charge, to any person obtaining a copy of -this software and associated documentation files (the "Software"), to deal in -the Software without restriction, including without limitation the rights to -use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies -of the Software, and to permit persons to whom the Software is furnished to do -so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. - ----------------- - -** semver - https://www.npmjs.com/package/semver -Copyright (c) Isaac Z. Schlueter and Contributors - -Permission to use, copy, modify, and/or distribute this software for any -purpose with or without fee is hereby granted, provided that the above -copyright notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR -IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - ----------------- diff --git a/packages/@aws-cdk/cloud-assembly-schema/jest.config.js b/packages/@aws-cdk/cloud-assembly-schema/jest.config.js deleted file mode 100644 index b128c97cea054..0000000000000 --- a/packages/@aws-cdk/cloud-assembly-schema/jest.config.js +++ /dev/null @@ -1,13 +0,0 @@ -const baseConfig = require('@aws-cdk/cdk-build-tools/config/jest.config'); -module.exports = { - ...baseConfig, - testMatch: [ - '/**/test/**/?(*.)+(test).ts', - ], - coverageThreshold: { - global: { - branches: 70, - statements: 75, - }, - }, -}; diff --git a/packages/@aws-cdk/cloud-assembly-schema/package.json b/packages/@aws-cdk/cloud-assembly-schema/package.json deleted file mode 100644 index 0a05241153b84..0000000000000 --- a/packages/@aws-cdk/cloud-assembly-schema/package.json +++ /dev/null @@ -1,122 +0,0 @@ -{ - "name": "@aws-cdk/cloud-assembly-schema", - "version": "0.0.0", - "description": "Cloud Assembly Schema", - "main": "lib/index.js", - "types": "lib/index.d.ts", - "nx": { - "targets": { - "build": { - "outputs": [ - "{projectRoot}/**/*.js", - "{projectRoot}/**/*.d.ts", - "{projectRoot}/.jsii", - "{projectRoot}/.warnings.jsii.js", - "{projectRoot}/.gitignore", - "{projectRoot}/tsconfig.json", - "{projectRoot}/schema/**/*", - "{projectRoot}/README.md", - "{projectRoot}/rosetta", - "!{projectRoot}/node_modules/**/*" - ] - } - } - }, - "jsii": { - "excludeTypescript": [ - "**/test/**/*.ts" - ], - "outdir": "dist", - "targets": { - "java": { - "package": "software.amazon.awscdk.cloudassembly.schema", - "maven": { - "groupId": "software.amazon.awscdk", - "artifactId": "cdk-cloud-assembly-schema" - } - }, - "dotnet": { - "namespace": "Amazon.CDK.CloudAssembly.Schema", - "packageId": "Amazon.CDK.CloudAssembly.Schema", - "iconUrl": "https://raw.githubusercontent.com/aws/aws-cdk/main/logo/default-256-dark.png" - }, - "python": { - "distName": "aws-cdk.cloud-assembly-schema", - "module": "aws_cdk.cloud_assembly_schema", - "classifiers": [ - "Framework :: AWS CDK", - "Framework :: AWS CDK :: 2" - ] - } - }, - "projectReferences": true, - "metadata": { - "jsii": { - "rosetta": { - "strict": false - } - } - } - }, - "scripts": { - "build": "cdk-build --skip-lint", - "gen": "cdk-copy cloud-assembly-schema", - "watch": "cdk-watch", - "test": "cdk-test", - "pkglint": "pkglint -f", - "package": "cdk-package", - "awslint": "cdk-awslint", - "build+test+package": "yarn build+test && yarn package", - "build+test": "yarn build && yarn test", - "compat": "cdk-compat", - "rosetta:extract": "yarn --silent jsii-rosetta extract", - "build+extract": "yarn build && yarn rosetta:extract", - "build+test+extract": "yarn build+test && yarn rosetta:extract" - }, - "author": { - "name": "Amazon Web Services", - "url": "https://aws.amazon.com", - "organization": true - }, - "license": "Apache-2.0", - "devDependencies": { - "@aws-cdk/cdk-build-tools": "0.0.0", - "@aws-cdk/pkglint": "0.0.0", - "@types/jest": "^29.5.12", - "@types/mock-fs": "^4.13.4", - "@types/semver": "^7.5.8", - "aws-cdk-lib": "0.0.0", - "jest": "^29.7.0", - "mock-fs": "^4.14.0", - "typescript-json-schema": "^0.64.0" - }, - "repository": { - "url": "https://github.com/aws/aws-cdk.git", - "type": "git", - "directory": "packages/@aws-cdk/cloud-assembly-schema" - }, - "keywords": [ - "aws", - "cdk" - ], - "homepage": "https://github.com/aws/aws-cdk", - "bundledDependencies": [ - "jsonschema", - "semver" - ], - "engines": { - "node": ">= 14.15.0" - }, - "stability": "stable", - "dependencies": { - "jsonschema": "^1.4.1", - "semver": "^7.6.2" - }, - "awscdkio": { - "announce": false - }, - "maturity": "stable", - "publishConfig": { - "tag": "latest" - } -} diff --git a/packages/@aws-cdk/cloudformation-diff/package.json b/packages/@aws-cdk/cloudformation-diff/package.json index d1e4c41c3e161..fbd982a36bc25 100644 --- a/packages/@aws-cdk/cloudformation-diff/package.json +++ b/packages/@aws-cdk/cloudformation-diff/package.json @@ -23,8 +23,8 @@ }, "license": "Apache-2.0", "dependencies": { - "@aws-cdk/aws-service-spec": "^0.1.15", - "@aws-cdk/service-spec-types": "^0.0.83", + "@aws-cdk/aws-service-spec": "^0.1.17", + "@aws-cdk/service-spec-types": "^0.0.85", "chalk": "^4", "diff": "^5.2.0", "fast-deep-equal": "^3.1.3", diff --git a/packages/@aws-cdk/custom-resource-handlers/lib/custom-resources-framework/classes.ts b/packages/@aws-cdk/custom-resource-handlers/lib/custom-resources-framework/classes.ts index bee5e57cb3f35..eee0e8c12e467 100644 --- a/packages/@aws-cdk/custom-resource-handlers/lib/custom-resources-framework/classes.ts +++ b/packages/@aws-cdk/custom-resource-handlers/lib/custom-resources-framework/classes.ts @@ -14,8 +14,15 @@ import { Expression, ClassSpec, $T, + Statement, } from '@cdklabs/typewriter'; -import { Runtime } from './config'; +import { + Runtime, + CUSTOM_RESOURCE_PROVIDER, + CUSTOM_RESOURCE_SINGLETON, + CUSTOM_RESOURCE_SINGLETON_LOG_GROUP, + CUSTOM_RESOURCE_SINGLETON_LOG_RETENTION, + } from './config'; import { HandlerFrameworkModule } from './framework'; import { PATH_MODULE, @@ -56,6 +63,13 @@ interface ConstructorBuildProps { * @default MemberVisbility.Public */ readonly constructorVisbility?: MemberVisibility; + + /** + * These statements are added to the constructor body in the order they appear in this property. + * + * @default undefined + */ + readonly statements?: Statement[]; } /** @@ -206,10 +220,17 @@ export abstract class HandlerFrameworkClass extends ClassType { ['handler', expr.lit(props.handler)], ['runtime', this.buildRuntimeProperty(scope, { runtime: props.runtime, isEvalNodejsProvider })], ]); + const metadataStatements: Statement[] = [ + expr.directCode(`this.addMetadata('${CUSTOM_RESOURCE_SINGLETON}', true)`), + expr.directCode(`if (props?.logGroup) { this.logGroup.node.addMetadata('${CUSTOM_RESOURCE_SINGLETON_LOG_GROUP}', true) }`), + // We need to access the private `_logRetention` custom resource, the only public property - `logGroup` - provides an ARN reference to the resource, instead of the resource itself. + expr.directCode(`if (props?.logRetention) { ((this as any).lambdaFunction as lambda.Function)._logRetention?.node.addMetadata('${CUSTOM_RESOURCE_SINGLETON_LOG_RETENTION}', true) }`), + ]; this.buildConstructor({ constructorPropsType: _interface.type, superProps, constructorVisbility: MemberVisibility.Public, + statements: metadataStatements, }); } })(); @@ -310,11 +331,13 @@ export abstract class HandlerFrameworkClass extends ClassType { isCustomResourceProvider: true, })], ]); + const metadataStatements: Statement[] = [expr.directCode(`this.node.addMetadata('${CUSTOM_RESOURCE_PROVIDER}', true)`)]; this.buildConstructor({ constructorPropsType: CORE_MODULE.CustomResourceProviderOptions, superProps, constructorVisbility: MemberVisibility.Private, optionalConstructorProps: true, + statements: metadataStatements, }); } })(); @@ -359,6 +382,11 @@ export abstract class HandlerFrameworkClass extends ClassType { const superInitializerArgs: Expression[] = [scope, id, props.superProps]; init.addBody(new SuperInitializer(...superInitializerArgs)); + if (props.statements){ + for (const statement of props.statements) { + init.addBody(statement); + } + } } private buildRuntimeProperty(scope: HandlerFrameworkModule, options: BuildRuntimePropertyOptions = {}) { diff --git a/packages/@aws-cdk/custom-resource-handlers/lib/custom-resources-framework/config.ts b/packages/@aws-cdk/custom-resource-handlers/lib/custom-resources-framework/config.ts index 41f18c6d6a1aa..7dd71a88fb595 100644 --- a/packages/@aws-cdk/custom-resource-handlers/lib/custom-resources-framework/config.ts +++ b/packages/@aws-cdk/custom-resource-handlers/lib/custom-resources-framework/config.ts @@ -367,3 +367,9 @@ export const config: HandlerFrameworkConfig = { ], }, }; + +/* This is duplicated in aws-cdk-lib/custom-resources/lib/custom-resource-config/custom-resource-config.ts */ +export const CUSTOM_RESOURCE_PROVIDER = 'aws:cdk:is-custom-resource-handler-customResourceProvider'; +export const CUSTOM_RESOURCE_SINGLETON = 'aws:cdk:is-custom-resource-handler-singleton'; +export const CUSTOM_RESOURCE_SINGLETON_LOG_GROUP = 'aws:cdk:is-custom-resource-handler-logGroup'; +export const CUSTOM_RESOURCE_SINGLETON_LOG_RETENTION = 'aws:cdk:is-custom-resource-handler-logRetention'; diff --git a/packages/@aws-cdk/custom-resource-handlers/test/custom-resources-framework/expected/node-runtime/custom-resource-provider-core.ts b/packages/@aws-cdk/custom-resource-handlers/test/custom-resources-framework/expected/node-runtime/custom-resource-provider-core.ts index 7d233b55451bd..942d465ea35bd 100644 --- a/packages/@aws-cdk/custom-resource-handlers/test/custom-resources-framework/expected/node-runtime/custom-resource-provider-core.ts +++ b/packages/@aws-cdk/custom-resource-handlers/test/custom-resources-framework/expected/node-runtime/custom-resource-provider-core.ts @@ -28,5 +28,6 @@ export class TestProvider extends CustomResourceProviderBase { "codeDirectory": path.join(__dirname, 'my-handler'), "runtimeName": determineLatestNodeRuntimeName(scope) }); + this.node.addMetadata('aws:cdk:is-custom-resource-handler-customResourceProvider', true); } } \ No newline at end of file diff --git a/packages/@aws-cdk/custom-resource-handlers/test/custom-resources-framework/expected/node-runtime/custom-resource-provider.ts b/packages/@aws-cdk/custom-resource-handlers/test/custom-resources-framework/expected/node-runtime/custom-resource-provider.ts index 8c45d66c40e93..6168a528fb5e9 100644 --- a/packages/@aws-cdk/custom-resource-handlers/test/custom-resources-framework/expected/node-runtime/custom-resource-provider.ts +++ b/packages/@aws-cdk/custom-resource-handlers/test/custom-resources-framework/expected/node-runtime/custom-resource-provider.ts @@ -27,5 +27,6 @@ export class TestProvider extends CustomResourceProviderBase { "codeDirectory": path.join(__dirname, 'my-handler'), "runtimeName": determineLatestNodeRuntimeName(scope) }); + this.node.addMetadata('aws:cdk:is-custom-resource-handler-customResourceProvider', true); } } \ No newline at end of file diff --git a/packages/@aws-cdk/custom-resource-handlers/test/custom-resources-framework/expected/node-runtime/singleton-function.ts b/packages/@aws-cdk/custom-resource-handlers/test/custom-resources-framework/expected/node-runtime/singleton-function.ts index 6f5f5e4897fa6..2830ce24110ac 100644 --- a/packages/@aws-cdk/custom-resource-handlers/test/custom-resources-framework/expected/node-runtime/singleton-function.ts +++ b/packages/@aws-cdk/custom-resource-handlers/test/custom-resources-framework/expected/node-runtime/singleton-function.ts @@ -11,6 +11,9 @@ export class TestSingletonFunction extends lambda.SingletonFunction { "handler": "index.handler", "runtime": lambda.determineLatestNodeRuntime(scope) }); + this.addMetadata('aws:cdk:is-custom-resource-handler-singleton', true); + if (props?.logGroup) { this.logGroup.node.addMetadata('aws:cdk:is-custom-resource-handler-logGroup', true) }; + if (props?.logRetention) { ((this as any).lambdaFunction as lambda.Function)._logRetention?.node.addMetadata('aws:cdk:is-custom-resource-handler-logRetention', true) }; } } diff --git a/packages/@aws-cdk/custom-resource-handlers/test/custom-resources-framework/expected/python-runtime/custom-resource-provider-core.ts b/packages/@aws-cdk/custom-resource-handlers/test/custom-resources-framework/expected/python-runtime/custom-resource-provider-core.ts index 46b3b7bdf532c..adb473ddac2de 100644 --- a/packages/@aws-cdk/custom-resource-handlers/test/custom-resources-framework/expected/python-runtime/custom-resource-provider-core.ts +++ b/packages/@aws-cdk/custom-resource-handlers/test/custom-resources-framework/expected/python-runtime/custom-resource-provider-core.ts @@ -28,5 +28,6 @@ export class TestProvider extends CustomResourceProviderBase { "codeDirectory": path.join(__dirname, 'my-handler'), "runtimeName": "python3.10" }); + this.node.addMetadata('aws:cdk:is-custom-resource-handler-customResourceProvider', true); } } \ No newline at end of file diff --git a/packages/@aws-cdk/custom-resource-handlers/test/custom-resources-framework/expected/python-runtime/custom-resource-provider.ts b/packages/@aws-cdk/custom-resource-handlers/test/custom-resources-framework/expected/python-runtime/custom-resource-provider.ts index 0ab4377ec0ebd..f16d83520d172 100644 --- a/packages/@aws-cdk/custom-resource-handlers/test/custom-resources-framework/expected/python-runtime/custom-resource-provider.ts +++ b/packages/@aws-cdk/custom-resource-handlers/test/custom-resources-framework/expected/python-runtime/custom-resource-provider.ts @@ -27,5 +27,6 @@ export class TestProvider extends CustomResourceProviderBase { "codeDirectory": path.join(__dirname, 'my-handler'), "runtimeName": "python3.10" }); + this.node.addMetadata('aws:cdk:is-custom-resource-handler-customResourceProvider', true); } } \ No newline at end of file diff --git a/packages/@aws-cdk/custom-resource-handlers/test/custom-resources-framework/expected/python-runtime/singleton-function.ts b/packages/@aws-cdk/custom-resource-handlers/test/custom-resources-framework/expected/python-runtime/singleton-function.ts index c8326cbeece52..bd16b8208c24c 100644 --- a/packages/@aws-cdk/custom-resource-handlers/test/custom-resources-framework/expected/python-runtime/singleton-function.ts +++ b/packages/@aws-cdk/custom-resource-handlers/test/custom-resources-framework/expected/python-runtime/singleton-function.ts @@ -11,6 +11,9 @@ export class TestSingletonFunction extends lambda.SingletonFunction { "handler": "index.handler", "runtime": lambda.Runtime.PYTHON_3_10 }); + this.addMetadata('aws:cdk:is-custom-resource-handler-singleton', true); + if (props?.logGroup) { this.logGroup.node.addMetadata('aws:cdk:is-custom-resource-handler-logGroup', true) }; + if (props?.logRetention) { ((this as any).lambdaFunction as lambda.Function)._logRetention?.node.addMetadata('aws:cdk:is-custom-resource-handler-logRetention', true) }; } } diff --git a/packages/@aws-cdk/custom-resource-handlers/test/custom-resources-framework/expected/singleton-function-eval-nodejs.ts b/packages/@aws-cdk/custom-resource-handlers/test/custom-resources-framework/expected/singleton-function-eval-nodejs.ts index a5f790c300641..d8f29a94c6e4b 100644 --- a/packages/@aws-cdk/custom-resource-handlers/test/custom-resources-framework/expected/singleton-function-eval-nodejs.ts +++ b/packages/@aws-cdk/custom-resource-handlers/test/custom-resources-framework/expected/singleton-function-eval-nodejs.ts @@ -11,6 +11,9 @@ export class EvalNodejsSingletonFunction extends lambda.SingletonFunction { "handler": "index.handler", "runtime": (props.runtime ? props.runtime : lambda.determineLatestNodeRuntime(scope)) }); + this.addMetadata('aws:cdk:is-custom-resource-handler-singleton', true); + if (props?.logGroup) { this.logGroup.node.addMetadata('aws:cdk:is-custom-resource-handler-logGroup', true) }; + if (props?.logRetention) { ((this as any).lambdaFunction as lambda.Function)._logRetention?.node.addMetadata('aws:cdk:is-custom-resource-handler-logRetention', true) }; } } diff --git a/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md b/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md index aad87ef49fbde..9e980cc71faae 100644 --- a/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md +++ b/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md @@ -71,7 +71,6 @@ Flags come in three types: | [@aws-cdk/pipelines:reduceAssetRoleTrustScope](#aws-cdkpipelinesreduceassetroletrustscope) | Remove the root account principal from PipelineAssetsFileRole trust policy | 2.141.0 | (default) | | [@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm](#aws-cdkaws-ecsremovedefaultdeploymentalarm) | When enabled, remove default deployment alarm settings | 2.143.0 | (default) | | [@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault](#aws-cdkcustom-resourceslogapiresponsedatapropertytruedefault) | When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default | 2.145.0 | (fix) | -| [@aws-cdk/aws-stepfunctions-tasks:ecsReduceRunTaskPermissions](#aws-cdkaws-stepfunctions-tasksecsreduceruntaskpermissions) | When enabled, IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN. | 2.148.0 | (fix) | @@ -132,8 +131,7 @@ The following json shows the current recommended set of flags, as `cdk init` wou "@aws-cdk/aws-eks:nodegroupNameAttribute": true, "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true, "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true, - "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false, - "@aws-cdk/aws-stepfunctions-tasks:ecsReduceRunTaskPermissions": true + "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false } } ``` @@ -1340,19 +1338,4 @@ property from the event object. | 2.145.0 | `false` | `false` | -### @aws-cdk/aws-stepfunctions-tasks:ecsReduceRunTaskPermissions - -*When enabled, IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN.* (fix) - -When this feature flag is enabled, the IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN. -The revision ARN is more specific than the task definition ARN. See https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html -for more details. - - -| Since | Default | Recommended | -| ----- | ----- | ----- | -| (not in v1) | | | -| 2.148.0 | `false` | `true` | - - - \ No newline at end of file + diff --git a/packages/@aws-cdk/cx-api/package.json b/packages/@aws-cdk/cx-api/package.json index 9f6ae2cf09c03..934dc131399b4 100644 --- a/packages/@aws-cdk/cx-api/package.json +++ b/packages/@aws-cdk/cx-api/package.json @@ -82,12 +82,12 @@ "semver": "^7.6.2" }, "peerDependencies": { - "@aws-cdk/cloud-assembly-schema": "0.0.0" + "@aws-cdk/cloud-assembly-schema": "^36.0.5" }, "license": "Apache-2.0", "devDependencies": { "@aws-cdk/cdk-build-tools": "0.0.0", - "@aws-cdk/cloud-assembly-schema": "0.0.0", + "@aws-cdk/cloud-assembly-schema": "^36.0.5", "@aws-cdk/pkglint": "0.0.0", "@types/jest": "^29.5.12", "@types/mock-fs": "^4.13.4", @@ -120,4 +120,4 @@ "publishConfig": { "tag": "latest" } -} +} \ No newline at end of file diff --git a/packages/@aws-cdk/integ-runner/THIRD_PARTY_LICENSES b/packages/@aws-cdk/integ-runner/THIRD_PARTY_LICENSES index 893b93cf2cd93..4467ac778b87e 100644 --- a/packages/@aws-cdk/integ-runner/THIRD_PARTY_LICENSES +++ b/packages/@aws-cdk/integ-runner/THIRD_PARTY_LICENSES @@ -750,7 +750,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ---------------- -** semver@7.6.2 - https://www.npmjs.com/package/semver/v/7.6.2 | ISC +** semver@7.6.3 - https://www.npmjs.com/package/semver/v/7.6.3 | ISC The ISC License Copyright (c) Isaac Z. Schlueter and Contributors diff --git a/packages/@aws-cdk/integ-runner/package.json b/packages/@aws-cdk/integ-runner/package.json index 4891fc574f029..76f88b48c2ad7 100644 --- a/packages/@aws-cdk/integ-runner/package.json +++ b/packages/@aws-cdk/integ-runner/package.json @@ -71,11 +71,11 @@ }, "dependencies": { "chokidar": "^3.6.0", - "@aws-cdk/cloud-assembly-schema": "0.0.0", + "@aws-cdk/cloud-assembly-schema": "^36.0.5", "@aws-cdk/cloudformation-diff": "0.0.0", "@aws-cdk/cx-api": "0.0.0", - "@aws-cdk/aws-service-spec": "^0.1.15", - "cdk-assets": "0.0.0", + "@aws-cdk/aws-service-spec": "^0.1.17", + "cdk-assets": "^2.151.2", "@aws-cdk/cdk-cli-wrapper": "0.0.0", "aws-cdk": "0.0.0", "chalk": "^4", @@ -108,4 +108,4 @@ "publishConfig": { "tag": "latest" } -} +} \ No newline at end of file diff --git a/packages/aws-cdk-lib/.jsii.tabl.json.gz b/packages/aws-cdk-lib/.jsii.tabl.json.gz new file mode 100644 index 0000000000000..f974e4715014a Binary files /dev/null and b/packages/aws-cdk-lib/.jsii.tabl.json.gz differ diff --git a/packages/aws-cdk-lib/aws-bedrock/lib/foundation-model.ts b/packages/aws-cdk-lib/aws-bedrock/lib/foundation-model.ts index daacd34ef584d..fd1881119b336 100644 --- a/packages/aws-cdk-lib/aws-bedrock/lib/foundation-model.ts +++ b/packages/aws-cdk-lib/aws-bedrock/lib/foundation-model.ts @@ -50,6 +50,9 @@ export class FoundationModelIdentifier { /** Base model "amazon.titan-image-generator-v1:0". */ public static readonly AMAZON_TITAN_IMAGE_GENERATOR_V1_0 = new FoundationModelIdentifier('amazon.titan-image-generator-v1:0'); + /** Base model "amazon.titan-image-generator-v2:0". */ + public static readonly AMAZON_TITAN_IMAGE_GENERATOR_V2_0 = new FoundationModelIdentifier('amazon.titan-image-generator-v2:0'); + /** Base model "amazon.titan-embed-image-v1:0". */ public static readonly AMAZON_TITAN_EMBED_IMAGE_V1_0 = new FoundationModelIdentifier('amazon.titan-embed-image-v1:0'); diff --git a/packages/aws-cdk-lib/aws-cloudfront/lib/web-distribution.ts b/packages/aws-cdk-lib/aws-cloudfront/lib/web-distribution.ts index c0fd28b157416..50f2d304b3aee 100644 --- a/packages/aws-cdk-lib/aws-cloudfront/lib/web-distribution.ts +++ b/packages/aws-cdk-lib/aws-cloudfront/lib/web-distribution.ts @@ -129,7 +129,7 @@ interface SourceConfigurationRender { /** * A source configuration is a wrapper for CloudFront origins and behaviors. - * An origin is what CloudFront will "be in front of" - that is, CloudFront will pull it's assets from an origin. + * An origin is what CloudFront will "be in front of" - that is, CloudFront will pull its assets from an origin. * * If you're using s3 as a source - pass the `s3Origin` property, otherwise, pass the `customOriginSource` property. * @@ -479,7 +479,7 @@ export interface LambdaFunctionAssociation { /** * Allows a Lambda function to have read access to the body content. * Only valid for "request" event types (`ORIGIN_REQUEST` or `VIEWER_REQUEST`). - * See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-include-body-access.html + * @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-include-body-access.html * * @default false */ @@ -736,7 +736,7 @@ export interface CloudFrontWebDistributionAttributes { * }); * ``` * - * This will create a CloudFront distribution that uses your S3Bucket as it's origin. + * This will create a CloudFront distribution that uses your S3Bucket as its origin. * * You can customize the distribution using additional properties from the CloudFrontWebDistributionProps interface. * diff --git a/packages/aws-cdk-lib/aws-codepipeline-actions/test/servicecatalog/servicecatalog-deploy-action-beta1.test.ts b/packages/aws-cdk-lib/aws-codepipeline-actions/test/servicecatalog/servicecatalog-deploy-action-beta1.test.ts index 30388c7801783..cee8f139e117f 100644 --- a/packages/aws-cdk-lib/aws-codepipeline-actions/test/servicecatalog/servicecatalog-deploy-action-beta1.test.ts +++ b/packages/aws-cdk-lib/aws-codepipeline-actions/test/servicecatalog/servicecatalog-deploy-action-beta1.test.ts @@ -7,7 +7,7 @@ import * as cpactions from '../../lib'; /* eslint-disable quote-props */ describe('ServiceCatalog Deploy Action', () => { - test('addAction successfully leads to creation of codepipeline service catalog action with properly formatted TemplateFilePath', () => { + test('addAction succesfully leads to creation of codepipeline service catalog action with properly formatted TemplateFilePath', () => { // GIVEN const stack = new TestFixture(); // WHEN diff --git a/packages/aws-cdk-lib/aws-ec2/lib/instance-types.ts b/packages/aws-cdk-lib/aws-ec2/lib/instance-types.ts index 4a09f956145f7..f5fa84835d910 100644 --- a/packages/aws-cdk-lib/aws-ec2/lib/instance-types.ts +++ b/packages/aws-cdk-lib/aws-ec2/lib/instance-types.ts @@ -1170,6 +1170,16 @@ export enum InstanceClass { */ MAC2_M2PRO = 'mac2-m2pro', + /** + * Macintosh instances built on 2022 Mac Studio hardware powered by Apple silicon M1 Ultra processors + */ + MACINTOSH2_M1_ULTRA = 'macintosh2-m1-ultra', + + /** + * Macintosh instances built on 2022 Mac Studio hardware powered by Apple silicon M1 Ultra processors + */ + MAC2_M1ULTRA = 'mac2-m1ultra', + /** * Multi-stream video transcoding instances for resolutions up to 4K UHD, 1st generation */ @@ -1632,6 +1642,8 @@ export class InstanceType { [InstanceClass.MAC2_M2]: 'mac2-m2', [InstanceClass.MACINTOSH2_M2_PRO]: 'mac2-m2pro', [InstanceClass.MAC2_M2PRO]: 'mac2-m2pro', + [InstanceClass.MACINTOSH2_M1_ULTRA]: 'mac2-m1ultra', + [InstanceClass.MAC2_M1ULTRA]: 'mac2-m1ultra', [InstanceClass.VIDEO_TRANSCODING1]: 'vt1', [InstanceClass.VT1]: 'vt1', [InstanceClass.HIGH_PERFORMANCE_COMPUTING6_AMD]: 'hpc6a', diff --git a/packages/aws-cdk-lib/aws-ec2/test/instance-type.test.ts b/packages/aws-cdk-lib/aws-ec2/test/instance-type.test.ts new file mode 100644 index 0000000000000..97dee37418cc2 --- /dev/null +++ b/packages/aws-cdk-lib/aws-ec2/test/instance-type.test.ts @@ -0,0 +1,8 @@ +import { InstanceClass, InstanceSize, InstanceType } from '../lib'; + +describe('InstanceType', () => { + test('mac2 m1 ultra', () => { + const instanceType = InstanceType.of(InstanceClass.MAC2_M1ULTRA, InstanceSize.METAL); + expect(instanceType.toString()).toEqual('mac2-m1ultra.metal'); + }); +}); \ No newline at end of file diff --git a/packages/aws-cdk-lib/aws-ecs-patterns/test/fargate/load-balanced-fargate-service-v2.test.ts b/packages/aws-cdk-lib/aws-ecs-patterns/test/fargate/load-balanced-fargate-service-v2.test.ts index 5700a62b58b15..3068e9a8e4e29 100644 --- a/packages/aws-cdk-lib/aws-ecs-patterns/test/fargate/load-balanced-fargate-service-v2.test.ts +++ b/packages/aws-cdk-lib/aws-ecs-patterns/test/fargate/load-balanced-fargate-service-v2.test.ts @@ -642,8 +642,7 @@ describe('Application Load Balancer', () => { // WHEN new ApplicationMultipleTargetGroupsFargateService(stack, 'myService', { cluster: new ecs.Cluster(stack, 'EcsCluster', { vpc }), - cpu: 256, - memoryLimitMiB: 512, + memoryLimitMiB: 256, taskImageOptions: { image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'), }, diff --git a/packages/aws-cdk-lib/aws-ecs-patterns/test/fargate/load-balanced-fargate-service.test.ts b/packages/aws-cdk-lib/aws-ecs-patterns/test/fargate/load-balanced-fargate-service.test.ts index bf60714822fcd..18b6b929f76f6 100644 --- a/packages/aws-cdk-lib/aws-ecs-patterns/test/fargate/load-balanced-fargate-service.test.ts +++ b/packages/aws-cdk-lib/aws-ecs-patterns/test/fargate/load-balanced-fargate-service.test.ts @@ -554,7 +554,7 @@ describe('ApplicationLoadBalancedFargateService', () => { // WHEN const taskDef = new ecs.FargateTaskDefinition(stack1, 'TaskDef', { cpu: 1024, - memoryLimitMiB: 2048, + memoryLimitMiB: 1024, }); const container = taskDef.addContainer('Container', { image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'), @@ -1816,7 +1816,7 @@ describe('NetworkLoadBalancedFargateService', () => { }); const taskDef = new ecs.FargateTaskDefinition(stack2, 'TaskDef', { cpu: 1024, - memoryLimitMiB: 2048, + memoryLimitMiB: 1024, }); const container = taskDef.addContainer('myContainer', { image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'), diff --git a/packages/aws-cdk-lib/aws-ecs-patterns/test/fargate/scheduled-fargate-task.test.ts b/packages/aws-cdk-lib/aws-ecs-patterns/test/fargate/scheduled-fargate-task.test.ts index 28d881b8f7d92..7300f3c16e908 100644 --- a/packages/aws-cdk-lib/aws-ecs-patterns/test/fargate/scheduled-fargate-task.test.ts +++ b/packages/aws-cdk-lib/aws-ecs-patterns/test/fargate/scheduled-fargate-task.test.ts @@ -91,7 +91,7 @@ test('Can create a scheduled Fargate Task - with optional props', () => { scheduledFargateTaskImageOptions: { image: ecs.ContainerImage.fromRegistry('henk'), memoryLimitMiB: 512, - cpu: 256, + cpu: 2, ephemeralStorageGiB: 100, environment: { TRIGGER: 'CloudWatch Events' }, }, diff --git a/packages/aws-cdk-lib/aws-ecs/README.md b/packages/aws-cdk-lib/aws-ecs/README.md index 6198c3f8f05c6..f0669e3adcc66 100644 --- a/packages/aws-cdk-lib/aws-ecs/README.md +++ b/packages/aws-cdk-lib/aws-ecs/README.md @@ -505,7 +505,7 @@ To grant a principal permission to run your `TaskDefinition`, you can use the `T ```ts declare const role: iam.IGrantable; const taskDef = new ecs.TaskDefinition(this, 'TaskDef', { - cpu: '256', + cpu: '512', memoryMiB: '512', compatibility: ecs.Compatibility.EC2_AND_FARGATE, }); diff --git a/packages/aws-cdk-lib/aws-ecs/lib/base/task-definition.ts b/packages/aws-cdk-lib/aws-ecs/lib/base/task-definition.ts index c3896e1113811..7ab075ae777ce 100644 --- a/packages/aws-cdk-lib/aws-ecs/lib/base/task-definition.ts +++ b/packages/aws-cdk-lib/aws-ecs/lib/base/task-definition.ts @@ -432,9 +432,23 @@ export class TaskDefinition extends TaskDefinitionBase { } this.networkMode = props.networkMode ?? (this.isFargateCompatible ? NetworkMode.AWS_VPC : NetworkMode.BRIDGE); + if (this.isFargateCompatible && this.networkMode !== NetworkMode.AWS_VPC) { + throw new Error(`Fargate tasks can only have AwsVpc network mode, got: ${this.networkMode}`); + } if (props.proxyConfiguration && this.networkMode !== NetworkMode.AWS_VPC) { throw new Error(`ProxyConfiguration can only be used with AwsVpc network mode, got: ${this.networkMode}`); } + if (props.placementConstraints && props.placementConstraints.length > 0 && this.isFargateCompatible) { + throw new Error('Cannot set placement constraints on tasks that run on Fargate'); + } + + if (this.isFargateCompatible && (!props.cpu || !props.memoryMiB)) { + throw new Error(`Fargate-compatible tasks require both CPU (${props.cpu}) and memory (${props.memoryMiB}) specifications`); + } + + if (props.inferenceAccelerators && props.inferenceAccelerators.length > 0 && this.isFargateCompatible) { + throw new Error('Cannot use inference accelerators on tasks that run on Fargate'); + } if (this.isExternalCompatible && ![NetworkMode.BRIDGE, NetworkMode.HOST, NetworkMode.NONE].includes(this.networkMode)) { throw new Error(`External tasks can only have Bridge, Host or None network mode, got: ${this.networkMode}`); @@ -444,30 +458,6 @@ export class TaskDefinition extends TaskDefinitionBase { throw new Error('Cannot specify runtimePlatform in non-Fargate compatible tasks'); } - //FARGATE compatible tasks pre-checks - if (this.isFargateCompatible) { - if (this.networkMode !== NetworkMode.AWS_VPC) { - throw new Error(`Fargate tasks can only have AwsVpc network mode, got: ${this.networkMode}`); - } - - if (props.placementConstraints && props.placementConstraints.length > 0) { - throw new Error('Cannot set placement constraints on tasks that run on Fargate'); - } - - if (!props.cpu || !props.memoryMiB) { - throw new Error(`Fargate-compatible tasks require both CPU (${props.cpu}) and memory (${props.memoryMiB}) specifications`); - } - - if (props.inferenceAccelerators && props.inferenceAccelerators.length > 0) { - throw new Error('Cannot use inference accelerators on tasks that run on Fargate'); - } - - // Check the combination as per doc https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html - this.node.addValidation({ - validate: () => this.validateFargateTaskDefinitionMemoryCpu(props.cpu!, props.memoryMiB!), - }); - } - this._executionRole = props.executionRole; this.taskRole = props.taskRole || new iam.Role(this, 'TaskRole', { @@ -909,40 +899,6 @@ export class TaskDefinition extends TaskDefinitionBase { throw new Error(`If operatingSystemFamily is ${runtimePlatform.operatingSystemFamily!._operatingSystemFamily}, then cpu must be in 1024 (1 vCPU), 2048 (2 vCPU), or 4096 (4 vCPU). Provided value was: ${cpu}`); } }; - - private validateFargateTaskDefinitionMemoryCpu(cpu: string, memory: string): string[] { - const ret = new Array(); - const resolvedCpu = this.stack.resolve(cpu) as string; - const resolvedMemoryMiB = this.stack.resolve(memory) as string; - const validCpuMemoryCombinations = [ - { cpu: '256', memory: ['512', '1024', '2048'] }, - { cpu: '512', memory: this.range(1024, 4096, 1024) }, - { cpu: '1024', memory: this.range(2048, 8192, 1024) }, - { cpu: '2048', memory: this.range(4096, 16384, 1024) }, - { cpu: '4096', memory: this.range(8192, 30720, 1024) }, - { cpu: '8192', memory: this.range(16384, 61440, 4096) }, - { cpu: '16384', memory: this.range(32768, 122880, 8192) }, - ]; - - const isValidCombination = validCpuMemoryCombinations.some((combo) => { - return combo.cpu === resolvedCpu && combo.memory.includes(resolvedMemoryMiB); - }); - - if (!isValidCombination) { - ret.push('Invalid CPU and memory combinations for FARGATE compatible task definition - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html'); - } - - return ret; - } - - private range(start: number, end: number, step: number): string[] { - const result = []; - for (let i = start; i <= end; i += step) { - result.push(String(i)); - } - return result; - } - } /** diff --git a/packages/aws-cdk-lib/aws-ecs/test/fargate/fargate-task-definition.test.ts b/packages/aws-cdk-lib/aws-ecs/test/fargate/fargate-task-definition.test.ts index 9d7c03c4a877f..be93c76e2b65e 100644 --- a/packages/aws-cdk-lib/aws-ecs/test/fargate/fargate-task-definition.test.ts +++ b/packages/aws-cdk-lib/aws-ecs/test/fargate/fargate-task-definition.test.ts @@ -26,13 +26,13 @@ describe('fargate task definition', () => { const stack = new cdk.Stack(); new ecs.FargateTaskDefinition(stack, 'FargateTaskDef', { - cpu: cdk.Lazy.number({ produce: () => 512 }), + cpu: cdk.Lazy.number({ produce: () => 128 }), memoryLimitMiB: cdk.Lazy.number({ produce: () => 1024 }), }); // THEN Template.fromStack(stack).hasResourceProperties('AWS::ECS::TaskDefinition', { - Cpu: '512', + Cpu: '128', Memory: '1024', }); @@ -42,7 +42,7 @@ describe('fargate task definition', () => { // GIVEN const stack = new cdk.Stack(); const taskDefinition = new ecs.FargateTaskDefinition(stack, 'FargateTaskDef', { - cpu: 256, + cpu: 128, executionRole: new iam.Role(stack, 'ExecutionRole', { path: '/', assumedBy: new iam.CompositePrincipal( @@ -72,7 +72,7 @@ describe('fargate task definition', () => { // THEN Template.fromStack(stack).hasResourceProperties('AWS::ECS::TaskDefinition', { - Cpu: '256', + Cpu: '128', ExecutionRoleArn: { 'Fn::GetAtt': [ 'ExecutionRole605A040B', @@ -216,32 +216,6 @@ describe('fargate task definition', () => { }); }).toThrow(/'pidMode' can only be set to 'task' for Linux Fargate containers, got: 'host'./); }); - - test('throws error when invalid CPU and memory combination is provided', () => { - const stack = new cdk.Stack(); - - new ecs.FargateTaskDefinition(stack, 'FargateTaskDef', { - cpu: 256, - memoryLimitMiB: 125, - }); - - expect(() => { - Template.fromStack(stack); - }).toThrow(/Invalid CPU and memory combinations for FARGATE compatible task definition/); - }); - - test('successful when valid CPU and memory combination is provided', () => { - const stack = new cdk.Stack(); - new ecs.FargateTaskDefinition(stack, 'FargateTaskDef', { - cpu: 256, - memoryLimitMiB: 512, - }); - - Template.fromStack(stack).hasResourceProperties('AWS::ECS::TaskDefinition', { - Cpu: '256', - Memory: '512', - }); - }); }); describe('When configuredAtLaunch in the Volume', ()=> { test('do not throw when configuredAtLaunch is false', () => { diff --git a/packages/aws-cdk-lib/aws-ecs/test/task-definition.test.ts b/packages/aws-cdk-lib/aws-ecs/test/task-definition.test.ts index 2347ded71b363..f098b3e89afcb 100644 --- a/packages/aws-cdk-lib/aws-ecs/test/task-definition.test.ts +++ b/packages/aws-cdk-lib/aws-ecs/test/task-definition.test.ts @@ -14,7 +14,7 @@ describe('task definition', () => { // WHEN new ecs.TaskDefinition(stack, 'TD', { - cpu: '256', + cpu: '512', memoryMiB: '512', compatibility: ecs.Compatibility.EC2_AND_FARGATE, }); @@ -51,7 +51,7 @@ describe('task definition', () => { assumedBy: new iam.AccountRootPrincipal(), }); const taskDef = new ecs.TaskDefinition(stack, 'TD', { - cpu: '256', + cpu: '512', memoryMiB: '512', compatibility: ecs.Compatibility.EC2_AND_FARGATE, }); @@ -96,7 +96,7 @@ describe('task definition', () => { assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'), }); const taskDef = new ecs.TaskDefinition(stack, 'TD', { - cpu: '256', + cpu: '512', memoryMiB: '512', compatibility: ecs.Compatibility.EC2_AND_FARGATE, executionRole: executionRole, @@ -154,7 +154,7 @@ describe('task definition', () => { }, ); const taskDef = new ecs.TaskDefinition(stack, 'TD', { - cpu: '256', + cpu: '512', memoryMiB: '512', compatibility: ecs.Compatibility.EC2_AND_FARGATE, }); @@ -387,7 +387,7 @@ describe('task definition', () => { }, ); const taskDef = new ecs.TaskDefinition(stack, 'TD', { - cpu: '256', + cpu: '512', memoryMiB: '512', compatibility: ecs.Compatibility.EC2_AND_FARGATE, }); @@ -457,34 +457,6 @@ describe('task definition', () => { Template.fromStack(stack); }).toThrow("ECS Container Container must have at least one of 'memoryLimitMiB' or 'memoryReservationMiB' specified"); }); - - test('throws error when invalid CPU and memory combination is provided with Fargate compatibilities', () => { - const stack = new cdk.Stack(); - - new ecs.TaskDefinition(stack, 'TaskDef', { - compatibility: ecs.Compatibility.EC2_AND_FARGATE, - cpu: '122', - memoryMiB: '513', - }); - - expect(() => { - Template.fromStack(stack); - }).toThrow(/Invalid CPU and memory combinations for FARGATE compatible task definition/); - }); - - test('successful when valid CPU and memory combination is provided with Fargate compatibilities', () => { - const stack = new cdk.Stack(); - new ecs.TaskDefinition(stack, 'TaskDef', { - compatibility: ecs.Compatibility.EC2_AND_FARGATE, - cpu: '256', - memoryMiB: '512', - }); - - Template.fromStack(stack).hasResourceProperties('AWS::ECS::TaskDefinition', { - Cpu: '256', - Memory: '512', - }); - }); }); describe('When importing from an existing Task definition', () => { @@ -588,7 +560,7 @@ describe('task definition', () => { const stack = new cdk.Stack(); const taskDefinition = new ecs.TaskDefinition(stack, 'TaskDef', { cpu: '512', - memoryMiB: '1024', + memoryMiB: '512', compatibility: ecs.Compatibility.FARGATE, }); @@ -638,7 +610,7 @@ describe('task definition', () => { const stack = new cdk.Stack(); const taskDefinition = new ecs.TaskDefinition(stack, 'TaskDef', { cpu: '512', - memoryMiB: '1024', + memoryMiB: '512', compatibility: ecs.Compatibility.FARGATE, }); diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2-targets/lib/alb-target.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2-targets/lib/alb-target.ts index ec658da181af6..ccb2aeb0c49aa 100644 --- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2-targets/lib/alb-target.ts +++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2-targets/lib/alb-target.ts @@ -5,7 +5,8 @@ import * as elbv2 from '../../aws-elasticloadbalancingv2'; */ export class AlbArnTarget implements elbv2.INetworkLoadBalancerTarget { /** - * Create a new alb target + * Create a new alb target. + * Note that the ALB must have a listener on the provided target port. * * @param albArn The ARN of the application load balancer to load balance to * @param port The port on which the target is listening @@ -20,10 +21,13 @@ export class AlbArnTarget implements elbv2.INetworkLoadBalancerTarget { * load balancer. */ public attachToNetworkTargetGroup(targetGroup: elbv2.INetworkTargetGroup): elbv2.LoadBalancerTargetProps { - return this.attach(targetGroup); + return this._attach(targetGroup); } - private attach(_targetGroup: elbv2.ITargetGroup): elbv2.LoadBalancerTargetProps { + /** + * @internal + */ + protected _attach(_targetGroup: elbv2.ITargetGroup): elbv2.LoadBalancerTargetProps { return { targetType: elbv2.TargetType.ALB, targetJson: { id: this.albArn, port: this.port }, @@ -32,8 +36,13 @@ export class AlbArnTarget implements elbv2.INetworkLoadBalancerTarget { } /** - * A single Application Load Balancer as the target for load balancing. - */ + * A single Application Load Balancer as the target for load balancing. + * @deprecated Use `AlbListenerTarget` instead or + * `AlbArnTarget` for an imported load balancer. This target does not automatically + * add a dependency between the ALB listener and resulting NLB target group, + * without which may cause stack deployments to fail if the NLB target group is provisioned + * before the listener has been fully created. + */ export class AlbTarget extends AlbArnTarget { /** * @param alb The application load balancer to load balance to @@ -43,3 +52,37 @@ export class AlbTarget extends AlbArnTarget { super(alb.loadBalancerArn, port); } } + +/** + * A single Application Load Balancer's listener as the target for load balancing. + */ +export class AlbListenerTarget extends AlbArnTarget { + /** + * Create a new ALB target. + * The associated target group will automatically have a dependency added + * against the ALB's listener. + * + * @param albListener The application load balancer listener to target. + */ + constructor(private albListener: elbv2.ApplicationListener) { + super(albListener.loadBalancer.loadBalancerArn, albListener.port); + } + + private attach(targetGroup: elbv2.ITargetGroup): elbv2.LoadBalancerTargetProps { + targetGroup.node.addDependency(this.albListener); + return super._attach(targetGroup); + } + + /** + * Register this ALB target with a load balancer. + * + * Don't call this, it is called automatically when you add the target to a + * load balancer. + * + * This adds dependency on albListener because creation of ALB listener and NLB can vary during runtime. + * More Details on - https://github.com/aws/aws-cdk/issues/17208 + */ + public attachToNetworkTargetGroup(targetGroup: elbv2.INetworkTargetGroup): elbv2.LoadBalancerTargetProps { + return this.attach(targetGroup); + } +} diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2-targets/test/alb-target.test.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2-targets/test/alb-target.test.ts index c48812bcadc94..322a4e6f507b0 100644 --- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2-targets/test/alb-target.test.ts +++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2-targets/test/alb-target.test.ts @@ -37,6 +37,37 @@ test('Can create target groups with alb target', () => { }); }); +test('AlbListener target creates a dependency on the NLB target group and ALB listener', () => { + // GIVEN + const stack = new Stack(); + const vpc = new ec2.Vpc(stack, 'Stack'); + const alb = new elbv2.ApplicationLoadBalancer(stack, 'ALB', { vpc }); + const albListener = alb.addListener('ALBListener', { + port: 80, + defaultAction: elbv2.ListenerAction.fixedResponse(200), + }); + const nlb = new elbv2.NetworkLoadBalancer(stack, 'NLB', { vpc }); + const listener = nlb.addListener('Listener', { port: 80 }); + + // WHEN + listener.addTargets('Targets', { + targets: [new targets.AlbListenerTarget(albListener)], + port: 80, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::ElasticLoadBalancingV2::TargetGroup', { + Port: 80, + Protocol: 'TCP', + Targets: [{ Id: { Ref: 'ALBAEE750D2' }, Port: 80 }], + TargetType: 'alb', + VpcId: { Ref: 'Stack8A423254' }, + }); + Template.fromStack(stack).hasResource('AWS::ElasticLoadBalancingV2::TargetGroup', { + DependsOn: ['ALBALBListenerDB80B4FD'], + }); +}); + test('Can create target groups with alb arn target', () => { // GIVEN const stack = new Stack(); diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/README.md b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/README.md index 0f16e99b08917..a3052f5f18430 100644 --- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/README.md +++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/README.md @@ -267,6 +267,22 @@ lb.logAccessLogs(bucket); ``` +### Setting up Connection Log Bucket on Application Load Balancer + +Like access log bucket, the only server-side encryption option that's supported is Amazon S3-managed keys (SSE-S3). For more information +Documentation: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-connection-logging.html + +```ts +declare const vpc: ec2.Vpc; + +const bucket = new s3.Bucket(this, 'ALBConnectionLogsBucket',{ + encryption: s3.BucketEncryption.S3_MANAGED, +}); + +const lb = new elbv2.ApplicationLoadBalancer(this, 'LB', { vpc }); +lb.logConnectionLogs(bucket); +``` + ## Defining a Network Load Balancer Network Load Balancers are defined in a similar way to Application Load @@ -537,7 +553,7 @@ const nlb = new elbv2.NetworkLoadBalancer(this, 'Nlb', { const listener = nlb.addListener('listener', { port: 80 }); listener.addTargets('Targets', { - targets: [new targets.AlbTarget(svc.loadBalancer, 80)], + targets: [new targets.AlbListenerTarget(svc.listener)], port: 80, }); diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts index c4c75ea0c8fda..07cfb949f3b83 100644 --- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts +++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts @@ -233,6 +233,11 @@ export class ApplicationListener extends BaseListener implements IApplicationLis */ public readonly loadBalancer: IApplicationLoadBalancer; + /** + * The port of the listener. + */ + public readonly port: number; + /** * ARNs of certificates added to this listener */ @@ -266,6 +271,7 @@ export class ApplicationListener extends BaseListener implements IApplicationLis this.loadBalancer = props.loadBalancer; this.protocol = protocol; + this.port = port; this.certificateArns = []; // Attach certificates diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts index 0ec173c7b77df..2636e26abbdd5 100644 --- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts +++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts @@ -312,6 +312,68 @@ export class ApplicationLoadBalancer extends BaseLoadBalancer implements IApplic } } + /** + * Enable connection logging for this load balancer. + * + * A region must be specified on the stack containing the load balancer; you cannot enable logging on + * environment-agnostic stacks. + * + * @see https://docs.aws.amazon.com/cdk/latest/guide/environments.html + */ + public logConnectionLogs(bucket: s3.IBucket, prefix?: string) { + /** + * KMS key encryption is not supported on Connection Log bucket for ALB, the bucket must use Amazon S3-managed keys (SSE-S3). + * See https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-connection-logging.html#bucket-permissions-troubleshooting-connection + */ + if (bucket.encryptionKey) { + throw new Error('Encryption key detected. Bucket encryption using KMS keys is unsupported'); + } + + prefix = prefix || ''; + this.setAttribute('connection_logs.s3.enabled', 'true'); + this.setAttribute('connection_logs.s3.bucket', bucket.bucketName.toString()); + this.setAttribute('connection_logs.s3.prefix', prefix); + + // https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-connection-logging.html + const logsDeliveryServicePrincipal = new ServicePrincipal('delivery.logs.amazonaws.com'); + bucket.addToResourcePolicy(new PolicyStatement({ + actions: ['s3:PutObject'], + principals: [this.resourcePolicyPrincipal()], + resources: [ + bucket.arnForObjects(`${prefix ? prefix + '/' : ''}AWSLogs/${Stack.of(this).account}/*`), + ], + })); + // We still need this policy for the bucket using the ACL + bucket.addToResourcePolicy( + new PolicyStatement({ + actions: ['s3:PutObject'], + principals: [logsDeliveryServicePrincipal], + resources: [ + bucket.arnForObjects(`${prefix ? prefix + '/' : ''}AWSLogs/${Stack.of(this).account}/*`), + ], + conditions: { + StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' }, + }, + }), + ); + bucket.addToResourcePolicy( + new PolicyStatement({ + actions: ['s3:GetBucketAcl'], + principals: [logsDeliveryServicePrincipal], + resources: [bucket.bucketArn], + }), + ); + + // make sure the bucket's policy is created before the ALB (see https://github.com/aws/aws-cdk/issues/1633) + // at the L1 level to avoid creating a circular dependency (see https://github.com/aws/aws-cdk/issues/27528 + // and https://github.com/aws/aws-cdk/issues/27928) + const lb = this.node.defaultChild; + const bucketPolicy = bucket.policy?.node.defaultChild; + if (lb && bucketPolicy && CfnResource.isCfnResource(lb) && CfnResource.isCfnResource(bucketPolicy)) { + lb.addDependency(bucketPolicy); + } + } + /** * Add a security group to this load balancer */ diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts index 958a881846fab..6838181872275 100644 --- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts +++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts @@ -645,6 +645,345 @@ describe('tests', () => { }); }); + describe('logConnectionLogs', () => { + + class ExtendedLB extends elbv2.ApplicationLoadBalancer { + constructor(scope: Construct, id: string, vpc: ec2.IVpc) { + super(scope, id, { vpc }); + + const connectionLogsBucket = new s3.Bucket(this, 'ALBConnectionLogsBucket', { + blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, + encryption: s3.BucketEncryption.S3_MANAGED, + versioned: true, + serverAccessLogsPrefix: 'selflog/', + enforceSSL: true, + }); + + this.logConnectionLogs(connectionLogsBucket); + } + } + + function loggingSetup(withEncryption: boolean = false ): { stack: cdk.Stack; bucket: s3.Bucket; lb: elbv2.ApplicationLoadBalancer } { + const app = new cdk.App(); + const stack = new cdk.Stack(app, undefined, { env: { region: 'us-east-1' } }); + const vpc = new ec2.Vpc(stack, 'Stack'); + let bucketProps = {}; + if (withEncryption) { + const kmsKey = new Key(stack, 'TestKMSKey'); + bucketProps = { ...bucketProps, encryption: s3.BucketEncryption.KMS, encyptionKey: kmsKey }; + } + const bucket = new s3.Bucket(stack, 'ConnectionLogBucket', { ...bucketProps }); + const lb = new elbv2.ApplicationLoadBalancer(stack, 'LB', { vpc }); + return { stack, bucket, lb }; + } + + test('sets load balancer attributes', () => { + // GIVEN + const { stack, bucket, lb } = loggingSetup(); + + // WHEN + lb.logConnectionLogs(bucket); + + //THEN + Template.fromStack(stack).hasResourceProperties('AWS::ElasticLoadBalancingV2::LoadBalancer', { + LoadBalancerAttributes: Match.arrayWith([ + { + Key: 'connection_logs.s3.enabled', + Value: 'true', + }, + { + Key: 'connection_logs.s3.bucket', + Value: { Ref: 'ConnectionLogBucketFDE8490A' }, + }, + { + Key: 'connection_logs.s3.prefix', + Value: '', + }, + ]), + }); + }); + + test('adds a dependency on the bucket', () => { + // GIVEN + const { stack, bucket, lb } = loggingSetup(); + + // WHEN + lb.logConnectionLogs(bucket); + + // THEN + // verify the ALB depends on the bucket policy + Template.fromStack(stack).hasResource('AWS::ElasticLoadBalancingV2::LoadBalancer', { + DependsOn: ['ConnectionLogBucketPolicyF17C8635'], + }); + }); + + test('logging bucket permissions', () => { + // GIVEN + const { stack, bucket, lb } = loggingSetup(); + + // WHEN + lb.logConnectionLogs(bucket); + + // THEN + // verify the bucket policy allows the ALB to put objects in the bucket + Template.fromStack(stack).hasResourceProperties('AWS::S3::BucketPolicy', { + PolicyDocument: { + Version: '2012-10-17', + Statement: [ + { + Action: 's3:PutObject', + Effect: 'Allow', + Principal: { AWS: { 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::127311923021:root']] } }, + Resource: { + 'Fn::Join': ['', [{ 'Fn::GetAtt': ['ConnectionLogBucketFDE8490A', 'Arn'] }, '/AWSLogs/', + { Ref: 'AWS::AccountId' }, '/*']], + }, + }, + { + Action: 's3:PutObject', + Effect: 'Allow', + Principal: { Service: 'delivery.logs.amazonaws.com' }, + Resource: { + 'Fn::Join': ['', [{ 'Fn::GetAtt': ['ConnectionLogBucketFDE8490A', 'Arn'] }, '/AWSLogs/', + { Ref: 'AWS::AccountId' }, '/*']], + }, + Condition: { StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' } }, + }, + { + Action: 's3:GetBucketAcl', + Effect: 'Allow', + Principal: { Service: 'delivery.logs.amazonaws.com' }, + Resource: { + 'Fn::GetAtt': ['ConnectionLogBucketFDE8490A', 'Arn'], + }, + }, + ], + }, + }); + }); + + test('connection logging with prefix', () => { + // GIVEN + const { stack, bucket, lb } = loggingSetup(); + + // WHEN + lb.logConnectionLogs(bucket, 'prefix-of-connection-logs'); + + // THEN + // verify that the LB attributes reference the bucket + Template.fromStack(stack).hasResourceProperties('AWS::ElasticLoadBalancingV2::LoadBalancer', { + LoadBalancerAttributes: Match.arrayWith([ + { + Key: 'connection_logs.s3.enabled', + Value: 'true', + }, + { + Key: 'connection_logs.s3.bucket', + Value: { Ref: 'ConnectionLogBucketFDE8490A' }, + }, + { + Key: 'connection_logs.s3.prefix', + Value: 'prefix-of-connection-logs', + }, + ]), + }); + + // verify the bucket policy allows the ALB to put objects in the bucket + Template.fromStack(stack).hasResourceProperties('AWS::S3::BucketPolicy', { + PolicyDocument: { + Version: '2012-10-17', + Statement: [ + { + Action: 's3:PutObject', + Effect: 'Allow', + Principal: { AWS: { 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::127311923021:root']] } }, + Resource: { + 'Fn::Join': ['', [{ 'Fn::GetAtt': ['ConnectionLogBucketFDE8490A', 'Arn'] }, '/prefix-of-connection-logs/AWSLogs/', + { Ref: 'AWS::AccountId' }, '/*']], + }, + }, + { + Action: 's3:PutObject', + Effect: 'Allow', + Principal: { Service: 'delivery.logs.amazonaws.com' }, + Resource: { + 'Fn::Join': ['', [{ 'Fn::GetAtt': ['ConnectionLogBucketFDE8490A', 'Arn'] }, '/prefix-of-connection-logs/AWSLogs/', + { Ref: 'AWS::AccountId' }, '/*']], + }, + Condition: { StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' } }, + }, + { + Action: 's3:GetBucketAcl', + Effect: 'Allow', + Principal: { Service: 'delivery.logs.amazonaws.com' }, + Resource: { + 'Fn::GetAtt': ['ConnectionLogBucketFDE8490A', 'Arn'], + }, + }, + ], + }, + }); + }); + + test('bucket with KMS throws validation error', () => { + //GIVEN + const { stack, bucket, lb } = loggingSetup(true); + + // WHEN + const logConnectionLogFunctionTest = () => lb.logConnectionLogs(bucket); + + // THEN + // verify failure in case the connection log bucket is encrypted with KMS + expect(logConnectionLogFunctionTest).toThrow('Encryption key detected. Bucket encryption using KMS keys is unsupported'); + + }); + + test('connection logging on imported bucket', () => { + // GIVEN + const { stack, lb } = loggingSetup(); + + const bucket = s3.Bucket.fromBucketName(stack, 'ImportedConnectionLoggingBucket', 'imported-bucket'); + // Imported buckets have `autoCreatePolicy` disabled by default + bucket.policy = new s3.BucketPolicy(stack, 'ImportedConnectionLoggingBucketPolicy', { + bucket, + }); + + // WHEN + lb.logConnectionLogs(bucket); + + // THEN + // verify that the LB attributes reference the bucket + Template.fromStack(stack).hasResourceProperties('AWS::ElasticLoadBalancingV2::LoadBalancer', { + LoadBalancerAttributes: Match.arrayWith([ + { + Key: 'connection_logs.s3.enabled', + Value: 'true', + }, + { + Key: 'connection_logs.s3.bucket', + Value: 'imported-bucket', + }, + { + Key: 'connection_logs.s3.prefix', + Value: '', + }, + ]), + }); + + // verify the bucket policy allows the ALB to put objects in the bucket + Template.fromStack(stack).hasResourceProperties('AWS::S3::BucketPolicy', { + PolicyDocument: { + Version: '2012-10-17', + Statement: [ + { + Action: 's3:PutObject', + Effect: 'Allow', + Principal: { AWS: { 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::127311923021:root']] } }, + Resource: { + 'Fn::Join': [ + '', + [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':s3:::imported-bucket/AWSLogs/', + { Ref: 'AWS::AccountId' }, + '/*', + ], + ], + }, + }, + { + Action: 's3:PutObject', + Effect: 'Allow', + Principal: { Service: 'delivery.logs.amazonaws.com' }, + Resource: { + 'Fn::Join': [ + '', + [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':s3:::imported-bucket/AWSLogs/', + { Ref: 'AWS::AccountId' }, + '/*', + ], + ], + }, + Condition: { StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' } }, + }, + { + Action: 's3:GetBucketAcl', + Effect: 'Allow', + Principal: { Service: 'delivery.logs.amazonaws.com' }, + Resource: { + 'Fn::Join': [ + '', + [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':s3:::imported-bucket', + ], + ], + }, + }, + ], + }, + }); + + // verify the ALB depends on the bucket policy + Template.fromStack(stack).hasResource('AWS::ElasticLoadBalancingV2::LoadBalancer', { + DependsOn: ['ImportedConnectionLoggingBucketPolicy548EEC12'], + }); + }); + + test('does not add circular dependency on bucket with extended load balancer', () => { + // GIVEN + const { stack } = loggingSetup(); + const vpc = new ec2.Vpc(stack, 'Vpc'); + + // WHEN + new ExtendedLB(stack, 'ExtendedLB', vpc); + + // THEN + Template.fromStack(stack).hasResource('AWS::S3::Bucket', { + Type: 'AWS::S3::Bucket', + Properties: { + AccessControl: 'LogDeliveryWrite', + BucketEncryption: { + ServerSideEncryptionConfiguration: [ + { + ServerSideEncryptionByDefault: { + SSEAlgorithm: 'AES256', + }, + }, + ], + }, + LoggingConfiguration: { + LogFilePrefix: 'selflog/', + }, + OwnershipControls: { + Rules: [ + { + ObjectOwnership: 'ObjectWriter', + }, + ], + }, + PublicAccessBlockConfiguration: { + BlockPublicAcls: true, + BlockPublicPolicy: true, + IgnorePublicAcls: true, + RestrictPublicBuckets: true, + }, + VersioningConfiguration: { + Status: 'Enabled', + }, + }, + UpdateReplacePolicy: 'Retain', + DeletionPolicy: 'Retain', + DependsOn: Match.absent(), + }); + }); + }); + test('Exercise metrics', () => { // GIVEN const stack = new cdk.Stack(); diff --git a/packages/aws-cdk-lib/aws-lambda-event-sources/README.md b/packages/aws-cdk-lib/aws-lambda-event-sources/README.md index c7fe6791f4df6..8c88ae99bc8b8 100644 --- a/packages/aws-cdk-lib/aws-lambda-event-sources/README.md +++ b/packages/aws-cdk-lib/aws-lambda-event-sources/README.md @@ -313,6 +313,39 @@ myFunction.addEventSource(new ManagedKafkaEventSource({ })); ``` +By default, Lambda will encrypt Filter Criteria using AWS managed keys. But if you want to use a self managed KMS key to encrypt the filters, You can specify the self managed key using the `filterEncryption` property. + +```ts +import { ManagedKafkaEventSource } from 'aws-cdk-lib/aws-lambda-event-sources'; +import { Key } from 'aws-cdk-lib/aws-kms'; + +// Your MSK cluster arn +const clusterArn = 'arn:aws:kafka:us-east-1:0123456789019:cluster/SalesCluster/abcd1234-abcd-cafe-abab-9876543210ab-4'; + +// The Kafka topic you want to subscribe to +const topic = 'some-cool-topic'; + +// Your self managed KMS key +const myKey = Key.fromKeyArn( + this, + 'SourceBucketEncryptionKey', + 'arn:aws:kms:us-east-1:123456789012:key/', +); + +declare const myFunction: lambda.Function; +myFunction.addEventSource(new ManagedKafkaEventSource({ + clusterArn, + topic, + startingPosition: lambda.StartingPosition.TRIM_HORIZON, + filters: [ + lambda.FilterCriteria.filter({ + stringEquals: lambda.FilterRule.isEqual('test'), + }), + ], + filterEncryption: myKey, +})); +``` + You can also specify an S3 bucket as an "on failure" destination: ```ts diff --git a/packages/aws-cdk-lib/aws-lambda-event-sources/lib/kafka.ts b/packages/aws-cdk-lib/aws-lambda-event-sources/lib/kafka.ts index d9d03988a19a3..3c75a45a51447 100644 --- a/packages/aws-cdk-lib/aws-lambda-event-sources/lib/kafka.ts +++ b/packages/aws-cdk-lib/aws-lambda-event-sources/lib/kafka.ts @@ -2,6 +2,7 @@ import { Construct } from 'constructs'; import { StreamEventSource, BaseStreamEventSourceProps } from './stream'; import { ISecurityGroup, IVpc, SubnetSelection } from '../../aws-ec2'; import * as iam from '../../aws-iam'; +import { IKey } from '../../aws-kms'; import * as lambda from '../../aws-lambda'; import * as secretsmanager from '../../aws-secretsmanager'; import { Stack, Names } from '../../core'; @@ -38,6 +39,16 @@ export interface KafkaEventSourceProps extends BaseStreamEventSourceProps { */ readonly filters?: Array<{[key: string]: any}>; + /** + * Add Customer managed KMS key to encrypt Filter Criteria. + * @see https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventfiltering.html + * By default, Lambda will encrypt Filter Criteria using AWS managed keys + * @see https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk + * + * @default - none + */ + readonly filterEncryption?: IKey; + /** * Add an on Failure Destination for this Kafka event. SNS/SQS/S3 are supported * @@ -146,6 +157,7 @@ export class ManagedKafkaEventSource extends StreamEventSource { this.enrichMappingOptions({ eventSourceArn: this.innerProps.clusterArn, filters: this.innerProps.filters, + filterEncryption: this.innerProps.filterEncryption, startingPosition: this.innerProps.startingPosition, sourceAccessConfigurations: this.sourceAccessConfigurations(), kafkaTopic: this.innerProps.topic, @@ -236,6 +248,7 @@ export class SelfManagedKafkaEventSource extends StreamEventSource { this.mappingId(target), this.enrichMappingOptions({ filters: this.innerProps.filters, + filterEncryption: this.innerProps.filterEncryption, kafkaBootstrapServers: this.innerProps.bootstrapServers, kafkaTopic: this.innerProps.topic, kafkaConsumerGroupId: this.innerProps.consumerGroupId, diff --git a/packages/aws-cdk-lib/aws-lambda-event-sources/lib/sqs.ts b/packages/aws-cdk-lib/aws-lambda-event-sources/lib/sqs.ts index 6b175bc18cd25..bcf6f4adf573d 100644 --- a/packages/aws-cdk-lib/aws-lambda-event-sources/lib/sqs.ts +++ b/packages/aws-cdk-lib/aws-lambda-event-sources/lib/sqs.ts @@ -1,3 +1,4 @@ +import { IKey } from '../../aws-kms'; import * as lambda from '../../aws-lambda'; import * as sqs from '../../aws-sqs'; import { Duration, Names, Token, Annotations } from '../../core'; @@ -47,6 +48,16 @@ export interface SqsEventSourceProps { */ readonly filters?: Array<{[key: string]: any}>; + /** + * Add Customer managed KMS key to encrypt Filter Criteria. + * @see https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventfiltering.html + * By default, Lambda will encrypt Filter Criteria using AWS managed keys + * @see https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk + * + * @default - none + */ + readonly filterEncryption?: IKey; + /** * The maximum concurrency setting limits the number of concurrent instances of the function that an Amazon SQS event source can invoke. * @@ -94,6 +105,7 @@ export class SqsEventSource implements lambda.IEventSource { enabled: this.props.enabled, eventSourceArn: this.queue.queueArn, filters: this.props.filters, + filterEncryption: this.props.filterEncryption, }); this._eventSourceMappingId = eventSourceMapping.eventSourceMappingId; this._eventSourceMappingArn = eventSourceMapping.eventSourceMappingArn; diff --git a/packages/aws-cdk-lib/aws-lambda-event-sources/lib/stream.ts b/packages/aws-cdk-lib/aws-lambda-event-sources/lib/stream.ts index 46b20d01e1787..414de7472f0e5 100644 --- a/packages/aws-cdk-lib/aws-lambda-event-sources/lib/stream.ts +++ b/packages/aws-cdk-lib/aws-lambda-event-sources/lib/stream.ts @@ -1,4 +1,5 @@ import { S3OnFailureDestination } from './s3-onfailuire-destination'; +import { IKey } from '../../aws-kms'; import * as lambda from '../../aws-lambda'; import { Duration } from '../../core'; @@ -125,6 +126,17 @@ export interface StreamEventSourceProps extends BaseStreamEventSourceProps { * @default - None */ readonly filters?: Array<{[key: string]: any}>; + + /** + * Add Customer managed KMS key to encrypt Filter Criteria. + * @see https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventfiltering.html + * By default, Lambda will encrypt Filter Criteria using AWS managed keys + * @see https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk + * + * @default - none + */ + readonly filterEncryption?: IKey; + } /** @@ -155,6 +167,7 @@ export abstract class StreamEventSource implements lambda.IEventSource { tumblingWindow: this.props.tumblingWindow, enabled: this.props.enabled, filters: this.props.filters, + filterEncryption: this.props.filterEncryption, }; } } diff --git a/packages/aws-cdk-lib/aws-lambda-event-sources/test/dynamo.test.ts b/packages/aws-cdk-lib/aws-lambda-event-sources/test/dynamo.test.ts index f93e002170452..eb331b0de8972 100644 --- a/packages/aws-cdk-lib/aws-lambda-event-sources/test/dynamo.test.ts +++ b/packages/aws-cdk-lib/aws-lambda-event-sources/test/dynamo.test.ts @@ -1,6 +1,7 @@ import { TestFunction } from './test-function'; import { Template } from '../../assertions'; import * as dynamodb from '../../aws-dynamodb'; +import { Key } from '../../aws-kms'; import * as lambda from '../../aws-lambda'; import { Bucket } from '../../aws-s3'; import * as sqs from '../../aws-sqs'; @@ -288,6 +289,128 @@ describe('DynamoEventSource', () => { }); }); + test('adding filter criteria encryption', () => { + // GIVEN + const stack = new cdk.Stack(); + const fn = new TestFunction(stack, 'Fn'); + const table = new dynamodb.Table(stack, 'T', { + partitionKey: { + name: 'id', + type: dynamodb.AttributeType.STRING, + }, + stream: dynamodb.StreamViewType.NEW_IMAGE, + }); + + const myKey = Key.fromKeyArn( + stack, + 'SourceBucketEncryptionKey', + 'arn:aws:kms:us-east-1:123456789012:key/', + ); + + // WHEN + fn.addEventSource(new sources.DynamoEventSource(table, { + startingPosition: lambda.StartingPosition.LATEST, + filters: [ + lambda.FilterCriteria.filter({ + eventName: lambda.FilterRule.isEqual('INSERT'), + dynamodb: { + Keys: { + id: { + S: lambda.FilterRule.exists(), + }, + }, + }, + }), + ], + filterEncryption: myKey, + })); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::Lambda::EventSourceMapping', { + 'EventSourceArn': { + 'Fn::GetAtt': [ + 'TD925BC7E', + 'StreamArn', + ], + }, + 'FunctionName': { + 'Ref': 'Fn9270CBC0', + }, + 'FilterCriteria': { + 'Filters': [ + { + 'Pattern': '{"eventName":["INSERT"],"dynamodb":{"Keys":{"id":{"S":[{"exists":true}]}}}}', + }, + ], + }, + KmsKeyArn: 'arn:aws:kms:us-east-1:123456789012:key/', + 'StartingPosition': 'LATEST', + }); + }); + + test('adding filter criteria encryption with stack key', () => { + // GIVEN + const stack = new cdk.Stack(); + const fn = new TestFunction(stack, 'Fn'); + const table = new dynamodb.Table(stack, 'T', { + partitionKey: { + name: 'id', + type: dynamodb.AttributeType.STRING, + }, + stream: dynamodb.StreamViewType.NEW_IMAGE, + }); + + const myKey = new Key(stack, 'fc-test-key-name', { + removalPolicy: cdk.RemovalPolicy.DESTROY, + pendingWindow: cdk.Duration.days(7), + description: 'KMS key for test fc encryption', + }); + + // WHEN + fn.addEventSource(new sources.DynamoEventSource(table, { + startingPosition: lambda.StartingPosition.LATEST, + filters: [ + lambda.FilterCriteria.filter({ + eventName: lambda.FilterRule.isEqual('INSERT'), + dynamodb: { + Keys: { + id: { + S: lambda.FilterRule.exists(), + }, + }, + }, + }), + ], + filterEncryption: myKey, + })); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::KMS::Key', { + KeyPolicy: { + Statement: [ + { + Action: 'kms:*', + Effect: 'Allow', + Principal: { + AWS: { + 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::', { Ref: 'AWS::AccountId' }, ':root']], + }, + }, + Resource: '*', + }, + { + Action: 'kms:Decrypt', + Effect: 'Allow', + Principal: { + Service: 'lambda.amazonaws.com', + }, + Resource: '*', + }, + ], + }, + }); + }); + test('specific maxBatchingWindow', () => { // GIVEN const stack = new cdk.Stack(); diff --git a/packages/aws-cdk-lib/aws-lambda-event-sources/test/kafka.test.ts b/packages/aws-cdk-lib/aws-lambda-event-sources/test/kafka.test.ts index cee9ca715e0f2..d5b1df2c9a657 100644 --- a/packages/aws-cdk-lib/aws-lambda-event-sources/test/kafka.test.ts +++ b/packages/aws-cdk-lib/aws-lambda-event-sources/test/kafka.test.ts @@ -1,6 +1,7 @@ import { TestFunction } from './test-function'; import { Template, Match } from '../../assertions'; import { SecurityGroup, SubnetType, Vpc } from '../../aws-ec2'; +import { Key } from '../../aws-kms'; import * as lambda from '../../aws-lambda'; import { Bucket } from '../../aws-s3'; import { Secret } from '../../aws-secretsmanager'; @@ -173,6 +174,110 @@ describe('KafkaEventSource', () => { }); }); + test('adding filter criteria encryption', () => { + // GIVEN + const stack = new cdk.Stack(); + const fn = new TestFunction(stack, 'Fn'); + const clusterArn = 'some-arn'; + const kafkaTopic = 'some-topic'; + const myKey = Key.fromKeyArn( + stack, + 'SourceBucketEncryptionKey', + 'arn:aws:kms:us-east-1:123456789012:key/', + ); + + // WHEN + fn.addEventSource(new sources.ManagedKafkaEventSource( + { + clusterArn, + topic: kafkaTopic, + startingPosition: lambda.StartingPosition.TRIM_HORIZON, + filters: [ + lambda.FilterCriteria.filter({ + orFilter: lambda.FilterRule.or('one', 'two'), + stringEquals: lambda.FilterRule.isEqual('test'), + }), + lambda.FilterCriteria.filter({ + numericEquals: lambda.FilterRule.isEqual(1), + }), + ], + filterEncryption: myKey, + })); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::Lambda::EventSourceMapping', { + FilterCriteria: { + Filters: [ + { + Pattern: '{"orFilter":["one","two"],"stringEquals":["test"]}', + }, + { + Pattern: '{"numericEquals":[{"numeric":["=",1]}]}', + }, + ], + }, + KmsKeyArn: 'arn:aws:kms:us-east-1:123456789012:key/', + }); + }); + + test('adding filter criteria encryption with stack key', () => { + // GIVEN + const stack = new cdk.Stack(); + const fn = new TestFunction(stack, 'Fn'); + const clusterArn = 'some-arn'; + const kafkaTopic = 'some-topic'; + + const myKey = new Key(stack, 'fc-test-key-name', { + removalPolicy: cdk.RemovalPolicy.DESTROY, + pendingWindow: cdk.Duration.days(7), + description: 'KMS key for test fc encryption', + }); + + // WHEN + fn.addEventSource(new sources.ManagedKafkaEventSource( + { + clusterArn, + topic: kafkaTopic, + startingPosition: lambda.StartingPosition.TRIM_HORIZON, + filters: [ + lambda.FilterCriteria.filter({ + orFilter: lambda.FilterRule.or('one', 'two'), + stringEquals: lambda.FilterRule.isEqual('test'), + }), + lambda.FilterCriteria.filter({ + numericEquals: lambda.FilterRule.isEqual(1), + }), + ], + filterEncryption: myKey, + })); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::KMS::Key', { + KeyPolicy: { + Statement: [ + { + Action: 'kms:*', + Effect: 'Allow', + Principal: { + AWS: { + 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::', { Ref: 'AWS::AccountId' }, ':root']], + }, + }, + Resource: '*', + }, + { + Action: 'kms:Decrypt', + Effect: 'Allow', + Principal: { + Service: 'lambda.amazonaws.com', + }, + Resource: '*', + }, + ], + }, + }); + }); + test('with s3 onfailure destination', () => { // GIVEN const stack = new cdk.Stack(); @@ -315,6 +420,54 @@ describe('KafkaEventSource', () => { }); }); + test('adding filter criteria encryption', () => { + // GIVEN + const stack = new cdk.Stack(); + const fn = new TestFunction(stack, 'Fn'); + const kafkaTopic = 'some-topic'; + const secret = new Secret(stack, 'Secret', { secretName: 'AmazonMSK_KafkaSecret' }); + const bootstrapServers = ['kafka-broker:9092']; + const myKey = Key.fromKeyArn( + stack, + 'SourceBucketEncryptionKey', + 'arn:aws:kms:us-east-1:123456789012:key/', + ); + + // WHEN + fn.addEventSource(new sources.SelfManagedKafkaEventSource( + { + bootstrapServers: bootstrapServers, + topic: kafkaTopic, + secret: secret, + startingPosition: lambda.StartingPosition.TRIM_HORIZON, + filters: [ + lambda.FilterCriteria.filter({ + orFilter: lambda.FilterRule.or('one', 'two'), + stringEquals: lambda.FilterRule.isEqual('test'), + }), + lambda.FilterCriteria.filter({ + numericEquals: lambda.FilterRule.isEqual(1), + }), + ], + filterEncryption: myKey, + })); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::Lambda::EventSourceMapping', { + FilterCriteria: { + Filters: [ + { + Pattern: '{"orFilter":["one","two"],"stringEquals":["test"]}', + }, + { + Pattern: '{"numericEquals":[{"numeric":["=",1]}]}', + }, + ], + }, + KmsKeyArn: 'arn:aws:kms:us-east-1:123456789012:key/', + }); + }); + test('without vpc, secret must be set', () => { const stack = new cdk.Stack(); const fn = new TestFunction(stack, 'Fn'); diff --git a/packages/aws-cdk-lib/aws-lambda-event-sources/test/sqs.test.ts b/packages/aws-cdk-lib/aws-lambda-event-sources/test/sqs.test.ts index 48e09e24bbf8b..3865e02f63039 100644 --- a/packages/aws-cdk-lib/aws-lambda-event-sources/test/sqs.test.ts +++ b/packages/aws-cdk-lib/aws-lambda-event-sources/test/sqs.test.ts @@ -1,6 +1,7 @@ import { TestFunction } from './test-function'; import { Template } from '../../assertions'; import * as iam from '../../aws-iam'; +import { Key } from '../../aws-kms'; import * as lambda from '../../aws-lambda'; import * as sqs from '../../aws-sqs'; import * as cdk from '../../core'; @@ -439,6 +440,92 @@ describe('SQSEventSource', () => { }); }); + test('adding filter criteria encryption', () => { + // GIVEN + const stack = new cdk.Stack(); + const fn = new TestFunction(stack, 'Fn'); + const q = new sqs.Queue(stack, 'Q'); + const myKey = Key.fromKeyArn( + stack, + 'SourceBucketEncryptionKey', + 'arn:aws:kms:us-east-1:123456789012:key/', + ); + + // WHEN + fn.addEventSource(new sources.SqsEventSource(q, { + filters: [ + lambda.FilterCriteria.filter({ + body: { + id: lambda.FilterRule.exists(), + }, + }), + ], + filterEncryption: myKey, + })); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::Lambda::EventSourceMapping', { + 'FilterCriteria': { + 'Filters': [ + { + 'Pattern': '{"body":{"id":[{"exists":true}]}}', + }, + ], + }, + KmsKeyArn: 'arn:aws:kms:us-east-1:123456789012:key/', + }); + }); + + test('adding filter criteria encryption with stack key', () => { + // GIVEN + const stack = new cdk.Stack(); + const fn = new TestFunction(stack, 'Fn'); + const q = new sqs.Queue(stack, 'Q'); + const myKey = new Key(stack, 'fc-test-key-name', { + removalPolicy: cdk.RemovalPolicy.DESTROY, + pendingWindow: cdk.Duration.days(7), + description: 'KMS key for test fc encryption', + }); + + // WHEN + fn.addEventSource(new sources.SqsEventSource(q, { + filters: [ + lambda.FilterCriteria.filter({ + body: { + id: lambda.FilterRule.exists(), + }, + }), + ], + filterEncryption: myKey, + })); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::KMS::Key', { + KeyPolicy: { + Statement: [ + { + Action: 'kms:*', + Effect: 'Allow', + Principal: { + AWS: { + 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::', { Ref: 'AWS::AccountId' }, ':root']], + }, + }, + Resource: '*', + }, + { + Action: 'kms:Decrypt', + Effect: 'Allow', + Principal: { + Service: 'lambda.amazonaws.com', + }, + Resource: '*', + }, + ], + }, + }); + }); + test('fails if maxConcurrency < 2', () => { // GIVEN const stack = new cdk.Stack(); diff --git a/packages/aws-cdk-lib/aws-lambda/README.md b/packages/aws-cdk-lib/aws-lambda/README.md index 58dc34ef74d53..160f9296c6242 100644 --- a/packages/aws-cdk-lib/aws-lambda/README.md +++ b/packages/aws-cdk-lib/aws-lambda/README.md @@ -780,6 +780,53 @@ fn.addEventSource(new eventsources.DynamoEventSource(table, { })); ``` +By default, Lambda will encrypt Filter Criteria using AWS managed keys. But if you want to use a self managed KMS key to encrypt the filters, You can specify the self managed key using the `filterEncryption` property. + +```ts +import * as eventsources from 'aws-cdk-lib/aws-lambda-event-sources'; +import * as dynamodb from 'aws-cdk-lib/aws-dynamodb'; +import { Key } from 'aws-cdk-lib/aws-kms'; + +declare const fn: lambda.Function; +const table = new dynamodb.Table(this, 'Table', { + partitionKey: { + name: 'id', + type: dynamodb.AttributeType.STRING, + }, + stream: dynamodb.StreamViewType.NEW_IMAGE, +}); +// Your self managed KMS key +const myKey = Key.fromKeyArn( + this, + 'SourceBucketEncryptionKey', + 'arn:aws:kms:us-east-1:123456789012:key/', +); + +fn.addEventSource(new eventsources.DynamoEventSource(table, { + startingPosition: lambda.StartingPosition.LATEST, + filters: [lambda.FilterCriteria.filter({ eventName: lambda.FilterRule.isEqual('INSERT') })], + filterEncryption: myKey, +})); +``` + +> Lambda requires allow `kms:Decrypt` on Lambda principal `lambda.amazonaws.com` to use the key for Filter Criteria Encryption. If you create the KMS key in the stack, CDK will automatically add this permission to the Key when you creates eventSourceMapping. However, if you import the key using function like `Key.fromKeyArn` then you need to add the following permission to the KMS key before using it to encrypt Filter Criteria + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + }, + "Action": "kms:Decrypt", + "Resource": "*" + } + ] +} +``` + See the documentation for the __@aws-cdk/aws-lambda-event-sources__ module for more details. ## Imported Lambdas diff --git a/packages/aws-cdk-lib/aws-lambda/lib/event-source-mapping.ts b/packages/aws-cdk-lib/aws-lambda/lib/event-source-mapping.ts index 1f49011ca1bd5..a441ce148788a 100644 --- a/packages/aws-cdk-lib/aws-lambda/lib/event-source-mapping.ts +++ b/packages/aws-cdk-lib/aws-lambda/lib/event-source-mapping.ts @@ -2,6 +2,8 @@ import { Construct } from 'constructs'; import { IEventSourceDlq } from './dlq'; import { IFunction } from './function-base'; import { CfnEventSourceMapping } from './lambda.generated'; +import * as iam from '../../aws-iam'; +import { IKey } from '../../aws-kms'; import * as cdk from '../../core'; /** @@ -251,6 +253,16 @@ export interface EventSourceMappingOptions { */ readonly filters?: Array<{[key: string]: any}>; + /** + * Add Customer managed KMS key to encrypt Filter Criteria. + * @see https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventfiltering.html + * By default, Lambda will encrypt Filter Criteria using AWS managed keys + * @see https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk + * + * @default - none + */ + readonly filterEncryption?: IKey; + /** * Check if support S3 onfailure destination(ODF). Currently only MSK and self managed kafka event support S3 ODF * @@ -388,6 +400,23 @@ export class EventSourceMapping extends cdk.Resource implements IEventSourceMapp this.validateKafkaConsumerGroupIdOrThrow(props.kafkaConsumerGroupId); } + if (props.filterEncryption !== undefined && props.filters == undefined) { + throw new Error('filter criteria must be provided to enable setting filter criteria encryption'); + } + + /** + * Grants the Lambda function permission to decrypt data using the specified KMS key. + * This step is necessary for setting up encrypted filter criteria. + * + * If the KMS key was created within this CloudFormation stack (via `new Key`), a Key policy + * will be attached to the key to allow the Lambda function to access it. However, if the + * Key is imported from an existing ARN (`Key.fromKeyArn`), no action will be taken. + */ + if (props.filterEncryption !== undefined) { + const lambdaPrincipal = new iam.ServicePrincipal('lambda.amazonaws.com'); + props.filterEncryption.grantDecrypt(lambdaPrincipal); + } + let destinationConfig; if (props.onFailure) { @@ -423,6 +452,7 @@ export class EventSourceMapping extends cdk.Resource implements IEventSourceMapp sourceAccessConfigurations: props.sourceAccessConfigurations?.map((o) => {return { type: o.type.type, uri: o.uri };}), selfManagedEventSource, filterCriteria: props.filters ? { filters: props.filters }: undefined, + kmsKeyArn: props.filterEncryption?.keyArn, selfManagedKafkaEventSourceConfig: props.kafkaBootstrapServers ? consumerGroupConfig : undefined, amazonManagedKafkaEventSourceConfig: props.eventSourceArn ? consumerGroupConfig : undefined, }); diff --git a/packages/aws-cdk-lib/aws-lambda/lib/function.ts b/packages/aws-cdk-lib/aws-lambda/lib/function.ts index 8d282a4e44415..2f804ca0d4f06 100644 --- a/packages/aws-cdk-lib/aws-lambda/lib/function.ts +++ b/packages/aws-cdk-lib/aws-lambda/lib/function.ts @@ -861,6 +861,9 @@ export class Function extends FunctionBase { /** @internal */ public readonly _layers: ILayerVersion[] = []; + /** @internal */ + public _logRetention?: logs.LogRetention; + private _logGroup?: logs.ILogGroup; /** @@ -1080,6 +1083,7 @@ export class Function extends FunctionBase { logRetentionRetryOptions: props.logRetentionRetryOptions as logs.LogRetentionRetryOptions, }); this._logGroup = logs.LogGroup.fromLogGroupArn(this, 'LogGroup', logRetention.logGroupArn); + this._logRetention = logRetention; } props.code.bindToResource(resource); diff --git a/packages/aws-cdk-lib/aws-lambda/lib/singleton-lambda.ts b/packages/aws-cdk-lib/aws-lambda/lib/singleton-lambda.ts index 7c1d0ee0b48de..197e7e005d985 100644 --- a/packages/aws-cdk-lib/aws-lambda/lib/singleton-lambda.ts +++ b/packages/aws-cdk-lib/aws-lambda/lib/singleton-lambda.ts @@ -1,4 +1,4 @@ -import { Construct, IConstruct, IDependable, Node } from 'constructs'; +import { Construct, IConstruct, IDependable, Node, MetadataOptions } from 'constructs'; import { Architecture } from './architecture'; import { Function as LambdaFunction, FunctionProps, EnvironmentOptions } from './function'; import { FunctionBase } from './function-base'; @@ -155,6 +155,14 @@ export class SingletonFunction extends FunctionBase { this.lambdaFunction.node.addDependency(...up); } + /** + * Use this method to write to the construct tree. + * The metadata entries are written to the Cloud Assembly Manifest if the `treeMetadata` property is specified in the props of the App that contains this Construct. + */ + public addMetadata(type: string, data: any, options?: MetadataOptions) { + this.lambdaFunction.node.addMetadata(type, data, options); + } + /** * The SingletonFunction construct cannot be added as a dependency of another construct using * node.addDependency(). Use this method instead to declare this as a dependency of another construct. diff --git a/packages/aws-cdk-lib/aws-lambda/test/event-source-mapping.test.ts b/packages/aws-cdk-lib/aws-lambda/test/event-source-mapping.test.ts index 8182a15406db7..6eafc9267471d 100644 --- a/packages/aws-cdk-lib/aws-lambda/test/event-source-mapping.test.ts +++ b/packages/aws-cdk-lib/aws-lambda/test/event-source-mapping.test.ts @@ -1,4 +1,5 @@ import { Match, Template } from '../../assertions'; +import { Key } from '../../aws-kms'; import * as cdk from '../../core'; import * as lambda from '../lib'; import { Code, EventSourceMapping, Function, Runtime, Alias, StartingPosition, FilterRule, FilterCriteria } from '../lib'; @@ -323,6 +324,74 @@ describe('event source mapping', () => { }); }); + test('adding filter criteria encryption', () => { + const topicNameParam = new cdk.CfnParameter(stack, 'TopicNameParam', { + type: 'String', + }); + + let eventSourceArn = 'some-arn'; + + const myKey = Key.fromKeyArn( + stack, + 'SourceBucketEncryptionKey', + 'arn:aws:kms:us-east-1:123456789012:key/', + ); + + // WHEN + new EventSourceMapping(stack, 'test', { + target: fn, + eventSourceArn: eventSourceArn, + kafkaTopic: topicNameParam.valueAsString, + filters: [ + FilterCriteria.filter({ + orFilter: FilterRule.or('one', 'two'), + stringEquals: FilterRule.isEqual('test'), + }), + FilterCriteria.filter({ + numericEquals: FilterRule.isEqual(1), + }), + ], + filterEncryption: myKey, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::Lambda::EventSourceMapping', { + FilterCriteria: { + Filters: [ + { + Pattern: '{"orFilter":["one","two"],"stringEquals":["test"]}', + }, + { + Pattern: '{"numericEquals":[{"numeric":["=",1]}]}', + }, + ], + }, + KmsKeyArn: 'arn:aws:kms:us-east-1:123456789012:key/', + }); + + }); + + test('adding filter criteria encryption without filter criteria', () => { + const topicNameParam = new cdk.CfnParameter(stack, 'TopicNameParam', { + type: 'String', + }); + + let eventSourceArn = 'some-arn'; + + const myKey = Key.fromKeyArn( + stack, + 'SourceBucketEncryptionKey', + 'arn:aws:kms:us-east-1:123456789012:key/', + ); + + expect(() => new EventSourceMapping(stack, 'test', { + target: fn, + eventSourceArn: eventSourceArn, + kafkaTopic: topicNameParam.valueAsString, + filterEncryption: myKey, + })).toThrow(/filter criteria must be provided to enable setting filter criteria encryption/); + }); + test('kafkaBootstrapServers appears in stack', () => { const topicNameParam = new cdk.CfnParameter(stack, 'TopicNameParam', { type: 'String', diff --git a/packages/aws-cdk-lib/aws-rds/lib/cluster-engine.ts b/packages/aws-cdk-lib/aws-rds/lib/cluster-engine.ts index 53c3ace4aa99f..ae281e741a27c 100644 --- a/packages/aws-cdk-lib/aws-rds/lib/cluster-engine.ts +++ b/packages/aws-cdk-lib/aws-rds/lib/cluster-engine.ts @@ -946,6 +946,8 @@ export class AuroraPostgresEngineVersion { public static readonly VER_12_17 = AuroraPostgresEngineVersion.of('12.17', '12', { s3Import: true, s3Export: true }); /** Version "12.18". */ public static readonly VER_12_18 = AuroraPostgresEngineVersion.of('12.18', '12', { s3Import: true, s3Export: true }); + /** Version "12.19". */ + public static readonly VER_12_19 = AuroraPostgresEngineVersion.of('12.19', '12', { s3Import: true, s3Export: true }); /** * Version "13.3". * @deprecated Version 13.3 is no longer supported by Amazon RDS. @@ -982,6 +984,8 @@ export class AuroraPostgresEngineVersion { public static readonly VER_13_13 = AuroraPostgresEngineVersion.of('13.13', '13', { s3Import: true, s3Export: true }); /** Version "13.14". */ public static readonly VER_13_14 = AuroraPostgresEngineVersion.of('13.14', '13', { s3Import: true, s3Export: true }); + /** Version "13.15". */ + public static readonly VER_13_15 = AuroraPostgresEngineVersion.of('13.15', '13', { s3Import: true, s3Export: true }); /** Version "14.3". */ public static readonly VER_14_3 = AuroraPostgresEngineVersion.of('14.3', '14', { s3Import: true, s3Export: true }); /** Version "14.4". */ @@ -1000,6 +1004,8 @@ export class AuroraPostgresEngineVersion { public static readonly VER_14_10 = AuroraPostgresEngineVersion.of('14.10', '14', { s3Import: true, s3Export: true }); /** Version "14.11". */ public static readonly VER_14_11 = AuroraPostgresEngineVersion.of('14.11', '14', { s3Import: true, s3Export: true }); + /** Version "14.12". */ + public static readonly VER_14_12 = AuroraPostgresEngineVersion.of('14.12', '14', { s3Import: true, s3Export: true }); /** Version "15.2". */ public static readonly VER_15_2 = AuroraPostgresEngineVersion.of('15.2', '15', { s3Import: true, s3Export: true }); /** Version "15.3". */ @@ -1010,6 +1016,8 @@ export class AuroraPostgresEngineVersion { public static readonly VER_15_5 = AuroraPostgresEngineVersion.of('15.5', '15', { s3Import: true, s3Export: true }); /** Version "15.6". */ public static readonly VER_15_6 = AuroraPostgresEngineVersion.of('15.6', '15', { s3Import: true, s3Export: true }); + /** Version "15.7". */ + public static readonly VER_15_7 = AuroraPostgresEngineVersion.of('15.7', '15', { s3Import: true, s3Export: true }); /** * Version "16.0" * @deprecated Version 16.0 is no longer supported by Amazon RDS. diff --git a/packages/aws-cdk-lib/aws-rds/lib/instance-engine.ts b/packages/aws-cdk-lib/aws-rds/lib/instance-engine.ts index 9ed03ee7da226..3c0b256f6e687 100644 --- a/packages/aws-cdk-lib/aws-rds/lib/instance-engine.ts +++ b/packages/aws-cdk-lib/aws-rds/lib/instance-engine.ts @@ -936,6 +936,8 @@ export class MysqlEngineVersion { public static readonly VER_8_0_36 = MysqlEngineVersion.of('8.0.36', '8.0'); /** Version "8.0.37". */ public static readonly VER_8_0_37 = MysqlEngineVersion.of('8.0.37', '8.0'); + /** Version "8.0.39". */ + public static readonly VER_8_0_39 = MysqlEngineVersion.of('8.0.39', '8.0'); /** * Create a new MysqlEngineVersion with an arbitrary version. @@ -1525,6 +1527,8 @@ export class PostgresEngineVersion { public static readonly VER_12_18 = PostgresEngineVersion.of('12.18', '12', { s3Import: true, s3Export: true }); /** Version "12.19". */ public static readonly VER_12_19 = PostgresEngineVersion.of('12.19', '12', { s3Import: true, s3Export: true }); + /** Version "12.20". */ + public static readonly VER_12_20 = PostgresEngineVersion.of('12.20', '12', { s3Import: true, s3Export: true }); /** Version "13" (only a major version, without a specific minor version). */ public static readonly VER_13 = PostgresEngineVersion.of('13', '13', { s3Import: true, s3Export: true }); @@ -1588,6 +1592,8 @@ export class PostgresEngineVersion { public static readonly VER_13_14 = PostgresEngineVersion.of('13.14', '13', { s3Import: true, s3Export: true }); /** Version "13.15". */ public static readonly VER_13_15 = PostgresEngineVersion.of('13.15', '13', { s3Import: true, s3Export: true }); + /** Version "13.16". */ + public static readonly VER_13_16 = PostgresEngineVersion.of('13.16', '13', { s3Import: true, s3Export: true }); /** Version "14" (only a major version, without a specific minor version). */ public static readonly VER_14 = PostgresEngineVersion.of('14', '14', { s3Import: true, s3Export: true }); @@ -1639,6 +1645,8 @@ export class PostgresEngineVersion { public static readonly VER_14_11 = PostgresEngineVersion.of('14.11', '14', { s3Import: true, s3Export: true }); /** Version "14.12". */ public static readonly VER_14_12 = PostgresEngineVersion.of('14.12', '14', { s3Import: true, s3Export: true }); + /** Version "14.13". */ + public static readonly VER_14_13 = PostgresEngineVersion.of('14.13', '14', { s3Import: true, s3Export: true }); /** Version "15" (only a major version, without a specific minor version). */ public static readonly VER_15 = PostgresEngineVersion.of('15', '15', { s3Import: true, s3Export: true }); @@ -1660,6 +1668,8 @@ export class PostgresEngineVersion { public static readonly VER_15_6 = PostgresEngineVersion.of('15.6', '15', { s3Import: true, s3Export: true }); /** Version "15.7". */ public static readonly VER_15_7 = PostgresEngineVersion.of('15.7', '15', { s3Import: true, s3Export: true }); + /** Version "15.8". */ + public static readonly VER_15_8 = PostgresEngineVersion.of('15.8', '15', { s3Import: true, s3Export: true }); /** Version "16" (only a major version, without a specific minor version). */ public static readonly VER_16 = PostgresEngineVersion.of('16', '16', { s3Import: true, s3Export: true }); @@ -1669,6 +1679,8 @@ export class PostgresEngineVersion { public static readonly VER_16_2 = PostgresEngineVersion.of('16.2', '16', { s3Import: true, s3Export: true }); /** Version "16.3". */ public static readonly VER_16_3 = PostgresEngineVersion.of('16.3', '16', { s3Import: true, s3Export: true }); + /** Version "16.4". */ + public static readonly VER_16_4 = PostgresEngineVersion.of('16.4', '16', { s3Import: true, s3Export: true }); /** * Create a new PostgresEngineVersion with an arbitrary version. @@ -2547,6 +2559,8 @@ export class SqlServerEngineVersion { public static readonly VER_13_00_6430_49_V1 = SqlServerEngineVersion.of('13.00.6430.49.v1', '13.00'); /** Version "13.00.6435.1.v1". */ public static readonly VER_13_00_6435_1_V1 = SqlServerEngineVersion.of('13.00.6435.1.v1', '13.00'); + /** Version "13.00.6441.1.v1". */ + public static readonly VER_13_00_6441_1_V1 = SqlServerEngineVersion.of('13.00.6441.1.v1', '13.00'); /** Version "14.00" (only a major version, without a specific minor version). */ public static readonly VER_14 = SqlServerEngineVersion.of('14.00', '14.00'); @@ -2598,6 +2612,8 @@ export class SqlServerEngineVersion { public static readonly VER_14_00_3460_9_V1 = SqlServerEngineVersion.of('14.00.3460.9.v1', '14.00'); /** Version "14.00.3465.1.v1". */ public static readonly VER_14_00_3465_1_V1 = SqlServerEngineVersion.of('14.00.3465.1.v1', '14.00'); + /** Version "14.00.3471.2.v1 ". */ + public static readonly VER_14_00_3471_2_V1 = SqlServerEngineVersion.of('14.00.3471.2.v1 ', '14.00'); /** Version "15.00" (only a major version, without a specific minor version). */ public static readonly VER_15 = SqlServerEngineVersion.of('15.00', '15.00'); @@ -2630,6 +2646,10 @@ export class SqlServerEngineVersion { public static readonly VER_15_00_4345_5_V1 = SqlServerEngineVersion.of('15.00.4345.5.v1', '15.00'); /** Version "15.00.4365.2.v1". */ public static readonly VER_15_00_4365_2_V1 = SqlServerEngineVersion.of('15.00.4365.2.v1', '15.00'); + /** Version "15.00.4375.4.v1". */ + public static readonly VER_15_00_4375_4_V1 = SqlServerEngineVersion.of('15.00.4375.4.v1', '15.00'); + /** Version "15.00.4382.1.v1". */ + public static readonly VER_15_00_4382_1_V1 = SqlServerEngineVersion.of('15.00.4382.1.v1', '15.00'); /** Version "16.00" (only a major version, without a specific minor version). */ public static readonly VER_16 = SqlServerEngineVersion.of('16.00', '16.00'); @@ -2645,6 +2665,8 @@ export class SqlServerEngineVersion { public static readonly VER_16_00_4120_1_V1 = SqlServerEngineVersion.of('16.00.4120.1.v1', '16.00'); /** Version "16.00.4125.3.v1". */ public static readonly VER_16_00_4125_3_V1 = SqlServerEngineVersion.of('16.00.4125.3.v1', '16.00'); + /** Version "16.00.4131.2.v1". */ + public static readonly VER_16_00_4131_2_V1 = SqlServerEngineVersion.of('16.00.4131.2.v1', '16.00'); /** * Create a new SqlServerEngineVersion with an arbitrary version. diff --git a/packages/aws-cdk-lib/aws-rds/test/cluster-engine.test.ts b/packages/aws-cdk-lib/aws-rds/test/cluster-engine.test.ts index 441881a597991..cee26e65dfbcf 100644 --- a/packages/aws-cdk-lib/aws-rds/test/cluster-engine.test.ts +++ b/packages/aws-cdk-lib/aws-rds/test/cluster-engine.test.ts @@ -106,6 +106,8 @@ describe('cluster engine', () => { 'aurora-postgresql10'); expect(DatabaseClusterEngine.auroraPostgres({ version: AuroraPostgresEngineVersion.of('14.3', '14') }).parameterGroupFamily).toEqual( 'aurora-postgresql14'); + expect(DatabaseClusterEngine.auroraPostgres({ version: AuroraPostgresEngineVersion.of('15.7', '15') }).parameterGroupFamily).toEqual( + 'aurora-postgresql15'); expect(DatabaseClusterEngine.auroraPostgres({ version: AuroraPostgresEngineVersion.of('16.3', '16') }).parameterGroupFamily).toEqual( 'aurora-postgresql16'); }); diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/.jsiirc.json b/packages/aws-cdk-lib/cloud-assembly-schema/.jsiirc.json deleted file mode 100644 index 21db8e13672e1..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/.jsiirc.json +++ /dev/null @@ -1,13 +0,0 @@ -{ - "targets": { - "java": { - "package": "software.amazon.awscdk.cloudassembly.schema" - }, - "dotnet": { - "namespace": "Amazon.CDK.CloudAssembly.Schema" - }, - "python": { - "module": "aws_cdk.cloud_assembly_schema" - } - } -} diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/CONTRIBUTING.md b/packages/aws-cdk-lib/cloud-assembly-schema/CONTRIBUTING.md deleted file mode 100644 index 0a96c52f7ca1a..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/CONTRIBUTING.md +++ /dev/null @@ -1,67 +0,0 @@ -## Cloud Assembly Schema - -Making changes to this module should only happen when you introduce new cloud assembly capabilities. - -> For example: supporting the `--target` option when building docker containers. - -If you decided these changes are necessary, simply go ahead and make the necessary modifications to -the interfaces that describe the schema. Our tests and validation mechanisms will ensure you make those -changes correctly. - -### Module Structure - -There are two main things to understand about the files in this module: - -- [`lib/manifest.ts`](./lib/manifest.ts) - - This is the typescript code that defines our schema. It is solely comprised of structs (property only interfaces). - It directly maps to the way we want manifest files to be stored on disk. When you want to make changes to the schema, - this is the file you should be editing. - -- [`lib/schema`](./schema/) - - This directory contains the generated json [schema](./schema/cloud-assembly.schema.json) from the aforementioned - typescript code. It also contains a [version](./schema/cloud-assembly.version.json) file that holds the current version - of the schema. These files are **not** intended for manual editing. Keep reading to understand how they change and when. - -### Schema Generation - -The schema can be generated by running `yarn update-schema`. It reads the [`manifest.ts`](./lib/manifest.ts) file and writes -an updated json schema to [`cloud-assembly.schema.json`](./schema/cloud-assembly.schema.json). -In addition, this command also performs a `major` version bump on the [version](./schema/cloud-assembly.version.json) file. - -Note that it is not generated as part of the build, this is to ensure developers will be intentional when making -changes to the schema. If changes to the code are performed, without generating a new schema, the tests will fail: - -```console -$ yarn test -FAIL test/schema.test.js (5.902s) - ✓ manifest save (7ms) - ✕ cloud-assembly.json.schema is correct (5304ms) - ✓ manifest load (4ms) - ✓ manifest load fails for invalid nested property (5ms) - ✓ manifest load fails for invalid artifact type (1ms) - ✓ stack-tags are deserialized properly (1ms) - ✓ can access random metadata (1ms) - - ● cloud-assembly.json.schema is correct - - Whoops, Looks like the schema has changed. Did you forget to run 'yarn update-schema'? -``` - -### Schema Validation - -Being a **stable** `jsii` module, it undergoes strict API compatibility checks with the help -of [`jsii-diff`](https://github.com/aws/jsii/tree/master/packages/jsii-diff). -This means that breaking changes will be rejected. These include: - -- Adding a required property. (same as changing from *optional* to *required*) -- Changing the type of the property. - -In addition, the interfaces defined here are programmatically exposed to users, via the `manifest` -property of the [`CloudAssembly`](../cx-api/lib/cloud-assembly.ts) class. This means that the following are -also considered breaking changes: - -- Changing a property from *required* to *optional*. -- Removing an optional property. -- Removing a required property. diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/README.md b/packages/aws-cdk-lib/cloud-assembly-schema/README.md deleted file mode 100644 index a102522dba4fd..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/README.md +++ /dev/null @@ -1,55 +0,0 @@ -# Cloud Assembly Schema - - -This module is part of the [AWS Cloud Development Kit](https://github.com/aws/aws-cdk) project. - -## Cloud Assembly - -The *Cloud Assembly* is the output of the synthesis operation. It is produced as part of the -[`cdk synth`](https://github.com/aws/aws-cdk/tree/main/packages/aws-cdk#cdk-synthesize) -command, or the [`app.synth()`](https://github.com/aws/aws-cdk/blob/main/packages/@aws-cdk/core/lib/app.ts#L135) method invocation. - -Its essentially a set of files and directories, one of which is the `manifest.json` file. It defines the set of instructions that are -needed in order to deploy the assembly directory. - -> For example, when `cdk deploy` is executed, the CLI reads this file and performs its instructions: -> -> - Build container images. -> - Upload assets. -> - Deploy CloudFormation templates. - -Therefore, the assembly is how the CDK class library and CDK CLI (or any other consumer) communicate. To ensure compatibility -between the assembly and its consumers, we treat the manifest file as a well defined, versioned schema. - -## Schema - -This module contains the typescript structs that comprise the `manifest.json` file, as well as the -generated [*json-schema*](./schema/cloud-assembly.schema.json). - -## Versioning - -The schema version is specified in the [`cloud-assembly.version.json`](./schema/cloud-assembly.schema.json) file, under the `version` property. -It follows semantic versioning, but with a small twist. - -When we add instructions to the assembly, they are reflected in the manifest file and the *json-schema* accordingly. -Every such instruction, is crucial for ensuring the correct deployment behavior. This means that to properly deploy a cloud assembly, -consumers must be aware of every such instruction modification. - -For this reason, every change to the schema, even though it might not strictly break validation of the *json-schema* format, -is considered `major` version bump. - -## How to consume - -If you'd like to consume the [schema file](./schema/cloud-assembly.schema.json) in order to do validations on `manifest.json` files, -simply download it from this repo and run it against standard *json-schema* validators, such as [jsonschema](https://www.npmjs.com/package/jsonschema). - -Consumers must take into account the `major` version of the schema they are consuming. They should reject cloud assemblies -with a `major` version that is higher than what they expect. While schema validation might pass on such assemblies, the deployment integrity -cannot be guaranteed because some instructions will be ignored. - -> For example, if your consumer was built when the schema version was 2.0.0, you should reject deploying cloud assemblies with a -> manifest version of 3.0.0. - -## Contributing - -See [Contribution Guide](./CONTRIBUTING.md) diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/index.ts b/packages/aws-cdk-lib/cloud-assembly-schema/index.ts index f41a696fd204d..88dd90ebb9af3 100644 --- a/packages/aws-cdk-lib/cloud-assembly-schema/index.ts +++ b/packages/aws-cdk-lib/cloud-assembly-schema/index.ts @@ -1 +1 @@ -export * from './lib'; +export * from '@aws-cdk/cloud-assembly-schema'; diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/lib/assets/aws-destination.ts b/packages/aws-cdk-lib/cloud-assembly-schema/lib/assets/aws-destination.ts deleted file mode 100644 index f419fde03c56d..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/lib/assets/aws-destination.ts +++ /dev/null @@ -1,25 +0,0 @@ -/** - * Destination for assets that need to be uploaded to AWS - */ -export interface AwsDestination { - /** - * The region where this asset will need to be published - * - * @default - Current region - */ - readonly region?: string; - - /** - * The role that needs to be assumed while publishing this asset - * - * @default - No role will be assumed - */ - readonly assumeRoleArn?: string; - - /** - * The ExternalId that needs to be supplied while assuming this role - * - * @default - No ExternalId will be supplied - */ - readonly assumeRoleExternalId?: string; -} \ No newline at end of file diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/lib/assets/docker-image-asset.ts b/packages/aws-cdk-lib/cloud-assembly-schema/lib/assets/docker-image-asset.ts deleted file mode 100644 index 70c9761f47c70..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/lib/assets/docker-image-asset.ts +++ /dev/null @@ -1,175 +0,0 @@ -import { AwsDestination } from './aws-destination'; - -/** - * A file asset - */ -export interface DockerImageAsset { - /** - * Source description for file assets - */ - readonly source: DockerImageSource; - - /** - * Destinations for this file asset - */ - readonly destinations: { [id: string]: DockerImageDestination }; -} - -/** - * Properties for how to produce a Docker image from a source - */ -export interface DockerImageSource { - /** - * The directory containing the Docker image build instructions. - * - * This path is relative to the asset manifest location. - * - * @default - Exactly one of `directory` and `executable` is required - */ - readonly directory?: string; - - /** - * A command-line executable that returns the name of a local - * Docker image on stdout after being run. - * - * @default - Exactly one of `directory` and `executable` is required - */ - readonly executable?: string[]; - - /** - * The name of the file with build instructions - * - * Only allowed when `directory` is set. - * - * @default "Dockerfile" - */ - readonly dockerFile?: string; - - /** - * Target build stage in a Dockerfile with multiple build stages - * - * Only allowed when `directory` is set. - * - * @default - The last stage in the Dockerfile - */ - readonly dockerBuildTarget?: string; - - /** - * Additional build arguments - * - * Only allowed when `directory` is set. - * - * @default - No additional build arguments - */ - readonly dockerBuildArgs?: { [name: string]: string }; - - /** - * SSH agent socket or keys - * - * Requires building with docker buildkit. - * - * @default - No ssh flag is set - */ - readonly dockerBuildSsh?: string; - - /** - * Additional build secrets - * - * Only allowed when `directory` is set. - * - * @default - No additional build secrets - */ - readonly dockerBuildSecrets?: { [name: string]: string }; - - /** - * Networking mode for the RUN commands during build. _Requires Docker Engine API v1.25+_. - * - * Specify this property to build images on a specific networking mode. - * - * @default - no networking mode specified - */ - readonly networkMode?: string; - - /** - * Platform to build for. _Requires Docker Buildx_. - * - * Specify this property to build images on a specific platform/architecture. - * - * @default - current machine platform - */ - readonly platform?: string; - - /** - * Outputs - * - * @default - no outputs are passed to the build command (default outputs are used) - * @see https://docs.docker.com/engine/reference/commandline/build/#custom-build-outputs - */ - readonly dockerOutputs?: string[]; - - /** - * Cache from options to pass to the `docker build` command. - * - * @default - no cache from options are passed to the build command - * @see https://docs.docker.com/build/cache/backends/ - */ - readonly cacheFrom?: DockerCacheOption[]; - - /** - * Cache to options to pass to the `docker build` command. - * - * @default - no cache to options are passed to the build command - * @see https://docs.docker.com/build/cache/backends/ - */ - readonly cacheTo?: DockerCacheOption; - - /** - * Disable the cache and pass `--no-cache` to the `docker build` command. - * - * @default - cache is used - */ - readonly cacheDisabled?: boolean; -} - -/** - * Where to publish docker images - */ -export interface DockerImageDestination extends AwsDestination { - /** - * Name of the ECR repository to publish to - */ - readonly repositoryName: string; - - /** - * Tag of the image to publish - */ - readonly imageTag: string; -} - -/** - * Options for configuring the Docker cache backend - */ -export interface DockerCacheOption { - /** - * The type of cache to use. - * Refer to https://docs.docker.com/build/cache/backends/ for full list of backends. - * @default - unspecified - * - * @example 'registry' - */ - readonly type: string; - /** - * Any parameters to pass into the docker cache backend configuration. - * Refer to https://docs.docker.com/build/cache/backends/ for cache backend configuration. - * @default {} No options provided - * - * @example - * declare const branch: string; - * - * const params = { - * ref: `12345678.dkr.ecr.us-west-2.amazonaws.com/cache:${branch}`, - * mode: "max", - * }; - */ - readonly params?: { [key: string]: string }; -} diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/lib/assets/file-asset.ts b/packages/aws-cdk-lib/cloud-assembly-schema/lib/assets/file-asset.ts deleted file mode 100644 index 58c7e0cc93ebc..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/lib/assets/file-asset.ts +++ /dev/null @@ -1,76 +0,0 @@ -import { AwsDestination } from './aws-destination'; - -/** - * A file asset - */ -export interface FileAsset { - /** - * Source description for file assets - */ - readonly source: FileSource; - - /** - * Destinations for this file asset - */ - readonly destinations: { [id: string]: FileDestination }; -} - -/** - * Packaging strategy for file assets - */ -export enum FileAssetPackaging { - /** - * Upload the given path as a file - */ - FILE = 'file', - - /** - * The given path is a directory, zip it and upload - */ - ZIP_DIRECTORY = 'zip', -} - -/** - * Describe the source of a file asset - */ -export interface FileSource { - /** - * External command which will produce the file asset to upload. - * - * @default - Exactly one of `executable` and `path` is required. - */ - readonly executable?: string[]; - - /** - * The filesystem object to upload - * - * This path is relative to the asset manifest location. - * - * @default - Exactly one of `executable` and `path` is required. - */ - readonly path?: string; - - /** - * Packaging method - * - * Only allowed when `path` is specified. - * - * @default FILE - */ - readonly packaging?: FileAssetPackaging; -} - -/** - * Where in S3 a file asset needs to be published - */ -export interface FileDestination extends AwsDestination { - /** - * The name of the bucket - */ - readonly bucketName: string; - - /** - * The destination object key - */ - readonly objectKey: string; -} diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/lib/assets/index.ts b/packages/aws-cdk-lib/cloud-assembly-schema/lib/assets/index.ts deleted file mode 100644 index 49c126e3f2d9b..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/lib/assets/index.ts +++ /dev/null @@ -1,4 +0,0 @@ -export * from './schema'; -export * from './docker-image-asset'; -export * from './file-asset'; -export * from './aws-destination'; diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/lib/assets/schema.ts b/packages/aws-cdk-lib/cloud-assembly-schema/lib/assets/schema.ts deleted file mode 100644 index 7f5b33da127cd..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/lib/assets/schema.ts +++ /dev/null @@ -1,26 +0,0 @@ -import { DockerImageAsset } from './docker-image-asset'; -import { FileAsset } from './file-asset'; - -/** - * Definitions for the asset manifest - */ -export interface AssetManifest { - /** - * Version of the manifest - */ - readonly version: string; - - /** - * The file assets in this manifest - * - * @default - No files - */ - readonly files?: { [id: string]: FileAsset }; - - /** - * The Docker image assets in this manifest - * - * @default - No Docker images - */ - readonly dockerImages?: { [id: string]: DockerImageAsset }; -} diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/lib/cloud-assembly/artifact-schema.ts b/packages/aws-cdk-lib/cloud-assembly-schema/lib/cloud-assembly/artifact-schema.ts deleted file mode 100644 index 66872401251aa..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/lib/cloud-assembly/artifact-schema.ts +++ /dev/null @@ -1,204 +0,0 @@ - -/** - * Information needed to access an IAM role created - * as part of the bootstrap process - */ -export interface BootstrapRole { - /** - * The ARN of the IAM role created as part of bootrapping - * e.g. lookupRoleArn - */ - readonly arn: string; - - /** - * External ID to use when assuming the bootstrap role - * - * @default - No external ID - */ - readonly assumeRoleExternalId?: string; - - /** - * Version of bootstrap stack required to use this role - * - * @default - No bootstrap stack required - */ - readonly requiresBootstrapStackVersion?: number; - - /** - * Name of SSM parameter with bootstrap stack version - * - * @default - Discover SSM parameter by reading stack - */ - readonly bootstrapStackVersionSsmParameter?: string; -} - -/** - * Artifact properties for CloudFormation stacks. - */ -export interface AwsCloudFormationStackProperties { - /** - * A file relative to the assembly root which contains the CloudFormation template for this stack. - */ - readonly templateFile: string; - - /** - * Values for CloudFormation stack parameters that should be passed when the stack is deployed. - * - * @default - No parameters - */ - readonly parameters?: { [id: string]: string }; - - /** - * Values for CloudFormation stack tags that should be passed when the stack is deployed. - * - * @default - No tags - */ - readonly tags?: { [id: string]: string }; - - /** - * The name to use for the CloudFormation stack. - * @default - name derived from artifact ID - */ - readonly stackName?: string; - - /** - * Whether to enable termination protection for this stack. - * - * @default false - */ - readonly terminationProtection?: boolean; - - /** - * The role that needs to be assumed to deploy the stack - * - * @default - No role is assumed (current credentials are used) - */ - readonly assumeRoleArn?: string; - - /** - * External ID to use when assuming role for cloudformation deployments - * - * @default - No external ID - */ - readonly assumeRoleExternalId?: string; - - /** - * The role that is passed to CloudFormation to execute the change set - * - * @default - No role is passed (currently assumed role/credentials are used) - */ - readonly cloudFormationExecutionRoleArn?: string; - - /** - * The role to use to look up values from the target AWS account - * - * @default - No role is assumed (current credentials are used) - */ - readonly lookupRole?: BootstrapRole; - - /** - * If the stack template has already been included in the asset manifest, its asset URL - * - * @default - Not uploaded yet, upload just before deploying - */ - readonly stackTemplateAssetObjectUrl?: string; - - /** - * Version of bootstrap stack required to deploy this stack - * - * @default - No bootstrap stack required - */ - readonly requiresBootstrapStackVersion?: number; - - /** - * SSM parameter where the bootstrap stack version number can be found - * - * Only used if `requiresBootstrapStackVersion` is set. - * - * - If this value is not set, the bootstrap stack name must be known at - * deployment time so the stack version can be looked up from the stack - * outputs. - * - If this value is set, the bootstrap stack can have any name because - * we won't need to look it up. - * - * @default - Bootstrap stack version number looked up - */ - readonly bootstrapStackVersionSsmParameter?: string; - - /** - * Whether this stack should be validated by the CLI after synthesis - * - * @default - false - */ - readonly validateOnSynth?: boolean; -} - -/** - * Configuration options for the Asset Manifest - */ -export interface AssetManifestOptions { - /** - * Version of bootstrap stack required to deploy this stack - * - * @default - Version 1 (basic modern bootstrap stack) - */ - readonly requiresBootstrapStackVersion?: number; - - /** - * SSM parameter where the bootstrap stack version number can be found - * - * - If this value is not set, the bootstrap stack name must be known at - * deployment time so the stack version can be looked up from the stack - * outputs. - * - If this value is set, the bootstrap stack can have any name because - * we won't need to look it up. - * - * @default - Bootstrap stack version number looked up - */ - readonly bootstrapStackVersionSsmParameter?: string; -} - -/** - * Artifact properties for the Asset Manifest - */ -export interface AssetManifestProperties extends AssetManifestOptions { - /** - * Filename of the asset manifest - */ - readonly file: string; -} - -/** - * Artifact properties for the Construct Tree Artifact - */ -export interface TreeArtifactProperties { - /** - * Filename of the tree artifact - */ - readonly file: string; -} - -/** - * Artifact properties for nested cloud assemblies - */ -export interface NestedCloudAssemblyProperties { - /** - * Relative path to the nested cloud assembly - */ - readonly directoryName: string; - - /** - * Display name for the cloud assembly - * - * @default - The artifact ID - */ - readonly displayName?: string; -} - -/** - * Properties for manifest artifacts - */ -export type ArtifactProperties = AwsCloudFormationStackProperties -| AssetManifestProperties -| TreeArtifactProperties -| NestedCloudAssemblyProperties; diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/lib/cloud-assembly/context-queries.ts b/packages/aws-cdk-lib/cloud-assembly-schema/lib/cloud-assembly/context-queries.ts deleted file mode 100644 index bd35d023dfe69..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/lib/cloud-assembly/context-queries.ts +++ /dev/null @@ -1,514 +0,0 @@ -import { Tag } from './metadata-schema'; - -/** - * Identifier for the context provider - */ -export enum ContextProvider { - /** - * AMI provider - */ - AMI_PROVIDER = 'ami', - - /** - * AZ provider - */ - AVAILABILITY_ZONE_PROVIDER = 'availability-zones', - - /** - * Route53 Hosted Zone provider - */ - HOSTED_ZONE_PROVIDER = 'hosted-zone', - - /** - * SSM Parameter Provider - */ - SSM_PARAMETER_PROVIDER = 'ssm', - - /** - * VPC Provider - */ - VPC_PROVIDER = 'vpc-provider', - - /** - * VPC Endpoint Service AZ Provider - */ - ENDPOINT_SERVICE_AVAILABILITY_ZONE_PROVIDER = 'endpoint-service-availability-zones', - - /** - * Load balancer provider - */ - LOAD_BALANCER_PROVIDER = 'load-balancer', - - /** - * Load balancer listener provider - */ - LOAD_BALANCER_LISTENER_PROVIDER = 'load-balancer-listener', - - /** - * Security group provider - */ - SECURITY_GROUP_PROVIDER = 'security-group', - - /** - * KMS Key Provider - */ - KEY_PROVIDER = 'key-provider', - - /** - * A plugin provider (the actual plugin name will be in the properties) - */ - PLUGIN = 'plugin', -} - -/** - * Query to AMI context provider - */ -export interface AmiContextQuery { - /** - * Account to query - */ - readonly account: string; - - /** - * Region to query - */ - readonly region: string; - - /** - * The ARN of the role that should be used to look up the missing values - * - * @default - None - */ - readonly lookupRoleArn?: string; - - /** - * Owners to DescribeImages call - * - * @default - All owners - */ - readonly owners?: string[]; - - /** - * Filters to DescribeImages call - */ - readonly filters: {[key: string]: string[]}; -} - -/** - * Query to availability zone context provider - */ -export interface AvailabilityZonesContextQuery { - /** - * Query account - */ - readonly account: string; - - /** - * Query region - */ - readonly region: string; - - /** - * The ARN of the role that should be used to look up the missing values - * - * @default - None - */ - readonly lookupRoleArn?: string; - -} - -/** - * Query to hosted zone context provider - */ -export interface HostedZoneContextQuery { - /** - * Query account - */ - readonly account: string; - - /** - * Query region - */ - readonly region: string; - - /** - * The ARN of the role that should be used to look up the missing values - * - * @default - None - */ - readonly lookupRoleArn?: string; - - /** - * The domain name e.g. example.com to lookup - */ - readonly domainName: string; - - /** - * True if the zone you want to find is a private hosted zone - * - * @default false - */ - readonly privateZone?: boolean; - - /** - * The VPC ID to that the private zone must be associated with - * - * If you provide VPC ID and privateZone is false, this will return no results - * and raise an error. - * - * @default - Required if privateZone=true - */ - readonly vpcId?: string; -} - -/** - * Query to SSM Parameter Context Provider - */ -export interface SSMParameterContextQuery { - /** - * Query account - */ - readonly account: string; - - /** - * Query region - */ - readonly region: string; - - /** - * The ARN of the role that should be used to look up the missing values - * - * @default - None - */ - readonly lookupRoleArn?: string; - - /** - * Parameter name to query - */ - readonly parameterName: string; -} - -/** - * Query input for looking up a VPC - */ -export interface VpcContextQuery { - /** - * Query account - */ - readonly account: string; - - /** - * Query region - */ - readonly region: string; - - /** - * The ARN of the role that should be used to look up the missing values - * - * @default - None - */ - readonly lookupRoleArn?: string; - - /** - * Filters to apply to the VPC - * - * Filter parameters are the same as passed to DescribeVpcs. - * - * @see https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpcs.html - */ - readonly filter: {[key: string]: string}; - - /** - * Whether to populate the subnetGroups field of the `VpcContextResponse`, - * which contains potentially asymmetric subnet groups. - * - * @default false - */ - readonly returnAsymmetricSubnets?: boolean; - - /** - * Optional tag for subnet group name. - * If not provided, we'll look at the aws-cdk:subnet-name tag. - * If the subnet does not have the specified tag, - * we'll use its type as the name. - * - * @default 'aws-cdk:subnet-name' - */ - readonly subnetGroupNameTag?: string; - - /** - * Whether to populate the `vpnGatewayId` field of the `VpcContextResponse`, - * which contains the VPN Gateway ID, if one exists. You can explicitly - * disable this in order to avoid the lookup if you know the VPC does not have - * a VPN Gatway attached. - * - * @default true - */ - readonly returnVpnGateways?: boolean; -} - -/** - * Query to endpoint service context provider - */ -export interface EndpointServiceAvailabilityZonesContextQuery { - /** - * Query account - */ - readonly account: string; - - /** - * Query region - */ - readonly region: string; - - /** - * The ARN of the role that should be used to look up the missing values - * - * @default - None - */ - readonly lookupRoleArn?: string; - - /** - * Query service name - */ - readonly serviceName: string; -} - -/** - * Type of load balancer - */ -export enum LoadBalancerType { - /** - * Network load balancer - */ - NETWORK = 'network', - - /** - * Application load balancer - */ - APPLICATION = 'application', -} - -/** - * Filters for selecting load balancers - */ -export interface LoadBalancerFilter { - /** - * Filter load balancers by their type - */ - readonly loadBalancerType: LoadBalancerType; - - /** - * Find by load balancer's ARN - * @default - does not search by load balancer arn - */ - readonly loadBalancerArn?: string; - - /** - * Match load balancer tags - * @default - does not match load balancers by tags - */ - readonly loadBalancerTags?: Tag[]; -} - -/** - * Query input for looking up a load balancer - */ -export interface LoadBalancerContextQuery extends LoadBalancerFilter { - /** - * Query account - */ - readonly account: string; - - /** - * Query region - */ - readonly region: string; - - /** - * The ARN of the role that should be used to look up the missing values - * - * @default - None - */ - readonly lookupRoleArn?: string; -} - -/** - * The protocol for connections from clients to the load balancer - */ -export enum LoadBalancerListenerProtocol { - /** - * HTTP protocol - */ - HTTP = 'HTTP', - - /** - * HTTPS protocol - */ - HTTPS = 'HTTPS', - - /** - * TCP protocol - */ - TCP = 'TCP', - - /** - * TLS protocol - */ - TLS = 'TLS', - - /** - * UDP protocol - * */ - UDP = 'UDP', - - /** - * TCP and UDP protocol - * */ - TCP_UDP = 'TCP_UDP', -} - -/** - * Query input for looking up a load balancer listener - */ -export interface LoadBalancerListenerContextQuery extends LoadBalancerFilter { - /** - * Query account - */ - readonly account: string; - - /** - * Query region - */ - readonly region: string; - - /** - * The ARN of the role that should be used to look up the missing values - * - * @default - None - */ - readonly lookupRoleArn?: string; - - /** - * Find by listener's arn - * @default - does not find by listener arn - */ - readonly listenerArn?: string; - - /** - * Filter by listener protocol - * @default - does not filter by listener protocol - */ - readonly listenerProtocol?: LoadBalancerListenerProtocol; - - /** - * Filter listeners by listener port - * @default - does not filter by a listener port - */ - readonly listenerPort?: number; -} - -/** - * Query input for looking up a security group - */ -export interface SecurityGroupContextQuery { - /** - * Query account - */ - readonly account: string; - - /** - * Query region - */ - readonly region: string; - - /** - * The ARN of the role that should be used to look up the missing values - * - * @default - None - */ - readonly lookupRoleArn?: string; - - /** - * Security group id - * - * @default - None - */ - readonly securityGroupId?: string; - - /** - * Security group name - * - * @default - None - */ - readonly securityGroupName?: string; - - /** - * VPC ID - * - * @default - None - */ - readonly vpcId?: string; -} - -/** - * Query input for looking up a KMS Key - */ -export interface KeyContextQuery { - /** - * Query account - */ - readonly account: string; - - /** - * Query region - */ - readonly region: string; - - /** - * The ARN of the role that should be used to look up the missing values - * - * @default - None - */ - readonly lookupRoleArn?: string; - - /** - * Alias name used to search the Key - */ - readonly aliasName: string; -} - -/** - * Query input for plugins - * - * This alternate branch is necessary because it needs to be able to escape all type checking - * we do on on the cloud assembly -- we cannot know the properties that will be used a priori. - */ -export interface PluginContextQuery { - /** - * The name of the plugin - */ - readonly pluginName: string; - - /** - * Arbitrary other arguments for the plugin. - * - * This index signature is not usable in non-TypeScript/JavaScript languages. - * - * @jsii ignore - */ - [key: string]: any; -} - -export type ContextQueryProperties = AmiContextQuery -| AvailabilityZonesContextQuery -| HostedZoneContextQuery -| SSMParameterContextQuery -| VpcContextQuery -| EndpointServiceAvailabilityZonesContextQuery -| LoadBalancerContextQuery -| LoadBalancerListenerContextQuery -| SecurityGroupContextQuery -| KeyContextQuery -| PluginContextQuery; - diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/lib/cloud-assembly/index.ts b/packages/aws-cdk-lib/cloud-assembly-schema/lib/cloud-assembly/index.ts deleted file mode 100644 index 931538d80cf11..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/lib/cloud-assembly/index.ts +++ /dev/null @@ -1,4 +0,0 @@ -export * from './schema'; -export * from './metadata-schema'; -export * from './artifact-schema'; -export * from './context-queries'; diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/lib/cloud-assembly/metadata-schema.ts b/packages/aws-cdk-lib/cloud-assembly-schema/lib/cloud-assembly/metadata-schema.ts deleted file mode 100644 index a96df56d49b58..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/lib/cloud-assembly/metadata-schema.ts +++ /dev/null @@ -1,325 +0,0 @@ -/** - * Common properties for asset metadata. - */ -interface BaseAssetMetadataEntry { - /** - * Requested packaging style - */ - readonly packaging: string; - - /** - * Logical identifier for the asset - */ - readonly id: string; - - /** - * The hash of the asset source. - */ - readonly sourceHash: string; - - /** - * Path on disk to the asset - */ - readonly path: string; -} - -/** - * Metadata Entry spec for files. - * - * @example - * const entry = { - * packaging: 'file', - * s3BucketParameter: 'bucket-parameter', - * s3KeyParamenter: 'key-parameter', - * artifactHashParameter: 'hash-parameter', - * } - */ -export interface FileAssetMetadataEntry extends BaseAssetMetadataEntry { - /** - * Requested packaging style - */ - readonly packaging: 'zip' | 'file'; - - /** - * Name of parameter where S3 bucket should be passed in - */ - readonly s3BucketParameter: string; - - /** - * Name of parameter where S3 key should be passed in - */ - readonly s3KeyParameter: string; - - /** - * The name of the parameter where the hash of the bundled asset should be passed in. - */ - readonly artifactHashParameter: string; -} - -/** - * Metadata Entry spec for stack tag. - */ -export interface Tag { - /** - * Tag key. - * - * (In the actual file on disk this will be cased as "Key", and the structure is - * patched to match this structure upon loading: - * https://github.com/aws/aws-cdk/blob/4aadaa779b48f35838cccd4e25107b2338f05547/packages/%40aws-cdk/cloud-assembly-schema/lib/manifest.ts#L137) - */ - readonly key: string; - - /** - * Tag value. - * - * (In the actual file on disk this will be cased as "Value", and the structure is - * patched to match this structure upon loading: - * https://github.com/aws/aws-cdk/blob/4aadaa779b48f35838cccd4e25107b2338f05547/packages/%40aws-cdk/cloud-assembly-schema/lib/manifest.ts#L137) - */ - readonly value: string; -} - -/** - * Options for configuring the Docker cache backend - */ -export interface ContainerImageAssetCacheOption { - /** - * The type of cache to use. - * Refer to https://docs.docker.com/build/cache/backends/ for full list of backends. - * @default - unspecified - * - * @example 'registry' - */ - readonly type: string; - /** - * Any parameters to pass into the docker cache backend configuration. - * Refer to https://docs.docker.com/build/cache/backends/ for cache backend configuration. - * @default {} No options provided - * - * @example - * declare const branch: string; - * - * const params = { - * ref: `12345678.dkr.ecr.us-west-2.amazonaws.com/cache:${branch}`, - * mode: "max", - * }; - */ - readonly params?: { [key: string]: string }; -} - -/** - * Metadata Entry spec for container images. - * - * @example - * const entry = { - * packaging: 'container-image', - * repositoryName: 'repository-name', - * imageTag: 'tag', - * } - */ -export interface ContainerImageAssetMetadataEntry extends BaseAssetMetadataEntry { - /** - * Type of asset - */ - readonly packaging: 'container-image'; - - /** - * ECR Repository name and repo digest (separated by "@sha256:") where this - * image is stored. - * - * @default undefined If not specified, `repositoryName` and `imageTag` are - * required because otherwise how will the stack know where to find the asset, - * ha? - * @deprecated specify `repositoryName` and `imageTag` instead, and then you - * know where the image will go. - */ - readonly imageNameParameter?: string; - - /** - * ECR repository name, if omitted a default name based on the asset's ID is - * used instead. Specify this property if you need to statically address the - * image, e.g. from a Kubernetes Pod. Note, this is only the repository name, - * without the registry and the tag parts. - * - * @default - this parameter is REQUIRED after 1.21.0 - */ - readonly repositoryName?: string; - - /** - * The docker image tag to use for tagging pushed images. This field is - * required if `imageParameterName` is ommited (otherwise, the app won't be - * able to find the image). - * - * @default - this parameter is REQUIRED after 1.21.0 - */ - readonly imageTag?: string; - - /** - * Build args to pass to the `docker build` command - * - * @default no build args are passed - */ - readonly buildArgs?: { [key: string]: string }; - - /** - * SSH agent socket or keys to pass to the `docker build` command - * - * @default no ssh arg is passed - */ - readonly buildSsh?: string; - - /** - * Build secrets to pass to the `docker build` command - * - * @default no build secrets are passed - */ - readonly buildSecrets?: { [key: string]: string }; - - /** - * Docker target to build to - * - * @default no build target - */ - readonly target?: string; - - /** - * Path to the Dockerfile (relative to the directory). - * - * @default - no file is passed - */ - readonly file?: string; - - /** - * Networking mode for the RUN commands during build. - * - * @default - no networking mode specified - */ - readonly networkMode?: string; - - /** - * Platform to build for. _Requires Docker Buildx_. - * - * @default - current machine platform - */ - readonly platform?: string; - - /** - * Outputs to pass to the `docker build` command. - * - * @default - no outputs are passed to the build command (default outputs are used) - * @see https://docs.docker.com/engine/reference/commandline/build/#custom-build-outputs - */ - readonly outputs?: string[]; - - /** - * Cache from options to pass to the `docker build` command. - * - * @default - no cache from options are passed to the build command - * @see https://docs.docker.com/build/cache/backends/ - */ - readonly cacheFrom?: ContainerImageAssetCacheOption[]; - - /** - * Cache to options to pass to the `docker build` command. - * - * @default - no cache to options are passed to the build command - * @see https://docs.docker.com/build/cache/backends/ - */ - readonly cacheTo?: ContainerImageAssetCacheOption; - - /** - * Disable the cache and pass `--no-cache` to the `docker build` command. - * - * @default - cache is used - */ - readonly cacheDisabled?: boolean; -} - -/** - * @see ArtifactMetadataEntryType.ASSET - */ -export type AssetMetadataEntry = FileAssetMetadataEntry | ContainerImageAssetMetadataEntry; - -// Type aliases for metadata entries. -// Used simply to assign names to data types for more clarity. - -/** - * @see ArtifactMetadataEntryType.INFO - * @see ArtifactMetadataEntryType.WARN - * @see ArtifactMetadataEntryType.ERROR - */ -export type LogMessageMetadataEntry = string; - -/** - * @see ArtifactMetadataEntryType.LOGICAL_ID - */ -export type LogicalIdMetadataEntry = string; - -/** - * @see ArtifactMetadataEntryType.STACK_TAGS - */ -export type StackTagsMetadataEntry = Tag[]; - -/** - * Union type for all metadata entries that might exist in the manifest. - */ -export type MetadataEntryData = AssetMetadataEntry | LogMessageMetadataEntry | LogicalIdMetadataEntry | StackTagsMetadataEntry; - -/** - * Type of artifact metadata entry. - */ -export enum ArtifactMetadataEntryType { - /** - * Asset in metadata. - */ - ASSET = 'aws:cdk:asset', - - /** - * Metadata key used to print INFO-level messages by the toolkit when an app is syntheized. - */ - INFO = 'aws:cdk:info', - - /** - * Metadata key used to print WARNING-level messages by the toolkit when an app is syntheized. - */ - WARN = 'aws:cdk:warning', - - /** - * Metadata key used to print ERROR-level messages by the toolkit when an app is syntheized. - */ - ERROR = 'aws:cdk:error', - - /** - * Represents the CloudFormation logical ID of a resource at a certain path. - */ - LOGICAL_ID = 'aws:cdk:logicalId', - - /** - * Represents tags of a stack. - */ - STACK_TAGS = 'aws:cdk:stack-tags', -} - -/** - * A metadata entry in a cloud assembly artifact. - */ -export interface MetadataEntry { - /** - * The type of the metadata entry. - */ - readonly type: string; - - /** - * The data. - * - * @default - no data. - */ - readonly data?: MetadataEntryData; - - /** - * A stack trace for when the entry was created. - * - * @default - no trace. - */ - readonly trace?: string[]; -} diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/lib/cloud-assembly/schema.ts b/packages/aws-cdk-lib/cloud-assembly-schema/lib/cloud-assembly/schema.ts deleted file mode 100644 index b6c9ba4ba39cd..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/lib/cloud-assembly/schema.ts +++ /dev/null @@ -1,140 +0,0 @@ -import { ArtifactProperties } from './artifact-schema'; -import { ContextProvider, ContextQueryProperties } from './context-queries'; -import { MetadataEntry } from './metadata-schema'; - -/** - * Type of cloud artifact. - */ -export enum ArtifactType { - /** - * Stub required because of JSII. - */ - NONE = 'none', // required due to a jsii bug - - /** - * The artifact is an AWS CloudFormation stack. - */ - AWS_CLOUDFORMATION_STACK = 'aws:cloudformation:stack', - - /** - * The artifact contains the CDK application's construct tree. - */ - CDK_TREE = 'cdk:tree', - - /** - * Manifest for all assets in the Cloud Assembly - */ - ASSET_MANIFEST = 'cdk:asset-manifest', - - /** - * Nested Cloud Assembly - */ - NESTED_CLOUD_ASSEMBLY = 'cdk:cloud-assembly', -} - -/** - * Information about the application's runtime components. - */ -export interface RuntimeInfo { - /** - * The list of libraries loaded in the application, associated with their versions. - */ - readonly libraries: { [name: string]: string }; -} - -/** - * Represents a missing piece of context. - */ -export interface MissingContext { - /** - * The missing context key. - */ - readonly key: string; - - /** - * The provider from which we expect this context key to be obtained. - */ - readonly provider: ContextProvider; - - /** - * A set of provider-specific options. - */ - readonly props: ContextQueryProperties; -} - -/** - * A manifest for a single artifact within the cloud assembly. - */ -export interface ArtifactManifest { - /** - * The type of artifact. - */ - readonly type: ArtifactType; - - /** - * The environment into which this artifact is deployed. - * - * @default - no envrionment. - */ - readonly environment?: string; // format: aws://account/region - - /** - * Associated metadata. - * - * @default - no metadata. - */ - readonly metadata?: { [path: string]: MetadataEntry[] }; - - /** - * IDs of artifacts that must be deployed before this artifact. - * - * @default - no dependencies. - */ - readonly dependencies?: string[]; - - /** - * The set of properties for this artifact (depends on type) - * - * @default - no properties. - */ - readonly properties?: ArtifactProperties; - - /** - * A string that represents this artifact. Should only be used in user interfaces. - * - * @default - no display name - */ - readonly displayName?: string; -} - -/** - * A manifest which describes the cloud assembly. - */ -export interface AssemblyManifest { - /** - * Protocol version - */ - readonly version: string; - - /** - * The set of artifacts in this assembly. - * - * @default - no artifacts. - */ - readonly artifacts?: { [id: string]: ArtifactManifest }; - - /** - * Missing context information. If this field has values, it means that the - * cloud assembly is not complete and should not be deployed. - * - * @default - no missing context. - */ - readonly missing?: MissingContext[]; - - /** - * Runtime information. - * - * @default - no info. - */ - readonly runtime?: RuntimeInfo; -} diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/lib/index.ts b/packages/aws-cdk-lib/cloud-assembly-schema/lib/index.ts deleted file mode 100644 index 5fd6eb6ceda07..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/lib/index.ts +++ /dev/null @@ -1,4 +0,0 @@ -export * from './cloud-assembly'; -export * from './assets'; -export * from './manifest'; -export * from './integ-tests'; diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/lib/integ-tests/commands/common.ts b/packages/aws-cdk-lib/cloud-assembly-schema/lib/integ-tests/commands/common.ts deleted file mode 100644 index 393307c260e5b..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/lib/integ-tests/commands/common.ts +++ /dev/null @@ -1,201 +0,0 @@ -/** - * In what scenarios should the CLI ask for approval - */ -export enum RequireApproval { - /** - * Never ask for approval - */ - NEVER = 'never', - - /** - * Prompt for approval for any type of change to the stack - */ - ANYCHANGE = 'any-change', - - /** - * Only prompt for approval if there are security related changes - */ - BROADENING = 'broadening', -} - -/** - * Default CDK CLI options that apply to all commands - */ -export interface DefaultCdkOptions { - /** - * List of stacks to deploy - * - * Requried if `all` is not set - * - * @default - [] - */ - readonly stacks?: string[]; - - /** - * Deploy all stacks - * - * Requried if `stacks` is not set - * - * @default - false - */ - readonly all?: boolean; - - /** - * command-line for executing your app or a cloud assembly directory - * e.g. "node bin/my-app.js" - * or - * "cdk.out" - * - * @default - read from cdk.json - */ - readonly app?: string; - - /** - * Role to pass to CloudFormation for deployment - * - * @default - use the bootstrap cfn-exec role - */ - readonly roleArn?: string; - - /** - * Additional context - * - * @default - no additional context - */ - readonly context?: { [name: string]: string }; - - /** - * Print trace for stack warnings - * - * @default false - */ - readonly trace?: boolean; - - /** - * Do not construct stacks with warnings - * - * @default false - */ - readonly strict?: boolean; - - /** - * Perform context lookups. - * - * Synthesis fails if this is disabled and context lookups need - * to be performed - * - * @default true - */ - readonly lookups?: boolean; - - /** - * Ignores synthesis errors, which will likely produce an invalid output - * - * @default false - */ - readonly ignoreErrors?: boolean; - - /** - * Use JSON output instead of YAML when templates are printed - * to STDOUT - * - * @default false - */ - readonly json?: boolean; - - /** - * show debug logs - * - * @default false - */ - readonly verbose?: boolean; - - /** - * enable emission of additional debugging information, such as creation stack - * traces of tokens - * - * @default false - */ - readonly debug?: boolean; - - /** - * Use the indicated AWS profile as the default environment - * - * @default - no profile is used - */ - readonly profile?: string; - - /** - * Use the indicated proxy. Will read from - * HTTPS_PROXY environment if specified - * - * @default - no proxy - */ - readonly proxy?: string; - - /** - * Path to CA certificate to use when validating HTTPS - * requests. - * - * @default - read from AWS_CA_BUNDLE environment variable - */ - readonly caBundlePath?: string; - - /** - * Force trying to fetch EC2 instance credentials - * - * @default - guess EC2 instance status - */ - readonly ec2Creds?: boolean; - - /** - * Include "AWS::CDK::Metadata" resource in synthesized templates - * - * @default true - */ - readonly versionReporting?: boolean; - - /** - * Include "aws:cdk:path" CloudFormation metadata for each resource - * - * @default true - */ - readonly pathMetadata?: boolean; - - /** - * Include "aws:asset:*" CloudFormation metadata for resources that use assets - * - * @default true - */ - readonly assetMetadata?: boolean; - - /** - * Copy assets to the output directory - * - * Needed for local debugging the source files with SAM CLI - * - * @default false - */ - readonly staging?: boolean; - - /** - * Emits the synthesized cloud assembly into a directory - * - * @default cdk.out - */ - readonly output?: string; - - /** - * Show relevant notices - * - * @default true - */ - readonly notices?: boolean; - - /** - * Show colors and other style from console output - * - * @default true - */ - readonly color?: boolean; -} diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/lib/integ-tests/commands/deploy.ts b/packages/aws-cdk-lib/cloud-assembly-schema/lib/integ-tests/commands/deploy.ts deleted file mode 100644 index 8d63a7d9644f9..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/lib/integ-tests/commands/deploy.ts +++ /dev/null @@ -1,104 +0,0 @@ -import { DefaultCdkOptions, RequireApproval } from './common'; - -/** - * Options to use with cdk deploy - */ -export interface DeployOptions extends DefaultCdkOptions { - /** - * Only perform action on the given stack - * - * @default false - */ - readonly exclusively?: boolean; - - /** - * Name of the toolkit stack to use/deploy - * - * @default CDKToolkit - */ - readonly toolkitStackName?: string; - - /** - * Reuse the assets with the given asset IDs - * - * @default - do not reuse assets - */ - readonly reuseAssets?: string[]; - - /** - * Optional name to use for the CloudFormation change set. - * If not provided, a name will be generated automatically. - * - * @default - auto generate a name - */ - readonly changeSetName?: string; - - /** - * Always deploy, even if templates are identical. - * @default false - */ - readonly force?: boolean; - - /** - * Rollback failed deployments - * - * @default true - */ - readonly rollback?: boolean; - - /** - * ARNs of SNS topics that CloudFormation will notify with stack related events - * - * @default - no notifications - */ - readonly notificationArns?: string[]; - - /** - * What kind of security changes require approval - * - * @default RequireApproval.Never - */ - readonly requireApproval?: RequireApproval; - - /** - * Whether to execute the ChangeSet - * Not providing `execute` parameter will result in execution of ChangeSet - * @default true - */ - readonly execute?: boolean; - - /** - * Additional parameters for CloudFormation at deploy time - * @default {} - */ - readonly parameters?: { [name: string]: string }; - - /** - * Use previous values for unspecified parameters - * - * If not set, all parameters must be specified for every deployment. - * - * @default true - */ - readonly usePreviousParameters?: boolean; - - /** - * Path to file where stack outputs will be written after a successful deploy as JSON - * @default - Outputs are not written to any file - */ - readonly outputsFile?: string; - - /** - * Whether we are on a CI system - * - * @default false - */ - readonly ci?: boolean; - - /** - * Deploy multiple stacks in parallel - * - * @default 1 - */ - readonly concurrency?: number; -} diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/lib/integ-tests/commands/destroy.ts b/packages/aws-cdk-lib/cloud-assembly-schema/lib/integ-tests/commands/destroy.ts deleted file mode 100644 index 9dfe8f267c6db..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/lib/integ-tests/commands/destroy.ts +++ /dev/null @@ -1,20 +0,0 @@ -import { DefaultCdkOptions } from './common'; - -/** - * Options to use with cdk destroy - */ -export interface DestroyOptions extends DefaultCdkOptions { - /** - * Do not ask for permission before destroying stacks - * - * @default false - */ - readonly force?: boolean; - - /** - * Only destroy the given stack - * - * @default false - */ - readonly exclusively?: boolean; -} diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/lib/integ-tests/commands/index.ts b/packages/aws-cdk-lib/cloud-assembly-schema/lib/integ-tests/commands/index.ts deleted file mode 100644 index 528980446938b..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/lib/integ-tests/commands/index.ts +++ /dev/null @@ -1,3 +0,0 @@ -export * from './common'; -export * from './deploy'; -export * from './destroy'; diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/lib/integ-tests/index.ts b/packages/aws-cdk-lib/cloud-assembly-schema/lib/integ-tests/index.ts deleted file mode 100644 index 5a08e62a47958..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/lib/integ-tests/index.ts +++ /dev/null @@ -1,3 +0,0 @@ -export * from './schema'; -export * from './commands'; -export * from './test-case'; diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/lib/integ-tests/schema.ts b/packages/aws-cdk-lib/cloud-assembly-schema/lib/integ-tests/schema.ts deleted file mode 100644 index 1a617e23cf959..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/lib/integ-tests/schema.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { TestCase } from './test-case'; -/** - * Definitions for the integration testing manifest - */ -export interface IntegManifest { - /** - * Version of the manifest - */ - readonly version: string; - - /** - * Enable lookups for this test. If lookups are enabled - * then `stackUpdateWorkflow` must be set to false. - * Lookups should only be enabled when you are explicitely testing - * lookups. - * - * @default false - */ - readonly enableLookups?: boolean; - - /** - * Additional context to use when performing - * a synth. Any context provided here will override - * any default context - * - * @default - no additional context - */ - readonly synthContext?: { [name: string]: string }; - - /** - * test cases - */ - readonly testCases: { [testName: string]: TestCase }; -} - diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/lib/integ-tests/test-case.ts b/packages/aws-cdk-lib/cloud-assembly-schema/lib/integ-tests/test-case.ts deleted file mode 100644 index 6878f9da2563c..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/lib/integ-tests/test-case.ts +++ /dev/null @@ -1,206 +0,0 @@ -import { DeployOptions, DestroyOptions } from './commands'; - -/** - * The set of options to control the workflow of the test runner - */ -export interface TestOptions { - /** - * Run update workflow on this test case - * This should only be set to false to test scenarios - * that are not possible to test as part of the update workflow - * - * @default true - */ - readonly stackUpdateWorkflow?: boolean; - - /** - * Additional options to use for each CDK command - * - * @default - runner default options - */ - readonly cdkCommandOptions?: CdkCommands; - - /** - * Additional commands to run at predefined points in the test workflow - * - * e.g. { postDeploy: ['yarn', 'test'] } - * - * @default - no hooks - */ - readonly hooks?: Hooks; - - /** - * Whether or not to include asset hashes in the diff - * Asset hashes can introduces a lot of unneccessary noise into tests, - * but there are some cases where asset hashes _should_ be included. For example - * any tests involving custom resources or bundling - * - * @default false - */ - readonly diffAssets?: boolean; - - /** - * List of CloudFormation resource types in this stack that can - * be destroyed as part of an update without failing the test. - * - * This list should only include resources that for this specific - * integration test we are sure will not cause errors or an outage if - * destroyed. For example, maybe we know that a new resource will be created - * first before the old resource is destroyed which prevents any outage. - * - * e.g. ['AWS::IAM::Role'] - * - * @default - do not allow destruction of any resources on update - */ - readonly allowDestroy?: string[]; - - /** - * Limit deployment to these regions - * - * @default - can run in any region - */ - readonly regions?: string[]; -} - -/** - * Represents an integration test case - */ -export interface TestCase extends TestOptions { - /** - * Stacks that should be tested as part of this test case - * The stackNames will be passed as args to the cdk commands - * so dependent stacks will be automatically deployed unless - * `exclusively` is passed - */ - readonly stacks: string[]; - - /** - * The node id of the stack that contains assertions. - * This is the value that can be used to deploy the stack with the CDK CLI - * - * @default - no assertion stack - */ - readonly assertionStack?: string; - - /** - * The name of the stack that contains assertions - * - * @default - no assertion stack - */ - readonly assertionStackName?: string; -} - -/** - * Commands to run at predefined points during the - * integration test workflow - */ -export interface Hooks { - /** - * Commands to run prior to deploying the cdk stacks - * in the integration test - * - * @default - no commands - */ - readonly preDeploy?: string[]; - - /** - * Commands to run prior after deploying the cdk stacks - * in the integration test - * - * @default - no commands - */ - readonly postDeploy?: string[]; - - /** - * Commands to run prior to destroying the cdk stacks - * in the integration test - * - * @default - no commands - */ - readonly preDestroy?: string[]; - - /** - * Commands to run after destroying the cdk stacks - * in the integration test - * - * @default - no commands - */ - readonly postDestroy?: string[]; -} - -/** - * Represents a cdk command - * i.e. `synth`, `deploy`, & `destroy` - */ -export interface CdkCommand { - /** - * Whether or not to run this command as part of the workflow - * This can be used if you only want to test some of the workflow - * for example enable `synth` and disable `deploy` & `destroy` in order - * to limit the test to synthesis - * - * @default true - */ - readonly enabled?: boolean; - - /** - * If the runner should expect this command to fail - * - * @default false - */ - readonly expectError?: boolean; - - /** - * This can be used in combination with `expectedError` - * to validate that a specific message is returned. - * - * @default - do not validate message - */ - readonly expectedMessage?: string; -} - -/** - * Represents a cdk deploy command - */ -export interface DeployCommand extends CdkCommand { - /** - * Additional arguments to pass to the command - * This can be used to test specific CLI functionality - * - * @default - only default args are used - */ - readonly args?: DeployOptions; -} - -/** - * Represents a cdk destroy command - */ -export interface DestroyCommand extends CdkCommand { - /** - * Additional arguments to pass to the command - * This can be used to test specific CLI functionality - * - * @default - only default args are used - */ - readonly args?: DestroyOptions; -} - -/** - * Options for specific cdk commands that are run - * as part of the integration test workflow - */ -export interface CdkCommands { - /** - * Options to for the cdk deploy command - * - * @default - default deploy options - */ - readonly deploy?: DeployCommand; - - /** - * Options to for the cdk destroy command - * - * @default - default destroy options - */ - readonly destroy?: DestroyCommand; -} diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/lib/manifest.ts b/packages/aws-cdk-lib/cloud-assembly-schema/lib/manifest.ts deleted file mode 100644 index 76069e0187d4c..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/lib/manifest.ts +++ /dev/null @@ -1,292 +0,0 @@ -import * as fs from 'fs'; -import * as jsonschema from 'jsonschema'; -import * as semver from 'semver'; -import * as assets from './assets'; -import * as assembly from './cloud-assembly'; -import * as integ from './integ-tests'; - -/* eslint-disable @typescript-eslint/no-var-requires */ -/* eslint-disable @typescript-eslint/no-require-imports */ - -// this prefix is used by the CLI to identify this specific error. -// in which case we want to instruct the user to upgrade his CLI. -// see exec.ts#createAssembly -export const VERSION_MISMATCH: string = 'Cloud assembly schema version mismatch'; - -const ASSETS_SCHEMA = require('../schema/assets.schema.json'); - -const ASSEMBLY_SCHEMA = require('../schema/cloud-assembly.schema.json'); - -/** - * Version is shared for both manifests - */ -const SCHEMA_VERSION = require('../schema/cloud-assembly.version.json').version; - -const INTEG_SCHEMA = require('../schema/integ.schema.json'); - -/** - * Options for the loadManifest operation - */ -export interface LoadManifestOptions { - /** - * Skip the version check - * - * This means you may read a newer cloud assembly than the CX API is designed - * to support, and your application may not be aware of all features that in use - * in the Cloud Assembly. - * - * @default false - */ - readonly skipVersionCheck?: boolean; - - /** - * Skip enum checks - * - * This means you may read enum values you don't know about yet. Make sure to always - * check the values of enums you encounter in the manifest. - * - * @default false - */ - readonly skipEnumCheck?: boolean; - - /** - * Topologically sort all artifacts - * - * This parameter is only respected by the constructor of `CloudAssembly`. The - * property lives here for backwards compatibility reasons. - * - * @default true - */ - readonly topoSort?: boolean; -} - -/** - * Protocol utility class. - */ -export class Manifest { - /** - * Validates and saves the cloud assembly manifest to file. - * - * @param manifest - manifest. - * @param filePath - output file path. - */ - public static saveAssemblyManifest(manifest: assembly.AssemblyManifest, filePath: string) { - Manifest.saveManifest(manifest, filePath, ASSEMBLY_SCHEMA, Manifest.patchStackTagsOnWrite); - } - - /** - * Load and validates the cloud assembly manifest from file. - * - * @param filePath - path to the manifest file. - */ - public static loadAssemblyManifest(filePath: string, options?: LoadManifestOptions): assembly.AssemblyManifest { - return Manifest.loadManifest(filePath, ASSEMBLY_SCHEMA, Manifest.patchStackTagsOnRead, options); - } - - /** - * Validates and saves the asset manifest to file. - * - * @param manifest - manifest. - * @param filePath - output file path. - */ - public static saveAssetManifest(manifest: assets.AssetManifest, filePath: string) { - Manifest.saveManifest(manifest, filePath, ASSETS_SCHEMA, Manifest.patchStackTagsOnRead); - } - - /** - * Load and validates the asset manifest from file. - * - * @param filePath - path to the manifest file. - */ - public static loadAssetManifest(filePath: string): assets.AssetManifest { - return this.loadManifest(filePath, ASSETS_SCHEMA); - } - - /** - * Validates and saves the integ manifest to file. - * - * @param manifest - manifest. - * @param filePath - output file path. - */ - public static saveIntegManifest(manifest: integ.IntegManifest, filePath: string) { - Manifest.saveManifest(manifest, filePath, INTEG_SCHEMA); - } - - /** - * Load and validates the integ manifest from file. - * - * @param filePath - path to the manifest file. - */ - public static loadIntegManifest(filePath: string): integ.IntegManifest { - return this.loadManifest(filePath, INTEG_SCHEMA); - } - - /** - * Fetch the current schema version number. - */ - public static version(): string { - return SCHEMA_VERSION; - } - - /** - * Deprecated - * @deprecated use `saveAssemblyManifest()` - */ - public static save(manifest: assembly.AssemblyManifest, filePath: string) { return this.saveAssemblyManifest(manifest, filePath); } - - /** - * Deprecated - * @deprecated use `loadAssemblyManifest()` - */ - public static load(filePath: string): assembly.AssemblyManifest { return this.loadAssemblyManifest(filePath); } - - private static validate(manifest: { version: string }, schema: jsonschema.Schema, options?: LoadManifestOptions) { - function parseVersion(version: string) { - const ver = semver.valid(version); - if (!ver) { - throw new Error(`Invalid semver string: "${version}"`); - } - return ver; - } - - const maxSupported = parseVersion(Manifest.version()); - const actual = parseVersion(manifest.version); - - // first validate the version should be accepted. - if (semver.gt(actual, maxSupported) && !options?.skipVersionCheck) { - // we use a well known error prefix so that the CLI can identify this specific error - // and print some more context to the user. - throw new Error(`${VERSION_MISMATCH}: Maximum schema version supported is ${maxSupported}, but found ${actual}`); - } - - // now validate the format is good. - const validator = new jsonschema.Validator(); - const result = validator.validate(manifest, schema, { - - // does exist but is not in the TypeScript definitions - nestedErrors: true, - - allowUnknownAttributes: false, - - } as any); - - let errors = result.errors; - if (options?.skipEnumCheck) { - // Enum validations aren't useful when - errors = stripEnumErrors(errors); - } - - if (errors.length > 0) { - throw new Error(`Invalid assembly manifest:\n${errors.map(e => e.stack).join('\n')}`); - } - } - - private static saveManifest(manifest: any, filePath: string, schema: jsonschema.Schema, preprocess?: (obj: any) => any) { - let withVersion = { ...manifest, version: Manifest.version() }; - Manifest.validate(withVersion, schema); - if (preprocess) { - withVersion = preprocess(withVersion); - } - fs.writeFileSync(filePath, JSON.stringify(withVersion, undefined, 2)); - } - - private static loadManifest(filePath: string, schema: jsonschema.Schema, preprocess?: (obj: any) => any, options?: LoadManifestOptions) { - const contents = fs.readFileSync(filePath, { encoding: 'utf-8' }); - let obj; - try { - obj = JSON.parse(contents); - } catch (e: any) { - throw new Error(`${e.message}, while parsing ${JSON.stringify(contents)}`); - } - if (preprocess) { - obj = preprocess(obj); - } - Manifest.validate(obj, schema, options); - return obj; - } - - /** - * This requires some explaining... - * - * We previously used `{ Key, Value }` for the object that represents a stack tag. (Notice the casing) - * @link https://github.com/aws/aws-cdk/blob/v1.27.0/packages/aws-cdk/lib/api/cxapp/stacks.ts#L427. - * - * When that object moved to this package, it had to be JSII compliant, which meant the property - * names must be `camelCased`, and not `PascalCased`. This meant it no longer matches the structure in the `manifest.json` file. - * In order to support current manifest files, we have to translate the `PascalCased` representation to the new `camelCased` one. - * - * Note that the serialization itself still writes `PascalCased` because it relates to how CloudFormation expects it. - * - * Ideally, we would start writing the `camelCased` and translate to how CloudFormation expects it when needed. But this requires nasty - * backwards-compatibility code and it just doesn't seem to be worth the effort. - */ - private static patchStackTagsOnRead(manifest: assembly.AssemblyManifest) { - return Manifest.replaceStackTags(manifest, tags => tags.map((diskTag: any) => ({ - key: diskTag.Key, - value: diskTag.Value, - }))); - } - - /** - * See explanation on `patchStackTagsOnRead` - * - * Translate stack tags metadata if it has the "right" casing. - */ - private static patchStackTagsOnWrite(manifest: assembly.AssemblyManifest) { - return Manifest.replaceStackTags(manifest, tags => tags.map(memTag => - // Might already be uppercased (because stack synthesis generates it in final form yet) - ('Key' in memTag ? memTag : { Key: memTag.key, Value: memTag.value }) as any, - )); - } - - /** - * Recursively replace stack tags in the stack metadata - */ - private static replaceStackTags(manifest: assembly.AssemblyManifest, fn: Endofunctor): assembly.AssemblyManifest { - // Need to add in the `noUndefined`s because otherwise jest snapshot tests are going to freak out - // about the keys with values that are `undefined` (even though they would never be JSON.stringified) - return noUndefined({ - ...manifest, - artifacts: mapValues(manifest.artifacts, artifact => { - if (artifact.type !== assembly.ArtifactType.AWS_CLOUDFORMATION_STACK) { return artifact; } - return noUndefined({ - ...artifact, - metadata: mapValues(artifact.metadata, metadataEntries => metadataEntries.map(metadataEntry => { - if (metadataEntry.type !== assembly.ArtifactMetadataEntryType.STACK_TAGS || !metadataEntry.data) { return metadataEntry; } - return { - ...metadataEntry, - data: fn(metadataEntry.data as assembly.StackTagsMetadataEntry), - }; - })), - } as assembly.ArtifactManifest); - }), - }); - } - - private constructor() {} -} - -type Endofunctor = (x: A) => A; - -function mapValues(xs: Record | undefined, fn: (x: A) => B): Record | undefined { - if (!xs) { return undefined; } - const ret: Record | undefined = {}; - for (const [k, v] of Object.entries(xs)) { - ret[k] = fn(v); - } - return ret; -} - -function noUndefined(xs: A): A { - const ret: any = {}; - for (const [k, v] of Object.entries(xs)) { - if (v !== undefined) { - ret[k] = v; - } - } - return ret; -} - -function stripEnumErrors(errors: jsonschema.ValidationError[]) { - return errors.filter(e => typeof e.schema ==='string' || !('enum' in e.schema)); -} diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/schema/README.md b/packages/aws-cdk-lib/cloud-assembly-schema/schema/README.md deleted file mode 100644 index ae58ce74ee4e8..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/schema/README.md +++ /dev/null @@ -1,5 +0,0 @@ -## Cloud Assembly JSON Schema - -**DO NOT MODIFY FILES IN THIS DIRECTORY BY HAND** - -To modify, run `yarn update-schema`. \ No newline at end of file diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/schema/assets.schema.json b/packages/aws-cdk-lib/cloud-assembly-schema/schema/assets.schema.json deleted file mode 100644 index 980fbaf0d86de..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/schema/assets.schema.json +++ /dev/null @@ -1,253 +0,0 @@ -{ - "$ref": "#/definitions/AssetManifest", - "definitions": { - "AssetManifest": { - "description": "Definitions for the asset manifest", - "type": "object", - "properties": { - "version": { - "description": "Version of the manifest", - "type": "string" - }, - "files": { - "description": "The file assets in this manifest (Default - No files)", - "type": "object", - "additionalProperties": { - "$ref": "#/definitions/FileAsset" - } - }, - "dockerImages": { - "description": "The Docker image assets in this manifest (Default - No Docker images)", - "type": "object", - "additionalProperties": { - "$ref": "#/definitions/DockerImageAsset" - } - } - }, - "required": [ - "version" - ] - }, - "FileAsset": { - "description": "A file asset", - "type": "object", - "properties": { - "source": { - "$ref": "#/definitions/FileSource", - "description": "Source description for file assets" - }, - "destinations": { - "description": "Destinations for this file asset", - "type": "object", - "additionalProperties": { - "$ref": "#/definitions/FileDestination" - } - } - }, - "required": [ - "destinations", - "source" - ] - }, - "FileSource": { - "description": "Describe the source of a file asset", - "type": "object", - "properties": { - "executable": { - "description": "External command which will produce the file asset to upload. (Default - Exactly one of `executable` and `path` is required.)", - "type": "array", - "items": { - "type": "string" - } - }, - "path": { - "description": "The filesystem object to upload\n\nThis path is relative to the asset manifest location. (Default - Exactly one of `executable` and `path` is required.)", - "type": "string" - }, - "packaging": { - "description": "Packaging method\n\nOnly allowed when `path` is specified. (Default FILE)", - "enum": [ - "file", - "zip" - ], - "type": "string" - } - } - }, - "FileDestination": { - "description": "Where in S3 a file asset needs to be published", - "type": "object", - "properties": { - "bucketName": { - "description": "The name of the bucket", - "type": "string" - }, - "objectKey": { - "description": "The destination object key", - "type": "string" - }, - "region": { - "description": "The region where this asset will need to be published (Default - Current region)", - "type": "string" - }, - "assumeRoleArn": { - "description": "The role that needs to be assumed while publishing this asset (Default - No role will be assumed)", - "type": "string" - }, - "assumeRoleExternalId": { - "description": "The ExternalId that needs to be supplied while assuming this role (Default - No ExternalId will be supplied)", - "type": "string" - } - }, - "required": [ - "bucketName", - "objectKey" - ] - }, - "DockerImageAsset": { - "description": "A file asset", - "type": "object", - "properties": { - "source": { - "$ref": "#/definitions/DockerImageSource", - "description": "Source description for file assets" - }, - "destinations": { - "description": "Destinations for this file asset", - "type": "object", - "additionalProperties": { - "$ref": "#/definitions/DockerImageDestination" - } - } - }, - "required": [ - "destinations", - "source" - ] - }, - "DockerImageSource": { - "description": "Properties for how to produce a Docker image from a source", - "type": "object", - "properties": { - "directory": { - "description": "The directory containing the Docker image build instructions.\n\nThis path is relative to the asset manifest location. (Default - Exactly one of `directory` and `executable` is required)", - "type": "string" - }, - "executable": { - "description": "A command-line executable that returns the name of a local\nDocker image on stdout after being run. (Default - Exactly one of `directory` and `executable` is required)", - "type": "array", - "items": { - "type": "string" - } - }, - "dockerFile": { - "description": "The name of the file with build instructions\n\nOnly allowed when `directory` is set. (Default Dockerfile)", - "type": "string" - }, - "dockerBuildTarget": { - "description": "Target build stage in a Dockerfile with multiple build stages\n\nOnly allowed when `directory` is set. (Default - The last stage in the Dockerfile)", - "type": "string" - }, - "dockerBuildArgs": { - "description": "Additional build arguments\n\nOnly allowed when `directory` is set. (Default - No additional build arguments)", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "dockerBuildSsh": { - "description": "SSH agent socket or keys\n\nRequires building with docker buildkit. (Default - No ssh flag is set)", - "type": "string" - }, - "dockerBuildSecrets": { - "description": "Additional build secrets\n\nOnly allowed when `directory` is set. (Default - No additional build secrets)", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "networkMode": { - "description": "Networking mode for the RUN commands during build. _Requires Docker Engine API v1.25+_.\n\nSpecify this property to build images on a specific networking mode. (Default - no networking mode specified)", - "type": "string" - }, - "platform": { - "description": "Platform to build for. _Requires Docker Buildx_.\n\nSpecify this property to build images on a specific platform/architecture. (Default - current machine platform)", - "type": "string" - }, - "dockerOutputs": { - "description": "Outputs (Default - no outputs are passed to the build command (default outputs are used))", - "type": "array", - "items": { - "type": "string" - } - }, - "cacheFrom": { - "description": "Cache from options to pass to the `docker build` command. (Default - no cache from options are passed to the build command)", - "type": "array", - "items": { - "$ref": "#/definitions/DockerCacheOption" - } - }, - "cacheTo": { - "description": "Cache to options to pass to the `docker build` command. (Default - no cache to options are passed to the build command)", - "$ref": "#/definitions/DockerCacheOption" - }, - "cacheDisabled": { - "description": "Disable the cache and pass `--no-cache` to the `docker build` command. (Default - cache is used)", - "type": "boolean" - } - } - }, - "DockerCacheOption": { - "description": "Options for configuring the Docker cache backend", - "type": "object", - "properties": { - "type": { - "description": "The type of cache to use.\nRefer to https://docs.docker.com/build/cache/backends/ for full list of backends. (Default - unspecified)", - "type": "string" - }, - "params": { - "description": "Any parameters to pass into the docker cache backend configuration.\nRefer to https://docs.docker.com/build/cache/backends/ for cache backend configuration. (Default {} No options provided)", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "required": [ - "type" - ] - }, - "DockerImageDestination": { - "description": "Where to publish docker images", - "type": "object", - "properties": { - "repositoryName": { - "description": "Name of the ECR repository to publish to", - "type": "string" - }, - "imageTag": { - "description": "Tag of the image to publish", - "type": "string" - }, - "region": { - "description": "The region where this asset will need to be published (Default - Current region)", - "type": "string" - }, - "assumeRoleArn": { - "description": "The role that needs to be assumed while publishing this asset (Default - No role will be assumed)", - "type": "string" - }, - "assumeRoleExternalId": { - "description": "The ExternalId that needs to be supplied while assuming this role (Default - No ExternalId will be supplied)", - "type": "string" - } - }, - "required": [ - "imageTag", - "repositoryName" - ] - } - }, - "$schema": "http://json-schema.org/draft-07/schema#" -} \ No newline at end of file diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/schema/cloud-assembly.schema.json b/packages/aws-cdk-lib/cloud-assembly-schema/schema/cloud-assembly.schema.json deleted file mode 100644 index 279dfbe369073..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/schema/cloud-assembly.schema.json +++ /dev/null @@ -1,939 +0,0 @@ -{ - "$ref": "#/definitions/AssemblyManifest", - "definitions": { - "AssemblyManifest": { - "description": "A manifest which describes the cloud assembly.", - "type": "object", - "properties": { - "version": { - "description": "Protocol version", - "type": "string" - }, - "artifacts": { - "description": "The set of artifacts in this assembly. (Default - no artifacts.)", - "type": "object", - "additionalProperties": { - "$ref": "#/definitions/ArtifactManifest" - } - }, - "missing": { - "description": "Missing context information. If this field has values, it means that the\ncloud assembly is not complete and should not be deployed. (Default - no missing context.)", - "type": "array", - "items": { - "$ref": "#/definitions/MissingContext" - } - }, - "runtime": { - "description": "Runtime information. (Default - no info.)", - "$ref": "#/definitions/RuntimeInfo" - } - }, - "required": [ - "version" - ] - }, - "ArtifactManifest": { - "description": "A manifest for a single artifact within the cloud assembly.", - "type": "object", - "properties": { - "type": { - "$ref": "#/definitions/ArtifactType", - "description": "The type of artifact." - }, - "environment": { - "description": "The environment into which this artifact is deployed. (Default - no envrionment.)", - "type": "string" - }, - "metadata": { - "description": "Associated metadata. (Default - no metadata.)", - "type": "object", - "additionalProperties": { - "type": "array", - "items": { - "$ref": "#/definitions/MetadataEntry" - } - } - }, - "dependencies": { - "description": "IDs of artifacts that must be deployed before this artifact. (Default - no dependencies.)", - "type": "array", - "items": { - "type": "string" - } - }, - "properties": { - "description": "The set of properties for this artifact (depends on type) (Default - no properties.)", - "anyOf": [ - { - "$ref": "#/definitions/AwsCloudFormationStackProperties" - }, - { - "$ref": "#/definitions/AssetManifestProperties" - }, - { - "$ref": "#/definitions/TreeArtifactProperties" - }, - { - "$ref": "#/definitions/NestedCloudAssemblyProperties" - } - ] - }, - "displayName": { - "description": "A string that represents this artifact. Should only be used in user interfaces. (Default - no display name)", - "type": "string" - } - }, - "required": [ - "type" - ] - }, - "ArtifactType": { - "description": "Type of cloud artifact.", - "type": "string", - "enum": [ - "none", - "aws:cloudformation:stack", - "cdk:tree", - "cdk:asset-manifest", - "cdk:cloud-assembly" - ] - }, - "MetadataEntry": { - "description": "A metadata entry in a cloud assembly artifact.", - "type": "object", - "properties": { - "type": { - "description": "The type of the metadata entry.", - "type": "string" - }, - "data": { - "description": "The data. (Default - no data.)", - "anyOf": [ - { - "$ref": "#/definitions/FileAssetMetadataEntry" - }, - { - "$ref": "#/definitions/ContainerImageAssetMetadataEntry" - }, - { - "type": "array", - "items": { - "$ref": "#/definitions/Tag" - } - }, - { - "type": "string" - }, - { - "description": "Free form data." - } - ] - }, - "trace": { - "description": "A stack trace for when the entry was created. (Default - no trace.)", - "type": "array", - "items": { - "type": "string" - } - } - }, - "required": [ - "type" - ] - }, - "FileAssetMetadataEntry": { - "description": "Metadata Entry spec for files.", - "type": "object", - "properties": { - "packaging": { - "description": "Requested packaging style", - "enum": [ - "file", - "zip" - ], - "type": "string" - }, - "s3BucketParameter": { - "description": "Name of parameter where S3 bucket should be passed in", - "type": "string" - }, - "s3KeyParameter": { - "description": "Name of parameter where S3 key should be passed in", - "type": "string" - }, - "artifactHashParameter": { - "description": "The name of the parameter where the hash of the bundled asset should be passed in.", - "type": "string" - }, - "id": { - "description": "Logical identifier for the asset", - "type": "string" - }, - "sourceHash": { - "description": "The hash of the asset source.", - "type": "string" - }, - "path": { - "description": "Path on disk to the asset", - "type": "string" - } - }, - "required": [ - "artifactHashParameter", - "id", - "packaging", - "path", - "s3BucketParameter", - "s3KeyParameter", - "sourceHash" - ] - }, - "ContainerImageAssetMetadataEntry": { - "description": "Metadata Entry spec for container images.", - "type": "object", - "properties": { - "packaging": { - "description": "Type of asset", - "type": "string", - "const": "container-image" - }, - "imageNameParameter": { - "description": "ECR Repository name and repo digest (separated by \"@sha256:\") where this\nimage is stored. (Default undefined If not specified, `repositoryName` and `imageTag` are\nrequired because otherwise how will the stack know where to find the asset,\nha?)", - "type": "string" - }, - "repositoryName": { - "description": "ECR repository name, if omitted a default name based on the asset's ID is\nused instead. Specify this property if you need to statically address the\nimage, e.g. from a Kubernetes Pod. Note, this is only the repository name,\nwithout the registry and the tag parts. (Default - this parameter is REQUIRED after 1.21.0)", - "type": "string" - }, - "imageTag": { - "description": "The docker image tag to use for tagging pushed images. This field is\nrequired if `imageParameterName` is ommited (otherwise, the app won't be\nable to find the image). (Default - this parameter is REQUIRED after 1.21.0)", - "type": "string" - }, - "buildArgs": { - "description": "Build args to pass to the `docker build` command (Default no build args are passed)", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "buildSsh": { - "description": "SSH agent socket or keys to pass to the `docker build` command (Default no ssh arg is passed)", - "type": "string" - }, - "buildSecrets": { - "description": "Build secrets to pass to the `docker build` command (Default no build secrets are passed)", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "target": { - "description": "Docker target to build to (Default no build target)", - "type": "string" - }, - "file": { - "description": "Path to the Dockerfile (relative to the directory). (Default - no file is passed)", - "type": "string" - }, - "networkMode": { - "description": "Networking mode for the RUN commands during build. (Default - no networking mode specified)", - "type": "string" - }, - "platform": { - "description": "Platform to build for. _Requires Docker Buildx_. (Default - current machine platform)", - "type": "string" - }, - "outputs": { - "description": "Outputs to pass to the `docker build` command. (Default - no outputs are passed to the build command (default outputs are used))", - "type": "array", - "items": { - "type": "string" - } - }, - "cacheFrom": { - "description": "Cache from options to pass to the `docker build` command. (Default - no cache from options are passed to the build command)", - "type": "array", - "items": { - "$ref": "#/definitions/ContainerImageAssetCacheOption" - } - }, - "cacheTo": { - "description": "Cache to options to pass to the `docker build` command. (Default - no cache to options are passed to the build command)", - "$ref": "#/definitions/ContainerImageAssetCacheOption" - }, - "cacheDisabled": { - "description": "Disable the cache and pass `--no-cache` to the `docker build` command. (Default - cache is used)", - "type": "boolean" - }, - "id": { - "description": "Logical identifier for the asset", - "type": "string" - }, - "sourceHash": { - "description": "The hash of the asset source.", - "type": "string" - }, - "path": { - "description": "Path on disk to the asset", - "type": "string" - } - }, - "required": [ - "id", - "packaging", - "path", - "sourceHash" - ] - }, - "ContainerImageAssetCacheOption": { - "description": "Options for configuring the Docker cache backend", - "type": "object", - "properties": { - "type": { - "description": "The type of cache to use.\nRefer to https://docs.docker.com/build/cache/backends/ for full list of backends. (Default - unspecified)", - "type": "string" - }, - "params": { - "description": "Any parameters to pass into the docker cache backend configuration.\nRefer to https://docs.docker.com/build/cache/backends/ for cache backend configuration. (Default {} No options provided)", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "required": [ - "type" - ] - }, - "Tag": { - "description": "Metadata Entry spec for stack tag.", - "type": "object", - "properties": { - "key": { - "description": "Tag key.\n\n(In the actual file on disk this will be cased as \"Key\", and the structure is\npatched to match this structure upon loading:\nhttps://github.com/aws/aws-cdk/blob/4aadaa779b48f35838cccd4e25107b2338f05547/packages/%40aws-cdk/cloud-assembly-schema/lib/manifest.ts#L137)", - "type": "string" - }, - "value": { - "description": "Tag value.\n\n(In the actual file on disk this will be cased as \"Value\", and the structure is\npatched to match this structure upon loading:\nhttps://github.com/aws/aws-cdk/blob/4aadaa779b48f35838cccd4e25107b2338f05547/packages/%40aws-cdk/cloud-assembly-schema/lib/manifest.ts#L137)", - "type": "string" - } - }, - "required": [ - "key", - "value" - ] - }, - "AwsCloudFormationStackProperties": { - "description": "Artifact properties for CloudFormation stacks.", - "type": "object", - "properties": { - "templateFile": { - "description": "A file relative to the assembly root which contains the CloudFormation template for this stack.", - "type": "string" - }, - "parameters": { - "description": "Values for CloudFormation stack parameters that should be passed when the stack is deployed. (Default - No parameters)", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "tags": { - "description": "Values for CloudFormation stack tags that should be passed when the stack is deployed. (Default - No tags)", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "stackName": { - "description": "The name to use for the CloudFormation stack. (Default - name derived from artifact ID)", - "type": "string" - }, - "terminationProtection": { - "description": "Whether to enable termination protection for this stack.", - "default": false, - "type": "boolean" - }, - "assumeRoleArn": { - "description": "The role that needs to be assumed to deploy the stack (Default - No role is assumed (current credentials are used))", - "type": "string" - }, - "assumeRoleExternalId": { - "description": "External ID to use when assuming role for cloudformation deployments (Default - No external ID)", - "type": "string" - }, - "cloudFormationExecutionRoleArn": { - "description": "The role that is passed to CloudFormation to execute the change set (Default - No role is passed (currently assumed role/credentials are used))", - "type": "string" - }, - "lookupRole": { - "description": "The role to use to look up values from the target AWS account (Default - No role is assumed (current credentials are used))", - "$ref": "#/definitions/BootstrapRole" - }, - "stackTemplateAssetObjectUrl": { - "description": "If the stack template has already been included in the asset manifest, its asset URL (Default - Not uploaded yet, upload just before deploying)", - "type": "string" - }, - "requiresBootstrapStackVersion": { - "description": "Version of bootstrap stack required to deploy this stack (Default - No bootstrap stack required)", - "type": "number" - }, - "bootstrapStackVersionSsmParameter": { - "description": "SSM parameter where the bootstrap stack version number can be found\n\nOnly used if `requiresBootstrapStackVersion` is set.\n\n- If this value is not set, the bootstrap stack name must be known at\n deployment time so the stack version can be looked up from the stack\n outputs.\n- If this value is set, the bootstrap stack can have any name because\n we won't need to look it up. (Default - Bootstrap stack version number looked up)", - "type": "string" - }, - "validateOnSynth": { - "description": "Whether this stack should be validated by the CLI after synthesis (Default - false)", - "type": "boolean" - } - }, - "required": [ - "templateFile" - ] - }, - "BootstrapRole": { - "description": "Information needed to access an IAM role created\nas part of the bootstrap process", - "type": "object", - "properties": { - "arn": { - "description": "The ARN of the IAM role created as part of bootrapping\ne.g. lookupRoleArn", - "type": "string" - }, - "assumeRoleExternalId": { - "description": "External ID to use when assuming the bootstrap role (Default - No external ID)", - "type": "string" - }, - "requiresBootstrapStackVersion": { - "description": "Version of bootstrap stack required to use this role (Default - No bootstrap stack required)", - "type": "number" - }, - "bootstrapStackVersionSsmParameter": { - "description": "Name of SSM parameter with bootstrap stack version (Default - Discover SSM parameter by reading stack)", - "type": "string" - } - }, - "required": [ - "arn" - ] - }, - "AssetManifestProperties": { - "description": "Artifact properties for the Asset Manifest", - "type": "object", - "properties": { - "file": { - "description": "Filename of the asset manifest", - "type": "string" - }, - "requiresBootstrapStackVersion": { - "description": "Version of bootstrap stack required to deploy this stack (Default - Version 1 (basic modern bootstrap stack))", - "type": "number" - }, - "bootstrapStackVersionSsmParameter": { - "description": "SSM parameter where the bootstrap stack version number can be found\n\n- If this value is not set, the bootstrap stack name must be known at\n deployment time so the stack version can be looked up from the stack\n outputs.\n- If this value is set, the bootstrap stack can have any name because\n we won't need to look it up. (Default - Bootstrap stack version number looked up)", - "type": "string" - } - }, - "required": [ - "file" - ] - }, - "TreeArtifactProperties": { - "description": "Artifact properties for the Construct Tree Artifact", - "type": "object", - "properties": { - "file": { - "description": "Filename of the tree artifact", - "type": "string" - } - }, - "required": [ - "file" - ] - }, - "NestedCloudAssemblyProperties": { - "description": "Artifact properties for nested cloud assemblies", - "type": "object", - "properties": { - "directoryName": { - "description": "Relative path to the nested cloud assembly", - "type": "string" - }, - "displayName": { - "description": "Display name for the cloud assembly (Default - The artifact ID)", - "type": "string" - } - }, - "required": [ - "directoryName" - ] - }, - "MissingContext": { - "description": "Represents a missing piece of context.", - "type": "object", - "properties": { - "key": { - "description": "The missing context key.", - "type": "string" - }, - "provider": { - "$ref": "#/definitions/ContextProvider", - "description": "The provider from which we expect this context key to be obtained." - }, - "props": { - "$ref": "#/definitions/ContextQueryProperties", - "description": "A set of provider-specific options." - } - }, - "required": [ - "key", - "props", - "provider" - ] - }, - "ContextProvider": { - "description": "Identifier for the context provider", - "type": "string", - "enum": [ - "ami", - "availability-zones", - "hosted-zone", - "ssm", - "vpc-provider", - "endpoint-service-availability-zones", - "load-balancer", - "load-balancer-listener", - "security-group", - "key-provider", - "plugin" - ] - }, - "ContextQueryProperties": { - "anyOf": [ - { - "$ref": "#/definitions/AmiContextQuery" - }, - { - "$ref": "#/definitions/AvailabilityZonesContextQuery" - }, - { - "$ref": "#/definitions/HostedZoneContextQuery" - }, - { - "$ref": "#/definitions/SSMParameterContextQuery" - }, - { - "$ref": "#/definitions/VpcContextQuery" - }, - { - "$ref": "#/definitions/EndpointServiceAvailabilityZonesContextQuery" - }, - { - "$ref": "#/definitions/LoadBalancerContextQuery" - }, - { - "$ref": "#/definitions/LoadBalancerListenerContextQuery" - }, - { - "$ref": "#/definitions/SecurityGroupContextQuery" - }, - { - "$ref": "#/definitions/KeyContextQuery" - }, - { - "$ref": "#/definitions/PluginContextQuery" - } - ] - }, - "AmiContextQuery": { - "description": "Query to AMI context provider", - "type": "object", - "properties": { - "account": { - "description": "Account to query", - "type": "string" - }, - "region": { - "description": "Region to query", - "type": "string" - }, - "lookupRoleArn": { - "description": "The ARN of the role that should be used to look up the missing values (Default - None)", - "type": "string" - }, - "owners": { - "description": "Owners to DescribeImages call (Default - All owners)", - "type": "array", - "items": { - "type": "string" - } - }, - "filters": { - "description": "Filters to DescribeImages call", - "type": "object", - "additionalProperties": { - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "required": [ - "account", - "filters", - "region" - ] - }, - "AvailabilityZonesContextQuery": { - "description": "Query to availability zone context provider", - "type": "object", - "properties": { - "account": { - "description": "Query account", - "type": "string" - }, - "region": { - "description": "Query region", - "type": "string" - }, - "lookupRoleArn": { - "description": "The ARN of the role that should be used to look up the missing values (Default - None)", - "type": "string" - } - }, - "required": [ - "account", - "region" - ] - }, - "HostedZoneContextQuery": { - "description": "Query to hosted zone context provider", - "type": "object", - "properties": { - "account": { - "description": "Query account", - "type": "string" - }, - "region": { - "description": "Query region", - "type": "string" - }, - "lookupRoleArn": { - "description": "The ARN of the role that should be used to look up the missing values (Default - None)", - "type": "string" - }, - "domainName": { - "description": "The domain name e.g. example.com to lookup", - "type": "string" - }, - "privateZone": { - "description": "True if the zone you want to find is a private hosted zone", - "default": false, - "type": "boolean" - }, - "vpcId": { - "description": "The VPC ID to that the private zone must be associated with\n\nIf you provide VPC ID and privateZone is false, this will return no results\nand raise an error. (Default - Required if privateZone=true)", - "type": "string" - } - }, - "required": [ - "account", - "domainName", - "region" - ] - }, - "SSMParameterContextQuery": { - "description": "Query to SSM Parameter Context Provider", - "type": "object", - "properties": { - "account": { - "description": "Query account", - "type": "string" - }, - "region": { - "description": "Query region", - "type": "string" - }, - "lookupRoleArn": { - "description": "The ARN of the role that should be used to look up the missing values (Default - None)", - "type": "string" - }, - "parameterName": { - "description": "Parameter name to query", - "type": "string" - } - }, - "required": [ - "account", - "parameterName", - "region" - ] - }, - "VpcContextQuery": { - "description": "Query input for looking up a VPC", - "type": "object", - "properties": { - "account": { - "description": "Query account", - "type": "string" - }, - "region": { - "description": "Query region", - "type": "string" - }, - "lookupRoleArn": { - "description": "The ARN of the role that should be used to look up the missing values (Default - None)", - "type": "string" - }, - "filter": { - "description": "Filters to apply to the VPC\n\nFilter parameters are the same as passed to DescribeVpcs.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "returnAsymmetricSubnets": { - "description": "Whether to populate the subnetGroups field of the `VpcContextResponse`,\nwhich contains potentially asymmetric subnet groups.", - "default": false, - "type": "boolean" - }, - "subnetGroupNameTag": { - "description": "Optional tag for subnet group name.\nIf not provided, we'll look at the aws-cdk:subnet-name tag.\nIf the subnet does not have the specified tag,\nwe'll use its type as the name. (Default 'aws-cdk:subnet-name')", - "type": "string" - }, - "returnVpnGateways": { - "description": "Whether to populate the `vpnGatewayId` field of the `VpcContextResponse`,\nwhich contains the VPN Gateway ID, if one exists. You can explicitly\ndisable this in order to avoid the lookup if you know the VPC does not have\na VPN Gatway attached. (Default true)", - "type": "boolean" - } - }, - "required": [ - "account", - "filter", - "region" - ] - }, - "EndpointServiceAvailabilityZonesContextQuery": { - "description": "Query to endpoint service context provider", - "type": "object", - "properties": { - "account": { - "description": "Query account", - "type": "string" - }, - "region": { - "description": "Query region", - "type": "string" - }, - "lookupRoleArn": { - "description": "The ARN of the role that should be used to look up the missing values (Default - None)", - "type": "string" - }, - "serviceName": { - "description": "Query service name", - "type": "string" - } - }, - "required": [ - "account", - "region", - "serviceName" - ] - }, - "LoadBalancerContextQuery": { - "description": "Query input for looking up a load balancer", - "type": "object", - "properties": { - "account": { - "description": "Query account", - "type": "string" - }, - "region": { - "description": "Query region", - "type": "string" - }, - "lookupRoleArn": { - "description": "The ARN of the role that should be used to look up the missing values (Default - None)", - "type": "string" - }, - "loadBalancerType": { - "$ref": "#/definitions/LoadBalancerType", - "description": "Filter load balancers by their type" - }, - "loadBalancerArn": { - "description": "Find by load balancer's ARN (Default - does not search by load balancer arn)", - "type": "string" - }, - "loadBalancerTags": { - "description": "Match load balancer tags (Default - does not match load balancers by tags)", - "type": "array", - "items": { - "$ref": "#/definitions/Tag" - } - } - }, - "required": [ - "account", - "loadBalancerType", - "region" - ] - }, - "LoadBalancerType": { - "description": "Type of load balancer", - "type": "string", - "enum": [ - "network", - "application" - ] - }, - "LoadBalancerListenerContextQuery": { - "description": "Query input for looking up a load balancer listener", - "type": "object", - "properties": { - "account": { - "description": "Query account", - "type": "string" - }, - "region": { - "description": "Query region", - "type": "string" - }, - "lookupRoleArn": { - "description": "The ARN of the role that should be used to look up the missing values (Default - None)", - "type": "string" - }, - "listenerArn": { - "description": "Find by listener's arn (Default - does not find by listener arn)", - "type": "string" - }, - "listenerProtocol": { - "description": "Filter by listener protocol (Default - does not filter by listener protocol)", - "enum": [ - "HTTP", - "HTTPS", - "TCP", - "TCP_UDP", - "TLS", - "UDP" - ], - "type": "string" - }, - "listenerPort": { - "description": "Filter listeners by listener port (Default - does not filter by a listener port)", - "type": "number" - }, - "loadBalancerType": { - "$ref": "#/definitions/LoadBalancerType", - "description": "Filter load balancers by their type" - }, - "loadBalancerArn": { - "description": "Find by load balancer's ARN (Default - does not search by load balancer arn)", - "type": "string" - }, - "loadBalancerTags": { - "description": "Match load balancer tags (Default - does not match load balancers by tags)", - "type": "array", - "items": { - "$ref": "#/definitions/Tag" - } - } - }, - "required": [ - "account", - "loadBalancerType", - "region" - ] - }, - "SecurityGroupContextQuery": { - "description": "Query input for looking up a security group", - "type": "object", - "properties": { - "account": { - "description": "Query account", - "type": "string" - }, - "region": { - "description": "Query region", - "type": "string" - }, - "lookupRoleArn": { - "description": "The ARN of the role that should be used to look up the missing values (Default - None)", - "type": "string" - }, - "securityGroupId": { - "description": "Security group id (Default - None)", - "type": "string" - }, - "securityGroupName": { - "description": "Security group name (Default - None)", - "type": "string" - }, - "vpcId": { - "description": "VPC ID (Default - None)", - "type": "string" - } - }, - "required": [ - "account", - "region" - ] - }, - "KeyContextQuery": { - "description": "Query input for looking up a KMS Key", - "type": "object", - "properties": { - "account": { - "description": "Query account", - "type": "string" - }, - "region": { - "description": "Query region", - "type": "string" - }, - "lookupRoleArn": { - "description": "The ARN of the role that should be used to look up the missing values (Default - None)", - "type": "string" - }, - "aliasName": { - "description": "Alias name used to search the Key", - "type": "string" - } - }, - "required": [ - "account", - "aliasName", - "region" - ] - }, - "PluginContextQuery": { - "description": "Query input for plugins\n\nThis alternate branch is necessary because it needs to be able to escape all type checking\nwe do on on the cloud assembly -- we cannot know the properties that will be used a priori.", - "type": "object", - "additionalProperties": {}, - "properties": { - "pluginName": { - "description": "The name of the plugin", - "type": "string" - } - }, - "required": [ - "pluginName" - ] - }, - "RuntimeInfo": { - "description": "Information about the application's runtime components.", - "type": "object", - "properties": { - "libraries": { - "description": "The list of libraries loaded in the application, associated with their versions.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "required": [ - "libraries" - ] - } - }, - "$schema": "http://json-schema.org/draft-07/schema#" -} \ No newline at end of file diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/schema/cloud-assembly.version.json b/packages/aws-cdk-lib/cloud-assembly-schema/schema/cloud-assembly.version.json deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/schema/cloud-assembly.version.json +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/schema/integ.schema.json b/packages/aws-cdk-lib/cloud-assembly-schema/schema/integ.schema.json deleted file mode 100644 index a43e4f30b6f64..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/schema/integ.schema.json +++ /dev/null @@ -1,493 +0,0 @@ -{ - "$ref": "#/definitions/IntegManifest", - "definitions": { - "IntegManifest": { - "description": "Definitions for the integration testing manifest", - "type": "object", - "properties": { - "version": { - "description": "Version of the manifest", - "type": "string" - }, - "enableLookups": { - "description": "Enable lookups for this test. If lookups are enabled\nthen `stackUpdateWorkflow` must be set to false.\nLookups should only be enabled when you are explicitely testing\nlookups.", - "default": false, - "type": "boolean" - }, - "synthContext": { - "description": "Additional context to use when performing\na synth. Any context provided here will override\nany default context (Default - no additional context)", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "testCases": { - "description": "test cases", - "type": "object", - "additionalProperties": { - "$ref": "#/definitions/TestCase" - } - } - }, - "required": [ - "testCases", - "version" - ] - }, - "TestCase": { - "description": "Represents an integration test case", - "type": "object", - "properties": { - "stacks": { - "description": "Stacks that should be tested as part of this test case\nThe stackNames will be passed as args to the cdk commands\nso dependent stacks will be automatically deployed unless\n`exclusively` is passed", - "type": "array", - "items": { - "type": "string" - } - }, - "assertionStack": { - "description": "The node id of the stack that contains assertions.\nThis is the value that can be used to deploy the stack with the CDK CLI (Default - no assertion stack)", - "type": "string" - }, - "assertionStackName": { - "description": "The name of the stack that contains assertions (Default - no assertion stack)", - "type": "string" - }, - "stackUpdateWorkflow": { - "description": "Run update workflow on this test case\nThis should only be set to false to test scenarios\nthat are not possible to test as part of the update workflow (Default true)", - "type": "boolean" - }, - "cdkCommandOptions": { - "description": "Additional options to use for each CDK command (Default - runner default options)", - "$ref": "#/definitions/CdkCommands" - }, - "hooks": { - "description": "Additional commands to run at predefined points in the test workflow\n\ne.g. { postDeploy: ['yarn', 'test'] } (Default - no hooks)", - "$ref": "#/definitions/Hooks" - }, - "diffAssets": { - "description": "Whether or not to include asset hashes in the diff\nAsset hashes can introduces a lot of unneccessary noise into tests,\nbut there are some cases where asset hashes _should_ be included. For example\nany tests involving custom resources or bundling", - "default": false, - "type": "boolean" - }, - "allowDestroy": { - "description": "List of CloudFormation resource types in this stack that can\nbe destroyed as part of an update without failing the test.\n\nThis list should only include resources that for this specific\nintegration test we are sure will not cause errors or an outage if\ndestroyed. For example, maybe we know that a new resource will be created\nfirst before the old resource is destroyed which prevents any outage.\n\ne.g. ['AWS::IAM::Role'] (Default - do not allow destruction of any resources on update)", - "type": "array", - "items": { - "type": "string" - } - }, - "regions": { - "description": "Limit deployment to these regions (Default - can run in any region)", - "type": "array", - "items": { - "type": "string" - } - } - }, - "required": [ - "stacks" - ] - }, - "CdkCommands": { - "description": "Options for specific cdk commands that are run\nas part of the integration test workflow", - "type": "object", - "properties": { - "deploy": { - "description": "Options to for the cdk deploy command (Default - default deploy options)", - "$ref": "#/definitions/DeployCommand" - }, - "destroy": { - "description": "Options to for the cdk destroy command (Default - default destroy options)", - "$ref": "#/definitions/DestroyCommand" - } - } - }, - "DeployCommand": { - "description": "Represents a cdk deploy command", - "type": "object", - "properties": { - "args": { - "description": "Additional arguments to pass to the command\nThis can be used to test specific CLI functionality (Default - only default args are used)", - "$ref": "#/definitions/DeployOptions" - }, - "enabled": { - "description": "Whether or not to run this command as part of the workflow\nThis can be used if you only want to test some of the workflow\nfor example enable `synth` and disable `deploy` & `destroy` in order\nto limit the test to synthesis (Default true)", - "type": "boolean" - }, - "expectError": { - "description": "If the runner should expect this command to fail", - "default": false, - "type": "boolean" - }, - "expectedMessage": { - "description": "This can be used in combination with `expectedError`\nto validate that a specific message is returned. (Default - do not validate message)", - "type": "string" - } - } - }, - "DeployOptions": { - "description": "Options to use with cdk deploy", - "type": "object", - "properties": { - "exclusively": { - "description": "Only perform action on the given stack", - "default": false, - "type": "boolean" - }, - "toolkitStackName": { - "description": "Name of the toolkit stack to use/deploy (Default CDKToolkit)", - "type": "string" - }, - "reuseAssets": { - "description": "Reuse the assets with the given asset IDs (Default - do not reuse assets)", - "type": "array", - "items": { - "type": "string" - } - }, - "changeSetName": { - "description": "Optional name to use for the CloudFormation change set.\nIf not provided, a name will be generated automatically. (Default - auto generate a name)", - "type": "string" - }, - "force": { - "description": "Always deploy, even if templates are identical.", - "default": false, - "type": "boolean" - }, - "rollback": { - "description": "Rollback failed deployments (Default true)", - "type": "boolean" - }, - "notificationArns": { - "description": "ARNs of SNS topics that CloudFormation will notify with stack related events (Default - no notifications)", - "type": "array", - "items": { - "type": "string" - } - }, - "requireApproval": { - "description": "What kind of security changes require approval (Default RequireApproval.Never)", - "enum": [ - "any-change", - "broadening", - "never" - ], - "type": "string" - }, - "execute": { - "description": "Whether to execute the ChangeSet\nNot providing `execute` parameter will result in execution of ChangeSet (Default true)", - "type": "boolean" - }, - "parameters": { - "description": "Additional parameters for CloudFormation at deploy time (Default [object Object])", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "usePreviousParameters": { - "description": "Use previous values for unspecified parameters\n\nIf not set, all parameters must be specified for every deployment. (Default true)", - "type": "boolean" - }, - "outputsFile": { - "description": "Path to file where stack outputs will be written after a successful deploy as JSON (Default - Outputs are not written to any file)", - "type": "string" - }, - "ci": { - "description": "Whether we are on a CI system", - "default": false, - "type": "boolean" - }, - "concurrency": { - "description": "Deploy multiple stacks in parallel (Default 1)", - "type": "number" - }, - "stacks": { - "description": "List of stacks to deploy\n\nRequried if `all` is not set (Default - [])", - "type": "array", - "items": { - "type": "string" - } - }, - "all": { - "description": "Deploy all stacks\n\nRequried if `stacks` is not set (Default - false)", - "type": "boolean" - }, - "app": { - "description": "command-line for executing your app or a cloud assembly directory\ne.g. \"node bin/my-app.js\"\nor\n\"cdk.out\" (Default - read from cdk.json)", - "type": "string" - }, - "roleArn": { - "description": "Role to pass to CloudFormation for deployment (Default - use the bootstrap cfn-exec role)", - "type": "string" - }, - "context": { - "description": "Additional context (Default - no additional context)", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "trace": { - "description": "Print trace for stack warnings", - "default": false, - "type": "boolean" - }, - "strict": { - "description": "Do not construct stacks with warnings", - "default": false, - "type": "boolean" - }, - "lookups": { - "description": "Perform context lookups.\n\nSynthesis fails if this is disabled and context lookups need\nto be performed (Default true)", - "type": "boolean" - }, - "ignoreErrors": { - "description": "Ignores synthesis errors, which will likely produce an invalid output", - "default": false, - "type": "boolean" - }, - "json": { - "description": "Use JSON output instead of YAML when templates are printed\nto STDOUT", - "default": false, - "type": "boolean" - }, - "verbose": { - "description": "show debug logs", - "default": false, - "type": "boolean" - }, - "debug": { - "description": "enable emission of additional debugging information, such as creation stack\ntraces of tokens", - "default": false, - "type": "boolean" - }, - "profile": { - "description": "Use the indicated AWS profile as the default environment (Default - no profile is used)", - "type": "string" - }, - "proxy": { - "description": "Use the indicated proxy. Will read from\nHTTPS_PROXY environment if specified (Default - no proxy)", - "type": "string" - }, - "caBundlePath": { - "description": "Path to CA certificate to use when validating HTTPS\nrequests. (Default - read from AWS_CA_BUNDLE environment variable)", - "type": "string" - }, - "ec2Creds": { - "description": "Force trying to fetch EC2 instance credentials (Default - guess EC2 instance status)", - "type": "boolean" - }, - "versionReporting": { - "description": "Include \"AWS::CDK::Metadata\" resource in synthesized templates (Default true)", - "type": "boolean" - }, - "pathMetadata": { - "description": "Include \"aws:cdk:path\" CloudFormation metadata for each resource (Default true)", - "type": "boolean" - }, - "assetMetadata": { - "description": "Include \"aws:asset:*\" CloudFormation metadata for resources that use assets (Default true)", - "type": "boolean" - }, - "staging": { - "description": "Copy assets to the output directory\n\nNeeded for local debugging the source files with SAM CLI", - "default": false, - "type": "boolean" - }, - "output": { - "description": "Emits the synthesized cloud assembly into a directory (Default cdk.out)", - "type": "string" - }, - "notices": { - "description": "Show relevant notices (Default true)", - "type": "boolean" - }, - "color": { - "description": "Show colors and other style from console output (Default true)", - "type": "boolean" - } - } - }, - "DestroyCommand": { - "description": "Represents a cdk destroy command", - "type": "object", - "properties": { - "args": { - "description": "Additional arguments to pass to the command\nThis can be used to test specific CLI functionality (Default - only default args are used)", - "$ref": "#/definitions/DestroyOptions" - }, - "enabled": { - "description": "Whether or not to run this command as part of the workflow\nThis can be used if you only want to test some of the workflow\nfor example enable `synth` and disable `deploy` & `destroy` in order\nto limit the test to synthesis (Default true)", - "type": "boolean" - }, - "expectError": { - "description": "If the runner should expect this command to fail", - "default": false, - "type": "boolean" - }, - "expectedMessage": { - "description": "This can be used in combination with `expectedError`\nto validate that a specific message is returned. (Default - do not validate message)", - "type": "string" - } - } - }, - "DestroyOptions": { - "description": "Options to use with cdk destroy", - "type": "object", - "properties": { - "force": { - "description": "Do not ask for permission before destroying stacks", - "default": false, - "type": "boolean" - }, - "exclusively": { - "description": "Only destroy the given stack", - "default": false, - "type": "boolean" - }, - "stacks": { - "description": "List of stacks to deploy\n\nRequried if `all` is not set (Default - [])", - "type": "array", - "items": { - "type": "string" - } - }, - "all": { - "description": "Deploy all stacks\n\nRequried if `stacks` is not set (Default - false)", - "type": "boolean" - }, - "app": { - "description": "command-line for executing your app or a cloud assembly directory\ne.g. \"node bin/my-app.js\"\nor\n\"cdk.out\" (Default - read from cdk.json)", - "type": "string" - }, - "roleArn": { - "description": "Role to pass to CloudFormation for deployment (Default - use the bootstrap cfn-exec role)", - "type": "string" - }, - "context": { - "description": "Additional context (Default - no additional context)", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "trace": { - "description": "Print trace for stack warnings", - "default": false, - "type": "boolean" - }, - "strict": { - "description": "Do not construct stacks with warnings", - "default": false, - "type": "boolean" - }, - "lookups": { - "description": "Perform context lookups.\n\nSynthesis fails if this is disabled and context lookups need\nto be performed (Default true)", - "type": "boolean" - }, - "ignoreErrors": { - "description": "Ignores synthesis errors, which will likely produce an invalid output", - "default": false, - "type": "boolean" - }, - "json": { - "description": "Use JSON output instead of YAML when templates are printed\nto STDOUT", - "default": false, - "type": "boolean" - }, - "verbose": { - "description": "show debug logs", - "default": false, - "type": "boolean" - }, - "debug": { - "description": "enable emission of additional debugging information, such as creation stack\ntraces of tokens", - "default": false, - "type": "boolean" - }, - "profile": { - "description": "Use the indicated AWS profile as the default environment (Default - no profile is used)", - "type": "string" - }, - "proxy": { - "description": "Use the indicated proxy. Will read from\nHTTPS_PROXY environment if specified (Default - no proxy)", - "type": "string" - }, - "caBundlePath": { - "description": "Path to CA certificate to use when validating HTTPS\nrequests. (Default - read from AWS_CA_BUNDLE environment variable)", - "type": "string" - }, - "ec2Creds": { - "description": "Force trying to fetch EC2 instance credentials (Default - guess EC2 instance status)", - "type": "boolean" - }, - "versionReporting": { - "description": "Include \"AWS::CDK::Metadata\" resource in synthesized templates (Default true)", - "type": "boolean" - }, - "pathMetadata": { - "description": "Include \"aws:cdk:path\" CloudFormation metadata for each resource (Default true)", - "type": "boolean" - }, - "assetMetadata": { - "description": "Include \"aws:asset:*\" CloudFormation metadata for resources that use assets (Default true)", - "type": "boolean" - }, - "staging": { - "description": "Copy assets to the output directory\n\nNeeded for local debugging the source files with SAM CLI", - "default": false, - "type": "boolean" - }, - "output": { - "description": "Emits the synthesized cloud assembly into a directory (Default cdk.out)", - "type": "string" - }, - "notices": { - "description": "Show relevant notices (Default true)", - "type": "boolean" - }, - "color": { - "description": "Show colors and other style from console output (Default true)", - "type": "boolean" - } - } - }, - "Hooks": { - "description": "Commands to run at predefined points during the\nintegration test workflow", - "type": "object", - "properties": { - "preDeploy": { - "description": "Commands to run prior to deploying the cdk stacks\nin the integration test (Default - no commands)", - "type": "array", - "items": { - "type": "string" - } - }, - "postDeploy": { - "description": "Commands to run prior after deploying the cdk stacks\nin the integration test (Default - no commands)", - "type": "array", - "items": { - "type": "string" - } - }, - "preDestroy": { - "description": "Commands to run prior to destroying the cdk stacks\nin the integration test (Default - no commands)", - "type": "array", - "items": { - "type": "string" - } - }, - "postDestroy": { - "description": "Commands to run after destroying the cdk stacks\nin the integration test (Default - no commands)", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "$schema": "http://json-schema.org/draft-07/schema#" -} \ No newline at end of file diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/scripts/update-schema.sh b/packages/aws-cdk-lib/cloud-assembly-schema/scripts/update-schema.sh deleted file mode 100755 index 04a6710e54bdb..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/scripts/update-schema.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash -set -euo pipefail -scriptsdir=$(cd $(dirname $0) && pwd) -packagedir=$(cd ${scriptsdir}/.. && pwd) - -# Output -OUTPUT_DIR="${packagedir}/schema" -mkdir -p ${OUTPUT_DIR} - -# regenerate JSON schema and bumps the version -ts-node --prefer-ts-exts -e "require('${packagedir}/scripts/update-schema.ts').update()" diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/scripts/update-schema.ts b/packages/aws-cdk-lib/cloud-assembly-schema/scripts/update-schema.ts deleted file mode 100644 index 532a0774612f3..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/scripts/update-schema.ts +++ /dev/null @@ -1,151 +0,0 @@ -import * as fs from 'fs'; -import * as path from 'path'; -import * as semver from 'semver'; -// eslint-disable-next-line import/no-extraneous-dependencies -import * as tjs from 'typescript-json-schema'; - -function log(message: string) { - // eslint-disable-next-line no-console - console.log(message); -} - -/** - * Where schemas are committed. - */ -const SCHEMA_DIR = path.resolve(__dirname, '../schema'); - -const SCHEMA_DEFINITIONS: { - [schemaName: string]: { - /** - * The name of the root type. - */ - rootTypeName: string; - /** - * Files loaded to generate the schema. - * Should be relative to `cloud-assembly-schema/lib`. - * Usually this is just the file containing the root type. - */ - files: string[]; - }; -} = { - 'assets': { - rootTypeName: 'AssetManifest', - files: [path.join('assets', 'schema.ts')], - }, - 'cloud-assembly': { - rootTypeName: 'AssemblyManifest', - files: [path.join('cloud-assembly', 'schema.ts')], - }, - 'integ': { - rootTypeName: 'IntegManifest', - files: [path.join('integ-tests', 'schema.ts')], - }, -}; - -export const SCHEMAS = Object.keys(SCHEMA_DEFINITIONS); - -export function update() { - for (const s of SCHEMAS) { - generateSchema(s); - } - - bump(); -} - -export function bump() { - const versionFile = path.join(SCHEMA_DIR, 'cloud-assembly.version.json'); - - // eslint-disable-next-line @typescript-eslint/no-require-imports - const metadata = require(versionFile); - - const oldVersion = metadata.version; - const newVersion = semver.inc(oldVersion, 'major'); - - log(`Updating schema version: ${oldVersion} -> ${newVersion}`); - fs.writeFileSync(versionFile, JSON.stringify({ version: newVersion })); -} - -/** - * Generates a schema from typescript types. - * @returns JSON schema - * @param schemaName the schema to generate - * @param shouldBump writes a new version of the schema and bumps the major version - */ -export function generateSchema(schemaName: string, saveToFile: boolean = true) { - const spec = SCHEMA_DEFINITIONS[schemaName]; - const out = saveToFile ? path.join(SCHEMA_DIR, `${schemaName}.schema.json`) : ''; - - const settings: Partial = { - required: true, - ref: true, - topRef: true, - noExtraProps: false, - out, - }; - - const compilerOptions = { - strictNullChecks: true, - }; - - const program = tjs.getProgramFromFiles(spec.files.map(file =>path.join(__dirname, '..', 'lib', file)), compilerOptions); - const schema = tjs.generateSchema(program, spec.rootTypeName, settings); - - augmentDescription(schema); - addAnyMetadataEntry(schema); - - if (out) { - log(`Generating schema to ${out}`); - fs.writeFileSync(out, JSON.stringify(schema, null, 4)); - } - - return schema; -} - -/** - * Remove 'default' from the schema since its generated - * from the tsdocs, which are not necessarily actual values, - * but rather descriptive behavior. - * - * To keep this inforamtion in the schema, we append it to the - * 'description' of the property. - */ -function augmentDescription(schema: any) { - - function _recurse(o: any) { - for (const prop in o) { - - if (prop === 'description' && typeof o[prop] === 'string') { - - const description = o[prop]; - const defaultValue = o.default; - - if (!defaultValue) { - // property doesn't have a default value - // skip - continue; - } - - const descriptionWithDefault = `${description} (Default ${defaultValue})`; - - delete o.default; - o[prop] = descriptionWithDefault; - - } else if (typeof o[prop] === 'object') { - _recurse(o[prop]); - } - } - } - - _recurse(schema); - -} - -/** - * Patch the properties of MetadataEntry to allow - * specifying any free form data. This is needed since source - * code doesn't allow this in order to enforce stricter jsii - * compatibility checks. - */ -function addAnyMetadataEntry(schema: any) { - schema?.definitions?.MetadataEntry?.properties.data.anyOf.push({ description: 'Free form data.' }); -} diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/test/__snapshots__/manifest.test.ts.snap b/packages/aws-cdk-lib/cloud-assembly-schema/test/__snapshots__/manifest.test.ts.snap deleted file mode 100644 index 14a8ff8031165..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/test/__snapshots__/manifest.test.ts.snap +++ /dev/null @@ -1,7 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`manifest load 1`] = ` -{ - "version": "0.0.0", -} -`; diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/test/assets.test.ts b/packages/aws-cdk-lib/cloud-assembly-schema/test/assets.test.ts deleted file mode 100644 index 24ddd465484b7..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/test/assets.test.ts +++ /dev/null @@ -1,194 +0,0 @@ -import * as fs from 'fs'; -import * as os from 'os'; -import * as path from 'path'; -import { FileAssetPackaging, Manifest } from '../lib'; - -describe('Docker image asset', () => { - test('valid input', () => { - expect(() => { - validate({ - version: Manifest.version(), - dockerImages: { - asset: { - source: { - directory: '.', - }, - destinations: { - dest: { - region: 'us-north-20', - repositoryName: 'REPO', - imageTag: 'TAG', - }, - }, - }, - externalAsset: { - source: { - executable: ['sometool'], - }, - destinations: { - dest: { - region: 'us-north-20', - repositoryName: 'REPO', - imageTag: 'TAG', - }, - }, - }, - }, - }); - }).not.toThrow(); - }); - - test('invalid input', () => { - expect(() => { - validate({ - version: Manifest.version(), - dockerImages: { - asset: { - source: { - directory: true, - }, - destinations: {}, - }, - externalAsset: { - source: {}, - destinations: {}, - }, - }, - }); - }).toThrow(/instance\.dockerImages\.asset\.source\.directory is not of a type\(s\) string/); - }); -}); - -describe('File asset', () => { - describe('valid input', () => { - test('without packaging', () => { - expect(() => { - validate({ - version: Manifest.version(), - files: { - asset: { - source: { - path: 'a/b/c', - }, - destinations: { - dest: { - region: 'us-north-20', - bucketName: 'Bouquet', - objectKey: 'key', - }, - }, - }, - externalAsset: { - source: { - executable: ['sometool'], - }, - destinations: { - dest: { - region: 'us-north-20', - bucketName: 'Bouquet', - objectKey: 'key', - }, - }, - }, - }, - }); - }).not.toThrow(); - }); - - for (const packaging of Object.values(FileAssetPackaging)) { - test(`with "${packaging}" packaging`, () => { - expect(() => { - validate({ - version: Manifest.version(), - files: { - asset: { - source: { - path: 'a/b/c', - packaging, - }, - destinations: { - dest: { - region: 'us-north-20', - bucketName: 'Bouquet', - objectKey: 'key', - }, - }, - }, - }, - }); - }).not.toThrow(); - }); - } - }); - - describe('invalid input', () => { - test('bad "source.path" property', () => { - expect(() => { - validate({ - version: Manifest.version(), - files: { - asset: { - source: { - path: 3, - }, - destinations: { - dest: { - region: 'us-north-20', - bucketName: 'Bouquet', - objectKey: 'key', - }, - }, - }, - externalAsset: { - source: { - executable: ['sometool'], - }, - destinations: { - dest: { - region: 'us-north-20', - bucketName: 'Bouquet', - objectKey: 'key', - }, - }, - }, - }, - }); - }).toThrow(/instance\.files\.asset\.source\.path is not of a type\(s\) string/); - }); - - test('bad "source.packaging" property', () => { - expect(() => { - validate({ - version: Manifest.version(), - files: { - asset: { - source: { - path: 'a/b/c', - packaging: 'BLACK_HOLE', - }, - destinations: { - dest: { - region: 'us-north-20', - bucketName: 'Bouquet', - objectKey: 'key', - }, - }, - }, - }, - }); - }).toThrow(/instance\.files\.asset\.source\.packaging is not one of enum values: file,zip/); - }); - }); -}); - -function validate(manifest: any) { - const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'assets.test.')); - const filePath = path.join(dir, 'manifest.json'); - fs.writeFileSync(filePath, JSON.stringify(manifest, undefined, 2)); - try { - Manifest.loadAssetManifest(filePath); - } finally { - fs.unlinkSync(filePath); - fs.rmdirSync(dir); - } -} diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/test/fixtures/high-version/manifest.json b/packages/aws-cdk-lib/cloud-assembly-schema/test/fixtures/high-version/manifest.json deleted file mode 100644 index ef6fc1c901429..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/test/fixtures/high-version/manifest.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "version": "99.99.99" -} \ No newline at end of file diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/test/fixtures/invalid-artifact-type/manifest.json b/packages/aws-cdk-lib/cloud-assembly-schema/test/fixtures/invalid-artifact-type/manifest.json deleted file mode 100644 index ea1558cb1e6f9..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/test/fixtures/invalid-artifact-type/manifest.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "version": "0.0.0", - "artifacts": { - "MyArt": { - "type": "who:am:i", - "environment": "aws://37736633/us-region-1" - } - } -} \ No newline at end of file diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/test/fixtures/invalid-nested-property/manifest.json b/packages/aws-cdk-lib/cloud-assembly-schema/test/fixtures/invalid-nested-property/manifest.json deleted file mode 100644 index da1a33b17936e..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/test/fixtures/invalid-nested-property/manifest.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "version": "0.0.0", - "runtime": { - "libraries": ["should", "be", "a", "map"] - } -} \ No newline at end of file diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/test/fixtures/invalid-version/manifest.json b/packages/aws-cdk-lib/cloud-assembly-schema/test/fixtures/invalid-version/manifest.json deleted file mode 100644 index 36b2250cf8d33..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/test/fixtures/invalid-version/manifest.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "version": "version" -} \ No newline at end of file diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/test/fixtures/only-version/manifest.json b/packages/aws-cdk-lib/cloud-assembly-schema/test/fixtures/only-version/manifest.json deleted file mode 100644 index c158d5be87422..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/test/fixtures/only-version/manifest.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "version": "0.0.0" -} \ No newline at end of file diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/test/fixtures/random-metadata/manifest.json b/packages/aws-cdk-lib/cloud-assembly-schema/test/fixtures/random-metadata/manifest.json deleted file mode 100644 index cd2209c526595..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/test/fixtures/random-metadata/manifest.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "version": "0.0.0", - "artifacts": { - "Tree": { - "type": "cdk:tree", - "properties": { - "file": "tree.json" - } - }, - "stack": { - "type": "aws:cloudformation:stack", - "metadata": { - "AwsCdkPlaygroundBatch": [ - { - "type": "random-array", - "data": ["42"], - "trace": ["trace"] - }, - { - "type": "random-number", - "data": 42, - "trace": ["trace"] - }, - { - "type": "random-map", - "data": { - "key": "value" - }, - "trace": ["trace"] - } - ] - } - } - } - } \ No newline at end of file diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/test/fixtures/unknown-property/manifest.json b/packages/aws-cdk-lib/cloud-assembly-schema/test/fixtures/unknown-property/manifest.json deleted file mode 100644 index d1f0bca305c81..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/test/fixtures/unknown-property/manifest.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "version": "0.0.0", - "who-am-i": "unknown" -} \ No newline at end of file diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/test/fixtures/with-stack-tags/manifest.json b/packages/aws-cdk-lib/cloud-assembly-schema/test/fixtures/with-stack-tags/manifest.json deleted file mode 100644 index 4d18eed47c8a0..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/test/fixtures/with-stack-tags/manifest.json +++ /dev/null @@ -1,38 +0,0 @@ -{ - "version": "0.0.0", - "artifacts": { - "Tree": { - "type": "cdk:tree", - "properties": { - "file": "tree.json" - } - }, - "stack": { - "type": "aws:cloudformation:stack", - "metadata": { - "AwsCdkPlaygroundBatch": [ - { - "type": "aws:cdk:stack-tags", - "data": [{ - "Key": "hello", - "Value": "world" - }], - "trace": ["trace"] - }, - { - "type": "aws:cdk:asset", - "data": { - "repositoryName": "repo", - "imageTag": "tag", - "id": "id", - "packaging": "container-image", - "path": "path", - "sourceHash": "hash" - }, - "trace": ["trace"] - } - ] - } - } - } -} \ No newline at end of file diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/test/integ-tests.test.ts b/packages/aws-cdk-lib/cloud-assembly-schema/test/integ-tests.test.ts deleted file mode 100644 index 3baefc89d750f..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/test/integ-tests.test.ts +++ /dev/null @@ -1,137 +0,0 @@ -import * as fs from 'fs'; -import * as os from 'os'; -import * as path from 'path'; -import { Manifest } from '../lib'; - -describe('Integration test', () => { - test('valid input', () => { - expect(() => { - validate({ - version: Manifest.version(), - testCases: { - testCase1: { - stacks: ['stack1', 'stack2'], - stackUpdateWorkflow: true, - cdkCommandOptions: { - deploy: { - enabled: true, - expectError: false, - expectedMessage: 'some message', - args: { - exclusively: true, - toolkitStackName: 'Stack', - reuseAssets: ['asset1', 'asset2'], - changeSetName: 'changeset', - force: true, - rollback: false, - notificationArns: ['arn1', 'arn2'], - execute: true, - parameters: { - 'MYPARAM': 'Value', - 'Stack1:OtherParam': 'OtherValue', - }, - usePreviousParameters: true, - outputsFile: 'outputs.json', - ci: true, - requireApproval: 'never', - app: 'node bin/my-app.js', - roleArn: 'roleArn', - context: { - KEY: 'value', - }, - trace: true, - strict: true, - lookups: true, - ignoreErrors: true, - json: true, - verbose: true, - debug: true, - profile: 'profile', - proxy: 'https://proxy', - caBundlePath: 'path/to/bundle', - ec2Creds: true, - versionReporting: false, - pathMetadata: false, - assetMetadata: true, - staging: false, - output: true, - notices: true, - color: false, - }, - }, - synth: { - enabled: true, - expectError: false, - expectedMessage: 'some message', - args: { - quiet: true, - exclusively: true, - validation: true, - }, - }, - destroy: { - enabled: true, - expectError: false, - expectedMessage: 'some message', - args: { - force: true, - exclusively: true, - }, - }, - }, - hooks: { - preDeploy: ['yarn test'], - postDeploy: ['some other command'], - preDestroy: ['command1', 'command2'], - postDestroy: ['command3', 'command4'], - }, - diffAssets: true, - allowDestroy: ['AWS::IAM::Role'], - region: ['us-east-1', 'us-east-2'], - }, - }, - }); - }); - }); - - test('invalid input', () => { - expect(() => { - validate({ - version: Manifest.version(), - testCases: { - stacks: true, - }, - }); - }).toThrow(/instance\.testCases\.stacks is not of a type\(s\) object/); - }); - - test('without command options', () => { - expect(() => { - validate({ - version: Manifest.version(), - testCases: { - testCase1: { - stacks: ['stack1', 'stack2'], - stackUpdateWorkflow: true, - hooks: { - preDeploy: ['yarn test'], - }, - diffAssets: true, - }, - }, - }); - }); - }); -}); - -function validate(manifest: any) { - const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'integ.test.')); - const filePath = path.join(dir, 'manifest.json'); - fs.writeFileSync(filePath, JSON.stringify(manifest, undefined, 2)); - try { - Manifest.loadIntegManifest(filePath); - } finally { - fs.unlinkSync(filePath); - fs.rmdirSync(dir); - } -} diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/test/manifest.test.ts b/packages/aws-cdk-lib/cloud-assembly-schema/test/manifest.test.ts deleted file mode 100644 index a8f1311a2dcc9..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/test/manifest.test.ts +++ /dev/null @@ -1,162 +0,0 @@ -import * as fs from 'fs'; -import * as os from 'os'; -import * as path from 'path'; -import * as semver from 'semver'; -import { AssemblyManifest, Manifest, StackTagsMetadataEntry } from '../lib'; - -const FIXTURES = path.join(__dirname, 'fixtures'); - -function fixture(name: string) { - return path.join(FIXTURES, name, 'manifest.json'); -} - -test('manifest save', () => { - - const outdir = fs.mkdtempSync(path.join(os.tmpdir(), 'schema-tests')); - const manifestFile = path.join(outdir, 'manifest.json'); - - const assemblyManifest: AssemblyManifest = { - version: 'version', - runtime: { - libraries: { lib1: '1.2.3' }, - }, - }; - - Manifest.saveAssemblyManifest(assemblyManifest, manifestFile); - - const saved = JSON.parse(fs.readFileSync(manifestFile, { encoding: 'utf-8' })); - - expect(saved).toEqual({ - ...assemblyManifest, - version: Manifest.version(), // version is forced - }); -}); - -test('manifest load', () => { - const loaded = Manifest.loadAssemblyManifest(fixture('only-version')); - expect(loaded).toMatchSnapshot(); -}); - -test('manifest load fails for invalid nested property', () => { - expect(() => Manifest.loadAssemblyManifest(fixture('invalid-nested-property'))).toThrow(/Invalid assembly manifest/); -}); - -test('manifest load fails for invalid artifact type', () => { - expect(() => Manifest.loadAssemblyManifest(fixture('invalid-artifact-type'))).toThrow(/Invalid assembly manifest/); -}); - -test('manifest load fails on higher major version', () => { - expect(() => Manifest.loadAssemblyManifest(fixture('high-version'))).toThrow(/Cloud assembly schema version mismatch/); -}); - -// once we start introducing minor version bumps that are considered -// non breaking, this test can be removed. -test('manifest load fails on higher minor version', () => { - - const outdir = fs.mkdtempSync(path.join(os.tmpdir(), 'schema-tests')); - const manifestFile = path.join(outdir, 'manifest.json'); - - const newVersion = semver.inc(Manifest.version(), 'minor'); - expect(newVersion).toBeTruthy(); - - if (newVersion) { - const assemblyManifest: AssemblyManifest = { - version: newVersion, - }; - - // can't use saveAssemblyManifest because it will force the correct version - fs.writeFileSync(manifestFile, JSON.stringify(assemblyManifest)); - - expect(() => Manifest.loadAssemblyManifest(manifestFile)).toThrow(/Cloud assembly schema version mismatch/); - } -}); - -test('manifest load doesnt fail if version checking is disabled, and unknown properties are added', () => { - const outdir = fs.mkdtempSync(path.join(os.tmpdir(), 'schema-tests')); - const manifestFile = path.join(outdir, 'manifest.json'); - const newVersion = semver.inc(Manifest.version(), 'major'); - expect(newVersion).toBeTruthy(); - - const assemblyManifest: AssemblyManifest = { - version: newVersion!, - artifacts: { - SomeArtifact: { - type: 'aws:cloudformation:stack', - thisPropertyWillNeverBeInTheManifest: 'i_hope', - } as any, - UnknownArtifact: { - type: 'unknown-artifact-type', - } as any, - }, - }; - - // can't use saveAssemblyManifest because it will force the correct version - fs.writeFileSync(manifestFile, JSON.stringify(assemblyManifest)); - - Manifest.loadAssemblyManifest(manifestFile, { skipVersionCheck: true, skipEnumCheck: true }); -}); - -// once we start introducing patch version bumps that are considered -// non breaking, this test can be removed. -test('manifest load fails on higher patch version', () => { - - const outdir = fs.mkdtempSync(path.join(os.tmpdir(), 'schema-tests')); - const manifestFile = path.join(outdir, 'manifest.json'); - - const newVersion = semver.inc(Manifest.version(), 'patch'); - expect(newVersion).toBeTruthy(); - - if (newVersion) { - const assemblyManifest: AssemblyManifest = { - version: newVersion, - }; - - // can't use saveAssemblyManifest because it will force the correct version - fs.writeFileSync(manifestFile, JSON.stringify(assemblyManifest)); - - expect(() => Manifest.loadAssemblyManifest(manifestFile)).toThrow(/Cloud assembly schema version mismatch/); - } -}); - -test('manifest load fails on invalid version', () => { - expect(() => Manifest.loadAssemblyManifest(fixture('invalid-version'))).toThrow(/Invalid semver string/); -}); - -test('manifest load succeeds on unknown properties', () => { - const manifest = Manifest.loadAssemblyManifest(fixture('unknown-property')); - expect(manifest.version).toEqual('0.0.0'); -}); - -test('stack-tags are deserialized properly', () => { - - const m: AssemblyManifest = Manifest.loadAssemblyManifest(fixture('with-stack-tags')); - - if (m.artifacts?.stack?.metadata?.AwsCdkPlaygroundBatch[0].data) { - const entry = m.artifacts.stack.metadata.AwsCdkPlaygroundBatch[0].data as StackTagsMetadataEntry; - expect(entry[0].key).toEqual('hello'); - expect(entry[0].value).toEqual('world'); - } - expect(m.version).toEqual('0.0.0'); - -}); - -test('can access random metadata', () => { - - const loaded = Manifest.loadAssemblyManifest(fixture('random-metadata')); - const randomArray = loaded.artifacts?.stack.metadata?.AwsCdkPlaygroundBatch[0].data; - const randomNumber = loaded.artifacts?.stack.metadata?.AwsCdkPlaygroundBatch[1].data; - const randomMap = loaded.artifacts?.stack.metadata?.AwsCdkPlaygroundBatch[2].data; - - expect(randomArray).toEqual(['42']); - expect(randomNumber).toEqual(42); - expect(randomMap).toEqual({ - key: 'value', - }); - - expect(randomMap).toBeTruthy(); - - if (randomMap) { - expect((randomMap as any).key).toEqual('value'); - } - -}); diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/test/schema.test.ts b/packages/aws-cdk-lib/cloud-assembly-schema/test/schema.test.ts deleted file mode 100644 index ad935bbe73789..0000000000000 --- a/packages/aws-cdk-lib/cloud-assembly-schema/test/schema.test.ts +++ /dev/null @@ -1,47 +0,0 @@ -import { generateSchema, SCHEMAS } from '../scripts/update-schema'; - -test('if this test fails, run "yarn update-schema"', () => { - - // when we compare schemas we ignore changes the - // description that is generated from the ts docstrings. - const docStringFields = [ - 'description', - ]; - - for (const schemaName of SCHEMAS) { - const expected = removeStringKeys(generateSchema(schemaName, false), docStringFields); - - // eslint-disable-next-line @typescript-eslint/no-require-imports - const actual = removeStringKeys(require(`../schema/${schemaName}.schema.json`), docStringFields); - - try { - expect(actual).toEqual(expected); - } catch (err: any) { - // I couldn't for the life of me figure out how to provide additional error message - // to jest...any ideas? - err.message = `Whoops, Looks like the schema has changed. Did you forget to run 'yarn update-schema'?\n\n${err.message}`; - throw err; - } - } - -}); - -function removeStringKeys(obj: any, keys: string[]) { - - function _recurse(o: any) { - for (const prop in o) { - if (keys.includes(prop) && typeof o[prop] === 'string') { - delete o[prop]; - } else if (typeof o[prop] === 'object') { - _recurse(o[prop]); - } - } - } - const cloned = clone(obj); - _recurse(cloned); - return cloned; -} - -function clone(obj: any) { - return JSON.parse(JSON.stringify(obj)); -} diff --git a/packages/aws-cdk-lib/custom-resources/README.md b/packages/aws-cdk-lib/custom-resources/README.md index d1ab7c5a87d05..fec9d7ca1df23 100644 --- a/packages/aws-cdk-lib/custom-resources/README.md +++ b/packages/aws-cdk-lib/custom-resources/README.md @@ -824,3 +824,83 @@ new cr.AwsCustomResource(this, 'CrossAccount', { })]), }); ``` + +#### Custom Resource Config + +You can configure every CDK-vended custom resource in a given scope with `CustomResourceConfig`. + +Note that `CustomResourceConfig` uses Aspects to modify your constructs. There is no guarantee in the order in which Aspects modify the construct tree, which means that adding the same Aspect more than once to a given scope produces undefined behavior. This example guarantees that every affected resource will have a log retention of ten years or one day, but you cannot know which: +CustomResourceConfig.of(App).addLogRetentionLifetime(logs.RetentionDays.TEN_YEARS); +CustomResourceConfig.of(App).addLogRetentionLifetime(logs.RetentionDays.ONE_DAY); + +The following example configures every custom resource in this CDK app to retain its logs for ten years: + +```ts +import * as cdk from 'aws-cdk-lib'; +import { CustomResourceConfig } from 'aws-cdk-lib/custom-resources'; +import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment'; + +const app = new cdk.App(); +CustomResourceConfig.of(app).addLogRetentionLifetime(logs.RetentionDays.TEN_YEARS); +const stack = new cdk.Stack(app, 'Stack'); + +let websiteBucket = new s3.Bucket(stack, 'WebsiteBucket', {}); +new s3deploy.BucketDeployment(stack, 's3deploy', { + sources: [s3deploy.Source.jsonData('file.json', { a: 'b' })], + destinationBucket: websiteBucket, +}); +``` + +The following example configures every custom resource in two top-level stacks to retain its log for ten years: +```ts +import * as cdk from 'aws-cdk-lib'; +import { CustomResourceConfig } from 'aws-cdk-lib/custom-resources'; +import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment'; + +const app = new cdk.App(); +CustomResourceConfig.of(app).addLogRetentionLifetime(logs.RetentionDays.TEN_YEARS); + +const stackA = new cdk.Stack(app, 'stackA'); +let websiteBucketA = new s3.Bucket(stackA, "WebsiteBucketA", {}); +new s3deploy.BucketDeployment(stackA, "s3deployA", { + sources: [s3deploy.Source.jsonData("file.json", { a: "b" })], + destinationBucket: websiteBucketA, + logRetention: logs.RetentionDays.ONE_DAY, // overridden by the `TEN_YEARS` set by `CustomResourceConfig`. +}); + +const stackB = new cdk.Stack(app, 'stackB'); +let websiteBucketB = new s3.Bucket(stackB, "WebsiteBucketB", {}); +new s3deploy.BucketDeployment(stackB, "s3deployB", { + sources: [s3deploy.Source.jsonData("file.json", { a: "b" })], + destinationBucket: websiteBucketB, + logRetention: logs.RetentionDays.ONE_DAY, // overridden by the `TEN_YEARS` set by `CustomResourceConfig`. +}); + +``` + +This also applies to nested stacks: +```ts +import * as cdk from 'aws-cdk-lib'; +import { CustomResourceConfig } from 'aws-cdk-lib/custom-resources'; +import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment'; + +const app = new cdk.App(); +const stack = new cdk.Stack(app, 'Stack'); +CustomResourceConfig.of(app).addLogRetentionLifetime(logs.RetentionDays.TEN_YEARS); + +const nestedStackA = new cdk.NestedStack(stack, 'NestedStackA'); +let websiteBucketA = new s3.Bucket(nestedStackA, "WebsiteBucketA", {}); +new s3deploy.BucketDeployment(nestedStackA, "s3deployA", { + sources: [s3deploy.Source.jsonData("file.json", { a: "b" })], + destinationBucket: websiteBucketA, + logRetention: logs.RetentionDays.ONE_DAY, // overridden by the `TEN_YEARS` set by `CustomResourceConfig`. +}); + +const nestedStackB = new cdk.NestedStack(stack, 'NestedStackB'); +let websiteBucketB = new s3.Bucket(nestedStackB, "WebsiteBucketB", {}); +new s3deploy.BucketDeployment(nestedStackB, "s3deployB", { + sources: [s3deploy.Source.jsonData("file.json", { a: "b" })], + destinationBucket: websiteBucketB, + logRetention: logs.RetentionDays.ONE_DAY, // overridden by the `TEN_YEARS` set by `CustomResourceConfig`. +}); +``` diff --git a/packages/aws-cdk-lib/custom-resources/lib/custom-resource-config/custom-resource-config.ts b/packages/aws-cdk-lib/custom-resources/lib/custom-resource-config/custom-resource-config.ts new file mode 100644 index 0000000000000..40bea2713ff0a --- /dev/null +++ b/packages/aws-cdk-lib/custom-resources/lib/custom-resource-config/custom-resource-config.ts @@ -0,0 +1,81 @@ +import { IConstruct, MetadataEntry } from 'constructs'; +import * as cloudformation from '../../../aws-cloudformation'; +import * as lambda from '../../../aws-lambda'; +import * as logs from '../../../aws-logs'; +import { IAspect, Aspects } from '../../../core/lib'; + +/* This is duplicated in @aws-cdk/custom-resource-handlers/lib/custom-resources-framework/config.ts */ +export const CUSTOM_RESOURCE_PROVIDER = 'aws:cdk:is-custom-resource-handler-customResourceProvider'; +export const CUSTOM_RESOURCE_SINGLETON = 'aws:cdk:is-custom-resource-handler-singleton'; +export const CUSTOM_RESOURCE_SINGLETON_LOG_GROUP = 'aws:cdk:is-custom-resource-handler-logGroup'; +export const CUSTOM_RESOURCE_SINGLETON_LOG_RETENTION = 'aws:cdk:is-custom-resource-handler-logRetention'; + +/** + * Manages AWS vended Custom Resources + */ +export class CustomResourceConfig { + /** + * Returns the CustomResourceConfig for this scope. + */ + public static of(scope: IConstruct): CustomResourceConfig { + return new CustomResourceConfig(scope); + } + + private constructor(private readonly scope: IConstruct) { } + + /** + * Set the log retention of AWS-vended custom resource lambdas. + */ + public addLogRetentionLifetime(rentention: logs.RetentionDays) { + Aspects.of(this.scope).add(new CustomResourceLogRetention(rentention)); + } + +} + +/** + * Manages log retention for AWS vended custom resources. + */ +export class CustomResourceLogRetention implements IAspect { + private readonly logRetention: logs.RetentionDays; + + constructor(setLogRetention: logs.RetentionDays) { + this.logRetention = setLogRetention; + } + visit(node: IConstruct) { + for (const metadataEntry of node.node.metadata as MetadataEntry[]) { + if (metadataEntry.type == CUSTOM_RESOURCE_SINGLETON_LOG_GROUP) { + const localNode = node.node.defaultChild as logs.CfnLogGroup; + localNode.addPropertyOverride('RetentionInDays', this.logRetention); + } + + if (metadataEntry.type == CUSTOM_RESOURCE_SINGLETON) { + const localNode = node.node.defaultChild as lambda.CfnFunction; + + if (localNode && !localNode.loggingConfig) { + const newLogGroup = this.createLogGroup(localNode); + localNode.addPropertyOverride('LoggingConfig', { + LogGroup: newLogGroup.logGroupName, + }); + } + } + + if (metadataEntry.type == CUSTOM_RESOURCE_SINGLETON_LOG_RETENTION) { + let localNode = node.node.defaultChild as cloudformation.CfnCustomResource; + localNode.addPropertyOverride('RetentionInDays', this.logRetention); + } + } + } + + /* + * Creates a new logGroup and associates with the singletonLambda + * Returns a Cloudwatch LogGroup + */ + private createLogGroup(scope: lambda.CfnFunction): logs.ILogGroup { + const newLogGroup = new logs.LogGroup(scope, 'logGroup', { + retention: this.logRetention, + }); + newLogGroup.node.addMetadata(`${CUSTOM_RESOURCE_SINGLETON_LOG_GROUP}`, true); + return newLogGroup; + } +} + diff --git a/packages/aws-cdk-lib/custom-resources/lib/custom-resource-config/index.ts b/packages/aws-cdk-lib/custom-resources/lib/custom-resource-config/index.ts new file mode 100644 index 0000000000000..7958f673ee697 --- /dev/null +++ b/packages/aws-cdk-lib/custom-resources/lib/custom-resource-config/index.ts @@ -0,0 +1 @@ +export * from './custom-resource-config'; \ No newline at end of file diff --git a/packages/aws-cdk-lib/custom-resources/lib/index.ts b/packages/aws-cdk-lib/custom-resources/lib/index.ts index b3e6ae4cfb7d5..5b230377f70bb 100644 --- a/packages/aws-cdk-lib/custom-resources/lib/index.ts +++ b/packages/aws-cdk-lib/custom-resources/lib/index.ts @@ -1,2 +1,3 @@ export * from './aws-custom-resource'; -export * from './provider-framework'; \ No newline at end of file +export * from './provider-framework'; +export * from './custom-resource-config'; \ No newline at end of file diff --git a/packages/aws-cdk-lib/custom-resources/test/custom-resource-config/custom-resource-config.test.ts b/packages/aws-cdk-lib/custom-resources/test/custom-resource-config/custom-resource-config.test.ts new file mode 100644 index 0000000000000..17225b585c9c3 --- /dev/null +++ b/packages/aws-cdk-lib/custom-resources/test/custom-resource-config/custom-resource-config.test.ts @@ -0,0 +1,202 @@ +import { Template } from '../../../assertions'; +import * as logs from '../../../aws-logs'; +import * as s3 from '../../../aws-s3'; +import * as s3deploy from '../../../aws-s3-deployment'; +import * as cdk from '../../../core'; +import { CustomResourceConfig } from '../../lib/custom-resource-config/custom-resource-config'; + +describe('when a singleton-backed custom resource does not have logging defined', () => { + test('addLogRetentionLifetime creates a new log group with the correct retention period if one does not already exist', () => { + // GIVEN + const customResourceLogRetention = logs.RetentionDays.TEN_YEARS; + const app = new cdk.App(); + const stack = new cdk.Stack(app); + let websiteBucket = new s3.Bucket(stack, 'WebsiteBucket', {}); + new s3deploy.BucketDeployment(stack, 'BucketDeployment', { + sources: [s3deploy.Source.jsonData('file.json', { a: 'b' })], + destinationBucket: websiteBucket, + }); + + // WHEN + CustomResourceConfig.of(app).addLogRetentionLifetime(customResourceLogRetention); + + // THEN + const template = Template.fromStack(stack); + template.hasResourceProperties('AWS::Lambda::Function', { + LoggingConfig: { + LogGroup: { + Ref: 'CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756ClogGroupD6937F08', + }, + }, + }); + template.resourceCountIs('AWS::Logs::LogGroup', 1); + template.hasResourceProperties('AWS::Logs::LogGroup', { + RetentionInDays: customResourceLogRetention, + }); + }); + + test('addLogRetentionLifetime only modifies custom resource log groups', () => { + // GIVEN + const customResourceLogRetention = logs.RetentionDays.TEN_YEARS; + const nonCustomResourceLogRetention = logs.RetentionDays.TWO_YEARS; + const app = new cdk.App(); + const stack = new cdk.Stack(app); + new logs.LogGroup(stack, 'ignored', {}); + let websiteBucket = new s3.Bucket(stack, 'WebsiteBucket', {}); + new s3deploy.BucketDeployment(stack, 'BucketDeployment', { + sources: [s3deploy.Source.jsonData('file.json', { a: 'b' })], + destinationBucket: websiteBucket, + }); + + // WHEN + CustomResourceConfig.of(app).addLogRetentionLifetime(customResourceLogRetention); + + // THEN + const template = Template.fromStack(stack); + template.resourceCountIs('AWS::Logs::LogGroup', 2); + template.hasResourceProperties('AWS::Logs::LogGroup', { + RetentionInDays: customResourceLogRetention, + }); + template.hasResourceProperties('AWS::Logs::LogGroup', { + RetentionInDays: nonCustomResourceLogRetention, + }); + }); +}); + +describe('when a singleton-backed custom resource logRetention is specified', () => { + test('addLogRetentionLifetime overrides log retention', () => { + // GIVEN + const customResourceLogRetention = logs.RetentionDays.TEN_YEARS; + const app = new cdk.App(); + const stack = new cdk.Stack(app); + const websiteBucket = new s3.Bucket(stack, 'WebsiteBucket', {}); + new s3deploy.BucketDeployment(stack, 'BucketDeployment', { + sources: [s3deploy.Source.jsonData('file.json', { a: 'b' })], + destinationBucket: websiteBucket, + logRetention: logs.RetentionDays.ONE_WEEK, + }); + + // WHEN + CustomResourceConfig.of(app).addLogRetentionLifetime(customResourceLogRetention); + + // THEN + const template = Template.fromStack(stack); + template.hasResourceProperties('Custom::LogRetention', { + RetentionInDays: customResourceLogRetention, + }); + template.resourceCountIs('AWS::Logs::LogGroup', 1); + template.hasResourceProperties('AWS::Logs::LogGroup', { + RetentionInDays: customResourceLogRetention, + }); + }); +}); + +describe('when a singleton-backed custom resource log group is specified', () => { + test('addLogRetentionLifetime modifies the retention period of a singleton-backed custom resource log group.', () => { + // GIVEN + const customResourceLogRetention = logs.RetentionDays.TEN_YEARS; + const app = new cdk.App(); + const stack = new cdk.Stack(app); + const websiteBucket = new s3.Bucket(stack, 'WebsiteBucket', {}); + new s3deploy.BucketDeployment(stack, 'BucketDeployment', { + sources: [s3deploy.Source.jsonData('file.json', { a: 'b' })], + destinationBucket: websiteBucket, + logGroup: new logs.LogGroup(stack, 'LogGroup', { + retention: logs.RetentionDays.ONE_WEEK, + }), + }); + + // WHEN + CustomResourceConfig.of(app).addLogRetentionLifetime(customResourceLogRetention); + + // THEN + const template = Template.fromStack(stack); + template.resourceCountIs('AWS::Logs::LogGroup', 1); + template.hasResourceProperties('AWS::Logs::LogGroup', { + RetentionInDays: customResourceLogRetention, + }); + }); +}); + +test('addLogRetentionLifetime modifies the retention period of the custom resources in two top-level stacks', () => { + // GIVEN + const customResourceLogRetention = logs.RetentionDays.TEN_YEARS; + const app = new cdk.App(); + const stack1 = new cdk.Stack(app, 'stack1'); + let websiteBucket1 = new s3.Bucket(stack1, 'WebsiteBucket1', {}); + new s3deploy.BucketDeployment(stack1, 'BucketDeployment1', { + sources: [s3deploy.Source.jsonData('file.json', { a: 'b' })], + destinationBucket: websiteBucket1, + logRetention: logs.RetentionDays.ONE_DAY, + }); + const stack2 = new cdk.Stack(app, 'stack2'); + let websiteBucket2 = new s3.Bucket(stack2, 'WebsiteBucket2', {}); + new s3deploy.BucketDeployment(stack2, 'BucketDeployment2', { + sources: [s3deploy.Source.jsonData('file.json', { a: 'b' })], + destinationBucket: websiteBucket2, + logRetention: logs.RetentionDays.ONE_DAY, + }); + + // WHEN + CustomResourceConfig.of(app).addLogRetentionLifetime(customResourceLogRetention); + + // THEN + const template1 = Template.fromStack(stack1); + template1.hasResourceProperties('Custom::LogRetention', { + RetentionInDays: customResourceLogRetention, + }); + template1.resourceCountIs('AWS::Logs::LogGroup', 1); + template1.hasResourceProperties('AWS::Logs::LogGroup', { + RetentionInDays: customResourceLogRetention, + }); + const template2 = Template.fromStack(stack2); + template2.hasResourceProperties('Custom::LogRetention', { + RetentionInDays: customResourceLogRetention, + }); + template2.resourceCountIs('AWS::Logs::LogGroup', 1); + template2.hasResourceProperties('AWS::Logs::LogGroup', { + RetentionInDays: customResourceLogRetention, + }); +}); + +test('addLogRetentionLifetime modifies the retention period of the custom resources in the nested stack', () => { + // GIVEN + const customResourceLogRetention = logs.RetentionDays.TEN_YEARS; + const app = new cdk.App(); + const stack = new cdk.Stack(app, 'Stack'); + const nestedStack1 = new cdk.NestedStack(stack, 'nestedStack1'); + let websiteBucketA = new s3.Bucket(nestedStack1, 'WebsiteBucketA', {}); + new s3deploy.BucketDeployment(nestedStack1, 's3deployA', { + sources: [s3deploy.Source.jsonData('file.json', { a: 'b' })], + destinationBucket: websiteBucketA, + logRetention: logs.RetentionDays.ONE_DAY, + }); + const nestedStack2 = new cdk.NestedStack(stack, 'nestedStack2'); + let websiteBucketB = new s3.Bucket(nestedStack2, 'WebsiteBucketB', {}); + new s3deploy.BucketDeployment(nestedStack2, 's3deployB', { + sources: [s3deploy.Source.jsonData('file.json', { a: 'b' })], + destinationBucket: websiteBucketB, + logRetention: logs.RetentionDays.ONE_DAY, + }); + + // WHEN + CustomResourceConfig.of(app).addLogRetentionLifetime(customResourceLogRetention); + + // THEN + const templateA = Template.fromStack(nestedStack1); + templateA.hasResourceProperties('Custom::LogRetention', { + RetentionInDays: customResourceLogRetention, + }); + templateA.resourceCountIs('AWS::Logs::LogGroup', 1); + templateA.hasResourceProperties('AWS::Logs::LogGroup', { + RetentionInDays: customResourceLogRetention, + }); + const templateB = Template.fromStack(nestedStack2); + templateB.hasResourceProperties('Custom::LogRetention', { + RetentionInDays: customResourceLogRetention, + }); + templateB.resourceCountIs('AWS::Logs::LogGroup', 1); + templateB.hasResourceProperties('AWS::Logs::LogGroup', { + RetentionInDays: customResourceLogRetention, + }); +}); diff --git a/packages/aws-cdk-lib/jest.config.js b/packages/aws-cdk-lib/jest.config.js index a5d279d7bf4d0..3c03be37cab9f 100644 --- a/packages/aws-cdk-lib/jest.config.js +++ b/packages/aws-cdk-lib/jest.config.js @@ -1,18 +1 @@ -const baseConfig = require('@aws-cdk/cdk-build-tools/config/jest.config'); - -/** @type {import('ts-jest').JestConfigWithTsJest} */ -module.exports = { - ...baseConfig, - - // Different than usual - testMatch: [ - '/**/test/**/?(*.)+(test).ts', - ], - - coverageThreshold: { - global: { - branches: 35, - statements: 55, - }, - }, -}; +"use strict";const baseConfig=require("@aws-cdk/cdk-build-tools/config/jest.config");module.exports={...baseConfig,testMatch:["/**/test/**/?(*.)+(test).ts"],coverageThreshold:{global:{branches:35,statements:55}}}; diff --git a/packages/aws-cdk-lib/package.json b/packages/aws-cdk-lib/package.json index 37210abcc99f6..d9240053a5c44 100644 --- a/packages/aws-cdk-lib/package.json +++ b/packages/aws-cdk-lib/package.json @@ -122,6 +122,7 @@ "@aws-cdk/asset-awscli-v1": "^2.2.202", "@aws-cdk/asset-kubectl-v20": "^2.1.2", "@aws-cdk/asset-node-proxy-agent-v6": "^2.0.3", + "@aws-cdk/cloud-assembly-schema": "^36.0.5", "@balena/dockerignore": "^1.0.2", "case": "1.6.3", "fs-extra": "^11.2.0", @@ -135,7 +136,7 @@ "mime-types": "^2.1.35" }, "devDependencies": { - "@aws-cdk/aws-service-spec": "^0.1.15", + "@aws-cdk/aws-service-spec": "^0.1.17", "@aws-cdk/cdk-build-tools": "0.0.0", "@aws-cdk/custom-resource-handlers": "0.0.0", "@aws-cdk/pkglint": "0.0.0", diff --git a/packages/aws-cdk-lib/pipelines/README.md b/packages/aws-cdk-lib/pipelines/README.md index 2eceefc9e5236..40c06136e9dea 100644 --- a/packages/aws-cdk-lib/pipelines/README.md +++ b/packages/aws-cdk-lib/pipelines/README.md @@ -1,11 +1,10 @@ # CDK Pipelines - A construct library for painless Continuous Delivery of CDK applications. -CDK Pipelines is an *opinionated construct library*. It is purpose-built to +CDK Pipelines is an _opinionated construct library_. It is purpose-built to deploy one or more copies of your CDK applications using CloudFormation with a -minimal amount of effort on your part. It is *not* intended to support arbitrary +minimal amount of effort on your part. It is _not_ intended to support arbitrary deployment pipelines, and very specifically it is not built to use CodeDeploy to deploy applications to instances, or deploy your custom-built ECR images to an ECS cluster directly: use CDK file assets with CloudFormation Init for instances, or @@ -13,12 +12,12 @@ CDK container assets for ECS clusters instead. Give the CDK Pipelines way of doing things a shot first: you might find it does everything you need. If you need more control, or if you need `v2` support from -`aws-codepipeline`, we recommend you drop down to using the `aws-codepipeline` +`aws-codepipeline`, we recommend you drop down to using the `aws-codepipeline` construct library directly. > This module contains two sets of APIs: an **original** and a **modern** version of -> CDK Pipelines. The *modern* API has been updated to be easier to work with and -> customize, and will be the preferred API going forward. The *original* version +> CDK Pipelines. The _modern_ API has been updated to be easier to work with and +> customize, and will be the preferred API going forward. The _original_ version > of the API is still available for backwards compatibility, but we recommend migrating > to the new version if possible. > @@ -40,28 +39,28 @@ You then define a `Pipeline`, instantiate as many instances of `MyApplicationStage` as you want for your test and production environments, with different parameters for each, and calling `pipeline.addStage()` for each of them. You can deploy to the same account and Region, or to a different one, -with the same amount of code. The *CDK Pipelines* library takes care of the +with the same amount of code. The _CDK Pipelines_ library takes care of the details. -CDK Pipelines supports multiple *deployment engines* (see +CDK Pipelines supports multiple _deployment engines_ (see [Using a different deployment engine](#using-a-different-deployment-engine)), and comes with a deployment engine that deploys CDK apps using AWS CodePipeline. -To use the CodePipeline engine, define a `CodePipeline` construct. The following +To use the CodePipeline engine, define a `CodePipeline` construct. The following example creates a CodePipeline that deploys an application from GitHub: ```ts /** The stacks for our app are minimally defined here. The internals of these - * stacks aren't important, except that DatabaseStack exposes an attribute - * "table" for a database table it defines, and ComputeStack accepts a reference - * to this table in its properties. - */ + * stacks aren't important, except that DatabaseStack exposes an attribute + * "table" for a database table it defines, and ComputeStack accepts a reference + * to this table in its properties. + */ class DatabaseStack extends Stack { public readonly table: dynamodb.TableV2; constructor(scope: Construct, id: string) { super(scope, id); this.table = new dynamodb.TableV2(this, 'Table', { - partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING } + partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING }, }); } } @@ -87,26 +86,29 @@ class MyPipelineStack extends Stack { synth: new pipelines.ShellStep('Synth', { // Use a connection created using the AWS console to authenticate to GitHub // Other sources are available. - input: pipelines.CodePipelineSource.connection('my-org/my-app', 'main', { - connectionArn: 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', - }), - commands: [ - 'npm ci', - 'npm run build', - 'npx cdk synth', - ], + input: pipelines.CodePipelineSource.connection( + 'my-org/my-app', + 'main', + { + connectionArn: + 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', + } + ), + commands: ['npm ci', 'npm run build', 'npx cdk synth'], }), }); // 'MyApplication' is defined below. Call `addStage` as many times as // necessary with any account and region (may be different from the // pipeline's). - pipeline.addStage(new MyApplication(this, 'Prod', { - env: { - account: '123456789012', - region: 'eu-west-1', - }, - })); + pipeline.addStage( + new MyApplication(this, 'Prod', { + env: { + account: '123456789012', + region: 'eu-west-1', + }, + }) + ); } } @@ -134,7 +136,7 @@ new MyPipelineStack(this, 'PipelineStack', { env: { account: '123456789012', region: 'eu-west-1', - } + }, }); ``` @@ -143,7 +145,7 @@ application stages in the source code, or new stacks to `MyApplication`, the pipeline will automatically reconfigure itself to deploy those new stages and stacks. -(Note that you have to *bootstrap* all environments before the above code +(Note that you have to _bootstrap_ all environments before the above code will work, and switch on "Modern synthesis" if you are using CDKv1. See the section **CDK Environment Bootstrapping** below for more information). @@ -152,7 +154,7 @@ more information). To provision the pipeline you have defined, make sure the target environment has been bootstrapped (see below), and then execute deploying the -`PipelineStack` *once*. Afterwards, the pipeline will keep itself up-to-date. +`PipelineStack` _once_. Afterwards, the pipeline will keep itself up-to-date. > **Important**: be sure to `git commit` and `git push` before deploying the > Pipeline stack using `cdk deploy`! @@ -183,27 +185,16 @@ To make the development more convenient, the self-mutation feature can be turned off temporarily, by passing `selfMutation: false` property, example: ```ts -// Modern API -const modernPipeline = new pipelines.CodePipeline(this, 'Pipeline', { +const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { selfMutation: false, synth: new pipelines.ShellStep('Synth', { input: pipelines.CodePipelineSource.connection('my-org/my-app', 'main', { - connectionArn: 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', + connectionArn: + 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', }), - commands: [ - 'npm ci', - 'npm run build', - 'npx cdk synth', - ], + commands: ['npm ci', 'npm run build', 'npx cdk synth'], }), }); - -// Original API -const cloudAssemblyArtifact = new codepipeline.Artifact(); -const originalPipeline = new pipelines.CdkPipeline(this, 'Pipeline', { - selfMutating: false, - cloudAssemblyArtifact, -}); ``` ## Defining the pipeline @@ -232,11 +223,7 @@ declare const source: pipelines.IFileSetProducer; // the repository source const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { synth: new pipelines.ShellStep('Synth', { input: source, - commands: [ - 'npm ci', - 'npm run build', - 'npx cdk synth', - ], + commands: ['npm ci', 'npm run build', 'npx cdk synth'], }), }); ``` @@ -252,12 +239,7 @@ declare const source: pipelines.IFileSetProducer; // the repository source const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { synth: new pipelines.ShellStep('Synth', { input: source, - commands: [ - 'cd mysubdir', - 'npm ci', - 'npm run build', - 'npx cdk synth', - ], + commands: ['cd mysubdir', 'npm ci', 'npm run build', 'npx cdk synth'], primaryOutputDirectory: 'mysubdir/cdk.out', }), }); @@ -284,12 +266,8 @@ declare const source: pipelines.IFileSetProducer; // the repository source const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { synth: new pipelines.ShellStep('Synth', { input: source, - commands: [ - 'yarn install --frozen-lockfile', - 'yarn build', - 'npx cdk synth', - ], - }) + commands: ['yarn install --frozen-lockfile', 'yarn build', 'npx cdk synth'], + }), }); ``` @@ -307,7 +285,7 @@ const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { 'npm install -g aws-cdk', 'cdk synth', ], - }) + }), }); ``` @@ -322,11 +300,8 @@ declare const source: pipelines.IFileSetProducer; // the repository source const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { synth: new pipelines.ShellStep('Synth', { input: source, - commands: [ - 'npm install -g aws-cdk', - 'cdk synth', - ], - }) + commands: ['npm install -g aws-cdk', 'cdk synth'], + }), }); ``` @@ -358,7 +333,7 @@ const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { // Abstract over doing the build './build.sh', ], - }) + }), }); ``` @@ -368,19 +343,20 @@ for developers at the same time. #### CodePipeline Sources -In CodePipeline, *Sources* define where the source of your application lives. +In CodePipeline, _Sources_ define where the source of your application lives. When a change to the source is detected, the pipeline will start executing. Source objects can be created by factory methods on the `CodePipelineSource` class: ##### GitHub, GitHub Enterprise, BitBucket using a connection -The recommended way of connecting to GitHub or BitBucket is by using a *connection*. +The recommended way of connecting to GitHub or BitBucket is by using a _connection_. You will first use the AWS Console to authenticate to the source control provider, and then use the connection ARN in your pipeline definition: ```ts pipelines.CodePipelineSource.connection('org/repo', 'branch', { - connectionArn: 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', + connectionArn: + 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', }); ``` @@ -406,7 +382,11 @@ that the CodeCommit repository and then use `CodePipelineSource.codeCommit` to reference it: ```ts -const repository = codecommit.Repository.fromRepositoryName(this, 'Repository', 'my-repository'); +const repository = codecommit.Repository.fromRepositoryName( + this, + 'Repository', + 'my-repository' +); pipelines.CodePipelineSource.codeCommit(repository, 'main'); ``` @@ -448,12 +428,12 @@ const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { synth: new pipelines.ShellStep('Synth', { input: pipelines.CodePipelineSource.gitHub('myorg/repo2', 'main'), additionalInputs: { - 'subdir': pipelines.CodePipelineSource.gitHub('myorg/repo3', 'main'), + subdir: pipelines.CodePipelineSource.gitHub('myorg/repo3', 'main'), '../siblingdir': prebuild, }, commands: ['./build.sh'], - }) + }), }); ``` @@ -467,12 +447,14 @@ so, call `pipeline.addStage()` on the Stage object: declare const pipeline: pipelines.CodePipeline; // Do this as many times as necessary with any account and region // Account and region may different from the pipeline's. -pipeline.addStage(new MyApplicationStage(this, 'Prod', { - env: { - account: '123456789012', - region: 'eu-west-1', - } -})); +pipeline.addStage( + new MyApplicationStage(this, 'Prod', { + env: { + account: '123456789012', + region: 'eu-west-1', + }, + }) +); ``` CDK Pipelines will automatically discover all `Stacks` in the given `Stage` @@ -491,7 +473,7 @@ correctly and any requisite replication Buckets are created. By default, all applications added to CDK Pipelines by calling `addStage()` will be deployed in sequence, one after the other. If you have a lot of stages, you can speed up the pipeline by choosing to deploy some stages in parallel. You do this -by calling `addWave()` instead of `addStage()`: a *wave* is a set of stages that +by calling `addWave()` instead of `addStage()`: a _wave_ is a set of stages that are all deployed in parallel instead of sequentially. Waves themselves are still deployed in sequence. For example, the following will deploy two copies of your application to `eu-west-1` and `eu-central-1` in parallel: @@ -499,19 +481,23 @@ application to `eu-west-1` and `eu-central-1` in parallel: ```ts declare const pipeline: pipelines.CodePipeline; const europeWave = pipeline.addWave('Europe'); -europeWave.addStage(new MyApplicationStage(this, 'Ireland', { - env: { region: 'eu-west-1' } -})); -europeWave.addStage(new MyApplicationStage(this, 'Germany', { - env: { region: 'eu-central-1' } -})); +europeWave.addStage( + new MyApplicationStage(this, 'Ireland', { + env: { region: 'eu-west-1' }, + }) +); +europeWave.addStage( + new MyApplicationStage(this, 'Germany', { + env: { region: 'eu-central-1' }, + }) +); ``` #### Deploying to other accounts / encrypting the Artifact Bucket CDK Pipelines can transparently deploy to other Regions and other accounts (provided those target environments have been -[*bootstrapped*](https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html)). +[_bootstrapped_](https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html)). However, deploying to another account requires one additional piece of configuration: you need to enable `crossAccountKeys: true` when creating the pipeline. @@ -530,13 +516,10 @@ const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { enableKeyRotation: true, // optional synth: new pipelines.ShellStep('Synth', { input: pipelines.CodePipelineSource.connection('my-org/my-app', 'main', { - connectionArn: 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', + connectionArn: + 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', }), - commands: [ - 'npm ci', - 'npm run build', - 'npx cdk synth', - ], + commands: ['npm ci', 'npm run build', 'npx cdk synth'], }), }); ``` @@ -592,9 +575,7 @@ pipeline.addStage(preprod, { ], }); pipeline.addStage(prod, { - pre: [ - new pipelines.ManualApprovalStep('PromoteToProd'), - ], + pre: [new pipelines.ManualApprovalStep('PromoteToProd')], }); ``` @@ -616,15 +597,18 @@ declare const pipeline: pipelines.CodePipeline; const prod = new MyStacksStage(this, 'Prod'); pipeline.addStage(prod, { - stackSteps: [{ - stack: prod.stack1, - pre: [new pipelines.ManualApprovalStep('Pre-Stack Check')], // Executed before stack is prepared - changeSet: [new pipelines.ManualApprovalStep('ChangeSet Approval')], // Executed after stack is prepared but before the stack is deployed - post: [new pipelines.ManualApprovalStep('Post-Deploy Check')], // Executed after stack is deployed - }, { - stack: prod.stack2, - post: [new pipelines.ManualApprovalStep('Post-Deploy Check')], // Executed after stack is deployed - }], + stackSteps: [ + { + stack: prod.stack1, + pre: [new pipelines.ManualApprovalStep('Pre-Stack Check')], // Executed before stack is prepared + changeSet: [new pipelines.ManualApprovalStep('ChangeSet Approval')], // Executed after stack is prepared but before the stack is deployed + post: [new pipelines.ManualApprovalStep('Post-Deploy Check')], // Executed after stack is deployed + }, + { + stack: prod.stack2, + post: [new pipelines.ManualApprovalStep('Post-Deploy Check')], // Executed after stack is deployed + }, + ], }); ``` @@ -664,7 +648,9 @@ class MyOutputStage extends Stage { constructor(scope: Construct, id: string, props?: StageProps) { super(scope, id, props); - this.loadBalancerAddress = new CfnOutput(this, 'Output', {value: 'value'}); + this.loadBalancerAddress = new CfnOutput(this, 'Output', { + value: 'value', + }); } } @@ -724,8 +710,12 @@ declare const vpc: ec2.Vpc; declare const mySecurityGroup: ec2.SecurityGroup; new pipelines.CodeBuildStep('Synth', { // ...standard ShellStep props... - commands: [/* ... */], - env: { /* ... */ }, + commands: [ + /* ... */ + ], + env: { + /* ... */ + }, // If you are using a CodeBuildStep explicitly, set the 'cdk.out' directory // to be the synth step's output. @@ -746,12 +736,14 @@ new pipelines.CodeBuildStep('Synth', { privileged: true, }, timeout: Duration.minutes(90), - fileSystemLocations: [codebuild.FileSystemLocation.efs({ - identifier: "myidentifier2", - location: "myclodation.mydnsroot.com:/loc", - mountPoint: "/media", - mountOptions: "opts", - })], + fileSystemLocations: [ + codebuild.FileSystemLocation.efs({ + identifier: 'myidentifier2', + location: 'myclodation.mydnsroot.com:/loc', + mountPoint: '/media', + mountOptions: 'opts', + }), + ], // Control Elastic Network Interface creation vpc: vpc, @@ -763,12 +755,14 @@ new pipelines.CodeBuildStep('Synth', { // Additional policy statements for the execution role rolePolicyStatements: [ - new iam.PolicyStatement({ /* ... */ }), + new iam.PolicyStatement({ + /* ... */ + }), ], }); ``` -You can also configure defaults for *all* CodeBuild projects by passing `codeBuildDefaults`, +You can also configure defaults for _all_ CodeBuild projects by passing `codeBuildDefaults`, or just for the synth, asset publishing, and self-mutation projects by passing `synthCodeBuildDefaults`, `assetPublishingCodeBuildDefaults`, or `selfMutationCodeBuildDefaults`: @@ -782,13 +776,10 @@ new pipelines.CodePipeline(this, 'Pipeline', { // Standard CodePipeline properties synth: new pipelines.ShellStep('Synth', { input: pipelines.CodePipelineSource.connection('my-org/my-app', 'main', { - connectionArn: 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', + connectionArn: + 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', }), - commands: [ - 'npm ci', - 'npm run build', - 'npx cdk synth', - ], + commands: ['npm ci', 'npm run build', 'npx cdk synth'], }), // Defaults for all CodeBuild projects @@ -811,7 +802,9 @@ new pipelines.CodePipeline(this, 'Pipeline', { // Additional policy statements for the execution role rolePolicy: [ - new iam.PolicyStatement({ /* ... */ }), + new iam.PolicyStatement({ + /* ... */ + }), ], // Information about logs @@ -825,9 +818,15 @@ new pipelines.CodePipeline(this, 'Pipeline', { }, }, - synthCodeBuildDefaults: { /* ... */ }, - assetPublishingCodeBuildDefaults: { /* ... */ }, - selfMutationCodeBuildDefaults: { /* ... */ }, + synthCodeBuildDefaults: { + /* ... */ + }, + assetPublishingCodeBuildDefaults: { + /* ... */ + }, + selfMutationCodeBuildDefaults: { + /* ... */ + }, }); ``` @@ -840,10 +839,13 @@ doesn't have a matching class yet, you can define your own step class that exten Here's an example that adds a Jenkins step: ```ts -class MyJenkinsStep extends pipelines.Step implements pipelines.ICodePipelineActionFactory { +class MyJenkinsStep + extends pipelines.Step + implements pipelines.ICodePipelineActionFactory +{ constructor( private readonly provider: cpactions.JenkinsProvider, - private readonly input: pipelines.FileSet, + private readonly input: pipelines.FileSet ) { super('MyJenkinsStep'); @@ -851,27 +853,33 @@ class MyJenkinsStep extends pipelines.Step implements pipelines.ICodePipelineAct // that may contain outputs from other steps. It doesn't matter what the // structure is, as long as it contains the values that may contain outputs. this.discoverReferencedOutputs({ - env: { /* ... */ } + env: { + /* ... */ + }, }); } - public produceAction(stage: codepipeline.IStage, options: pipelines.ProduceActionOptions): pipelines.CodePipelineActionFactoryResult { - + public produceAction( + stage: codepipeline.IStage, + options: pipelines.ProduceActionOptions + ): pipelines.CodePipelineActionFactoryResult { // This is where you control what type of Action gets added to the // CodePipeline - stage.addAction(new cpactions.JenkinsAction({ - // Copy 'actionName' and 'runOrder' from the options - actionName: options.actionName, - runOrder: options.runOrder, - - // Jenkins-specific configuration - type: cpactions.JenkinsActionType.TEST, - jenkinsProvider: this.provider, - projectName: 'MyJenkinsProject', - - // Translate the FileSet into a codepipeline.Artifact - inputs: [options.artifacts.toCodePipeline(this.input)], - })); + stage.addAction( + new cpactions.JenkinsAction({ + // Copy 'actionName' and 'runOrder' from the options + actionName: options.actionName, + runOrder: options.runOrder, + + // Jenkins-specific configuration + type: cpactions.JenkinsActionType.TEST, + jenkinsProvider: this.provider, + projectName: 'MyJenkinsProject', + + // Translate the FileSet into a codepipeline.Artifact + inputs: [options.artifacts.toCodePipeline(this.input)], + }) + ); return { runOrdersConsumed: 1 }; } @@ -881,26 +889,35 @@ class MyJenkinsStep extends pipelines.Step implements pipelines.ICodePipelineAct Another example, adding a lambda step referencing outputs from a stack: ```ts -class MyLambdaStep extends pipelines.Step implements pipelines.ICodePipelineActionFactory { - private stackOutputReference: pipelines.StackOutputReference +class MyLambdaStep + extends pipelines.Step + implements pipelines.ICodePipelineActionFactory +{ + private stackOutputReference: pipelines.StackOutputReference; - constructor( - private readonly fn: lambda.Function, - stackOutput: CfnOutput, - ) { + constructor(private readonly fn: lambda.Function, stackOutput: CfnOutput) { super('MyLambdaStep'); - this.stackOutputReference = pipelines.StackOutputReference.fromCfnOutput(stackOutput); + this.stackOutputReference = + pipelines.StackOutputReference.fromCfnOutput(stackOutput); } - public produceAction(stage: codepipeline.IStage, options: pipelines.ProduceActionOptions): pipelines.CodePipelineActionFactoryResult { - - stage.addAction(new cpactions.LambdaInvokeAction({ - actionName: options.actionName, - runOrder: options.runOrder, - // Map the reference to the variable name the CDK has generated for you. - userParameters: {stackOutput: options.stackOutputsMap.toCodePipeline(this.stackOutputReference)}, - lambda: this.fn, - })); + public produceAction( + stage: codepipeline.IStage, + options: pipelines.ProduceActionOptions + ): pipelines.CodePipelineActionFactoryResult { + stage.addAction( + new cpactions.LambdaInvokeAction({ + actionName: options.actionName, + runOrder: options.runOrder, + // Map the reference to the variable name the CDK has generated for you. + userParameters: { + stackOutput: options.stackOutputsMap.toCodePipeline( + this.stackOutputReference + ), + }, + lambda: this.fn, + }) + ); return { runOrdersConsumed: 1 }; } @@ -924,7 +941,7 @@ This also gives you more direct control over the underlying `CodePipeline.Pipeli if the way the modern API creates it doesn't allow for desired configurations. Use `CodePipelineFileset` to convert CodePipeline **artifacts** into CDK Pipelines **file sets**, that can be used everywhere a file set or file set producer is expected. -Here's an example of passing in an existing pipeline and using a *source* that's already +Here's an example of passing in an existing pipeline and using a _source_ that's already in the pipeline: ```ts @@ -936,7 +953,7 @@ const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { codePipeline: codePipeline, synth: new pipelines.ShellStep('Synth', { input: pipelines.CodePipelineFileSet.fromArtifact(sourceArtifact), - commands: ['npm ci','npm run build','npx cdk synth'], + commands: ['npm ci', 'npm run build', 'npx cdk synth'], }), }); ``` @@ -970,7 +987,7 @@ Docker can be used in 3 different places in the pipeline: - If you are using Docker to bundle file assets anywhere in your project (for example, if you are using such construct libraries as `aws-cdk-lib/aws-lambda-nodejs`): Docker will run in the - *synth* project. + _synth_ project. For the first case, you don't need to do anything special. For the other two cases, you need to make sure that **privileged mode** is enabled on the correct CodeBuild @@ -991,9 +1008,10 @@ you need to pass `dockerEnabledForSelfMutation: true` to the pipeline. For examp const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { synth: new pipelines.ShellStep('Synth', { input: pipelines.CodePipelineSource.connection('my-org/my-app', 'main', { - connectionArn: 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', + connectionArn: + 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', }), - commands: ['npm ci','npm run build','npx cdk synth'], + commands: ['npm ci', 'npm run build', 'npx cdk synth'], }), // Turn this on because the pipeline uses Docker image assets @@ -1017,7 +1035,7 @@ pipeline.addWave('MyWave', { ``` > **Important**: You must turn on the `dockerEnabledForSelfMutation` flag, -> commit and allow the pipeline to self-update *before* adding the actual +> commit and allow the pipeline to self-update _before_ adding the actual > Docker asset. ### Using bundled file assets @@ -1030,9 +1048,10 @@ if you add a construct like `aws-cdk-lib/aws-lambda-nodejs`), you need to pass const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { synth: new pipelines.ShellStep('Synth', { input: pipelines.CodePipelineSource.connection('my-org/my-app', 'main', { - connectionArn: 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', + connectionArn: + 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', }), - commands: ['npm ci','npm run build','npx cdk synth'], + commands: ['npm ci', 'npm run build', 'npx cdk synth'], }), // Turn this on because the application uses bundled file assets @@ -1041,7 +1060,7 @@ const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { ``` > **Important**: You must turn on the `dockerEnabledForSynth` flag, -> commit and allow the pipeline to self-update *before* adding the actual +> commit and allow the pipeline to self-update _before_ adding the actual > Docker asset. ### Authenticating to Docker registries @@ -1052,22 +1071,42 @@ any of the application stages — require authentication, either due to being in different environment (e.g., ECR repo) or to avoid throttling (e.g., DockerHub). ```ts -const dockerHubSecret = secretsmanager.Secret.fromSecretCompleteArn(this, 'DHSecret', 'arn:aws:...'); -const customRegSecret = secretsmanager.Secret.fromSecretCompleteArn(this, 'CRSecret', 'arn:aws:...'); -const repo1 = ecr.Repository.fromRepositoryArn(this, 'Repo', 'arn:aws:ecr:eu-west-1:0123456789012:repository/Repo1'); -const repo2 = ecr.Repository.fromRepositoryArn(this, 'Repo', 'arn:aws:ecr:eu-west-1:0123456789012:repository/Repo2'); +const dockerHubSecret = secretsmanager.Secret.fromSecretCompleteArn( + this, + 'DHSecret', + 'arn:aws:...' +); +const customRegSecret = secretsmanager.Secret.fromSecretCompleteArn( + this, + 'CRSecret', + 'arn:aws:...' +); +const repo1 = ecr.Repository.fromRepositoryArn( + this, + 'Repo', + 'arn:aws:ecr:eu-west-1:0123456789012:repository/Repo1' +); +const repo2 = ecr.Repository.fromRepositoryArn( + this, + 'Repo', + 'arn:aws:ecr:eu-west-1:0123456789012:repository/Repo2' +); const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { dockerCredentials: [ pipelines.DockerCredential.dockerHub(dockerHubSecret), - pipelines.DockerCredential.customRegistry('dockerregistry.example.com', customRegSecret), + pipelines.DockerCredential.customRegistry( + 'dockerregistry.example.com', + customRegSecret + ), pipelines.DockerCredential.ecr([repo1, repo2]), ], synth: new pipelines.ShellStep('Synth', { input: pipelines.CodePipelineSource.connection('my-org/my-app', 'main', { - connectionArn: 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', + connectionArn: + 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', }), - commands: ['npm ci','npm run build','npx cdk synth'], + commands: ['npm ci', 'npm run build', 'npx cdk synth'], }), }); ``` @@ -1082,17 +1121,23 @@ optional role to assume before requesting the credentials. By default, the Docker credentials provided to the pipeline will be available to the **Synth**, **Self-Update**, and **Asset Publishing** actions within the -*pipeline. The scope of the credentials can be limited via the `DockerCredentialUsage` option. +\*pipeline. The scope of the credentials can be limited via the `DockerCredentialUsage` option. ```ts -const dockerHubSecret = secretsmanager.Secret.fromSecretCompleteArn(this, 'DHSecret', 'arn:aws:...'); +const dockerHubSecret = secretsmanager.Secret.fromSecretCompleteArn( + this, + 'DHSecret', + 'arn:aws:...' +); // Only the image asset publishing actions will be granted read access to the secret. -const creds = pipelines.DockerCredential.dockerHub(dockerHubSecret, { usages: [pipelines.DockerCredentialUsage.ASSET_PUBLISHING] }); +const creds = pipelines.DockerCredential.dockerHub(dockerHubSecret, { + usages: [pipelines.DockerCredentialUsage.ASSET_PUBLISHING], +}); ``` ## CDK Environment Bootstrapping -An *environment* is an *(account, region)* pair where you want to deploy a +An _environment_ is an _(account, region)_ pair where you want to deploy a CDK stack (see [Environments](https://docs.aws.amazon.com/cdk/latest/guide/environments.html) in the CDK Developer Guide). In a Continuous Deployment pipeline, there are @@ -1102,16 +1147,16 @@ different stages of the application). These can be the same, though best practices recommend you isolate your different application stages from each other in different AWS accounts or regions. -Before you can provision the pipeline, you have to *bootstrap* the environment you want +Before you can provision the pipeline, you have to _bootstrap_ the environment you want to create it in. If you are deploying your application to different environments, you -also have to bootstrap those and be sure to add a *trust* relationship. +also have to bootstrap those and be sure to add a _trust_ relationship. After you have bootstrapped an environment and created a pipeline that deploys -to it, it's important that you don't delete the stack or change its *Qualifier*, +to it, it's important that you don't delete the stack or change its _Qualifier_, or future deployments to this environment will fail. If you want to upgrade the bootstrap stack to a newer version, do that by updating it in-place. -> This library requires the *modern* bootstrapping stack which has +> This library requires the _modern_ bootstrapping stack which has > been updated specifically to support cross-account continuous delivery. > > If you are using CDKv2, you do not need to do anything else. Modern @@ -1189,7 +1234,7 @@ These command lines explained: > Be aware that anyone who has access to the trusted Accounts **effectively has all > permissions conferred by the configured CloudFormation execution policies**, > allowing them to do things like read arbitrary S3 buckets and create arbitrary -> infrastructure in the bootstrapped account. Restrict the list of `--trust`ed Accounts, +> infrastructure in the bootstrapped account. Restrict the list of `--trust`ed Accounts, > or restrict the policies configured by `--cloudformation-execution-policies`.
@@ -1223,7 +1268,7 @@ The "new" bootstrap stack (obtained by running `cdk bootstrap` with contains: - An S3 bucket and ECR repository with predictable names, so that we can reference - assets in these storage locations *without* the use of CloudFormation template + assets in these storage locations _without_ the use of CloudFormation template parameters. - A set of roles with permissions to access these asset locations and to execute CloudFormation, assumable from whatever accounts you specify under `--trust`. @@ -1256,30 +1301,40 @@ declare const sharedXRegionUsWest2KeyArn: string; const usWest1Bucket = s3.Bucket.fromBucketAttributes(scope, 'UsEast1Bucket', { bucketArn: sharedXRegionUsWest1BucketArn, - encryptionKey: kms.Key.fromKeyArn(scope, 'UsEast1BucketKeyArn', sharedXRegionUsWest1BucketArn), + encryptionKey: kms.Key.fromKeyArn( + scope, + 'UsEast1BucketKeyArn', + sharedXRegionUsWest1BucketArn + ), }); const usWest2Bucket = s3.Bucket.fromBucketAttributes(scope, 'UsWest2Bucket', { bucketArn: sharedXRegionUsWest2BucketArn, - encryptionKey: kms.Key.fromKeyArn(scope, 'UsWest2BucketKeyArn', sharedXRegionUsWest2KeyArn), + encryptionKey: kms.Key.fromKeyArn( + scope, + 'UsWest2BucketKeyArn', + sharedXRegionUsWest2KeyArn + ), }); const crossRegionReplicationBuckets: Record = { 'us-west-1': usWest1Bucket, 'us-west-2': usWest2Bucket, // Support for additional regions. -} +}; const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { synth: new pipelines.ShellStep('Synth', { input: pipelines.CodePipelineSource.connection('my-org/my-app', 'main', { - connectionArn: 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', + connectionArn: + 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', }), - commands: ['npm ci','npm run build','npx cdk synth'], - }), // Use shared buckets. + commands: ['npm ci', 'npm run build', 'npx cdk synth'], + }), // Use shared buckets. crossRegionReplicationBuckets, }); ``` + ## Context Lookups You might be using CDK constructs that need to look up [runtime @@ -1299,7 +1354,7 @@ contains the results of the context lookups. This will make sure your synthesized infrastructure is consistent and repeatable. If you do not commit `cdk.context.json`, the results of the lookups may suddenly be different in unexpected ways, and even produce results that cannot be deployed or will cause -data loss. To give an account permissions to perform lookups against an +data loss. To give an account permissions to perform lookups against an environment, without being able to deploy to it and make changes, run `cdk bootstrap --trust-for-lookup=`. @@ -1313,7 +1368,8 @@ lookup roles. As an example, doing so would look like this: new pipelines.CodePipeline(this, 'Pipeline', { synth: new pipelines.CodeBuildStep('Synth', { input: pipelines.CodePipelineSource.connection('my-org/my-app', 'main', { - connectionArn: 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', + connectionArn: + 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', }), commands: [ // Commands to load cdk.context.json from somewhere here @@ -1405,9 +1461,7 @@ You can insert the security check by using a `ConfirmPermissionsBroadening` step declare const pipeline: pipelines.CodePipeline; const stage = new MyApplicationStage(this, 'MyApplication'); pipeline.addStage(stage, { - pre: [ - new pipelines.ConfirmPermissionsBroadening('Check', { stage }), - ], + pre: [new pipelines.ConfirmPermissionsBroadening('Check', { stage })], }); ``` @@ -1436,7 +1490,7 @@ check enabled. ## Using a different deployment engine -CDK Pipelines supports multiple *deployment engines*, but this module vends a +CDK Pipelines supports multiple _deployment engines_, but this module vends a construct for only one such engine: AWS CodePipeline. It is also possible to use CDK Pipelines to build pipelines backed by other deployment engines. @@ -1490,7 +1544,7 @@ but the directory wasn't there. There are two common causes for this: ### is in ROLLBACK_COMPLETE state and can not be updated -If you see the following error during execution of your pipeline: +If you see the following error during execution of your pipeline: ```plaintext Stack ... is in ROLLBACK_COMPLETE state and can not be updated. (Service: @@ -1520,7 +1574,7 @@ project that uses the AWS SDK for JavaScript, without the target application having been installed yet. For example, it can be triggered by `npx cdk synth` if `aws-cdk` is not in your `package.json`. -Work around this by either installing the target application using NPM *before* +Work around this by either installing the target application using NPM _before_ running `npx`, or set the environment variable `NPM_CONFIG_UNSAFE_PERM=true`. ### Cannot connect to the Docker daemon at unix:///var/run/docker.sock @@ -1539,21 +1593,6 @@ that bundles asset using tools run via Docker, like `aws-lambda-nodejs`, `aws-la Make sure you set the `privileged` environment variable to `true` in the synth definition: -```ts -const sourceArtifact = new codepipeline.Artifact(); -const cloudAssemblyArtifact = new codepipeline.Artifact(); -const pipeline = new pipelines.CdkPipeline(this, 'MyPipeline', { - cloudAssemblyArtifact, - synthAction: pipelines.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - environment: { - privileged: true, - }, - }), -}); -``` - After turning on `privilegedMode: true`, you will need to do a one-time manual cdk deploy of your pipeline to get it going again (as with a broken 'synth' the pipeline will not be able to self update to the right state). @@ -1606,27 +1645,6 @@ An "S3 Access Denied" error can have two causes: - Asset hashes have changed, but self-mutation has been disabled in the pipeline. - You have deleted and recreated the bootstrap stack, or changed its qualifier. -#### Self-mutation step has been removed - -Some constructs, such as EKS clusters, generate nested stacks. When CloudFormation tries -to deploy those stacks, it may fail with this error: - -```console -S3 error: Access Denied For more information check http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html -``` - -This happens because the pipeline is not self-mutating and, as a consequence, the `FileAssetX` -build projects get out-of-sync with the generated templates. To fix this, make sure the -`selfMutating` property is set to `true`: - -```ts -const cloudAssemblyArtifact = new codepipeline.Artifact(); -const pipeline = new pipelines.CdkPipeline(this, 'MyPipeline', { - selfMutating: true, - cloudAssemblyArtifact, -}); -``` - #### Bootstrap roles have been renamed or recreated While attempting to deploy an application stage, the "Prepare" or "Deploy" stage may fail with a cryptic error like: @@ -1656,7 +1674,7 @@ $ env CDK_NEW_BOOTSTRAP=1 npx cdk bootstrap \ ``` - Update all impacted stacks in the pipeline to use this new qualifier. -See https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html for more info. + See https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html for more info. ```ts new Stack(this, 'MyStack', { @@ -1681,13 +1699,13 @@ encryption key policy for the artifacts bucket may have a statement that looks l ```json { - "Effect" : "Allow", - "Principal" : { + "Effect": "Allow", + "Principal": { // "AWS" : "AROAYBRETNYCYV6ZF2R93" // Indicates this issue; replace this value - "AWS": "arn:aws:iam::0123456789012:role/cdk-hnb659fds-deploy-role-0123456789012-eu-west-1", // Correct value + "AWS": "arn:aws:iam::0123456789012:role/cdk-hnb659fds-deploy-role-0123456789012-eu-west-1" // Correct value }, - "Action" : [ "kms:Decrypt", "kms:DescribeKey" ], - "Resource" : "*" + "Action": ["kms:Decrypt", "kms:DescribeKey"], + "Resource": "*" } ``` @@ -1704,7 +1722,7 @@ framework version that your application uses. You either forgot to change the `cliVersion` parameter, or changed the `cliVersion` in the same commit in which you changed the framework version. Because a change to the pipeline settings needs a successful run of the `SelfMutate` step to be applied, the next iteration of the -`SelfMutate` step still executes with the *old* CLI version, and that old CLI version +`SelfMutate` step still executes with the _old_ CLI version, and that old CLI version is not able to read the cloud assembly produced by the new framework version. Solution: change the `cliVersion` first, commit, push and deploy, and only then @@ -1751,8 +1769,8 @@ const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { // Add the shell commands to install your drop-in Docker // replacement to the CodeBuild enviromment. commands: installCommands, - } - } + }, + }, }), buildEnvironment: { environmentVariables: { @@ -1760,8 +1778,8 @@ const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { // `docker` when building / publishing docker images. // e.g., `drop-in-replacement build . -f path/to/Dockerfile` CDK_DOCKER: { value: 'drop-in-replacement' }, - } - } + }, + }, }, }); ``` @@ -1789,14 +1807,16 @@ const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { buildEnvironment: { // Provide a custom build image containing your toolchain and the // pre-installed replacement for the `docker` command. - buildImage: codebuild.LinuxBuildImage.fromDockerRegistry('your-docker-registry'), + buildImage: codebuild.LinuxBuildImage.fromDockerRegistry( + 'your-docker-registry' + ), environmentVariables: { // If you haven't provided an `ENV` in your Dockerfile that overrides // `CDK_DOCKER`, then you must provide the name of the command that // the AWS CDK should run instead of `docker` here. CDK_DOCKER: { value: 'drop-in-replacement' }, - } - } + }, + }, }, }); ``` diff --git a/packages/aws-cdk-lib/pipelines/lib/index.ts b/packages/aws-cdk-lib/pipelines/lib/index.ts index 5f469e9fd5ce6..e26c394c027cb 100644 --- a/packages/aws-cdk-lib/pipelines/lib/index.ts +++ b/packages/aws-cdk-lib/pipelines/lib/index.ts @@ -1,4 +1,3 @@ -export * from './legacy'; export * from './blueprint'; export * from './codepipeline'; export * from './main'; diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/actions/deploy-cdk-stack-action.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/actions/deploy-cdk-stack-action.ts deleted file mode 100644 index 3de0c99c3de23..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/actions/deploy-cdk-stack-action.ts +++ /dev/null @@ -1,386 +0,0 @@ -import * as fs from 'fs'; -import * as path from 'path'; -import { Construct, Node } from 'constructs'; -import * as codepipeline from '../../../../aws-codepipeline'; -import * as cpactions from '../../../../aws-codepipeline-actions'; -import * as events from '../../../../aws-events'; -import * as iam from '../../../../aws-iam'; -import { Aws, CfnCapabilities, Stack } from '../../../../core'; -import * as cxapi from '../../../../cx-api'; -import { appOf, assemblyBuilderOf } from '../../private/construct-internals'; -import { toPosixPath } from '../../private/fs'; - -/** - * Customization options for a DeployCdkStackAction - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface DeployCdkStackActionOptions { - /** - * Base name of the action - * - * @default stackName - */ - readonly baseActionName?: string; - - /** - * The CodePipeline artifact that holds the Cloud Assembly. - */ - readonly cloudAssemblyInput: codepipeline.Artifact; - - /** - * Run order for the Prepare action - * - * @default 1 - */ - readonly prepareRunOrder?: number; - - /** - * Run order for the Execute action - * - * @default - prepareRunOrder + 1 - */ - readonly executeRunOrder?: number; - - /** - * Artifact to write Stack Outputs to - * - * @default - No outputs - */ - readonly output?: codepipeline.Artifact; - - /** - * Filename in output to write Stack outputs to - * - * @default - Required when 'output' is set - */ - readonly outputFileName?: string; - - /** - * Name of the change set to create and deploy - * - * @default 'PipelineChange' - */ - readonly changeSetName?: string; -} - -/** - * Properties for a DeployCdkStackAction - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface DeployCdkStackActionProps extends DeployCdkStackActionOptions { - /** - * Relative path of template in the input artifact - */ - readonly templatePath: string; - - /** - * Role for the action to assume - * - * This controls the account to deploy into - */ - readonly actionRole: iam.IRole; - - /** - * The name of the stack that should be created/updated - */ - readonly stackName: string; - - /** - * Role to execute CloudFormation under - * - * @default - Execute CloudFormation using the action role - */ - readonly cloudFormationExecutionRole?: iam.IRole; - - /** - * Region to deploy into - * - * @default - Same region as pipeline - */ - readonly region?: string; - - /** - * Artifact ID for the stack deployed here - * - * Used for pipeline order checking. - * - * @default - Order will not be checked - */ - readonly stackArtifactId?: string; - - /** - * Artifact ID for the stacks this stack depends on - * - * Used for pipeline order checking. - * - * @default - No dependencies - */ - readonly dependencyStackArtifactIds?: string[]; - - /** - * Template configuration path relative to the input artifact - * - * @default - No template configuration - */ - readonly templateConfigurationPath?: string; -} - -/** - * Options for the 'fromStackArtifact' operation - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface CdkStackActionFromArtifactOptions extends DeployCdkStackActionOptions { - /** - * The name of the stack that should be created/updated - * - * @default - Same as stack artifact - */ - readonly stackName?: string; -} - -/** - * Action to deploy a CDK Stack - * - * Adds two CodePipeline Actions to the pipeline: one to create a ChangeSet - * and one to execute it. - * - * You do not need to instantiate this action yourself -- it will automatically - * be added by the pipeline when you add stack artifacts or entire stages. - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export class DeployCdkStackAction implements codepipeline.IAction { - /** - * Construct a DeployCdkStackAction from a Stack artifact - */ - public static fromStackArtifact(scope: Construct, artifact: cxapi.CloudFormationStackArtifact, options: CdkStackActionFromArtifactOptions) { - if (!artifact.assumeRoleArn) { - throw new Error(`Stack '${artifact.stackName}' does not have deployment role information; use the 'DefaultStackSynthesizer' synthesizer, or set the '@aws-cdk/core:newStyleStackSynthesis' context key.`); - } - - const artRegion = artifact.environment.region; - const region = artRegion === Stack.of(scope).region || artRegion === cxapi.UNKNOWN_REGION ? undefined : artRegion; - const artAccount = artifact.environment.account; - const account = artAccount === Stack.of(scope).account || artAccount === cxapi.UNKNOWN_ACCOUNT ? undefined : artAccount; - - const actionRole = roleFromPlaceholderArn(scope, region, account, artifact.assumeRoleArn); - const cloudFormationExecutionRole = roleFromPlaceholderArn(scope, region, account, artifact.cloudFormationExecutionRoleArn); - - // We need the path of the template relative to the root Cloud Assembly - // It should be easier to get this, but for now it is what it is. - const appAsmRoot = assemblyBuilderOf(appOf(scope)).outdir; - const fullTemplatePath = path.join(artifact.assembly.directory, artifact.templateFile); - - let fullConfigPath; - if (Object.keys(artifact.tags).length > 0) { - fullConfigPath = `${fullTemplatePath}.config.json`; - - // Write the template configuration file (for parameters into CreateChangeSet call that - // cannot be configured any other way). They must come from a file, and there's unfortunately - // no better hook to write this file (`construct.onSynthesize()` would have been the prime candidate - // but that is being deprecated--and DeployCdkStackAction isn't even a construct). - writeTemplateConfiguration(fullConfigPath, { - Tags: artifact.tags, - }); - } - - return new DeployCdkStackAction({ - actionRole, - cloudFormationExecutionRole, - templatePath: toPosixPath(path.relative(appAsmRoot, fullTemplatePath)), - templateConfigurationPath: fullConfigPath ? toPosixPath(path.relative(appAsmRoot, fullConfigPath)) : undefined, - region, - stackArtifactId: artifact.id, - dependencyStackArtifactIds: artifact.dependencies.filter(isStackArtifact).map(s => s.id), - stackName: options.stackName ?? artifact.stackName, - ...options, - }); - } - - /** - * The runorder for the prepare action - */ - public readonly prepareRunOrder: number; - - /** - * The runorder for the execute action - */ - public readonly executeRunOrder: number; - - /** - * Name of the deployed stack - */ - public readonly stackName: string; - - /** - * Artifact id of the artifact this action was based on - */ - public readonly stackArtifactId?: string; - - /** - * Artifact ids of the artifact this stack artifact depends on - */ - public readonly dependencyStackArtifactIds: string[]; - - private readonly prepareChangeSetAction: cpactions.CloudFormationCreateReplaceChangeSetAction; - private readonly executeChangeSetAction: cpactions.CloudFormationExecuteChangeSetAction; - - constructor(props: DeployCdkStackActionProps) { - if (props.output && !props.outputFileName) { - throw new Error('If \'output\' is set, \'outputFileName\' is also required'); - } - - this.stackArtifactId = props.stackArtifactId; - this.dependencyStackArtifactIds = props.dependencyStackArtifactIds ?? []; - - this.prepareRunOrder = props.prepareRunOrder ?? 1; - this.executeRunOrder = props.executeRunOrder ?? this.prepareRunOrder + 1; - this.stackName = props.stackName; - const baseActionName = props.baseActionName ?? this.stackName; - const changeSetName = props.changeSetName ?? 'PipelineChange'; - - this.prepareChangeSetAction = new cpactions.CloudFormationCreateReplaceChangeSetAction({ - actionName: `${baseActionName}.Prepare`, - changeSetName, - runOrder: this.prepareRunOrder, - stackName: this.stackName, - templatePath: props.cloudAssemblyInput.atPath(props.templatePath), - adminPermissions: false, - role: props.actionRole, - deploymentRole: props.cloudFormationExecutionRole, - region: props.region, - cfnCapabilities: [CfnCapabilities.NAMED_IAM, CfnCapabilities.AUTO_EXPAND], - templateConfiguration: props.templateConfigurationPath ? props.cloudAssemblyInput.atPath(props.templateConfigurationPath) : undefined, - }); - this.executeChangeSetAction = new cpactions.CloudFormationExecuteChangeSetAction({ - actionName: `${baseActionName}.Deploy`, - changeSetName, - runOrder: this.executeRunOrder, - stackName: this.stackName, - role: props.actionRole, - region: props.region, - outputFileName: props.outputFileName, - output: props.output, - }); - } - - /** - * Exists to implement IAction - */ - public bind(scope: Construct, stage: codepipeline.IStage, options: codepipeline.ActionBindOptions): - codepipeline.ActionConfig { - stage.addAction(this.prepareChangeSetAction); - - return this.executeChangeSetAction.bind(scope, stage, options); - } - - /** - * Exists to implement IAction - */ - public onStateChange(name: string, target?: events.IRuleTarget, options?: events.RuleProps): events.Rule { - return this.executeChangeSetAction.onStateChange(name, target, options); - } - - /** - * Exists to implement IAction - */ - public get actionProperties(): codepipeline.ActionProperties { - return this.executeChangeSetAction.actionProperties; - } -} - -function roleFromPlaceholderArn(scope: Construct, region: string | undefined, - account: string | undefined, arn: string): iam.IRole; -function roleFromPlaceholderArn(scope: Construct, region: string | undefined, - account: string | undefined, arn: string | undefined): iam.IRole | undefined; -function roleFromPlaceholderArn(scope: Construct, region: string | undefined, - account: string | undefined, arn: string | undefined): iam.IRole | undefined { - - if (!arn) { return undefined; } - - // Use placeholdered arn as construct ID. - const id = arn; - - // https://github.com/aws/aws-cdk/issues/7255 - let existingRole = Node.of(scope).tryFindChild(`ImmutableRole${id}`) as iam.IRole; - if (existingRole) { return existingRole; } - // For when #7255 is fixed. - existingRole = Node.of(scope).tryFindChild(id) as iam.IRole; - if (existingRole) { return existingRole; } - - const arnToImport = cxapi.EnvironmentPlaceholders.replace(arn, { - region: region ?? Aws.REGION, - accountId: account ?? Aws.ACCOUNT_ID, - partition: Aws.PARTITION, - }); - return iam.Role.fromRoleArn(scope, id, arnToImport, { mutable: false, addGrantsToResources: true }); -} - -/** - * Options for CdkDeployAction.fromStackArtifact - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface FromStackArtifactOptions { - /** - * The CodePipeline artifact that holds the Cloud Assembly. - */ - readonly cloudAssemblyInput: codepipeline.Artifact; - - /** - * Run order for the 2 actions that will be created - * - * @default 1 - */ - readonly prepareRunOrder?: number; - - /** - * Run order for the Execute action - * - * @default - prepareRunOrder + 1 - */ - readonly executeRunOrder?: number; - - /** - * Artifact to write Stack Outputs to - * - * @default - No outputs - */ - readonly output?: codepipeline.Artifact; - - /** - * Filename in output to write Stack outputs to - * - * @default - Required when 'output' is set - */ - readonly outputFileName?: string; -} - -function isStackArtifact(a: cxapi.CloudArtifact): a is cxapi.CloudFormationStackArtifact { - // instanceof is too risky, and we're at a too late stage to properly fix. - // return a instanceof cxapi.CloudFormationStackArtifact; - return a.constructor.name === 'CloudFormationStackArtifact'; -} - -/** - * Template configuration in a CodePipeline - * - * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-cfn-artifacts.html#w2ab1c13c17c15 - */ -interface TemplateConfiguration { - readonly Parameters?: Record; - readonly Tags?: Record; - readonly StackPolicy?: { - readonly Statements: Array>; - }; -} - -/** - * Write template configuration to the given file - */ -function writeTemplateConfiguration(filename: string, config: TemplateConfiguration) { - fs.writeFileSync(filename, JSON.stringify(config, undefined, 2), { encoding: 'utf-8' }); -} diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/actions/index.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/actions/index.ts deleted file mode 100644 index 834ded93472f2..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/actions/index.ts +++ /dev/null @@ -1,3 +0,0 @@ -export * from './deploy-cdk-stack-action'; -export * from './publish-assets-action'; -export * from './update-pipeline-action'; \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/actions/publish-assets-action.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/actions/publish-assets-action.ts deleted file mode 100644 index 89bd087101972..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/actions/publish-assets-action.ts +++ /dev/null @@ -1,228 +0,0 @@ -import * as fs from 'fs'; -import * as path from 'path'; -import { IDependable, Construct } from 'constructs'; -import * as codebuild from '../../../../aws-codebuild'; -import * as codepipeline from '../../../../aws-codepipeline'; -import * as codepipeline_actions from '../../../../aws-codepipeline-actions'; -import * as ec2 from '../../../../aws-ec2'; -import * as events from '../../../../aws-events'; -import * as iam from '../../../../aws-iam'; -import { ISynthesisSession, Lazy, Stack, attachCustomSynthesis } from '../../../../core'; -import { AssetType } from '../../blueprint/asset-type'; -import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../private/default-codebuild-image'; -import { toPosixPath } from '../../private/fs'; - -/** - * Props for a PublishAssetsAction - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface PublishAssetsActionProps { - /** - * Name of publishing action - */ - readonly actionName: string; - - /** - * The CodePipeline artifact that holds the Cloud Assembly. - */ - readonly cloudAssemblyInput: codepipeline.Artifact; - - /** - * AssetType we're publishing - */ - readonly assetType: AssetType; - - /** - * Version of CDK CLI to 'npm install'. - * - * @default - Latest version - */ - readonly cdkCliVersion?: string; - - /** - * Name of the CodeBuild project - * - * @default - Automatically generated - */ - readonly projectName?: string; - - /** - * Role to use for CodePipeline and CodeBuild to build and publish the assets. - * - * @default - Automatically generated - */ - readonly role?: iam.IRole; - - /** - * Any Dependable construct that the CodeBuild project needs to take a dependency on. - * - * @default - none - */ - readonly dependable?: IDependable; - - /** - * The VPC where to execute the PublishAssetsAction. - * - * @default - No VPC - */ - readonly vpc?: ec2.IVpc; - - /** - * Which subnets to use. - * - * Only used if 'vpc' is supplied. - * - * @default - All private subnets. - */ - readonly subnetSelection?: ec2.SubnetSelection; - - /** - * Custom BuildSpec that is merged with generated one - * - * @default - none - */ - readonly buildSpec?: codebuild.BuildSpec; - - /** - * Use a file buildspec written to the cloud assembly instead of an inline buildspec. - * This prevents size limitation errors as inline specs have a max length of 25600 characters - * - * @default false - */ - readonly createBuildspecFile?: boolean; - - /** - * Additional commands to run before installing cdk-assert - * Use this to setup proxies or npm mirrors - * - * @default - - */ - readonly preInstallCommands?: string[]; -} - -/** - * Action to publish an asset in the pipeline - * - * Creates a CodeBuild project which will use the CDK CLI - * to prepare and publish the asset. - * - * You do not need to instantiate this action -- it will automatically - * be added by the pipeline when you add stacks that use assets. - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export class PublishAssetsAction extends Construct implements codepipeline.IAction { - private readonly action: codepipeline.IAction; - private readonly commands = new Array(); - - private readonly buildSpec: codebuild.BuildSpec; - - constructor(scope: Construct, id: string, private readonly props: PublishAssetsActionProps) { - super(scope, id); - - const installSuffix = props.cdkCliVersion ? `@${props.cdkCliVersion}` : ''; - const installCommand = `npm install -g cdk-assets${installSuffix}`; - - const buildSpec = codebuild.BuildSpec.fromObject({ - version: '0.2', - phases: { - install: { - commands: props.preInstallCommands ? [...props.preInstallCommands, installCommand] : installCommand, - }, - build: { - commands: Lazy.list({ produce: () => this.commands }), - }, - }, - }); - this.buildSpec = props.buildSpec ? codebuild.mergeBuildSpecs(props.buildSpec, buildSpec) : buildSpec; - - const project = new codebuild.PipelineProject(this, 'Default', { - projectName: this.props.projectName, - environment: { - buildImage: CDKP_DEFAULT_CODEBUILD_IMAGE, - privileged: (props.assetType === AssetType.DOCKER_IMAGE) ? true : undefined, - }, - vpc: props.vpc, - subnetSelection: props.subnetSelection, - buildSpec: props.createBuildspecFile ? codebuild.BuildSpec.fromSourceFilename(this.getBuildSpecFileName()) : this.buildSpec, - role: props.role, - }); - - if (props.dependable) { - project.node.addDependency(props.dependable); - } - - this.action = new codepipeline_actions.CodeBuildAction({ - actionName: props.actionName, - project, - input: this.props.cloudAssemblyInput, - role: props.role, - // Add this purely so that the pipeline will selfupdate if the CLI version changes - environmentVariables: props.cdkCliVersion ? { - CDK_CLI_VERSION: { value: props.cdkCliVersion }, - } : undefined, - }); - - attachCustomSynthesis(this, { - onSynthesize: this._onSynth.bind(this), - }); - } - - private getBuildSpecFileName(): string { - return `buildspec-assets-${this.node.path.replace(new RegExp('/', 'g'), '-')}.yaml`; - } - - private _onSynth(session: ISynthesisSession): void { - if (this.props.createBuildspecFile) { - const specFile = path.join(session.outdir, this.getBuildSpecFileName()); - fs.writeFileSync(specFile, Stack.of(this).resolve(this.buildSpec.toBuildSpec()), { encoding: 'utf-8' }); - } - } - - /** - * Add a single publishing command - * - * Manifest path should be relative to the root Cloud Assembly. - */ - public addPublishCommand(relativeManifestPath: string, assetSelector: string) { - const command = `cdk-assets --path "${toPosixPath(relativeManifestPath)}" --verbose publish "${assetSelector}"`; - if (!this.commands.includes(command)) { - this.commands.push(command); - } - } - - /** - * Exists to implement IAction - */ - public bind(scope: Construct, stage: codepipeline.IStage, options: codepipeline.ActionBindOptions): - codepipeline.ActionConfig { - return this.action.bind(scope, stage, options); - } - - /** - * Exists to implement IAction - */ - public onStateChange(name: string, target?: events.IRuleTarget, options?: events.RuleProps): events.Rule { - return this.action.onStateChange(name, target, options); - } - - /** - * Exists to implement IAction - */ - public get actionProperties(): codepipeline.ActionProperties { - // FIXME: I have had to make this class a Construct, because: - // - // - It needs access to the Construct tree, because it is going to add a `PipelineProject`. - // - I would have liked to have done that in bind(), however, - // - `actionProperties` (this method) is called BEFORE bind() is called, and by that point I - // don't have the "inner" Action yet to forward the call to. - // - // I've therefore had to construct the inner CodeBuildAction in the constructor, which requires making this - // Action a Construct. - // - // Combined with how non-intuitive it is to make the "StackDeployAction", I feel there is something - // wrong with the Action abstraction here. - return this.action.actionProperties; - } -} diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/actions/update-pipeline-action.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/actions/update-pipeline-action.ts deleted file mode 100644 index 85672ab4a849f..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/actions/update-pipeline-action.ts +++ /dev/null @@ -1,183 +0,0 @@ -import { Construct } from 'constructs'; -import * as codebuild from '../../../../aws-codebuild'; -import * as codepipeline from '../../../../aws-codepipeline'; -import * as cpactions from '../../../../aws-codepipeline-actions'; -import * as events from '../../../../aws-events'; -import * as iam from '../../../../aws-iam'; -import { Stack } from '../../../../core'; -import { dockerCredentialsInstallCommands, DockerCredential, DockerCredentialUsage } from '../../docker-credentials'; -import { embeddedAsmPath } from '../../private/construct-internals'; -import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../private/default-codebuild-image'; - -/** - * Props for the UpdatePipelineAction - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface UpdatePipelineActionProps { - /** - * The CodePipeline artifact that holds the Cloud Assembly. - */ - readonly cloudAssemblyInput: codepipeline.Artifact; - - /** - * Name of the pipeline stack - * - * @deprecated - Use `pipelineStackHierarchicalId` instead. - * @default - none - */ - readonly pipelineStackName?: string; - - /** - * Hierarchical id of the pipeline stack - */ - readonly pipelineStackHierarchicalId: string; - - /** - * Version of CDK CLI to 'npm install'. - * - * @default - Latest version - */ - readonly cdkCliVersion?: string; - - /** - * Name of the CodeBuild project - * - * @default - Automatically generated - */ - readonly projectName?: string; - - /** - * Whether the build step should run in privileged mode. - * - * @default - false - */ - readonly privileged?: boolean; - - /** - * Docker registries and associated credentials necessary during the pipeline - * self-update stage. - * - * @default [] - */ - readonly dockerCredentials?: DockerCredential[]; - - /** - * Custom BuildSpec that is merged with generated one - * - * @default - none - */ - readonly buildSpec?: codebuild.BuildSpec; -} - -/** - * Action to self-mutate the pipeline - * - * Creates a CodeBuild project which will use the CDK CLI - * to deploy the pipeline stack. - * - * You do not need to instantiate this action -- it will automatically - * be added by the pipeline. - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export class UpdatePipelineAction extends Construct implements codepipeline.IAction { - private readonly action: codepipeline.IAction; - - constructor(scope: Construct, id: string, props: UpdatePipelineActionProps) { - super(scope, id); - - const installSuffix = props.cdkCliVersion ? `@${props.cdkCliVersion}` : ''; - - const stackIdentifier = props.pipelineStackHierarchicalId ?? props.pipelineStackName; - const buildSpec = codebuild.BuildSpec.fromObject({ - version: '0.2', - phases: { - install: { - commands: [ - `npm install -g aws-cdk${installSuffix}`, - ...dockerCredentialsInstallCommands(DockerCredentialUsage.SELF_UPDATE, props.dockerCredentials), - ], - }, - build: { - commands: [ - // Cloud Assembly is in *current* directory. - `cdk -a ${embeddedAsmPath(scope)} deploy ${stackIdentifier} --require-approval=never --verbose`, - ], - }, - }, - }); - const selfMutationProject = new codebuild.PipelineProject(this, 'SelfMutation', { - projectName: props.projectName, - environment: { - buildImage: CDKP_DEFAULT_CODEBUILD_IMAGE, - privileged: props.privileged ?? false, - }, - buildSpec: props.buildSpec ? codebuild.mergeBuildSpecs(props.buildSpec, buildSpec) : buildSpec, - }); - - // allow the self-mutating project permissions to assume the bootstrap Action role - selfMutationProject.addToRolePolicy(new iam.PolicyStatement({ - actions: ['sts:AssumeRole'], - resources: [`arn:*:iam::${Stack.of(this).account}:role/*`], - conditions: { - 'ForAnyValue:StringEquals': { - 'iam:ResourceTag/aws-cdk:bootstrap-role': ['image-publishing', 'file-publishing', 'deploy'], - }, - }, - })); - selfMutationProject.addToRolePolicy(new iam.PolicyStatement({ - actions: ['cloudformation:DescribeStacks'], - resources: ['*'], // this is needed to check the status of the bootstrap stack when doing `cdk deploy` - })); - // S3 checks for the presence of the ListBucket permission - selfMutationProject.addToRolePolicy(new iam.PolicyStatement({ - actions: ['s3:ListBucket'], - resources: ['*'], - })); - (props.dockerCredentials ?? []).forEach(reg => reg.grantRead(selfMutationProject, DockerCredentialUsage.SELF_UPDATE)); - - this.action = new cpactions.CodeBuildAction({ - actionName: 'SelfMutate', - input: props.cloudAssemblyInput, - project: selfMutationProject, - // Add this purely so that the pipeline will selfupdate if the CLI version changes - environmentVariables: props.cdkCliVersion ? { - CDK_CLI_VERSION: { value: props.cdkCliVersion }, - } : undefined, - }); - } - - /** - * Exists to implement IAction - */ - public bind(scope: Construct, stage: codepipeline.IStage, options: codepipeline.ActionBindOptions): codepipeline.ActionConfig { - return this.action.bind(scope, stage, options); - } - - /** - * Exists to implement IAction - */ - public onStateChange(name: string, target?: events.IRuleTarget, options?: events.RuleProps): events.Rule { - return this.action.onStateChange(name, target, options); - } - - /** - * Exists to implement IAction - */ - public get actionProperties(): codepipeline.ActionProperties { - // FIXME: I have had to make this class a Construct, because: - // - // - It needs access to the Construct tree, because it is going to add a `PipelineProject`. - // - I would have liked to have done that in bind(), however, - // - `actionProperties` (this method) is called BEFORE bind() is called, and by that point I - // don't have the "inner" Action yet to forward the call to. - // - // I've therefore had to construct the inner CodeBuildAction in the constructor, which requires making this - // Action a Construct. - // - // Combined with how non-intuitive it is to make the "StackDeployAction", I feel there is something - // wrong with the Action abstraction here. - return this.action.actionProperties; - } -} diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/index.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/index.ts deleted file mode 100644 index ca2b108fcb0d8..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/index.ts +++ /dev/null @@ -1,5 +0,0 @@ -export * from './pipeline'; -export * from './stage'; -export * from './synths'; -export * from './actions'; -export * from './validation'; diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/pipeline.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/pipeline.ts deleted file mode 100644 index ea87b74b2f4de..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/pipeline.ts +++ /dev/null @@ -1,624 +0,0 @@ -import * as path from 'path'; -import { Construct } from 'constructs'; -import { DeployCdkStackAction, PublishAssetsAction, UpdatePipelineAction } from './actions'; -import { AddStageOptions, AssetPublishingCommand, BaseStageOptions, CdkStage, StackOutput } from './stage'; -import { SimpleSynthAction } from './synths'; -import * as codebuild from '../../../aws-codebuild'; -import * as codepipeline from '../../../aws-codepipeline'; -import * as ec2 from '../../../aws-ec2'; -import * as iam from '../../../aws-iam'; -import { Annotations, App, CfnOutput, PhysicalName, Stack, Stage } from '../../../core'; -import { AssetType } from '../blueprint/asset-type'; -import { dockerCredentialsInstallCommands, DockerCredential, DockerCredentialUsage } from '../docker-credentials'; -import { ApplicationSecurityCheck } from '../private/application-security-check'; -import { AssetSingletonRole } from '../private/asset-singleton-role'; -import { CachedFnSub } from '../private/cached-fnsub'; -import { preferredCliVersion } from '../private/cli-version'; -import { appOf, assemblyBuilderOf } from '../private/construct-internals'; - -const CODE_BUILD_LENGTH_LIMIT = 100; -/** - * Properties for a CdkPipeline - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface CdkPipelineProps { - /** - * The CodePipeline action used to retrieve the CDK app's source - * - * @default - Required unless `codePipeline` is given - */ - readonly sourceAction?: codepipeline.IAction; - - /** - * The CodePipeline action build and synthesis step of the CDK app - * - * @default - Required unless `codePipeline` or `sourceAction` is given - */ - readonly synthAction?: codepipeline.IAction; - - /** - * The artifact you have defined to be the artifact to hold the cloudAssemblyArtifact for the synth action - */ - readonly cloudAssemblyArtifact: codepipeline.Artifact; - - /** - * Existing CodePipeline to add deployment stages to - * - * Use this if you want more control over the CodePipeline that gets created. - * You can choose to not pass this value, in which case a new CodePipeline is - * created with default settings. - * - * If you pass an existing CodePipeline, it should have been created - * with `restartExecutionOnUpdate: true`. - * - * [disable-awslint:ref-via-interface] - * - * @default - A new CodePipeline is automatically generated - */ - readonly codePipeline?: codepipeline.Pipeline; - - /** - * Name of the pipeline - * - * Can only be set if `codePipeline` is not set. - * - * @default - A name is automatically generated - */ - readonly pipelineName?: string; - - /** - * Create KMS keys for cross-account deployments - * - * This controls whether the pipeline is enabled for cross-account deployments. - * - * Can only be set if `codePipeline` is not set. - * - * By default cross-account deployments are enabled, but this feature requires - * that KMS Customer Master Keys are created which have a cost of $1/month. - * - * If you do not need cross-account deployments, you can set this to `false` to - * not create those keys and save on that cost (the artifact bucket will be - * encrypted with an AWS-managed key). However, cross-account deployments will - * no longer be possible. - * - * @default true - */ - readonly crossAccountKeys?: boolean; - // @deprecated(v2): switch to default false - - /** - * Enables KMS key rotation for cross-account keys. - * - * Cannot be set if `crossAccountKeys` was set to `false`. - * - * Key rotation costs $1/month when enabled. - * - * @default - false (key rotation is disabled) - */ - readonly enableKeyRotation?: boolean; - - /** - * CDK CLI version to use in pipeline - * - * Some Actions in the pipeline will download and run a version of the CDK - * CLI. Specify the version here. - * - * @default - Latest version - */ - readonly cdkCliVersion?: string; - - /** - * The VPC where to execute the CdkPipeline actions. - * - * @default - No VPC - */ - readonly vpc?: ec2.IVpc; - - /** - * Which subnets to use. - * - * Only used if 'vpc' is supplied. - * - * @default - All private subnets. - */ - readonly subnetSelection?: ec2.SubnetSelection; - - /** - * Whether the pipeline will update itself - * - * This needs to be set to `true` to allow the pipeline to reconfigure - * itself when assets or stages are being added to it, and `true` is the - * recommended setting. - * - * You can temporarily set this to `false` while you are iterating - * on the pipeline itself and prefer to deploy changes using `cdk deploy`. - * - * @default true - */ - readonly selfMutating?: boolean; - - /** - * Custom BuildSpec that is merged with generated one (for self-mutation stage) - * - * @default - none - */ - readonly selfMutationBuildSpec?: codebuild.BuildSpec; - - /** - * Whether this pipeline creates one asset upload action per asset type or one asset upload per asset - * - * @default false - */ - readonly singlePublisherPerType?: boolean; - - /** - * Additional commands to run before installing cdk-assets during the asset publishing step - * Use this to setup proxies or npm mirrors - * - * @default - - */ - readonly assetPreInstallCommands?: string[]; - - /** - * Custom BuildSpec that is merged with generated one (for asset publishing actions) - * - * @default - none - */ - readonly assetBuildSpec?: codebuild.BuildSpec; - - /** - * Whether the pipeline needs to build Docker images in the UpdatePipeline stage. - * - * If the UpdatePipeline stage tries to build a Docker image and this flag is not - * set to `true`, the build step will run in non-privileged mode and consequently - * will fail with a message like: - * - * > Cannot connect to the Docker daemon at unix:///var/run/docker.sock. - * > Is the docker daemon running? - * - * This flag has an effect only if `selfMutating` is also `true`. - * - * @default - false - */ - readonly supportDockerAssets?: boolean; - - /** - * A list of credentials used to authenticate to Docker registries. - * - * Specify any credentials necessary within the pipeline to build, synth, update, or publish assets. - * - * @default [] - */ - readonly dockerCredentials?: DockerCredential[]; -} - -/** - * A Pipeline to deploy CDK apps - * - * Defines an AWS CodePipeline-based Pipeline to deploy CDK applications. - * - * Automatically manages the following: - * - * - Stack dependency order. - * - Asset publishing. - * - Keeping the pipeline up-to-date as the CDK apps change. - * - Using stack outputs later on in the pipeline. - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export class CdkPipeline extends Construct { - private readonly _pipeline: codepipeline.Pipeline; - private readonly _assets: AssetPublishing; - private readonly _stages: CdkStage[] = []; - private readonly _outputArtifacts: Record = {}; - private readonly _cloudAssemblyArtifact: codepipeline.Artifact; - private readonly _dockerCredentials: DockerCredential[]; - private _applicationSecurityCheck?: ApplicationSecurityCheck; - private readonly cliVersion?: string; - - constructor(scope: Construct, id: string, props: CdkPipelineProps) { - super(scope, id); - this.cliVersion = props.cdkCliVersion ?? preferredCliVersion(); - - if (!App.isApp(this.node.root)) { - throw new Error('CdkPipeline must be created under an App'); - } - - this._cloudAssemblyArtifact = props.cloudAssemblyArtifact; - this._dockerCredentials = props.dockerCredentials ?? []; - const pipelineStack = Stack.of(this); - - if (props.codePipeline) { - if (props.pipelineName) { - throw new Error('Cannot set \'pipelineName\' if an existing CodePipeline is given using \'codePipeline\''); - } - if (props.crossAccountKeys !== undefined) { - throw new Error('Cannot set \'crossAccountKeys\' if an existing CodePipeline is given using \'codePipeline\''); - } - if (props.enableKeyRotation !== undefined) { - throw new Error('Cannot set \'enableKeyRotation\' if an existing CodePipeline is given using \'codePipeline\''); - } - - this._pipeline = props.codePipeline; - } else { - this._pipeline = new codepipeline.Pipeline(this, 'Pipeline', { - pipelineName: props.pipelineName, - crossAccountKeys: props.crossAccountKeys, - enableKeyRotation: props.enableKeyRotation, - restartExecutionOnUpdate: true, - }); - } - - if (props.sourceAction && !props.synthAction) { - // Because of ordering limitations, you can: bring your own Source, bring your own - // Both, or bring your own Nothing. You cannot bring your own Build (which because of the - // current CodePipeline API must go BEFORE what we're adding) and then having us add a - // Source after it. That doesn't make any sense. - throw new Error('When passing a \'sourceAction\' you must also pass a \'synthAction\' (or a \'codePipeline\' that already has both)'); - } - if (!props.sourceAction && (!props.codePipeline || props.codePipeline.stages.length < 1)) { - throw new Error('You must pass a \'sourceAction\' (or a \'codePipeline\' that already has a Source stage)'); - } - - if (props.sourceAction) { - this._pipeline.addStage({ - stageName: 'Source', - actions: [props.sourceAction], - }); - } - - if (props.synthAction) { - if (props.synthAction instanceof SimpleSynthAction && this._dockerCredentials.length > 0) { - props.synthAction._addDockerCredentials(this._dockerCredentials); - } - - this._pipeline.addStage({ - stageName: 'Build', - actions: [props.synthAction], - }); - } - - if (props.selfMutating ?? true) { - this._pipeline.addStage({ - stageName: 'UpdatePipeline', - actions: [new UpdatePipelineAction(this, 'UpdatePipeline', { - cloudAssemblyInput: this._cloudAssemblyArtifact, - pipelineStackHierarchicalId: pipelineStack.node.path, - cdkCliVersion: this.cliVersion, - projectName: maybeSuffix(props.pipelineName, '-selfupdate'), - privileged: props.supportDockerAssets, - dockerCredentials: this._dockerCredentials, - buildSpec: props.selfMutationBuildSpec, - })], - }); - } - - this._assets = new AssetPublishing(this, 'Assets', { - cloudAssemblyInput: this._cloudAssemblyArtifact, - cdkCliVersion: this.cliVersion, - pipeline: this._pipeline, - projectName: maybeSuffix(props.pipelineName, '-publish'), - vpc: props.vpc, - subnetSelection: props.subnetSelection, - singlePublisherPerType: props.singlePublisherPerType, - preInstallCommands: props.assetPreInstallCommands, - buildSpec: props.assetBuildSpec, - dockerCredentials: this._dockerCredentials, - }); - - this.node.addValidation({ validate: () => this.validatePipeline() }); - } - - /** - * The underlying CodePipeline object - * - * You can use this to add more Stages to the pipeline, or Actions - * to Stages. - */ - public get codePipeline(): codepipeline.Pipeline { - return this._pipeline; - } - - /** - * Access one of the pipeline's stages by stage name - * - * You can use this to add more Actions to a stage. - */ - public stage(stageName: string): codepipeline.IStage { - return this._pipeline.stage(stageName); - } - - /** - * Get a cached version of an Application Security Check, which consists of: - * - CodeBuild Project to check for security changes in a stage - * - Lambda Function that approves the manual approval if no security changes are detected - * - * @internal - */ - public _getApplicationSecurityCheck(): ApplicationSecurityCheck { - if (!this._applicationSecurityCheck) { - this._applicationSecurityCheck = new ApplicationSecurityCheck(this, 'PipelineApplicationSecurityCheck', { - codePipeline: this._pipeline, - }); - } - return this._applicationSecurityCheck; - } - - /** - * Add pipeline stage that will deploy the given application stage - * - * The application construct should subclass `Stage` and can contain any - * number of `Stacks` inside it that may have dependency relationships - * on one another. - * - * All stacks in the application will be deployed in the appropriate order, - * and all assets found in the application will be added to the asset - * publishing stage. - */ - public addApplicationStage(appStage: Stage, options: AddStageOptions = {}): CdkStage { - const stage = this.addStage(appStage.stageName, options); - stage.addApplication(appStage, options); - return stage; - } - - /** - * Add a new, empty stage to the pipeline - * - * Prefer to use `addApplicationStage` if you are intended to deploy a CDK - * application, but you can use this method if you want to add other kinds of - * Actions to a pipeline. - */ - public addStage(stageName: string, options?: BaseStageOptions) { - const pipelineStage = this._pipeline.addStage({ - stageName, - }); - - const stage = new CdkStage(this, stageName, { - cloudAssemblyArtifact: this._cloudAssemblyArtifact, - pipelineStage, - stageName, - host: { - publishAsset: this._assets.addPublishAssetAction.bind(this._assets), - stackOutputArtifact: (artifactId) => this._outputArtifacts[artifactId], - }, - ...options, - }); - this._stages.push(stage); - return stage; - } - - /** - * Get the StackOutput object that holds this CfnOutput's value in this pipeline - * - * `StackOutput` can be used in validation actions later in the pipeline. - */ - public stackOutput(cfnOutput: CfnOutput): StackOutput { - const stack = Stack.of(cfnOutput); - - if (!this._outputArtifacts[stack.artifactId]) { - // We should have stored the ArtifactPath in the map, but its Artifact - // property isn't publicly readable... - const artifactName = `${stack.artifactId}_Outputs`; - const compactName = artifactName.slice(artifactName.length - Math.min(artifactName.length, CODE_BUILD_LENGTH_LIMIT)); - this._outputArtifacts[stack.artifactId] = new codepipeline.Artifact(compactName); - } - - return new StackOutput(this._outputArtifacts[stack.artifactId].atPath('outputs.json'), cfnOutput.logicalId); - } - - /** - * Validate that we don't have any stacks violating dependency order in the pipeline - * - * Our own convenience methods will never generate a pipeline that does that (although - * this is a nice verification), but a user can also add the stacks by hand. - */ - private validatePipeline(): string[] { - const ret = new Array(); - - ret.push(...this.validateDeployOrder()); - ret.push(...this.validateRequestedOutputs()); - - return ret; - } - - /** - * Return all StackDeployActions in an ordered list - */ - private get stackActions(): DeployCdkStackAction[] { - return flatMap(this._pipeline.stages, s => s.actions.filter(isDeployAction)); - } - - private * validateDeployOrder(): IterableIterator { - const stackActions = this.stackActions; - for (const stackAction of stackActions) { - // For every dependency, it must be executed in an action before this one is prepared. - for (const depId of stackAction.dependencyStackArtifactIds) { - const depAction = stackActions.find(s => s.stackArtifactId === depId); - - if (depAction === undefined) { - Annotations.of(this).addWarningV2('@aws-cdk/pipelines:dependencyOnNonPipelineStack', `Stack '${stackAction.stackName}' depends on stack ` + - `'${depId}', but that dependency is not deployed through the pipeline!`); - } else if (!(depAction.executeRunOrder < stackAction.prepareRunOrder)) { - yield `Stack '${stackAction.stackName}' depends on stack ` + - `'${depAction.stackName}', but is deployed before it in the pipeline!`; - } - } - } - } - - private * validateRequestedOutputs(): IterableIterator { - const artifactIds = this.stackActions.map(s => s.stackArtifactId); - - for (const artifactId of Object.keys(this._outputArtifacts)) { - if (!artifactIds.includes(artifactId)) { - yield `Trying to use outputs for Stack '${artifactId}', but Stack is not deployed in this pipeline. Add it to the pipeline.`; - } - } - } -} - -function isDeployAction(a: codepipeline.IAction): a is DeployCdkStackAction { - return a instanceof DeployCdkStackAction; -} - -function flatMap(xs: A[], f: (x: A) => B[]): B[] { - return Array.prototype.concat([], ...xs.map(f)); -} - -interface AssetPublishingProps { - readonly cloudAssemblyInput: codepipeline.Artifact; - readonly pipeline: codepipeline.Pipeline; - readonly cdkCliVersion?: string; - readonly projectName?: string; - readonly vpc?: ec2.IVpc; - readonly subnetSelection?: ec2.SubnetSelection; - readonly singlePublisherPerType?: boolean; - readonly preInstallCommands?: string[]; - readonly buildSpec?: codebuild.BuildSpec; - readonly dockerCredentials: DockerCredential[]; -} - -/** - * Add appropriate publishing actions to the asset publishing stage - */ -class AssetPublishing extends Construct { - // CodePipelines has a hard limit of 50 actions per stage. See https://github.com/aws/aws-cdk/issues/9353 - private readonly MAX_PUBLISHERS_PER_STAGE = 50; - - private readonly publishers: Record = {}; - private readonly assetRoles: Map = new Map(); - private readonly assetAttachedPolicies: Record = {}; - private readonly myCxAsmRoot: string; - private readonly cachedFnSub = new CachedFnSub(); - - private readonly lastStageBeforePublishing?: codepipeline.IStage; - private readonly stages: codepipeline.IStage[] = []; - private readonly pipeline: codepipeline.Pipeline; - private readonly dockerCredentials: DockerCredential[]; - - private _fileAssetCtr = 0; - private _dockerAssetCtr = 0; - - constructor(scope: Construct, id: string, private readonly props: AssetPublishingProps) { - super(scope, id); - this.myCxAsmRoot = path.resolve(assemblyBuilderOf(appOf(this)).outdir); - - this.pipeline = this.props.pipeline; - // Hacks to get access to the innards of Pipeline - const stages: codepipeline.IStage[] = (this.props.pipeline as any)._stages; - // Any asset publishing stages will be added directly after the last stage that currently exists. - this.lastStageBeforePublishing = stages.slice(-1)[0]; - - this.dockerCredentials = props.dockerCredentials; - } - - /** - * Make sure there is an action in the stage to publish the given asset - * - * Assets are grouped by asset ID (which represent individual assets) so all assets - * are published in parallel. For each assets, all destinations are published sequentially - * so that we can reuse expensive operations between them (mostly: building a Docker image). - */ - public addPublishAssetAction(command: AssetPublishingCommand) { - // FIXME: this is silly, we need the relative path here but no easy way to get it - const relativePath = path.relative(this.myCxAsmRoot, command.assetManifestPath); - - // The path cannot be outside the asm root. I don't really understand how this could ever - // come to pass, but apparently it has (see https://github.com/aws/aws-cdk/issues/9766). - // Add a sanity check here so we can catch it more quickly next time. - if (relativePath.startsWith(`..${path.sep}`)) { - throw new Error(`The asset manifest (${command.assetManifestPath}) cannot be outside the Cloud Assembly directory (${this.myCxAsmRoot}). Please report this error at https://github.com/aws/aws-cdk/issues to help us debug why this is happening.`); - } - - // Late-binding here (rather than in the constructor) to prevent creating the role in cases where no asset actions are created. - const assetRole = this.generateAssetRole(command.assetType); - // The ARNs include raw AWS pseudo parameters (e.g., ${AWS::Partition}), which need to be substituted. - assetRole.addAssumeRole(this.cachedFnSub.fnSub(command.assetPublishingRoleArn)); - const publisherKey = this.props.singlePublisherPerType ? command.assetType.toString() : command.assetId; - - let action = this.publishers[publisherKey]; - if (!action) { - // Dynamically create new stages as needed, with `MAX_PUBLISHERS_PER_STAGE` assets per stage. - const stageIndex = this.props.singlePublisherPerType ? 0 : - Math.floor((this._fileAssetCtr + this._dockerAssetCtr) / this.MAX_PUBLISHERS_PER_STAGE); - - if (!this.props.singlePublisherPerType && stageIndex >= this.stages.length) { - const previousStage = this.stages.slice(-1)[0] ?? this.lastStageBeforePublishing; - this.stages.push(this.pipeline.addStage({ - stageName: `Assets${stageIndex > 0 ? stageIndex + 1 : ''}`, - placement: { justAfter: previousStage }, - })); - } else if (this.props.singlePublisherPerType && this.stages.length == 0) { - this.stages.push(this.pipeline.addStage({ - stageName: 'Assets', - placement: { justAfter: this.lastStageBeforePublishing }, - })); - } - - // The asset ID would be a logical candidate for the construct path and project names, but if the asset - // changes it leads to recreation of a number of Role/Policy/Project resources which is slower than - // necessary. Number sequentially instead. - // - // FIXME: The ultimate best solution is probably to generate a single Project per asset type - // and reuse that for all assets. - const id = this.props.singlePublisherPerType ? - command.assetType === AssetType.FILE ? 'FileAsset' : 'DockerAsset' : - command.assetType === AssetType.FILE ? `FileAsset${++this._fileAssetCtr}` : `DockerAsset${++this._dockerAssetCtr}`; - - const credsInstallCommands = dockerCredentialsInstallCommands(DockerCredentialUsage.ASSET_PUBLISHING, this.dockerCredentials); - - // NOTE: It's important that asset changes don't force a pipeline self-mutation. - // This can cause an infinite loop of updates (see https://github.com/aws/aws-cdk/issues/9080). - // For that reason, we use the id as the actionName below, rather than the asset hash. - action = this.publishers[publisherKey] = new PublishAssetsAction(this, id, { - actionName: id, - cloudAssemblyInput: this.props.cloudAssemblyInput, - cdkCliVersion: this.props.cdkCliVersion, - assetType: command.assetType, - role: this.assetRoles.get(command.assetType), - dependable: this.assetAttachedPolicies[command.assetType], - vpc: this.props.vpc, - subnetSelection: this.props.subnetSelection, - buildSpec: this.props.buildSpec, - createBuildspecFile: this.props.singlePublisherPerType, - preInstallCommands: [...(this.props.preInstallCommands ?? []), ...credsInstallCommands], - }); - this.stages[stageIndex].addAction(action); - } - - action.addPublishCommand(relativePath, command.assetSelector); - } - - /** - * This role is used by both the CodePipeline build action and related CodeBuild project. Consolidating these two - * roles into one, and re-using across all assets, saves significant size of the final synthesized output. - * Modeled after the CodePipeline role and 'CodePipelineActionRole' roles. - * Generates one role per asset type to separate file and Docker/image-based permissions. - */ - private generateAssetRole(assetType: AssetType) { - const existing = this.assetRoles.get(assetType); - if (existing) { - return existing; - } - - const rolePrefix = assetType === AssetType.DOCKER_IMAGE ? 'Docker' : 'File'; - const assetRole = new AssetSingletonRole(this, `${rolePrefix}Role`, { - roleName: PhysicalName.GENERATE_IF_NEEDED, - assumedBy: new iam.CompositePrincipal(new iam.ServicePrincipal('codebuild.amazonaws.com'), new iam.AccountPrincipal(Stack.of(this).account)), - }); - - // Grant pull access for any ECR registries and secrets that exist - if (assetType === AssetType.DOCKER_IMAGE) { - this.dockerCredentials.forEach(reg => reg.grantRead(assetRole, DockerCredentialUsage.ASSET_PUBLISHING)); - } - - this.assetRoles.set(assetType, assetRole); - return assetRole; - } -} - -function maybeSuffix(x: string | undefined, suffix: string): string | undefined { - if (x === undefined) { return undefined; } - return `${x}${suffix}`; -} diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/stage.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/stage.ts deleted file mode 100644 index 79f224b87e583..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/stage.ts +++ /dev/null @@ -1,586 +0,0 @@ -import { Construct, Node } from 'constructs'; -import { DeployCdkStackAction } from './actions'; -import { CdkPipeline } from './pipeline'; -import * as codebuild from '../../../aws-codebuild'; -import * as codepipeline from '../../../aws-codepipeline'; -import * as cpactions from '../../../aws-codepipeline-actions'; -import { CodeBuildAction } from '../../../aws-codepipeline-actions'; -import * as sns from '../../../aws-sns'; -import { Stage, Aspects } from '../../../core'; -import * as cxapi from '../../../cx-api'; -import { AssetType } from '../blueprint/asset-type'; -import { ApplicationSecurityCheck } from '../private/application-security-check'; -import { AssetManifestReader, DockerImageManifestEntry, FileManifestEntry } from '../private/asset-manifest'; -import { pipelineSynth } from '../private/construct-internals'; -import { topologicalSort } from '../private/toposort'; - -/** - * Construction properties for a CdkStage - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface CdkStageProps { - /** - * Name of the stage that should be created - */ - readonly stageName: string; - - /** - * The underlying Pipeline Stage associated with thisCdkStage - */ - readonly pipelineStage: codepipeline.IStage; - - /** - * The CodePipeline Artifact with the Cloud Assembly - */ - readonly cloudAssemblyArtifact: codepipeline.Artifact; - - /** - * Features the Stage needs from its environment - */ - readonly host: IStageHost; - - /** - * Run a security check before every application prepare/deploy actions. - * - * Note: Stage level security check can be overriden per application as follows: - * `stage.addApplication(app, { confirmBroadeningPermissions: false })` - * - * @default false - */ - readonly confirmBroadeningPermissions?: boolean; - - /** - * Optional SNS topic to send notifications to when any security check registers - * changes within a application. - * - * Note: The Stage Notification Topic can be overriden per application as follows: - * `stage.addApplication(app, { securityNotificationTopic: newTopic })` - * - * @default undefined no stage level notification topic - */ - readonly securityNotificationTopic?: sns.ITopic; -} - -/** - * Stage in a CdkPipeline - * - * You don't need to instantiate this class directly. Use - * `cdkPipeline.addStage()` instead. - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export class CdkStage extends Construct { - private _nextSequentialRunOrder = 1; // Must start at 1 eh - private _manualApprovalCounter = 1; - private readonly pipelineStage: codepipeline.IStage; - private readonly cloudAssemblyArtifact: codepipeline.Artifact; - private readonly stacksToDeploy = new Array(); - private readonly stageName: string; - private readonly host: IStageHost; - private readonly confirmBroadeningPermissions: boolean; - private readonly pipeline?: CdkPipeline; - private readonly securityNotificationTopic?: sns.ITopic; - private _applicationSecurityCheck?: ApplicationSecurityCheck; - private _prepared = false; - - constructor(scope: Construct, id: string, props: CdkStageProps) { - super(scope, id); - - if (scope instanceof CdkPipeline) { - this.pipeline = scope; - } - - this.stageName = props.stageName; - this.pipelineStage = props.pipelineStage; - this.cloudAssemblyArtifact = props.cloudAssemblyArtifact; - this.host = props.host; - this.confirmBroadeningPermissions = props.confirmBroadeningPermissions ?? false; - this.securityNotificationTopic = props.securityNotificationTopic; - - Aspects.of(this).add({ visit: () => this.prepareStage() }); - } - - /** - * Add all stacks in the application Stage to this stage - * - * The application construct should subclass `Stage` and can contain any - * number of `Stacks` inside it that may have dependency relationships - * on one another. - * - * All stacks in the application will be deployed in the appropriate order, - * and all assets found in the application will be added to the asset - * publishing stage. - */ - public addApplication(appStage: Stage, options: AddStageOptions = {}) { - const asm = pipelineSynth(appStage); - const extraRunOrderSpace = options.extraRunOrderSpace ?? 0; - - if (options.confirmBroadeningPermissions ?? this.confirmBroadeningPermissions) { - this.addSecurityCheck(appStage, options); - } - - if (asm.stacks.length === 0) { - // If we don't check here, a more puzzling "stage contains no actions" - // error will be thrown come deployment time. - throw new Error(`The given Stage construct ('${appStage.node.path}') should contain at least one Stack`); - } - - const sortedTranches = topologicalSort(asm.stacks, - stack => stack.id, - stack => stack.dependencies.map(d => d.id)); - - for (const stacks of sortedTranches) { - const runOrder = this.nextSequentialRunOrder(extraRunOrderSpace + 2); // 2 actions for Prepare/Execute ChangeSet - let executeRunOrder = runOrder + extraRunOrderSpace + 1; - - // If we need to insert a manual approval action, then what's the executeRunOrder - // now is where we add a manual approval step, and we allocate 1 more runOrder - // for the execute. - if (options.manualApprovals) { - this.addManualApprovalAction({ runOrder: runOrder + 1 }); - executeRunOrder = this.nextSequentialRunOrder(); - } - - // These don't have a dependency on each other, so can all be added in parallel - for (const stack of stacks) { - this.addStackArtifactDeployment(stack, { runOrder, executeRunOrder }); - } - } - } - - /** - * Get a cached version of an ApplicationSecurityCheck, which consists of: - * - CodeBuild Project to check for security changes in a stage - * - Lambda Function that approves the manual approval if no security changes are detected - * - * The ApplicationSecurityCheck is cached from the pipeline **if** this stage is scoped - * to a CDK Pipeline. If this stage **is not** scoped to a pipeline, create an ApplicationSecurityCheck - * scoped to the stage itself. - * - * @internal - */ - private getApplicationSecurityCheck(): ApplicationSecurityCheck { - if (this._applicationSecurityCheck) { - return this._applicationSecurityCheck; - } - - this._applicationSecurityCheck = this.pipeline - ? this.pipeline._getApplicationSecurityCheck() - : new ApplicationSecurityCheck(this, 'StageApplicationSecurityCheck', { - codePipeline: this.pipelineStage.pipeline as codepipeline.Pipeline, - }); - return this._applicationSecurityCheck; - } - - /** - * Add a deployment action based on a stack artifact - */ - public addStackArtifactDeployment(stackArtifact: cxapi.CloudFormationStackArtifact, options: AddStackOptions = {}) { - // Get all assets manifests and add the assets in 'em to the asset publishing stage. - this.publishAssetDependencies(stackArtifact); - - // Remember for later, see 'prepare()' - // We know that deploying a stack is going to take up 2 runorder slots later on. - const runOrder = options.runOrder ?? this.nextSequentialRunOrder(2); - const executeRunOrder = options.executeRunOrder ?? runOrder + 1; - this.stacksToDeploy.push({ - prepareRunOrder: runOrder, - executeRunOrder, - stackArtifact, - }); - - this.advanceRunOrderPast(runOrder); - this.advanceRunOrderPast(executeRunOrder); - } - - /** - * Add a manual approval action - * - * If you need more flexibility than what this method offers, - * use `addAction` with a `ManualApprovalAction`. - */ - public addManualApprovalAction(options: AddManualApprovalOptions = {}) { - let actionName = options.actionName; - if (!actionName) { - actionName = `ManualApproval${this._manualApprovalCounter > 1 ? this._manualApprovalCounter : ''}`; - this._manualApprovalCounter += 1; - } - - this.addActions(new cpactions.ManualApprovalAction({ - actionName, - runOrder: options.runOrder ?? this.nextSequentialRunOrder(), - })); - } - - /** - * Add one or more CodePipeline Actions - * - * You need to make sure it is created with the right runOrder. Call `nextSequentialRunOrder()` - * for every action to get actions to execute in sequence. - */ - public addActions(...actions: codepipeline.IAction[]) { - for (const action of actions) { - this.pipelineStage.addAction(action); - } - } - - /** - * Return the runOrder number necessary to run the next Action in sequence with the rest - * - * FIXME: This is here because Actions are immutable and can't be reordered - * after creation, nor is there a way to specify relative priorities, which - * is a limitation that we should take away in the base library. - */ - public nextSequentialRunOrder(count: number = 1): number { - const ret = this._nextSequentialRunOrder; - this._nextSequentialRunOrder += count; - return ret; - } - - /** - * Whether this Stage contains an action to deploy the given stack, identified by its artifact ID - */ - public deploysStack(artifactId: string) { - return this.stacksToDeploy.map(s => s.stackArtifact.id).includes(artifactId); - } - - /** - * Actually add all the DeployStack actions to the stage. - * - * We do this late because before we can render the actual DeployActions, - * we need to know whether or not we need to capture the stack outputs. - * - * FIXME: This is here because Actions are immutable and can't be reordered - * after creation, nor is there a way to specify relative priorities, which - * is a limitation that we should take away in the base library. - */ - private prepareStage() { - // FIXME: Make sure this only gets run once. There seems to be an issue in the reconciliation - // loop that may trigger this more than once if it throws an error somewhere, and the exception - // that gets thrown here will then override the actual failure. - if (this._prepared) { return; } - this._prepared = true; - - for (const { prepareRunOrder, stackArtifact, executeRunOrder } of this.stacksToDeploy) { - const artifact = this.host.stackOutputArtifact(stackArtifact.id); - - this.pipelineStage.addAction(DeployCdkStackAction.fromStackArtifact(this, stackArtifact, { - baseActionName: this.simplifyStackName(stackArtifact.stackName), - cloudAssemblyInput: this.cloudAssemblyArtifact, - output: artifact, - outputFileName: artifact ? 'outputs.json' : undefined, - prepareRunOrder, - executeRunOrder, - })); - } - } - - /** - * Advance the runorder counter so that the next sequential number is higher than the given one - */ - private advanceRunOrderPast(lastUsed: number) { - this._nextSequentialRunOrder = Math.max(lastUsed + 1, this._nextSequentialRunOrder); - } - - /** - * Simplify the stack name by removing the `Stage-` prefix if it exists. - */ - private simplifyStackName(s: string) { - return stripPrefix(s, `${this.stageName}-`); - } - - /** - * Add a security check before the prepare/deploy actions of an CDK stage. - * The security check consists of two actions: - * - CodeBuild Action to check for security changes in a stage - * - Manual Approval Action that is auto approved via a Lambda if no security changes detected - */ - private addSecurityCheck(appStage: Stage, options?: BaseStageOptions) { - const { cdkDiffProject } = this.getApplicationSecurityCheck(); - const notificationTopic: sns.ITopic | undefined = options?.securityNotificationTopic ?? this.securityNotificationTopic; - notificationTopic?.grantPublish(cdkDiffProject); - - const appStageName = appStage.stageName; - const approveActionName = `${appStageName}ManualApproval`; - const diffAction = new CodeBuildAction({ - runOrder: this.nextSequentialRunOrder(), - actionName: `${appStageName}SecurityCheck`, - input: this.cloudAssemblyArtifact, - project: cdkDiffProject, - variablesNamespace: `${appStageName}SecurityCheck`, - environmentVariables: { - STAGE_PATH: { - value: Node.of(appStage).path, - type: codebuild.BuildEnvironmentVariableType.PLAINTEXT, - }, - STAGE_NAME: { - value: this.stageName, - type: codebuild.BuildEnvironmentVariableType.PLAINTEXT, - }, - ACTION_NAME: { - value: approveActionName, - type: codebuild.BuildEnvironmentVariableType.PLAINTEXT, - }, - ...notificationTopic ? { - NOTIFICATION_ARN: { - value: notificationTopic.topicArn, - type: codebuild.BuildEnvironmentVariableType.PLAINTEXT, - }, - NOTIFICATION_SUBJECT: { - value: `Confirm permission broadening in ${appStageName}`, - type: codebuild.BuildEnvironmentVariableType.PLAINTEXT, - }, - } : {}, - }, - }); - - const approve = new cpactions.ManualApprovalAction({ - actionName: approveActionName, - runOrder: this.nextSequentialRunOrder(), - additionalInformation: `#{${appStageName}SecurityCheck.MESSAGE}`, - externalEntityLink: `#{${appStageName}SecurityCheck.LINK}`, - }); - - this.addActions(diffAction, approve); - } - - /** - * Make sure all assets depended on by this stack are published in this pipeline - * - * Taking care to exclude the stack template itself -- it is being published - * as an asset because the CLI needs to know the asset publishing role when - * pushing the template to S3, but in the case of CodePipeline we always - * reference the template from the artifact bucket. - * - * (NOTE: this is only true for top-level stacks, not nested stacks. Nested - * Stack templates are always published as assets). - */ - private publishAssetDependencies(stackArtifact: cxapi.CloudFormationStackArtifact) { - const assetManifests = stackArtifact.dependencies.filter(isAssetManifest); - - for (const manifestArtifact of assetManifests) { - const manifest = AssetManifestReader.fromFile(manifestArtifact.file); - - for (const entry of manifest.entries) { - let assetType: AssetType; - if (entry instanceof DockerImageManifestEntry) { - assetType = AssetType.DOCKER_IMAGE; - } else if (entry instanceof FileManifestEntry) { - // Don't publish the template for this stack - if (entry.source.packaging === 'file' && entry.source.path === stackArtifact.templateFile) { - continue; - } - - assetType = AssetType.FILE; - } else { - throw new Error(`Unrecognized asset type: ${entry.type}`); - } - - if (!entry.destination.assumeRoleArn) { - throw new Error('assumeRoleArn is missing on asset and required'); - } - - this.host.publishAsset({ - assetManifestPath: manifestArtifact.file, - assetId: entry.id.assetId, - assetSelector: entry.id.toString(), - assetType, - assetPublishingRoleArn: entry.destination.assumeRoleArn, - }); - } - } - } -} - -/** - * Additional options for adding a stack deployment - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface AddStackOptions { - /** - * Base runorder - * - * @default - Next sequential runorder - */ - readonly runOrder?: number; - - /** - * Base runorder - * - * @default - runOrder + 1 - */ - readonly executeRunOrder?: number; -} - -/** - * A single output of a Stack - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export class StackOutput { - /** - * The artifact and file the output is stored in - */ - public readonly artifactFile: codepipeline.ArtifactPath; - - /** - * The name of the output in the JSON object in the file - */ - public readonly outputName: string; - - /** - * Build a StackOutput from a known artifact and an output name - */ - constructor(artifactFile: codepipeline.ArtifactPath, outputName: string) { - this.artifactFile = artifactFile; - this.outputName = outputName; - } -} - -function stripPrefix(s: string, prefix: string) { - return s.startsWith(prefix) ? s.slice(prefix.length) : s; -} - -function isAssetManifest(s: cxapi.CloudArtifact): s is cxapi.AssetManifestArtifact { - // instanceof is too risky, and we're at a too late stage to properly fix. - // return s instanceof cxapi.AssetManifestArtifact; - return s.constructor.name === 'AssetManifestArtifact'; -} - -/** - * Features that the Stage needs from its environment - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface IStageHost { - /** - * Make sure all the assets from the given manifest are published - */ - publishAsset(command: AssetPublishingCommand): void; - - /** - * Return the Artifact the given stack has to emit its outputs into, if any - */ - stackOutputArtifact(stackArtifactId: string): codepipeline.Artifact | undefined; -} - -/** - * Instructions to publish certain assets - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface AssetPublishingCommand { - /** - * Asset manifest path - */ - readonly assetManifestPath: string; - - /** - * Asset identifier - */ - readonly assetId: string; - - /** - * Asset selector to pass to `cdk-assets`. - */ - readonly assetSelector: string; - - /** - * Type of asset to publish - */ - readonly assetType: AssetType; - - /** - * ARN of the IAM Role used to publish this asset. - */ - readonly assetPublishingRoleArn: string; -} - -/** - * Base options for a pipelines stage - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface BaseStageOptions { - /** - * Runs a `cdk diff --security-only --fail` to pause the pipeline if there - * are any security changes. - * - * If the stage is configured with `confirmBroadeningPermissions` enabled, you can use this - * property to override the stage configuration. For example, Pipeline Stage - * "Prod" has confirmBroadeningPermissions enabled, with applications "A", "B", "C". All three - * applications will run a security check, but if we want to disable the one for "C", - * we run `stage.addApplication(C, { confirmBroadeningPermissions: false })` to override the pipeline - * stage behavior. - * - * Adds 1 to the run order space. - * - * @default false - */ - readonly confirmBroadeningPermissions?: boolean; - /** - * Optional SNS topic to send notifications to when the security check registers - * changes within the application. - * - * @default undefined no notification topic for security check manual approval action - */ - readonly securityNotificationTopic?: sns.ITopic; -} - -/** - * Options for adding an application stage to a pipeline - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface AddStageOptions extends BaseStageOptions { - /** - * Add manual approvals before executing change sets - * - * This gives humans the opportunity to confirm the change set looks alright - * before deploying it. - * - * @default false - */ - readonly manualApprovals?: boolean; - /** - * Add room for extra actions - * - * You can use this to make extra room in the runOrder sequence between the - * changeset 'prepare' and 'execute' actions and insert your own actions there. - * - * @default 0 - */ - readonly extraRunOrderSpace?: number; -} - -/** - * Options for addManualApproval - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface AddManualApprovalOptions { - /** - * The name of the manual approval action - * - * @default 'ManualApproval' with a rolling counter - */ - readonly actionName?: string; - - /** - * The runOrder for this action - * - * @default - The next sequential runOrder - */ - readonly runOrder?: number; -} - -/** - * Queued "deploy stack" command that is reified during prepare() - */ -interface DeployStackCommand { - prepareRunOrder: number; - executeRunOrder: number; - stackArtifact: cxapi.CloudFormationStackArtifact; -} diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/synths/_util.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/synths/_util.ts deleted file mode 100644 index 0a5a34c6f0eaa..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/synths/_util.ts +++ /dev/null @@ -1,15 +0,0 @@ -import * as codebuild from '../../../../aws-codebuild'; - -export function copyEnvironmentVariables(...names: string[]): Record { - const ret: Record = {}; - for (const name of names) { - if (process.env[name]) { - ret[name] = { value: process.env[name] }; - } - } - return ret; -} - -export function filterEmpty(xs: Array): string[] { - return xs.filter(x => x) as any; -} \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/synths/index.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/synths/index.ts deleted file mode 100644 index 4764f7d9647c6..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/synths/index.ts +++ /dev/null @@ -1 +0,0 @@ -export * from './simple-synth-action'; \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/synths/simple-synth-action.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/synths/simple-synth-action.ts deleted file mode 100644 index 8381668962d52..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/synths/simple-synth-action.ts +++ /dev/null @@ -1,591 +0,0 @@ -import * as crypto from 'crypto'; -import * as path from 'path'; -import { Construct } from 'constructs'; -import { copyEnvironmentVariables, filterEmpty } from './_util'; -import * as codebuild from '../../../../aws-codebuild'; -import * as codepipeline from '../../../../aws-codepipeline'; -import * as codepipeline_actions from '../../../../aws-codepipeline-actions'; -import * as ec2 from '../../../../aws-ec2'; -import * as events from '../../../../aws-events'; -import * as iam from '../../../../aws-iam'; -import { Stack } from '../../../../core'; -import { dockerCredentialsInstallCommands, DockerCredential, DockerCredentialUsage } from '../../docker-credentials'; -import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../private/default-codebuild-image'; -import { toPosixPath } from '../../private/fs'; - -const DEFAULT_OUTPUT_DIR = 'cdk.out'; - -/** - * Configuration options for a SimpleSynth - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface SimpleSynthOptions { - /** - * The source artifact of the CodePipeline - */ - readonly sourceArtifact: codepipeline.Artifact; - - /** - * The artifact where the CloudAssembly should be emitted - */ - readonly cloudAssemblyArtifact: codepipeline.Artifact; - - /** - * Environment variables to send into build - * - * NOTE: You may run into the 1000-character limit for the Action configuration if you have a large - * number of variables or if their names or values are very long. - * If you do, pass them to the underlying CodeBuild project directly in `environment` instead. - * However, you will not be able to use CodePipeline Variables in this case. - * - * @default - No additional environment variables - */ - readonly environmentVariables?: Record; - - /** - * Environment variables to copy over from parent env - * - * These are environment variables that are being used by the build. - * - * @default - No environment variables copied - */ - readonly copyEnvironmentVariables?: string[]; - - /** - * Name of the build action - * - * @default 'Synth' - */ - readonly actionName?: string; - - /** - * Name of the CodeBuild project - * - * @default - Automatically generated - */ - readonly projectName?: string; - - /** - * Build environment to use for CodeBuild job - * - * @default BuildEnvironment.LinuxBuildImage.STANDARD_6_0 - */ - readonly environment?: codebuild.BuildEnvironment; - - /** - * Directory inside the source where package.json and cdk.json are located - * - * @default - Repository root - */ - readonly subdirectory?: string; - - /** - * Produce additional output artifacts after the build based on the given directories - * - * Can be used to produce additional artifacts during the build step, - * separate from the cloud assembly, which can be used further on in the - * pipeline. - * - * Directories are evaluated with respect to `subdirectory`. - * - * @default - No additional artifacts generated - */ - readonly additionalArtifacts?: AdditionalArtifact[]; - - /** - * Policy statements to add to role used during the synth - * - * Can be used to add acces to a CodeArtifact repository etc. - * - * @default - No policy statements added to CodeBuild Project Role - */ - readonly rolePolicyStatements?: iam.PolicyStatement[]; - - /** - * The VPC where to execute the SimpleSynth. - * - * @default - No VPC - */ - readonly vpc?: ec2.IVpc; - - /** - * Which subnets to use. - * - * Only used if 'vpc' is supplied. - * - * @default - All private subnets. - */ - readonly subnetSelection?: ec2.SubnetSelection; - - /** - * custom BuildSpec that is merged with the generated one - * - * @default - none - */ - readonly buildSpec?: codebuild.BuildSpec; -} - -/** - * Construction props for SimpleSynthAction - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface SimpleSynthActionProps extends SimpleSynthOptions { - /** - * The synth command - */ - readonly synthCommand: string; - - /** - * The install command - * - * If not provided by the build image or another dependency - * management tool, at least install the CDK CLI here using - * `npm install -g aws-cdk`. - * - * @default - No install required - * @deprecated Use `installCommands` instead - */ - readonly installCommand?: string; - - /** - * The build command - * - * If your programming language requires a compilation step, put the - * compilation command here. - * - * @default - No build required - * @deprecated Use `buildCommands` instead - */ - readonly buildCommand?: string; - - /** - * Install commands - * - * If not provided by the build image or another dependency - * management tool, at least install the CDK CLI here using - * `npm install -g aws-cdk`. - * - * @default - No install required - */ - readonly installCommands?: string[]; - - /** - * The build commands - * - * If your programming language requires a compilation step, put the - * compilation command here. - * - * @default - No build required - */ - readonly buildCommands?: string[]; - - /** - * Test commands - * - * These commands are run after the build commands but before the - * synth command. - * - * @default - No test commands - */ - readonly testCommands?: string[]; -} - -/** - * Specification of an additional artifact to generate - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface AdditionalArtifact { - /** - * Directory to be packaged - */ - readonly directory: string; - - /** - * Artifact to represent the build directory in the pipeline - */ - readonly artifact: codepipeline.Artifact; -} - -/** - * A standard synth with a generated buildspec - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export class SimpleSynthAction implements codepipeline.IAction, iam.IGrantable { - - /** - * Create a standard NPM synth action - * - * Uses `npm ci` to install dependencies and `npx cdk synth` to synthesize. - * - * If you need a build step, add `buildCommand: 'npm run build'`. - */ - public static standardNpmSynth(options: StandardNpmSynthOptions) { - return new SimpleSynthAction({ - ...options, - installCommand: options.installCommand ?? 'npm ci', - synthCommand: options.synthCommand ?? 'npx cdk synth', - vpc: options.vpc, - subnetSelection: options.subnetSelection, - environment: { - ...options.environment, - environmentVariables: { - // Need this in case the CDK CLI is not in the 'package.json' of the project, - // and 'npx' is going to download it; without this setting, 'npx' will not properly - // install the package into the root user's home directory - NPM_CONFIG_UNSAFE_PERM: { value: 'true' }, - ...options.environment?.environmentVariables, - }, - }, - }); - } - - /** - * Create a standard Yarn synth action - * - * Uses `yarn install --frozen-lockfile` to install dependencies and `npx cdk synth` to synthesize. - * - * If you need a build step, add `buildCommand: 'yarn build'`. - */ - public static standardYarnSynth(options: StandardYarnSynthOptions) { - return new SimpleSynthAction({ - ...options, - installCommand: options.installCommand ?? 'yarn install --frozen-lockfile', - synthCommand: options.synthCommand ?? 'npx cdk synth', - vpc: options.vpc, - subnetSelection: options.subnetSelection, - environment: { - ...options.environment, - environmentVariables: { - // Need this in case the CDK CLI is not in the 'package.json' of the project, - // and 'npx' is going to download it; without this setting, 'npx' will not properly - // install the package into the root user's home directory - NPM_CONFIG_UNSAFE_PERM: { value: 'true' }, - ...options.environment?.environmentVariables, - }, - }, - }); - } - - private _action?: codepipeline_actions.CodeBuildAction; - private _actionProperties: codepipeline.ActionProperties; - private _project?: codebuild.IProject; - private _dockerCredentials?: DockerCredential[]; - - constructor(private readonly props: SimpleSynthActionProps) { - // A number of actionProperties get read before bind() is even called (so before we - // have made the Project and can construct the actual CodeBuildAction) - // - // - actionName - // - resource - // - region - // - category - // - role - // - owner - this._actionProperties = { - actionName: props.actionName ?? 'Synth', - category: codepipeline.ActionCategory.BUILD, - provider: 'CodeBuild', - artifactBounds: { minInputs: 0, maxInputs: 5, minOutputs: 0, maxOutputs: 5 }, - inputs: [props.sourceArtifact], - outputs: [props.cloudAssemblyArtifact, ...(props.additionalArtifacts ?? []).map(a => a.artifact)], - }; - - if (this.props.installCommand && this.props.installCommands) { - throw new Error('Pass either \'installCommand\' or \'installCommands\', but not both'); - } - - if (this.props.buildCommand && this.props.buildCommands) { - throw new Error('Pass either \'buildCommand\' or \'buildCommands\', but not both'); - } - - const addls = props.additionalArtifacts ?? []; - if (Object.keys(addls).length > 0) { - if (!props.cloudAssemblyArtifact.artifactName) { - throw new Error('You must give all output artifacts, including the \'cloudAssemblyArtifact\', names when using \'additionalArtifacts\''); - } - for (const addl of addls) { - if (!addl.artifact.artifactName) { - throw new Error('You must give all output artifacts passed to SimpleSynthAction names when using \'additionalArtifacts\''); - } - } - } - } - - /** - * Exists to implement IAction - */ - public get actionProperties(): codepipeline.ActionProperties { - return this._actionProperties; - } - - /** - * Project generated to run the synth command - */ - public get project(): codebuild.IProject { - if (!this._project) { - throw new Error('Project becomes available after SimpleSynthAction has been bound to a stage'); - } - return this._project; - } - - /** - * Exists to implement IAction - */ - public bind(scope: Construct, stage: codepipeline.IStage, options: codepipeline.ActionBindOptions): codepipeline.ActionConfig { - const buildCommands = this.props.buildCommands ?? [this.props.buildCommand]; - const installCommands = this.props.installCommands ?? [this.props.installCommand]; - const testCommands = this.props.testCommands ?? []; - const synthCommand = this.props.synthCommand; - - const environment = { buildImage: CDKP_DEFAULT_CODEBUILD_IMAGE, ...this.props.environment }; - const osType = (environment.buildImage instanceof codebuild.WindowsBuildImage) - ? ec2.OperatingSystemType.WINDOWS - : ec2.OperatingSystemType.LINUX; - - const buildSpec = codebuild.BuildSpec.fromObject({ - version: '0.2', - phases: { - pre_build: { - commands: filterEmpty([ - this.props.subdirectory ? `cd ${this.props.subdirectory}` : '', - ...installCommands, - ...dockerCredentialsInstallCommands(DockerCredentialUsage.SYNTH, this._dockerCredentials, osType), - ]), - }, - build: { - commands: filterEmpty([ - ...buildCommands, - ...testCommands, - synthCommand, - ]), - }, - }, - artifacts: renderArtifacts(this), - }); - - const environmentVariables = { - ...copyEnvironmentVariables(...this.props.copyEnvironmentVariables || []), - }; - - const mergedBuildSpec = this.props.buildSpec ? codebuild.mergeBuildSpecs(this.props.buildSpec, buildSpec) : buildSpec; - - // A hash over the values that make the CodeBuild Project unique (and necessary - // to restart the pipeline if one of them changes). projectName is not necessary to include - // here because the pipeline will definitely restart if projectName changes. - // (Resolve tokens) - const projectConfigHash = hash(Stack.of(scope).resolve({ - environment: serializeBuildEnvironment(environment), - buildSpecString: mergedBuildSpec.toBuildSpec(), - environmentVariables, - })); - - const project = new codebuild.PipelineProject(scope, 'CdkBuildProject', { - projectName: this.props.projectName, - environment, - vpc: this.props.vpc, - subnetSelection: this.props.subnetSelection, - buildSpec: mergedBuildSpec, - environmentVariables, - }); - - if (this.props.rolePolicyStatements !== undefined) { - this.props.rolePolicyStatements.forEach(policyStatement => { - project.addToRolePolicy(policyStatement); - }); - } - - this._project = project; - - this._dockerCredentials?.forEach(reg => reg.grantRead(project.grantPrincipal, DockerCredentialUsage.SYNTH)); - - this._action = new codepipeline_actions.CodeBuildAction({ - actionName: this.actionProperties.actionName, - input: this.props.sourceArtifact, - outputs: [this.props.cloudAssemblyArtifact, ...(this.props.additionalArtifacts ?? []).map(a => a.artifact)], - - // Inclusion of the hash here will lead to the pipeline structure for any changes - // made the config of the underlying CodeBuild Project. - // Hence, the pipeline will be restarted. This is necessary if the users - // adds (for example) build or test commands to the buildspec. - environmentVariables: { - ...this.props.environmentVariables, - _PROJECT_CONFIG_HASH: { value: projectConfigHash }, - }, - project, - }); - this._actionProperties = this._action.actionProperties; - - return this._action.bind(scope, stage, options); - - function renderArtifacts(self: SimpleSynthAction) { - // save the generated files in the output artifact - // This part of the buildspec has to look completely different depending on whether we're - // using secondary artifacts or not. - - const cloudAsmArtifactSpec = { - 'base-directory': toPosixPath(path.join(self.props.subdirectory ?? '.', DEFAULT_OUTPUT_DIR)), - 'files': '**/*', - }; - - if (self.props.additionalArtifacts) { - const secondary: Record = {}; - if (!self.props.cloudAssemblyArtifact.artifactName) { - throw new Error('When using additional output artifacts, you must also name the CloudAssembly artifact'); - } - secondary[self.props.cloudAssemblyArtifact.artifactName] = cloudAsmArtifactSpec; - self.props.additionalArtifacts.forEach((art) => { - if (!art.artifact.artifactName) { - throw new Error('You must give the output artifact a name'); - } - secondary[art.artifact.artifactName] = { - 'base-directory': toPosixPath(path.join(self.props.subdirectory ?? '.', art.directory)), - 'files': '**/*', - }; - }); - - return { 'secondary-artifacts': secondary }; - } - - return cloudAsmArtifactSpec; - } - } - - /** - * The CodeBuild Project's principal - */ - public get grantPrincipal(): iam.IPrincipal { - return this.project.grantPrincipal; - } - - /** - * Exists to implement IAction - */ - public onStateChange(name: string, target?: events.IRuleTarget, options?: events.RuleProps): events.Rule { - if (!this._action) { - throw new Error('Need bind() first'); - } - - return this._action.onStateChange(name, target, options); - } - - /** - * Associate one or more Docker registries and associated credentials with the synth action. - * This will be used to inject installation commands to set up `cdk-assets`, - * and grant read access to the credentials. - * @internal - */ - public _addDockerCredentials(dockerCredentials: DockerCredential[]) { - this._dockerCredentials = dockerCredentials; - } -} - -/** - * Options for a convention-based synth using NPM - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface StandardNpmSynthOptions extends SimpleSynthOptions { - /** - * The install command - * - * @default 'npm ci' - */ - readonly installCommand?: string; - - /** - * The build command - * - * By default, we assume NPM projects are either written in JavaScript or are - * using `ts-node`, so don't need a build command. - * - * Otherwise, put the build command here, for example `npm run build`. - * - * @default - No build required - */ - readonly buildCommand?: string; - - /** - * The synth command - * - * @default 'npx cdk synth' - */ - readonly synthCommand?: string; - - /** - * Test commands - * - * These commands are run after the build commands but before the - * synth command. - * - * @default - No test commands - */ - readonly testCommands?: string[]; -} - -/** - * Options for a convention-based synth using Yarn - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface StandardYarnSynthOptions extends SimpleSynthOptions { - /** - * The install command - * - * @default 'yarn install --frozen-lockfile' - */ - readonly installCommand?: string; - - /** - * The build command - * - * By default, we assume NPM projects are either written in JavaScript or are - * using `ts-node`, so don't need a build command. - * - * Otherwise, put the build command here, for example `npm run build`. - * - * @default - No build required - */ - readonly buildCommand?: string; - - /** - * The synth command - * - * @default 'npx cdk synth' - */ - readonly synthCommand?: string; - - /** - * Test commands - * - * These commands are run after the build commands but before the - * synth command. - * - * @default - No test commands - */ - readonly testCommands?: string[]; -} - -function hash
(obj: A) { - const d = crypto.createHash('sha256'); - d.update(JSON.stringify(obj)); - return d.digest('hex'); -} - -/** - * Serialize a build environment to data (get rid of constructs & objects), so we can JSON.stringify it - */ -function serializeBuildEnvironment(env: codebuild.BuildEnvironment) { - return { - privileged: env.privileged, - environmentVariables: env.environmentVariables, - type: env.buildImage?.type, - imageId: env.buildImage?.imageId, - computeType: env.computeType, - imagePullPrincipalType: env.buildImage?.imagePullPrincipalType, - secretsManagerArn: env.buildImage?.secretsManagerCredentials?.secretArn, - }; -} diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/validation/_files.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/validation/_files.ts deleted file mode 100644 index 20192332e3b78..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/validation/_files.ts +++ /dev/null @@ -1,97 +0,0 @@ -import { Construct } from 'constructs'; -import * as codepipeline from '../../../../aws-codepipeline'; -import { IGrantable } from '../../../../aws-iam'; -import * as s3assets from '../../../../aws-s3-assets'; - -/** - * Additional files to use in a shell script - */ -export abstract class Files { - /** - * Use the files from a CodePipeline artifact - */ - public static fromArtifact(artifact: codepipeline.Artifact): Files { - if (!artifact) { - // Typechecking may mess up - throw new Error('Files.fromArtifact(): input artifact is required, got undefined'); - } - - return { - bind: () => ({ artifact }), - grantRead: () => { /* Not necessary */ }, - }; - } - - /** - * Create a new asset to bundle up the files in a directory on disk - */ - public static fromDirectory(directoryPath: string): Files { - let realFiles: Files; - return { - bind(scope: Construct) { - realFiles = Files.fromAsset(new s3assets.Asset(scope, directoryPath, { - path: directoryPath, - })); - - return realFiles.bind(scope); - }, - grantRead(grantee: IGrantable) { - if (!realFiles) { - throw new Error('bind() must be called first'); - } - realFiles.grantRead(grantee); - }, - }; - } - - /** - * Use an existing asset as a file source - */ - public static fromAsset(asset: s3assets.Asset): Files { - return { - bind: () => ({ - commands: [ - `echo "Downloading additional files from ${asset.s3ObjectUrl}"`, - `aws s3 cp ${asset.s3ObjectUrl} /tmp/dl.zip`, - 'unzip /tmp/dl.zip -d .', - ], - }), - grantRead: (grantee) => asset.grantRead(grantee), - }; - } - - protected constructor() { - } - - /** - * Bind the Files to a usage location - */ - public abstract bind(scope: Construct): FilesConfig; - - /** - * Grant read permissions to the file set to the given grantable - * - * Must be called after bind(). - */ - - public abstract grantRead(grantee: IGrantable): void; -} - -/** - * Config for a Files source - */ -export interface FilesConfig { - /** - * CodePipeline artifact to add to the set of input artifacts for the project - * - * @default - No artifact - */ - readonly artifact?: codepipeline.Artifact; - - /** - * Commands to add to the set of commands for the project - * - * @default - No commands - */ - readonly commands?: string[]; -} diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/validation/index.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/validation/index.ts deleted file mode 100644 index f2751fc92af49..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/validation/index.ts +++ /dev/null @@ -1 +0,0 @@ -export * from './shell-script-action'; \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/validation/shell-script-action.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/validation/shell-script-action.ts deleted file mode 100644 index fa24517321942..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/validation/shell-script-action.ts +++ /dev/null @@ -1,253 +0,0 @@ -import { Construct } from 'constructs'; -import * as codebuild from '../../../../aws-codebuild'; -import * as codepipeline from '../../../../aws-codepipeline'; -import * as codepipeline_actions from '../../../../aws-codepipeline-actions'; -import * as ec2 from '../../../../aws-ec2'; -import * as events from '../../../../aws-events'; -import * as iam from '../../../../aws-iam'; -import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../private/default-codebuild-image'; -import { StackOutput } from '../stage'; - -/** - * Properties for ShellScriptAction - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface ShellScriptActionProps { - /** - * Name of the validation action in the pipeline - */ - readonly actionName: string; - - /** - * Stack outputs to make available as environment variables - * - * @default - No outputs used - */ - readonly useOutputs?: Record; - - /** - * Commands to run - */ - readonly commands: string[]; - - /** - * Bash options to set at the start of the script - * - * @default '-eu' (errexit and nounset) - */ - readonly bashOptions?: string; - - /** - * Additional artifacts to use as input for the CodeBuild project - * - * You can use these files to load more complex test sets into the - * shellscript build environment. - * - * The files artifact given here will be unpacked into the current - * working directory, the other ones will be unpacked into directories - * which are available through the environment variables - * $CODEBUILD_SRC_DIR_. - * - * The CodeBuild job must have at least one input artifact, so you - * must provide either at least one additional artifact here or one - * stack output using `useOutput`. - * - * @default - No additional artifacts - */ - readonly additionalArtifacts?: codepipeline.Artifact[]; - - /** - * The CodeBuild environment where scripts are executed. - * - * @default LinuxBuildImage.STANDARD_7_0 - */ - readonly environment?: codebuild.BuildEnvironment; - - /** - * Environment variables to send into build - * - * @default - No additional environment variables - */ - readonly environmentVariables?: Record; - - /** - * RunOrder for this action - * - * Use this to sequence the shell script after the deployments. - * - * The default value is 100 so you don't have to supply the value if you just - * want to run this after the application stacks have been deployed, and you - * don't have more than 100 stacks. - * - * @default 100 - */ - readonly runOrder?: number; - - /** - * Additional policy statements to add to the execution role - * - * @default - No policy statements - */ - readonly rolePolicyStatements?: iam.PolicyStatement[]; - - /** - * The VPC where to execute the specified script. - * - * @default - No VPC - */ - readonly vpc?: ec2.IVpc; - - /** - * Which subnets to use. - * - * Only used if 'vpc' is supplied. - * - * @default - All private subnets. - */ - readonly subnetSelection?: ec2.SubnetSelection; - - /** - * Which security group to associate with the script's project network interfaces. - * If no security group is identified, one will be created automatically. - * - * Only used if 'vpc' is supplied. - * - * @default - Security group will be automatically created. - * - */ - readonly securityGroups?: ec2.ISecurityGroup[]; -} - -/** - * Validate a revision using shell commands - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export class ShellScriptAction implements codepipeline.IAction, iam.IGrantable { - private _project?: codebuild.IProject; - - private _action?: codepipeline_actions.CodeBuildAction; - private _actionProperties: codepipeline.ActionProperties; - - constructor(private readonly props: ShellScriptActionProps) { - // A number of actionProperties get read before bind() is even called (so before we - // have made the Project and can construct the actual CodeBuildAction) - // - // - actionName - // - resource - // - region - // - category - // - role - // - owner - this._actionProperties = { - actionName: props.actionName, - category: codepipeline.ActionCategory.BUILD, - provider: 'CodeBuild', - artifactBounds: { minInputs: 0, maxInputs: 5, minOutputs: 0, maxOutputs: 5 }, - inputs: [], - outputs: [], - }; - - if (Object.keys(props.useOutputs ?? {}).length + (props.additionalArtifacts ?? []).length === 0) { - throw new Error('You must supply either \'useOutputs\' or \'additionalArtifacts\', since a CodeBuild Action must always have at least one input artifact.'); - } - } - - /** - * The CodeBuild Project's principal - */ - public get grantPrincipal(): iam.IPrincipal { - return this.project.grantPrincipal; - } - - /** - * Exists to implement IAction - */ - public get actionProperties(): codepipeline.ActionProperties { - return this._actionProperties; - } - - /** - * Exists to implement IAction - */ - public bind(scope: Construct, stage: codepipeline.IStage, options: codepipeline.ActionBindOptions): codepipeline.ActionConfig { - const inputs = new Array(); - inputs.push(...this.props.additionalArtifacts ?? []); - - const envVarCommands = new Array(); - - const bashOptions = this.props.bashOptions ?? '-eu'; - if (bashOptions) { - envVarCommands.push(`set ${bashOptions}`); - } - for (const [varName, output] of Object.entries(this.props.useOutputs ?? {})) { - const outputArtifact = output.artifactFile; - - // Add the artifact to the list of inputs, if it's not in there already. Determine - // the location where CodeBuild is going to stick it based on whether it's the first (primary) - // input or an 'extra input', then parse. - let artifactIndex = inputs.findIndex(a => a.artifactName === outputArtifact.artifact.artifactName); - if (artifactIndex === -1) { - artifactIndex = inputs.push(outputArtifact.artifact) - 1; - } - const dirEnv = artifactIndex === 0 ? 'CODEBUILD_SRC_DIR' : `CODEBUILD_SRC_DIR_${outputArtifact.artifact.artifactName}`; - envVarCommands.push(`export ${varName}="$(node -pe 'require(process.env.${dirEnv} + "/${outputArtifact.fileName}")["${output.outputName}"]')"`); - } - - this._project = new codebuild.PipelineProject(scope, 'Project', { - environment: this.props.environment || { buildImage: CDKP_DEFAULT_CODEBUILD_IMAGE }, - vpc: this.props.vpc, - securityGroups: this.props.securityGroups, - subnetSelection: this.props.subnetSelection, - buildSpec: codebuild.BuildSpec.fromObject({ - version: '0.2', - phases: { - build: { - commands: [ - ...envVarCommands, - ...this.props.commands, - ], - }, - }, - }), - }); - for (const statement of this.props.rolePolicyStatements ?? []) { - this._project.addToRolePolicy(statement); - } - - this._action = new codepipeline_actions.CodeBuildAction({ - actionName: this.props.actionName, - input: inputs[0], - extraInputs: inputs.slice(1), - runOrder: this.props.runOrder ?? 100, - project: this._project, - environmentVariables: this.props.environmentVariables, - }); - // Replace the placeholder actionProperties at the last minute - this._actionProperties = this._action.actionProperties; - - return this._action.bind(scope, stage, options); - } - - /** - * Project generated to run the shell script in - */ - public get project(): codebuild.IProject { - if (!this._project) { - throw new Error('Project becomes available after ShellScriptAction has been bound to a stage'); - } - return this._project; - } - - /** - * Exists to implement IAction - */ - public onStateChange(name: string, target?: events.IRuleTarget, options?: events.RuleProps): events.Rule { - if (!this._action) { - throw new Error('Need bind() first'); - } - - return this._action.onStateChange(name, target, options); - } -} diff --git a/packages/aws-cdk-lib/pipelines/test/blueprint/logicalid-stability.test.ts b/packages/aws-cdk-lib/pipelines/test/blueprint/logicalid-stability.test.ts deleted file mode 100644 index cce5bd87ae81e..0000000000000 --- a/packages/aws-cdk-lib/pipelines/test/blueprint/logicalid-stability.test.ts +++ /dev/null @@ -1,126 +0,0 @@ -import { describeDeprecated } from '@aws-cdk/cdk-build-tools'; -import { Stack } from '../../../core'; -import { mkdict } from '../../lib/private/javascript'; -import { PIPELINE_ENV, TestApp, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, MegaAssetsApp, stackTemplate } from '../testhelpers'; - -let legacyApp: TestApp; -let modernApp: TestApp; - -let legacyPipelineStack: Stack; -let modernPipelineStack: Stack; - -describeDeprecated('logical id stability', () => { - // this test suite verifies logical id between the new and old (deprecated) APIs. - // so it must be in a 'describeDeprecated' block - - beforeEach(() => { - legacyApp = new TestApp({ - context: { - '@aws-cdk/core:newStyleStackSynthesis': '1', - 'aws:cdk:enable-path-metadata': true, - }, - }); - modernApp = new TestApp({ - context: { - '@aws-cdk/core:newStyleStackSynthesis': '1', - 'aws:cdk:enable-path-metadata': true, - }, - }); - legacyPipelineStack = new Stack(legacyApp, 'PipelineStack', { env: PIPELINE_ENV }); - modernPipelineStack = new Stack(modernApp, 'PipelineStack', { env: PIPELINE_ENV }); - }); - - afterEach(() => { - legacyApp.cleanup(); - modernApp.cleanup(); - }); - - test('stateful or nameable resources have the same logicalID between old and new API', () => { - const legacyPipe = new LegacyTestGitHubNpmPipeline(legacyPipelineStack, 'Cdk'); - legacyPipe.addApplicationStage(new MegaAssetsApp(legacyPipelineStack, 'MyApp', { - numAssets: 2, - })); - - const modernPipe = new ModernTestGitHubNpmPipeline(modernPipelineStack, 'Cdk', { - crossAccountKeys: true, - }); - modernPipe.addStage(new MegaAssetsApp(modernPipelineStack, 'MyApp', { - numAssets: 2, - })); - - const legacyTemplate = stackTemplate(legacyPipelineStack).template; - const modernTemplate = stackTemplate(modernPipelineStack).template; - - const legacyStateful = filterR(legacyTemplate.Resources, isStateful); - const modernStateful = filterR(modernTemplate.Resources, isStateful); - - expect(mapR(modernStateful, typeOfRes)).toEqual(mapR(legacyStateful, typeOfRes)); - }); - - test('nameable resources have the same names between old and new API', () => { - const legacyPipe = new LegacyTestGitHubNpmPipeline(legacyPipelineStack, 'Cdk', { - pipelineName: 'asdf', - }); - legacyPipe.addApplicationStage(new MegaAssetsApp(legacyPipelineStack, 'MyApp', { - numAssets: 2, - })); - - const modernPipe = new ModernTestGitHubNpmPipeline(modernPipelineStack, 'Cdk', { - pipelineName: 'asdf', - crossAccountKeys: true, - }); - modernPipe.addStage(new MegaAssetsApp(modernPipelineStack, 'MyApp', { - numAssets: 2, - })); - - const legacyTemplate = stackTemplate(legacyPipelineStack).template; - const modernTemplate = stackTemplate(modernPipelineStack).template; - - const legacyNamed = filterR(legacyTemplate.Resources, hasName); - const modernNamed = filterR(modernTemplate.Resources, hasName); - - expect(mapR(modernNamed, nameProps)).toEqual(mapR(legacyNamed, nameProps)); - }); -}); - -const STATEFUL_TYPES = [ - // Holds state - 'AWS::S3::Bucket', - 'AWS::KMS::Key', - 'AWS::KMS::Alias', - // Can be physical-named so will be impossible to replace - 'AWS::CodePipeline::Pipeline', - 'AWS::CodeBuild::Project', -]; - -function filterR(resources: Record, fn: (x: Resource) => boolean): Record { - return mkdict(Object.entries(resources).filter(([, resource]) => fn(resource))); -} - -function mapR(resources: Record, fn: (x: Resource) => A): Record { - return mkdict(Object.entries(resources).map(([lid, resource]) => [lid, fn(resource)] as const)); -} - -function typeOfRes(r: Resource) { - return r.Type; -} - -function isStateful(r: Resource) { - return STATEFUL_TYPES.includes(r.Type); -} - -function nameProps(r: Resource) { - return Object.entries(r.Properties).filter(([prop, _]) => - // Don't care about policy names - prop.endsWith('Name') && prop !== 'PolicyName'); -} - -function hasName(r: Resource) { - return nameProps(r).length > 0; -} - -interface Resource { - readonly Type: string; - readonly Properties: Record; - readonly Metadata?: Record; -} \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/test/codepipeline/codepipeline-existing.test.ts b/packages/aws-cdk-lib/pipelines/test/codepipeline/codepipeline-existing.test.ts deleted file mode 100644 index 1da9b4ecfb71e..0000000000000 --- a/packages/aws-cdk-lib/pipelines/test/codepipeline/codepipeline-existing.test.ts +++ /dev/null @@ -1,65 +0,0 @@ -import { describeDeprecated } from '@aws-cdk/cdk-build-tools'; -import * as codePipeline from '../../../aws-codepipeline'; -import * as cdk from '../../../core'; -import * as cdkp from '../../lib'; - -describeDeprecated('codepipeline existing', () => { - - test('Does not allow setting a pipelineName if an existing CodePipeline is given', () => { - const app = new cdk.App(); - const stack = new cdk.Stack(app, 'PipelineStack'); - const existingCodePipeline = new codePipeline.Pipeline(stack, 'CustomCodePipeline'); - - expect(() => { - new cdkp.CdkPipeline(stack, 'CDKPipeline', { - pipelineName: 'CustomPipelineName', - codePipeline: existingCodePipeline, - cloudAssemblyArtifact: new codePipeline.Artifact(), - }); - }).toThrow("Cannot set 'pipelineName' if an existing CodePipeline is given using 'codePipeline'"); - }); - - test('Does not allow enabling crossAccountKeys if an existing CodePipeline is given', () => { - const app = new cdk.App(); - const stack = new cdk.Stack(app, 'PipelineStack'); - const existingCodePipeline = new codePipeline.Pipeline(stack, 'CustomCodePipeline'); - - expect(() => { - new cdkp.CdkPipeline(stack, 'CDKPipeline', { - crossAccountKeys: true, - codePipeline: existingCodePipeline, - cloudAssemblyArtifact: new codePipeline.Artifact(), - }); - }).toThrow("Cannot set 'crossAccountKeys' if an existing CodePipeline is given using 'codePipeline'"); - }); - - test('Does not allow enabling key rotation if an existing CodePipeline is given', () => { - const app = new cdk.App(); - const stack = new cdk.Stack(app, 'PipelineStack'); - const existingCodePipeline = new codePipeline.Pipeline(stack, 'CustomCodePipeline'); - - expect(() => { - new cdkp.CdkPipeline(stack, 'CDKPipeline', { - enableKeyRotation: true, - codePipeline: existingCodePipeline, - cloudAssemblyArtifact: new codePipeline.Artifact(), - }); - }).toThrow("Cannot set 'enableKeyRotation' if an existing CodePipeline is given using 'codePipeline'"); - }); - - test('Does not allow setting crossRegionReplicationBuckets if an existing CodePipeline is given', () => { - const app = new cdk.App(); - const stack = new cdk.Stack(app, 'PipelineStack'); - const existingCodePipeline = new codePipeline.Pipeline(stack, 'CustomCodePipeline'); - - expect(() => { - new cdkp.CodePipeline(stack, 'CDKPipeline', { - crossRegionReplicationBuckets: {}, // Even the empty set is forbidden. - codePipeline: existingCodePipeline, - synth: new cdkp.ShellStep('Synth', { - commands: ['echo hello'], - }), - }).buildPipeline(); - }).toThrow("Cannot set 'crossRegionReplicationBuckets' if an existing CodePipeline is given using 'codePipeline'"); - }); -}); \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/assets.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/assets.test.ts index 1f222fee6c439..87c1ace7e9515 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/assets.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/assets.test.ts @@ -5,7 +5,7 @@ import * as cb from '../../../aws-codebuild'; import * as ec2 from '../../../aws-ec2'; import { Stack, Stage } from '../../../core'; import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../lib/private/default-codebuild-image'; -import { behavior, PIPELINE_ENV, TestApp, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, FileAssetApp, MegaAssetsApp, TwoFileAssetsApp, DockerAssetApp, PlainStackApp, stringLike } from '../testhelpers'; +import { PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline, FileAssetApp, MegaAssetsApp, TwoFileAssetsApp, DockerAssetApp, PlainStackApp, stringLike } from '../testhelpers'; const FILE_ASSET_SOURCE_HASH = '8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5'; const FILE_ASSET_SOURCE_HASH2 = 'ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e'; @@ -16,6 +16,61 @@ const IMAGE_PUBLISHING_ROLE = 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role let app: TestApp; let pipelineStack: Stack; +function expectedAssetRolePolicy(assumeRolePattern: string | string[], attachedRole: string) { + if (typeof assumeRolePattern === 'string') { assumeRolePattern = [assumeRolePattern]; } + + return { + PolicyDocument: { + Statement: [{ + Action: ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'], + Effect: 'Allow', + Resource: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + `:logs:${PIPELINE_ENV.region}:${PIPELINE_ENV.account}:log-group:/aws/codebuild/*`, + ]], + }, + }, + { + Action: ['codebuild:CreateReportGroup', 'codebuild:CreateReport', 'codebuild:UpdateReport', 'codebuild:BatchPutTestCases', 'codebuild:BatchPutCodeCoverages'], + Effect: 'Allow', + Resource: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + `:codebuild:${PIPELINE_ENV.region}:${PIPELINE_ENV.account}:report-group/*`, + ]], + }, + }, + { + Action: ['codebuild:BatchGetBuilds', 'codebuild:StartBuild', 'codebuild:StopBuild'], + Effect: 'Allow', + Resource: '*', + }, + { + Action: 'sts:AssumeRole', + Effect: 'Allow', + Resource: unsingleton(assumeRolePattern.map(arn => { return { 'Fn::Sub': arn }; })), + }, + { + Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], + Effect: 'Allow', + Resource: [ + { 'Fn::GetAtt': ['CdkPipelineArtifactsBucket7B46C7BF', 'Arn'] }, + { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['CdkPipelineArtifactsBucket7B46C7BF', 'Arn'] }, '/*']] }, + ], + }, + { + Action: ['kms:Decrypt', 'kms:DescribeKey'], + Effect: 'Allow', + Resource: { 'Fn::GetAtt': ['CdkPipelineArtifactsBucketEncryptionKeyDDD3258C', 'Arn'] }, + }], + }, + Roles: [{ Ref: attachedRole }], + }; +} + beforeEach(() => { app = new TestApp(); pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); @@ -26,550 +81,170 @@ afterEach(() => { }); describe('basic pipeline', () => { - behavior('no assets stage if the application has no assets', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new PlainStackApp(app, 'App')); - THEN_codePipelineExpectation(); - }); + test('no assets stage if the application has no assets', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new PlainStackApp(app, 'App')); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new PlainStackApp(app, 'App')); - - THEN_codePipelineExpectation(); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.not(Match.arrayWith([Match.objectLike({ + Name: 'Assets', + })])), }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.not(Match.arrayWith([Match.objectLike({ - Name: 'Assets', - })])), - }); - } }); - describe('asset stage placement', () => { - behavior('assets stage comes before any user-defined stages', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new FileAssetApp(app, 'App')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new FileAssetApp(app, 'App')); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ - Match.objectLike({ Name: 'Source' }), - Match.objectLike({ Name: 'Build' }), - Match.objectLike({ Name: 'UpdatePipeline' }), - Match.objectLike({ Name: 'Assets' }), - Match.objectLike({ Name: 'App' }), - ], - }); - } - }); - - behavior('up to 50 assets fit in a single stage', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new MegaAssetsApp(app, 'App', { numAssets: 50 })); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new MegaAssetsApp(app, 'App', { numAssets: 50 })); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ - Match.objectLike({ Name: 'Source' }), - Match.objectLike({ Name: 'Build' }), - Match.objectLike({ Name: 'UpdatePipeline' }), - Match.objectLike({ Name: 'Assets' }), - Match.objectLike({ Name: 'App' }), - ], - }); - } - }); - - behavior('51 assets triggers a second stage', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new MegaAssetsApp(app, 'App', { numAssets: 51 })); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - // WHEN - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new MegaAssetsApp(app, 'App', { numAssets: 51 })); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ - Match.objectLike({ Name: 'Source' }), - Match.objectLike({ Name: 'Build' }), - Match.objectLike({ Name: 'UpdatePipeline' }), - Match.objectLike({ Name: stringLike('Assets*') }), - Match.objectLike({ Name: stringLike('Assets*2') }), - Match.objectLike({ Name: 'App' }), - ], - }); - } - }); - - behavior('101 assets triggers a third stage', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new MegaAssetsApp(app, 'App', { numAssets: 101 })); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new MegaAssetsApp(app, 'App', { numAssets: 101 })); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ - Match.objectLike({ Name: 'Source' }), - Match.objectLike({ Name: 'Build' }), - Match.objectLike({ Name: 'UpdatePipeline' }), - Match.objectLike({ Name: stringLike('Assets*') }), // 'Assets' vs 'Assets.1' - Match.objectLike({ Name: stringLike('Assets*2') }), - Match.objectLike({ Name: stringLike('Assets*3') }), - Match.objectLike({ Name: 'App' }), - ], - }); - } + test('assets stage comes before any user-defined stages', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new FileAssetApp(app, 'App')); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: [ + Match.objectLike({ Name: 'Source' }), + Match.objectLike({ Name: 'Build' }), + Match.objectLike({ Name: 'UpdatePipeline' }), + Match.objectLike({ Name: 'Assets' }), + Match.objectLike({ Name: 'App' }), + ], }); }); - behavior('command line properly locates assets in subassembly', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new FileAssetApp(app, 'FileAssetApp')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new FileAssetApp(app, 'FileAssetApp')); - - THEN_codePipelineExpectation(); + test('up to 50 assets fit in a single stage', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new MegaAssetsApp(app, 'App', { numAssets: 50 })); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: [ + Match.objectLike({ Name: 'Source' }), + Match.objectLike({ Name: 'Build' }), + Match.objectLike({ Name: 'UpdatePipeline' }), + Match.objectLike({ Name: 'Assets' }), + Match.objectLike({ Name: 'App' }), + ], }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - build: { - commands: Match.arrayWith([`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH}:current_account-current_region"`]), - }, - }, - })), - }, - }); - } }); - behavior('multiple assets are published in parallel', (suite) => { - suite.legacy(() => { + describe('asset stage placement', () => { + test('51 assets triggers a second stage', () => { // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new TwoFileAssetsApp(app, 'FileAssetApp')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new TwoFileAssetsApp(app, 'FileAssetApp')); + pipeline.addStage(new MegaAssetsApp(app, 'App', { numAssets: 51 })); - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Assets', - Actions: [ - Match.objectLike({ RunOrder: 1 }), - Match.objectLike({ RunOrder: 1 }), - ], - }]), + Stages: [ + Match.objectLike({ Name: 'Source' }), + Match.objectLike({ Name: 'Build' }), + Match.objectLike({ Name: 'UpdatePipeline' }), + Match.objectLike({ Name: stringLike('Assets*') }), + Match.objectLike({ Name: stringLike('Assets*2') }), + Match.objectLike({ Name: 'App' }), + ], }); - } - }); - - behavior('assets are also published when using the lower-level addStackArtifactDeployment', (suite) => { - suite.legacy(() => { - // GIVEN - const asm = new FileAssetApp(app, 'FileAssetApp').synth(); + }, + ); - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage('SomeStage').addStackArtifactDeployment(asm.getStackByName('FileAssetApp-Stack')); + test('101 assets triggers a third stage', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new MegaAssetsApp(app, 'App', { numAssets: 101 })); - // THEN Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Assets', - Actions: [ - Match.objectLike({ - Name: 'FileAsset1', - RunOrder: 1, - }), - ], - }]), + Stages: [ + Match.objectLike({ Name: 'Source' }), + Match.objectLike({ Name: 'Build' }), + Match.objectLike({ Name: 'UpdatePipeline' }), + Match.objectLike({ Name: stringLike('Assets*') }), // 'Assets' vs 'Assets.1' + Match.objectLike({ Name: stringLike('Assets*2') }), + Match.objectLike({ Name: stringLike('Assets*3') }), + Match.objectLike({ Name: 'App' }), + ], }); - }); - - // This function does not exist in the modern API - suite.doesNotApply.modern(); + }, + ); }); - behavior('file image asset publishers do not use privilegedmode', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new FileAssetApp(app, 'FileAssetApp')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - // WHEN - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new FileAssetApp(app, 'FileAssetApp')); - - THEN_codePipelineExpectation(); - }); + test('command line properly locates assets in subassembly', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new FileAssetApp(app, 'FileAssetApp')); - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - build: { - commands: Match.arrayWith([stringLike('cdk-assets *')]), - }, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + build: { + commands: Match.arrayWith([`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH}:current_account-current_region"`]), }, - })), - }, - Environment: Match.objectLike({ - PrivilegedMode: false, - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }), - }); - } - }); - - behavior('docker image asset publishers use privilegedmode', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new DockerAssetApp(app, 'DockerAssetApp')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new DockerAssetApp(app, 'DockerAssetApp')); - - THEN_codePipelineExpectation(); + }, + })), + }, }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - build: { - commands: Match.arrayWith([stringLike('cdk-assets *')]), - }, - }, - })), - }, - Environment: Match.objectLike({ - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - PrivilegedMode: true, - }), - }); - } }); - behavior('can control fix/CLI version used in asset publishing', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - cdkCliVersion: '1.2.3', - }); - pipeline.addApplicationStage(new FileAssetApp(pipelineStack, 'FileAssetApp')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - cliVersion: '1.2.3', - }); - pipeline.addStage(new FileAssetApp(pipelineStack, 'FileAssetApp')); + test('multiple assets are published in parallel', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new TwoFileAssetsApp(app, 'FileAssetApp')); - THEN_codePipelineExpectation(); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Assets', + Actions: [ + Match.objectLike({ RunOrder: 1 }), + Match.objectLike({ RunOrder: 1 }), + ], + }]), }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - install: { - commands: ['npm install -g cdk-assets@1.2.3'], - }, - }, - })), - }, - }); - } }); - describe('asset roles and policies', () => { - behavior('includes file publishing assets role for apps with file assets', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new FileAssetApp(app, 'App1')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - // Expectation expects to see KMS key policy permissions - crossAccountKeys: true, - }); - pipeline.addStage(new FileAssetApp(app, 'App1')); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Role', { - AssumeRolePolicyDocument: { - Statement: [ - { - Action: 'sts:AssumeRole', - Effect: 'Allow', - Principal: { - Service: 'codebuild.amazonaws.com', - }, - }, - ], - }, - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', - expectedAssetRolePolicy(FILE_PUBLISHING_ROLE, 'CdkAssetsFileRole6BE17A07')); - } - }); - - behavior('publishing assets role may assume roles from multiple environments', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new FileAssetApp(app, 'App1')); - pipeline.addApplicationStage(new FileAssetApp(app, 'App2', { - env: { - account: '0123456789012', - region: 'eu-west-1', - }, - })); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - // Expectation expects to see KMS key policy permissions - crossAccountKeys: true, - }); - - pipeline.addStage(new FileAssetApp(app, 'App1')); - pipeline.addStage(new FileAssetApp(app, 'App2', { - env: { - account: '0123456789012', - region: 'eu-west-1', - }, - })); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', - expectedAssetRolePolicy([FILE_PUBLISHING_ROLE, 'arn:${AWS::Partition}:iam::0123456789012:role/cdk-hnb659fds-file-publishing-role-0123456789012-eu-west-1'], - 'CdkAssetsFileRole6BE17A07')); - } - }); - - behavior('publishing assets role de-dupes assumed roles', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new FileAssetApp(app, 'App1')); - pipeline.addApplicationStage(new FileAssetApp(app, 'App2')); - pipeline.addApplicationStage(new FileAssetApp(app, 'App3')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - // Expectation expects to see KMS key policy permissions - crossAccountKeys: true, - }); - pipeline.addStage(new FileAssetApp(app, 'App1')); - pipeline.addStage(new FileAssetApp(app, 'App2')); - pipeline.addStage(new FileAssetApp(app, 'App3')); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', - expectedAssetRolePolicy(FILE_PUBLISHING_ROLE, 'CdkAssetsFileRole6BE17A07')); - } - }); - - behavior('includes image publishing assets role for apps with Docker assets', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new DockerAssetApp(app, 'App1')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - // Expectation expects to see KMS key policy permissions - crossAccountKeys: true, - }); - pipeline.addStage(new DockerAssetApp(app, 'App1')); - - THEN_codePipelineExpectation(); - }); + test('file image asset publishers do not use privilegedmode', () => { + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new FileAssetApp(app, 'FileAssetApp')); - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Role', { - AssumeRolePolicyDocument: { - Statement: [ - { - Action: 'sts:AssumeRole', - Effect: 'Allow', - Principal: { - Service: 'codebuild.amazonaws.com', - }, - }, - ], + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + build: { + commands: Match.arrayWith([stringLike('cdk-assets *')]), + }, }, - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', - expectedAssetRolePolicy(IMAGE_PUBLISHING_ROLE, 'CdkAssetsDockerRole484B6DD3')); - } - }); - - behavior('includes both roles for apps with both file and Docker assets', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new FileAssetApp(app, 'App1')); - pipeline.addApplicationStage(new DockerAssetApp(app, 'App2')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - // Expectation expects to see KMS key policy permissions - crossAccountKeys: true, - }); - pipeline.addStage(new FileAssetApp(app, 'App1')); - pipeline.addStage(new DockerAssetApp(app, 'App2')); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', - expectedAssetRolePolicy(FILE_PUBLISHING_ROLE, 'CdkAssetsFileRole6BE17A07')); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', - expectedAssetRolePolicy(IMAGE_PUBLISHING_ROLE, 'CdkAssetsDockerRole484B6DD3')); - } + })), + }, + Environment: Match.objectLike({ + PrivilegedMode: false, + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }), }); }); -}); -behavior('can supply pre-install scripts to asset upload', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - assetPreInstallCommands: [ - 'npm config set registry https://registry.com', - ], - }); - pipeline.addApplicationStage(new FileAssetApp(app, 'FileAssetApp')); - - THEN_codePipelineExpectation(); - }); + test('docker image asset publishers use privilegedmode', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new DockerAssetApp(app, 'DockerAssetApp')); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - assetPublishingCodeBuildDefaults: { - partialBuildSpec: cb.BuildSpec.fromObject({ - version: '0.2', + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ phases: { - install: { - commands: [ - 'npm config set registry https://registry.com', - ], + build: { + commands: Match.arrayWith([stringLike('cdk-assets *')]), }, }, - }), + })), }, + Environment: Match.objectLike({ + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + PrivilegedMode: true, + }), }); - pipeline.addStage(new FileAssetApp(app, 'FileAssetApp')); - - THEN_codePipelineExpectation(); }); - function THEN_codePipelineExpectation() { + test('can control fix/CLI version used in asset publishing', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + cliVersion: '1.2.3', + }); + pipeline.addStage(new FileAssetApp(pipelineStack, 'FileAssetApp')); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { Environment: { Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, @@ -578,379 +253,297 @@ behavior('can supply pre-install scripts to asset upload', (suite) => { BuildSpec: Match.serializedJson(Match.objectLike({ phases: { install: { - commands: ['npm config set registry https://registry.com', 'npm install -g cdk-assets@2'], + commands: ['npm install -g cdk-assets@1.2.3'], }, }, - })), - }, - }); - } -}); - -describe('pipeline with VPC', () => { - let vpc: ec2.Vpc; - beforeEach(() => { - vpc = new ec2.Vpc(pipelineStack, 'Vpc'); - }); - - behavior('asset CodeBuild Project uses VPC subnets', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - vpc, - }); - pipeline.addApplicationStage(new DockerAssetApp(app, 'DockerAssetApp')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - codeBuildDefaults: { vpc }, - }); - pipeline.addStage(new DockerAssetApp(app, 'DockerAssetApp')); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - VpcConfig: Match.objectLike({ - SecurityGroupIds: [ - { 'Fn::GetAtt': ['CdkAssetsDockerAsset1SecurityGroup078F5C66', 'GroupId'] }, - ], - Subnets: [ - { Ref: 'VpcPrivateSubnet1Subnet536B997A' }, - { Ref: 'VpcPrivateSubnet2Subnet3788AAA1' }, - { Ref: 'VpcPrivateSubnet3SubnetF258B56E' }, - ], - VpcId: { Ref: 'Vpc8378EB38' }, - }), - }); - } - }); - - behavior('Pipeline-generated CodeBuild Projects have appropriate execution role permissions', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - vpc, - }); - pipeline.addApplicationStage(new DockerAssetApp(app, 'DockerAssetApp')); - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - codeBuildDefaults: { vpc }, - }); - pipeline.addStage(new DockerAssetApp(app, 'DockerAssetApp')); - THEN_codePipelineExpectation(); + })), + }, }); - - function THEN_codePipelineExpectation() { - // Assets Project - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - Roles: [ - { Ref: 'CdkAssetsDockerRole484B6DD3' }, - ], - PolicyDocument: { - Statement: Match.arrayWith([{ - Action: Match.arrayWith(['ec2:DescribeSecurityGroups']), - Effect: 'Allow', - Resource: '*', - }]), - }, - }); - } }); - behavior('Asset publishing CodeBuild Projects have correct VPC permissions', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - vpc, - }); - pipeline.addApplicationStage(new DockerAssetApp(app, 'DockerAssetApp')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { + describe('asset roles and policies', () => { + test('includes file publishing assets role for apps with file assets', () => { const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - codeBuildDefaults: { vpc }, + // Expectation expects to see KMS key policy permissions + crossAccountKeys: true, }); - pipeline.addStage(new DockerAssetApp(app, 'DockerAssetApp')); - THEN_codePipelineExpectation(); - }); + pipeline.addStage(new FileAssetApp(app, 'App1')); - function THEN_codePipelineExpectation() { - // Assets Project - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Role', { + AssumeRolePolicyDocument: { Statement: [ - Match.objectLike({ - Resource: '*', - Action: [ - 'ec2:CreateNetworkInterface', - 'ec2:DescribeNetworkInterfaces', - 'ec2:DeleteNetworkInterface', - 'ec2:DescribeSubnets', - 'ec2:DescribeSecurityGroups', - 'ec2:DescribeDhcpOptions', - 'ec2:DescribeVpcs', - ], - }), + { + Action: 'sts:AssumeRole', + Effect: 'Allow', + Principal: { + Service: 'codebuild.amazonaws.com', + }, + }, ], }, - Roles: [{ Ref: 'CdkAssetsDockerRole484B6DD3' }], }); - Template.fromStack(pipelineStack).hasResource('AWS::CodeBuild::Project', { - Properties: { - ServiceRole: { 'Fn::GetAtt': ['CdkAssetsDockerRole484B6DD3', 'Arn'] }, - }, - DependsOn: [ - 'CdkAssetsDockerAsset1PolicyDocument8DA96A22', - ], - }); - } - }); -}); - -describe('pipeline with single asset publisher', () => { - behavior('multiple assets are using the same job in singlePublisherMode', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - singlePublisherPerType: true, - }); - pipeline.addApplicationStage(new TwoFileAssetsApp(app, 'FileAssetApp')); - - THEN_codePipelineExpectation(); - }); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', + expectedAssetRolePolicy(FILE_PUBLISHING_ROLE, 'CdkAssetsFileRole6BE17A07')); + }, + ); - suite.modern(() => { + test('publishing assets role may assume roles from multiple environments', () => { const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - publishAssetsInParallel: false, + // Expectation expects to see KMS key policy permissions + crossAccountKeys: true, }); - pipeline.addStage(new TwoFileAssetsApp(app, 'FileAssetApp')); - - THEN_codePipelineExpectation(); - }); - function THEN_codePipelineExpectation() { - // THEN - const buildSpecName = new Capture(stringLike('buildspec-*.yaml')); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Assets', - Actions: [ - // Only one file asset action - Match.objectLike({ RunOrder: 1, Name: 'FileAsset' }), - ], - }]), - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: buildSpecName, + pipeline.addStage(new FileAssetApp(app, 'App1')); + pipeline.addStage(new FileAssetApp(app, 'App2', { + env: { + account: '0123456789012', + region: 'eu-west-1', }, - }); - const assembly = synthesize(pipelineStack); - - const actualFileName = buildSpecName.asString(); + })); - const buildSpec = JSON.parse(fs.readFileSync(path.join(assembly.directory, actualFileName), { encoding: 'utf-8' })); - expect(buildSpec.phases.build.commands).toContain(`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH}:current_account-current_region"`); - expect(buildSpec.phases.build.commands).toContain(`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH2}:current_account-current_region"`); - } - }); - - behavior('other pipeline writes to separate assets build spec file', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - singlePublisherPerType: true, - }); - pipeline.addApplicationStage(new TwoFileAssetsApp(app, 'FileAssetApp')); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', + expectedAssetRolePolicy([FILE_PUBLISHING_ROLE, 'arn:${AWS::Partition}:iam::0123456789012:role/cdk-hnb659fds-file-publishing-role-0123456789012-eu-west-1'], + 'CdkAssetsFileRole6BE17A07')); + }, + ); - const pipelineStack2 = new Stack(app, 'PipelineStack2', { env: PIPELINE_ENV }); - const otherPipeline = new LegacyTestGitHubNpmPipeline(pipelineStack2, 'Cdk', { - singlePublisherPerType: true, + test('publishing assets role de-dupes assumed roles', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + // Expectation expects to see KMS key policy permissions + crossAccountKeys: true, }); - otherPipeline.addApplicationStage(new TwoFileAssetsApp(app, 'OtherFileAssetApp')); + pipeline.addStage(new FileAssetApp(app, 'App1')); + pipeline.addStage(new FileAssetApp(app, 'App2')); + pipeline.addStage(new FileAssetApp(app, 'App3')); - THEN_codePipelineExpectation(pipelineStack2); - }); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', + expectedAssetRolePolicy(FILE_PUBLISHING_ROLE, 'CdkAssetsFileRole6BE17A07')); + }, + ); - suite.modern(() => { + test('includes image publishing assets role for apps with Docker assets', () => { const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - publishAssetsInParallel: false, - }); - pipeline.addStage(new TwoFileAssetsApp(app, 'FileAssetApp')); - - const pipelineStack2 = new Stack(app, 'PipelineStack2', { env: PIPELINE_ENV }); - const otherPipeline = new ModernTestGitHubNpmPipeline(pipelineStack2, 'Cdk', { - publishAssetsInParallel: false, + // Expectation expects to see KMS key policy permissions + crossAccountKeys: true, }); - otherPipeline.addStage(new TwoFileAssetsApp(app, 'OtherFileAssetApp')); - - THEN_codePipelineExpectation(pipelineStack2); - }); + pipeline.addStage(new DockerAssetApp(app, 'App1')); - function THEN_codePipelineExpectation(pipelineStack2: Stack) { - // THEN - const buildSpecName1 = new Capture(stringLike('buildspec-*.yaml')); - const buildSpecName2 = new Capture(stringLike('buildspec-*.yaml')); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Source: { - BuildSpec: buildSpecName1, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Role', { + AssumeRolePolicyDocument: { + Statement: [ + { + Action: 'sts:AssumeRole', + Effect: 'Allow', + Principal: { + Service: 'codebuild.amazonaws.com', + }, + }, + ], }, }); - Template.fromStack(pipelineStack2).hasResourceProperties('AWS::CodeBuild::Project', { - Source: { - BuildSpec: buildSpecName2, - }, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', + expectedAssetRolePolicy(IMAGE_PUBLISHING_ROLE, 'CdkAssetsDockerRole484B6DD3')); + }, + ); + + test('includes both roles for apps with both file and Docker assets', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + // Expectation expects to see KMS key policy permissions + crossAccountKeys: true, }); + pipeline.addStage(new FileAssetApp(app, 'App1')); + pipeline.addStage(new DockerAssetApp(app, 'App2')); - expect(buildSpecName1.asString()).not.toEqual(buildSpecName2.asString()); - } + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', + expectedAssetRolePolicy(FILE_PUBLISHING_ROLE, 'CdkAssetsFileRole6BE17A07')); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', + expectedAssetRolePolicy(IMAGE_PUBLISHING_ROLE, 'CdkAssetsDockerRole484B6DD3')); + }, + ); }); }); -describe('pipeline with custom asset publisher BuildSpec', () => { - - behavior('custom buildspec is merged correctly', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - singlePublisherPerType: true, - assetBuildSpec: cb.BuildSpec.fromObject({ - phases: { - pre_install: { - commands: 'preinstall', - }, +test('can supply pre-install scripts to asset upload', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + assetPublishingCodeBuildDefaults: { + partialBuildSpec: cb.BuildSpec.fromObject({ + version: '0.2', + phases: { + install: { + commands: [ + 'npm config set registry https://registry.com', + ], }, - cache: { - paths: 'node_modules', + }, + }), + }, + }); + pipeline.addStage(new FileAssetApp(app, 'FileAssetApp')); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: ['npm config set registry https://registry.com', 'npm install -g cdk-assets@2'], }, - }), - }); - pipeline.addApplicationStage(new TwoFileAssetsApp(app, 'FileAssetApp')); + }, + })), + }, + }); +}); + +describe('pipeline with VPC', () => { + let vpc: ec2.Vpc; + beforeEach(() => { + vpc = new ec2.Vpc(pipelineStack, 'Vpc'); + }); - THEN_codePipelineExpectation(); + test('asset CodeBuild Project uses VPC subnets', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + codeBuildDefaults: { vpc }, }); + pipeline.addStage(new DockerAssetApp(app, 'DockerAssetApp')); - suite.modern(() => { - // WHEN - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - publishAssetsInParallel: false, - assetPublishingCodeBuildDefaults: { - partialBuildSpec: cb.BuildSpec.fromObject({ - phases: { - pre_install: { - commands: 'preinstall', - }, - }, - cache: { - paths: 'node_modules', - }, - }), - }, - }); - pipeline.addStage(new TwoFileAssetsApp(app, 'FileAssetApp')); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + VpcConfig: Match.objectLike({ + SecurityGroupIds: [ + { 'Fn::GetAtt': ['CdkAssetsDockerAsset1SecurityGroup078F5C66', 'GroupId'] }, + ], + Subnets: [ + { Ref: 'VpcPrivateSubnet1Subnet536B997A' }, + { Ref: 'VpcPrivateSubnet2Subnet3788AAA1' }, + { Ref: 'VpcPrivateSubnet3SubnetF258B56E' }, + ], + VpcId: { Ref: 'Vpc8378EB38' }, + }), + }); + }); - THEN_codePipelineExpectation(); + test('Pipeline-generated CodeBuild Projects have appropriate execution role permissions', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + codeBuildDefaults: { vpc }, + }); + pipeline.addStage(new DockerAssetApp(app, 'DockerAssetApp')); + // Assets Project + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + Roles: [ + { Ref: 'CdkAssetsDockerRole484B6DD3' }, + ], + PolicyDocument: { + Statement: Match.arrayWith([{ + Action: Match.arrayWith(['ec2:DescribeSecurityGroups']), + Effect: 'Allow', + Resource: '*', + }]), + }, }); + }); - function THEN_codePipelineExpectation() { - const buildSpecName = new Capture(stringLike('buildspec-*')); + test('Asset publishing CodeBuild Projects have correct VPC permissions', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + codeBuildDefaults: { vpc }, + }); + pipeline.addStage(new DockerAssetApp(app, 'DockerAssetApp')); + // Assets Project + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ + Match.objectLike({ + Resource: '*', + Action: [ + 'ec2:CreateNetworkInterface', + 'ec2:DescribeNetworkInterfaces', + 'ec2:DeleteNetworkInterface', + 'ec2:DescribeSubnets', + 'ec2:DescribeSecurityGroups', + 'ec2:DescribeDhcpOptions', + 'ec2:DescribeVpcs', + ], + }), + ], + }, + Roles: [{ Ref: 'CdkAssetsDockerRole484B6DD3' }], + }); + Template.fromStack(pipelineStack).hasResource('AWS::CodeBuild::Project', { + Properties: { + ServiceRole: { 'Fn::GetAtt': ['CdkAssetsDockerRole484B6DD3', 'Arn'] }, + }, + DependsOn: [ + 'CdkAssetsDockerAsset1PolicyDocument8DA96A22', + ], + }); + }); +}); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Assets', - Actions: [ - // Only one file asset action - Match.objectLike({ RunOrder: 1, Name: 'FileAsset' }), - ], - }]), - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: buildSpecName, +test('adding environment variable to assets job adds SecretsManager permissions', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Pipeline', { + assetPublishingCodeBuildDefaults: { + buildEnvironment: { + environmentVariables: { + FOOBAR: { + value: 'FoobarSecret', + type: cb.BuildEnvironmentVariableType.SECRETS_MANAGER, + }, }, - }); - const assembly = synthesize(pipelineStack); - const buildSpec = JSON.parse(fs.readFileSync(path.join(assembly.directory, buildSpecName.asString())).toString()); - expect(buildSpec.phases.build.commands).toContain(`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH}:current_account-current_region"`); - expect(buildSpec.phases.build.commands).toContain(`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH2}:current_account-current_region"`); - expect(buildSpec.phases.pre_install.commands).toContain('preinstall'); - expect(buildSpec.cache.paths).toContain('node_modules'); - } + }, + }, + }); + pipeline.addStage(new FileAssetApp(pipelineStack, 'MyApp')); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([ + Match.objectLike({ + Action: 'secretsmanager:GetSecretValue', + Effect: 'Allow', + Resource: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':secretsmanager:us-pipeline:123pipeline:secret:FoobarSecret-??????', + ]], + }, + }), + ]), + }, }); }); -function expectedAssetRolePolicy(assumeRolePattern: string | string[], attachedRole: string) { - if (typeof assumeRolePattern === 'string') { assumeRolePattern = [assumeRolePattern]; } +describe('pipeline with single asset publisher', () => { + test('other pipeline writes to separate assets build spec file', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk-1', { + publishAssetsInParallel: false, + }); + pipeline.addStage(new TwoFileAssetsApp(app, 'FileAssetApp')); - return { - PolicyDocument: { - Statement: [{ - Action: ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'], - Effect: 'Allow', - Resource: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - `:logs:${PIPELINE_ENV.region}:${PIPELINE_ENV.account}:log-group:/aws/codebuild/*`, - ]], - }, - }, - { - Action: ['codebuild:CreateReportGroup', 'codebuild:CreateReport', 'codebuild:UpdateReport', 'codebuild:BatchPutTestCases', 'codebuild:BatchPutCodeCoverages'], - Effect: 'Allow', - Resource: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - `:codebuild:${PIPELINE_ENV.region}:${PIPELINE_ENV.account}:report-group/*`, - ]], - }, - }, - { - Action: ['codebuild:BatchGetBuilds', 'codebuild:StartBuild', 'codebuild:StopBuild'], - Effect: 'Allow', - Resource: '*', - }, - { - Action: 'sts:AssumeRole', - Effect: 'Allow', - Resource: unsingleton(assumeRolePattern.map(arn => { return { 'Fn::Sub': arn }; })), + const pipelineStack2 = new Stack(app, 'PipelineStack2', { env: PIPELINE_ENV }); + const otherPipeline = new ModernTestGitHubNpmPipeline(pipelineStack2, 'Cdk-2', { + publishAssetsInParallel: false, + }); + otherPipeline.addStage(new TwoFileAssetsApp(app, 'OtherFileAssetApp')); + // THEN + const buildSpecName1 = new Capture(stringLike('buildspec-*.yaml')); + const buildSpecName2 = new Capture(stringLike('buildspec-*.yaml')); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Source: { + BuildSpec: buildSpecName1, }, - { - Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], - Effect: 'Allow', - Resource: [ - { 'Fn::GetAtt': ['CdkPipelineArtifactsBucket7B46C7BF', 'Arn'] }, - { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['CdkPipelineArtifactsBucket7B46C7BF', 'Arn'] }, '/*']] }, - ], + }); + Template.fromStack(pipelineStack2).hasResourceProperties('AWS::CodeBuild::Project', { + Source: { + BuildSpec: buildSpecName2, }, - { - Action: ['kms:Decrypt', 'kms:DescribeKey'], - Effect: 'Allow', - Resource: { 'Fn::GetAtt': ['CdkPipelineArtifactsBucketEncryptionKeyDDD3258C', 'Arn'] }, - }], - }, - Roles: [{ Ref: attachedRole }], - }; -} + }); -behavior('necessary secrets manager permissions get added to asset roles', suite => { - // Not possible to configure this for legacy pipelines - suite.doesNotApply.legacy(); + expect(buildSpecName1.asString()).not.toEqual(buildSpecName2.asString()); + }); - suite.modern(() => { + test('necessary secrets manager permissions get added to asset roles', () => { const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Pipeline', { assetPublishingCodeBuildDefaults: { buildEnvironment: { @@ -965,10 +558,6 @@ behavior('necessary secrets manager permissions get added to asset roles', suite }); pipeline.addStage(new FileAssetApp(pipelineStack, 'MyApp')); - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { PolicyDocument: { Statement: Match.arrayWith([{ @@ -990,50 +579,94 @@ behavior('necessary secrets manager permissions get added to asset roles', suite { Ref: 'PipelineAssetsFileRole59943A77' }, ], }); - } -}); + }); + + test('multiple assets are using the same job in singlePublisherMode', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + publishAssetsInParallel: false, + }); + pipeline.addStage(new TwoFileAssetsApp(app, 'FileAssetApp')); + + // THEN + const buildSpecName = new Capture(stringLike('buildspec-*.yaml')); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Assets', + Actions: [ + // Only one file asset action + Match.objectLike({ RunOrder: 1, Name: 'FileAsset' }), + ], + }]), + }); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: buildSpecName, + }, + }); + const assembly = synthesize(pipelineStack); -behavior('adding environment variable to assets job adds SecretsManager permissions', suite => { - // No way to manipulate buildEnvironment in legacy API - suite.doesNotApply.legacy(); + const actualFileName = buildSpecName.asString(); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Pipeline', { + const buildSpec = JSON.parse(fs.readFileSync(path.join(assembly.directory, actualFileName), { encoding: 'utf-8' })); + expect(buildSpec.phases.build.commands).toContain(`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH}:current_account-current_region"`); + expect(buildSpec.phases.build.commands).toContain(`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH2}:current_account-current_region"`); + }); +}); + +describe('pipeline with custom asset publisher BuildSpec', () => { + test('custom buildspec is merged correctly', () => { + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + publishAssetsInParallel: false, assetPublishingCodeBuildDefaults: { - buildEnvironment: { - environmentVariables: { - FOOBAR: { - value: 'FoobarSecret', - type: cb.BuildEnvironmentVariableType.SECRETS_MANAGER, + partialBuildSpec: cb.BuildSpec.fromObject({ + phases: { + pre_install: { + commands: 'preinstall', }, }, - }, + cache: { + paths: 'node_modules', + }, + }), }, }); - pipeline.addStage(new FileAssetApp(pipelineStack, 'MyApp')); + pipeline.addStage(new TwoFileAssetsApp(app, 'FileAssetApp')); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([ - Match.objectLike({ - Action: 'secretsmanager:GetSecretValue', - Effect: 'Allow', - Resource: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':secretsmanager:us-pipeline:123pipeline:secret:FoobarSecret-??????', - ]], - }, - }), - ]), + const buildSpecName = new Capture(stringLike('buildspec-*')); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Assets', + Actions: [ + // Only one file asset action + Match.objectLike({ RunOrder: 1, Name: 'FileAsset' }), + ], + }]), + }); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: buildSpecName, }, }); + + const assembly = synthesize(pipelineStack); + const buildSpec = JSON.parse(fs.readFileSync(path.join(assembly.directory, buildSpecName.asString())).toString()); + expect(buildSpec.phases.build.commands).toContain(`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH}:current_account-current_region"`); + expect(buildSpec.phases.build.commands).toContain(`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH2}:current_account-current_region"`); + expect(buildSpec.phases.pre_install.commands).toContain('preinstall'); + expect(buildSpec.cache.paths).toContain('node_modules'); }); }); function synthesize(stack: Stack) { - const root = stack.node.root; + const root = Stage.of(stack); if (!Stage.isStage(root)) { throw new Error('unexpected: all stacks must be part of a Stage'); } diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/basic-behavior.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/basic-behavior.test.ts index 75d58084dadfb..8ca4d83650a8f 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/basic-behavior.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/basic-behavior.test.ts @@ -4,7 +4,7 @@ import * as path from 'path'; import { Construct } from 'constructs'; import { Capture, Match, Template } from '../../../assertions'; import { Stack, Stage, StageProps, Tags } from '../../../core'; -import { behavior, LegacyTestGitHubNpmPipeline, OneStackApp, BucketStack, PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline, stringLike } from '../testhelpers'; +import { OneStackApp, BucketStack, PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline, stringLike } from '../testhelpers'; let app: TestApp; let pipelineStack: Stack; @@ -18,204 +18,132 @@ afterEach(() => { app.cleanup(); }); -behavior('stack templates in nested assemblies are correctly addressed', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(app, 'App')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - // WHEN - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new OneStackApp(app, 'App')); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'App', - Actions: Match.arrayWith([ - Match.objectLike({ - Name: stringLike('*Prepare'), - InputArtifacts: [Match.objectLike({})], - Configuration: Match.objectLike({ - StackName: 'App-Stack', - TemplatePath: stringLike('*::assembly-App/*.template.json'), - }), +test('stack templates in nested assemblies are correctly addressed', () => { + + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new OneStackApp(app, 'App')); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'App', + Actions: Match.arrayWith([ + Match.objectLike({ + Name: stringLike('*Prepare'), + InputArtifacts: [Match.objectLike({})], + Configuration: Match.objectLike({ + StackName: 'App-Stack', + TemplatePath: stringLike('*::assembly-App/*.template.json'), }), - ]), - }]), - }); - } + }), + ]), + }]), + }); }); -behavior('obvious error is thrown when stage contains no stacks', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - - // WHEN - expect(() => { - pipeline.addApplicationStage(new Stage(app, 'EmptyStage')); - }).toThrow(/should contain at least one Stack/); - }); +test('obvious error is thrown when stage contains no stacks', () => { - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - // WHEN - expect(() => { - pipeline.addStage(new Stage(app, 'EmptyStage')); - }).toThrow(/should contain at least one Stack/); - }); + // WHEN + expect(() => { + pipeline.addStage(new Stage(app, 'EmptyStage')); + }).toThrow(/should contain at least one Stack/); }); -behavior('overridden stack names are respected', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackAppWithCustomName(app, 'App1')); - pipeline.addApplicationStage(new OneStackAppWithCustomName(app, 'App2')); - - THEN_codePipelineExpectation(); - }); +test('overridden stack names are respected', () => { - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new OneStackAppWithCustomName(app, 'App1')); - pipeline.addStage(new OneStackAppWithCustomName(app, 'App2')); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new OneStackAppWithCustomName(app, 'App1')); + pipeline.addStage(new OneStackAppWithCustomName(app, 'App2')); - THEN_codePipelineExpectation(); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([ + { + Name: 'App1', + Actions: Match.arrayWith([Match.objectLike({ + Name: stringLike('*Prepare'), + Configuration: Match.objectLike({ + StackName: 'MyFancyStack', + }), + })]), + }, + { + Name: 'App2', + Actions: Match.arrayWith([Match.objectLike({ + Name: stringLike('*Prepare'), + Configuration: Match.objectLike({ + StackName: 'MyFancyStack', + }), + })]), + }, + ]), }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([ - { - Name: 'App1', - Actions: Match.arrayWith([Match.objectLike({ - Name: stringLike('*Prepare'), - Configuration: Match.objectLike({ - StackName: 'MyFancyStack', - }), - })]), - }, - { - Name: 'App2', - Actions: Match.arrayWith([Match.objectLike({ - Name: stringLike('*Prepare'), - Configuration: Match.objectLike({ - StackName: 'MyFancyStack', - }), - })]), - }, - ]), - }); - } }); -behavior('changing CLI version leads to a different pipeline structure (restarting it)', (suite) => { - suite.legacy(() => { - // GIVEN - const stack2 = new Stack(app, 'Stack2', { env: PIPELINE_ENV }); - const stack3 = new Stack(app, 'Stack3', { env: PIPELINE_ENV }); +test('changing CLI version leads to a different pipeline structure (restarting it)', () => { - // WHEN - new LegacyTestGitHubNpmPipeline(stack2, 'Cdk', { - cdkCliVersion: '1.2.3', - }); - new LegacyTestGitHubNpmPipeline(stack3, 'Cdk', { - cdkCliVersion: '4.5.6', - }); + // GIVEN + const stack2 = new Stack(app, 'Stack2', { env: PIPELINE_ENV }); + const stack3 = new Stack(app, 'Stack3', { env: PIPELINE_ENV }); - THEN_codePipelineExpectation(stack2, stack3); + // WHEN + new ModernTestGitHubNpmPipeline(stack2, 'Cdk', { + cliVersion: '1.2.3', }); - - suite.modern(() => { - // GIVEN - const stack2 = new Stack(app, 'Stack2', { env: PIPELINE_ENV }); - const stack3 = new Stack(app, 'Stack3', { env: PIPELINE_ENV }); - - // WHEN - new ModernTestGitHubNpmPipeline(stack2, 'Cdk', { - cliVersion: '1.2.3', - }); - new ModernTestGitHubNpmPipeline(stack3, 'Cdk', { - cliVersion: '4.5.6', - }); - - THEN_codePipelineExpectation(stack2, stack3); + new ModernTestGitHubNpmPipeline(stack3, 'Cdk', { + cliVersion: '4.5.6', }); - function THEN_codePipelineExpectation(stack2: Stack, stack3: Stack) { - // THEN - const structure2 = new Capture(); - const structure3 = new Capture(); - - Template.fromStack(stack2).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: structure2, - }); - Template.fromStack(stack3).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: structure3, - }); - - expect(JSON.stringify(structure2.asArray())).not.toEqual(JSON.stringify(structure3.asArray())); - } -}); - -behavior('tags get reflected in pipeline', (suite) => { - suite.legacy(() => { - // WHEN - const stage = new OneStackApp(app, 'App'); - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - Tags.of(stage).add('CostCenter', 'F00B4R'); - pipeline.addApplicationStage(stage); + // THEN + const structure2 = new Capture(); + const structure3 = new Capture(); - THEN_codePipelineExpectation(); + Template.fromStack(stack2).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: structure2, }); - - suite.modern(() => { - // WHEN - const stage = new OneStackApp(app, 'App'); - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - Tags.of(stage).add('CostCenter', 'F00B4R'); - pipeline.addStage(stage); - THEN_codePipelineExpectation(); + Template.fromStack(stack3).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: structure3, }); - function THEN_codePipelineExpectation() { - // THEN - const templateConfig = new Capture(); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'App', - Actions: Match.arrayWith([ - Match.objectLike({ - Name: stringLike('*Prepare'), - InputArtifacts: [Match.objectLike({})], - Configuration: Match.objectLike({ - StackName: 'App-Stack', - TemplateConfiguration: templateConfig, - }), + expect(JSON.stringify(structure2.asArray())).not.toEqual(JSON.stringify(structure3.asArray())); +}); + +test('tags get reflected in pipeline', () => { + + // WHEN + const stage = new OneStackApp(app, 'App'); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + Tags.of(stage).add('CostCenter', 'F00B4R'); + pipeline.addStage(stage); + + // THEN + const templateConfig = new Capture(); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'App', + Actions: Match.arrayWith([ + Match.objectLike({ + Name: stringLike('*Prepare'), + InputArtifacts: [Match.objectLike({})], + Configuration: Match.objectLike({ + StackName: 'App-Stack', + TemplateConfiguration: templateConfig, }), - ]), - }]), - }); + }), + ]), + }]), + }); - expect(templateConfig.asString()).toMatch(/::assembly-App\/.*\.template\..*json/); - const [, relConfigFile] = templateConfig.asString().split('::'); - const absConfigFile = path.join(app.outdir, relConfigFile); - const configFile = JSON.parse(fs.readFileSync(absConfigFile, { encoding: 'utf-8' })); - expect(configFile).toEqual(expect.objectContaining({ - Tags: { - CostCenter: 'F00B4R', - }, - })); - } + expect(templateConfig.asString()).toMatch(/::assembly-App\/.*\.template\..*json/); + const [, relConfigFile] = templateConfig.asString().split('::'); + const absConfigFile = path.join(app.outdir, relConfigFile); + const configFile = JSON.parse(fs.readFileSync(absConfigFile, { encoding: 'utf-8' })); + expect(configFile).toEqual(expect.objectContaining({ + Tags: { + CostCenter: 'F00B4R', + }, + })); }); class OneStackAppWithCustomName extends Stage { diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/docker-credentials.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/docker-credentials.test.ts index e0266239dff2d..60f38abc0bd49 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/docker-credentials.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/docker-credentials.test.ts @@ -6,7 +6,7 @@ import { Stack } from '../../../core'; import * as cdkp from '../../lib'; import { CodeBuildStep } from '../../lib'; import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../lib/private/default-codebuild-image'; -import { behavior, PIPELINE_ENV, TestApp, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, DockerAssetApp, stringLike } from '../testhelpers'; +import { PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline, DockerAssetApp, stringLike } from '../testhelpers'; const secretSynthArn = 'arn:aws:secretsmanager:eu-west-1:0123456789012:secret:synth-012345'; const secretUpdateArn = 'arn:aws:secretsmanager:eu-west-1:0123456789012:secret:update-012345'; @@ -30,248 +30,173 @@ afterEach(() => { app.cleanup(); }); -behavior('synth action receives install commands and access to relevant credentials', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyPipelineWithCreds(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new DockerAssetApp(app, 'App1')); +test('synth action receives install commands and access to relevant credentials', () => { - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernPipelineWithCreds(pipelineStack, 'Cdk'); - pipeline.addStage(new DockerAssetApp(app, 'App1')); + const pipeline = new ModernPipelineWithCreds(pipelineStack, 'Cdk'); + pipeline.addStage(new DockerAssetApp(app, 'App1')); - THEN_codePipelineExpectation(); + const expectedCredsConfig = JSON.stringify({ + version: '1.0', + domainCredentials: { 'synth.example.com': { secretsManagerSecretId: secretSynthArn } }, }); - function THEN_codePipelineExpectation() { - const expectedCredsConfig = JSON.stringify({ - version: '1.0', - domainCredentials: { 'synth.example.com': { secretsManagerSecretId: secretSynthArn } }, - }); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - pre_build: { - commands: Match.arrayWith([ - 'mkdir $HOME/.cdk', - `echo '${expectedCredsConfig}' > $HOME/.cdk/cdk-docker-creds.json`, - ]), - }, - // Prove we're looking at the Synth project - build: { - commands: Match.arrayWith([stringLike('*cdk*synth*')]), - }, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + pre_build: { + commands: Match.arrayWith([ + 'mkdir $HOME/.cdk', + `echo '${expectedCredsConfig}' > $HOME/.cdk/cdk-docker-creds.json`, + ]), }, - })), - }, - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([{ - Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'], - Effect: 'Allow', - Resource: secretSynthArn, - }]), - Version: '2012-10-17', - }, - Roles: [{ Ref: stringLike('Cdk*BuildProjectRole*') }], - }); - } + // Prove we're looking at the Synth project + build: { + commands: Match.arrayWith([stringLike('*cdk*synth*')]), + }, + }, + })), + }, + }); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([{ + Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'], + Effect: 'Allow', + Resource: secretSynthArn, + }]), + Version: '2012-10-17', + }, + Roles: [{ Ref: stringLike('Cdk*BuildProjectRole*') }], + }); }); -behavior('synth action receives Windows install commands if a Windows image is detected', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyPipelineWithCreds(pipelineStack, 'Cdk2', { - npmSynthOptions: { - environment: { - buildImage: cb.WindowsBuildImage.WINDOWS_BASE_2_0, - }, +test('synth action receives Windows install commands if a Windows image is detected', () => { + const pipeline = new ModernPipelineWithCreds(pipelineStack, 'Cdk2', { + synth: new CodeBuildStep('Synth', { + commands: ['cdk synth'], + primaryOutputDirectory: 'cdk.out', + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + buildEnvironment: { + buildImage: cb.WindowsBuildImage.WINDOWS_BASE_2_0, + computeType: cb.ComputeType.MEDIUM, }, - }); - pipeline.addApplicationStage(new DockerAssetApp(app, 'App1')); - - THEN_codePipelineExpectation(); + }), }); + pipeline.addStage(new DockerAssetApp(app, 'App1')); - suite.modern(() => { - const pipeline = new ModernPipelineWithCreds(pipelineStack, 'Cdk2', { - synth: new CodeBuildStep('Synth', { - commands: ['cdk synth'], - primaryOutputDirectory: 'cdk.out', - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - buildEnvironment: { - buildImage: cb.WindowsBuildImage.WINDOWS_BASE_2_0, - computeType: cb.ComputeType.MEDIUM, - }, - }), - }); - pipeline.addStage(new DockerAssetApp(app, 'App1')); - - THEN_codePipelineExpectation(); + const expectedCredsConfig = JSON.stringify({ + version: '1.0', + domainCredentials: { 'synth.example.com': { secretsManagerSecretId: secretSynthArn } }, }); - function THEN_codePipelineExpectation() { - const expectedCredsConfig = JSON.stringify({ - version: '1.0', - domainCredentials: { 'synth.example.com': { secretsManagerSecretId: secretSynthArn } }, - }); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { Image: 'aws/codebuild/windows-base:2.0' }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - pre_build: { - commands: Match.arrayWith([ - 'mkdir %USERPROFILE%\\.cdk', - `echo '${expectedCredsConfig}' > %USERPROFILE%\\.cdk\\cdk-docker-creds.json`, - ]), - }, - // Prove we're looking at the Synth project - build: { - commands: Match.arrayWith([stringLike('*cdk*synth*')]), - }, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { Image: 'aws/codebuild/windows-base:2.0' }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + pre_build: { + commands: Match.arrayWith([ + 'mkdir %USERPROFILE%\\.cdk', + `echo '${expectedCredsConfig}' > %USERPROFILE%\\.cdk\\cdk-docker-creds.json`, + ]), }, - })), - }, - }); - } -}); - -behavior('self-update receives install commands and access to relevant credentials', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyPipelineWithCreds(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new DockerAssetApp(app, 'App1')); - - THEN_codePipelineExpectation('install'); + // Prove we're looking at the Synth project + build: { + commands: Match.arrayWith([stringLike('*cdk*synth*')]), + }, + }, + })), + }, }); +}); - suite.modern(() => { - const pipeline = new ModernPipelineWithCreds(pipelineStack, 'Cdk'); - pipeline.addStage(new DockerAssetApp(app, 'App1')); +test('self-update receives install commands and access to relevant credentials', () => { + const pipeline = new ModernPipelineWithCreds(pipelineStack, 'Cdk'); + pipeline.addStage(new DockerAssetApp(app, 'App1')); - THEN_codePipelineExpectation('pre_build'); + const expectedCredsConfig = JSON.stringify({ + version: '1.0', + domainCredentials: { 'selfupdate.example.com': { secretsManagerSecretId: secretUpdateArn } }, }); - function THEN_codePipelineExpectation(expectedPhase: string) { - const expectedCredsConfig = JSON.stringify({ - version: '1.0', - domainCredentials: { 'selfupdate.example.com': { secretsManagerSecretId: secretUpdateArn } }, - }); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - [expectedPhase]: { - commands: Match.arrayWith([ - 'mkdir $HOME/.cdk', - `echo '${expectedCredsConfig}' > $HOME/.cdk/cdk-docker-creds.json`, - ]), - }, - // Prove we're looking at the SelfMutate project - build: { - commands: Match.arrayWith([ - stringLike('cdk * deploy PipelineStack*'), - ]), - }, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + pre_build: { + commands: Match.arrayWith([ + 'mkdir $HOME/.cdk', + `echo '${expectedCredsConfig}' > $HOME/.cdk/cdk-docker-creds.json`, + ]), }, - })), - }, - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([{ - Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'], - Effect: 'Allow', - Resource: secretUpdateArn, - }]), - Version: '2012-10-17', - }, - Roles: [{ Ref: stringLike('*SelfMutat*Role*') }], - }); - } + // Prove we're looking at the SelfMutate project + build: { + commands: Match.arrayWith([ + stringLike('cdk * deploy PipelineStack*'), + ]), + }, + }, + })), + }, + }); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([{ + Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'], + Effect: 'Allow', + Resource: secretUpdateArn, + }]), + Version: '2012-10-17', + }, + Roles: [{ Ref: stringLike('*SelfMutat*Role*') }], + }); }); -behavior('asset publishing receives install commands and access to relevant credentials', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyPipelineWithCreds(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new DockerAssetApp(app, 'App1')); - - THEN_codePipelineExpectation('install'); - }); +test('asset publishing receives install commands and access to relevant credentials', () => { - suite.modern(() => { - const pipeline = new ModernPipelineWithCreds(pipelineStack, 'Cdk'); - pipeline.addStage(new DockerAssetApp(app, 'App1')); + const pipeline = new ModernPipelineWithCreds(pipelineStack, 'Cdk'); + pipeline.addStage(new DockerAssetApp(app, 'App1')); - THEN_codePipelineExpectation('pre_build'); + const expectedCredsConfig = JSON.stringify({ + version: '1.0', + domainCredentials: { 'publish.example.com': { secretsManagerSecretId: secretPublishArn } }, }); - function THEN_codePipelineExpectation(expectedPhase: string) { - const expectedCredsConfig = JSON.stringify({ - version: '1.0', - domainCredentials: { 'publish.example.com': { secretsManagerSecretId: secretPublishArn } }, - }); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - [expectedPhase]: { - commands: Match.arrayWith([ - 'mkdir $HOME/.cdk', - `echo '${expectedCredsConfig}' > $HOME/.cdk/cdk-docker-creds.json`, - ]), - }, - // Prove we're looking at the Publishing project - build: { - commands: Match.arrayWith([stringLike('cdk-assets*')]), - }, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + pre_build: { + commands: Match.arrayWith([ + 'mkdir $HOME/.cdk', + `echo '${expectedCredsConfig}' > $HOME/.cdk/cdk-docker-creds.json`, + ]), }, - })), - }, - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([{ - Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'], - Effect: 'Allow', - Resource: secretPublishArn, - }]), - Version: '2012-10-17', - }, - Roles: [{ Ref: 'CdkAssetsDockerRole484B6DD3' }], - }); - } + // Prove we're looking at the Publishing project + build: { + commands: Match.arrayWith([stringLike('cdk-assets*')]), + }, + }, + })), + }, + }); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([{ + Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'], + Effect: 'Allow', + Resource: secretPublishArn, + }]), + Version: '2012-10-17', + }, + Roles: [{ Ref: 'CdkAssetsDockerRole484B6DD3' }], + }); }); -class LegacyPipelineWithCreds extends LegacyTestGitHubNpmPipeline { - constructor(scope: Construct, id: string, props?: ConstructorParameters[2]) { - super(scope, id, { - dockerCredentials: [ - cdkp.DockerCredential.customRegistry('synth.example.com', secretSynth, { - usages: [cdkp.DockerCredentialUsage.SYNTH], - }), - cdkp.DockerCredential.customRegistry('selfupdate.example.com', secretUpdate, { - usages: [cdkp.DockerCredentialUsage.SELF_UPDATE], - }), - cdkp.DockerCredential.customRegistry('publish.example.com', secretPublish, { - usages: [cdkp.DockerCredentialUsage.ASSET_PUBLISHING], - }), - ], - ...props, - }); - } -} - class ModernPipelineWithCreds extends ModernTestGitHubNpmPipeline { constructor(scope: Construct, id: string, props?: ConstructorParameters[2]) { super(scope, id, { diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/environments.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/environments.test.ts index 777ffb83a0d2c..7af68c900ff43 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/environments.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/environments.test.ts @@ -1,7 +1,7 @@ /* eslint-disable import/no-extraneous-dependencies */ import { Match, Template } from '../../../assertions'; import { Stack } from '../../../core'; -import { behavior, LegacyTestGitHubNpmPipeline, OneStackApp, PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline, stringLike } from '../testhelpers'; +import { OneStackApp, PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline, stringLike } from '../testhelpers'; let app: TestApp; let pipelineStack: Stack; @@ -15,378 +15,387 @@ afterEach(() => { app.cleanup(); }); -behavior('action has right settings for same-env deployment', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(app, 'Same')); - - THEN_codePipelineExpection(agnosticRole); - }); - - suite.additional('legacy: even if env is specified but the same as the pipeline', () => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(app, 'Same', { - env: PIPELINE_ENV, - })); - - THEN_codePipelineExpection(pipelineEnvRole); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new OneStackApp(app, 'Same')); - - THEN_codePipelineExpection(agnosticRole); - }); - - suite.additional('modern: even if env is specified but the same as the pipeline', () => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new OneStackApp(app, 'Same', { - env: PIPELINE_ENV, - })); - - THEN_codePipelineExpection(pipelineEnvRole); - }); - - function THEN_codePipelineExpection(roleArn: (x: string) => any) { - // THEN: pipeline structure is correct - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Same', - Actions: [ - Match.objectLike({ - Name: stringLike('*Prepare'), - RoleArn: roleArn('deploy-role'), - Configuration: Match.objectLike({ - StackName: 'Same-Stack', - RoleArn: roleArn('cfn-exec-role'), - }), - }), - Match.objectLike({ - Name: stringLike('*Deploy'), - RoleArn: roleArn('deploy-role'), - Configuration: Match.objectLike({ - StackName: 'Same-Stack', - }), - }), - ], - }]), - }); - - // THEN: artifact bucket can be read by deploy role - Template.fromStack(pipelineStack).hasResourceProperties('AWS::S3::BucketPolicy', { - PolicyDocument: { - Statement: Match.arrayWith([Match.objectLike({ - Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], - Principal: { - AWS: roleArn('deploy-role'), +test('action has right settings for same-env deployment', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new OneStackApp(app, 'Same')); + + // THEN: pipeline structure is correct + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Same', + Actions: [ + Match.objectLike({ + Name: stringLike('*Prepare'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::', + { Ref: 'AWS::AccountId' }, + ':role/cdk-hnb659fds-deploy-role-', + { Ref: 'AWS::AccountId' }, + '-', + { Ref: 'AWS::Region' }, + ]], }, - })]), - }, - }); - } -}); - -behavior('action has right settings for cross-account deployment', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(app, 'CrossAccount', { env: { account: 'you' } })); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - // WHEN - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - crossAccountKeys: true, - }); - pipeline.addStage(new OneStackApp(app, 'CrossAccount', { env: { account: 'you' } })); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - // THEN: Pipelien structure is correct - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'CrossAccount', - Actions: [ - Match.objectLike({ - Name: stringLike('*Prepare'), + Configuration: Match.objectLike({ + StackName: 'Same-Stack', RoleArn: { 'Fn::Join': ['', [ 'arn:', { Ref: 'AWS::Partition' }, - ':iam::you:role/cdk-hnb659fds-deploy-role-you-', + ':iam::', + { Ref: 'AWS::AccountId' }, + ':role/cdk-hnb659fds-cfn-exec-role-', + { Ref: 'AWS::AccountId' }, + '-', { Ref: 'AWS::Region' }, ]], }, - Configuration: Match.objectLike({ - StackName: 'CrossAccount-Stack', - RoleArn: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::you:role/cdk-hnb659fds-cfn-exec-role-you-', - { Ref: 'AWS::Region' }, - ]], - }, - }), }), - Match.objectLike({ - Name: stringLike('*Deploy'), + }), + Match.objectLike({ + Name: stringLike('*Deploy'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::', + { Ref: 'AWS::AccountId' }, + ':role/cdk-hnb659fds-deploy-role-', + { Ref: 'AWS::AccountId' }, + '-', + { Ref: 'AWS::Region' }, + ]], + }, + Configuration: Match.objectLike({ + StackName: 'Same-Stack', + }), + }), + ], + }]), + }); + + // THEN: artifact bucket can be read by deploy role + Template.fromStack(pipelineStack).hasResourceProperties('AWS::S3::BucketPolicy', { + PolicyDocument: { + Statement: Match.arrayWith([Match.objectLike({ + Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], + Principal: { + AWS: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::', + { Ref: 'AWS::AccountId' }, + ':role/cdk-hnb659fds-deploy-role-', + { Ref: 'AWS::AccountId' }, + '-', + { Ref: 'AWS::Region' }, + ]], + }, + }, + })]), + }, + }); +}); + +test('even if env is specified but the same as the pipeline', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new OneStackApp(app, 'Same', { + env: PIPELINE_ENV, + })); + + // THEN: pipeline structure is correct + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Same', + Actions: [ + Match.objectLike({ + Name: stringLike('*Prepare'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + `:iam::${PIPELINE_ENV.account}:role/cdk-hnb659fds-deploy-role-${PIPELINE_ENV.account}-${PIPELINE_ENV.region}`, + ]], + }, + Configuration: Match.objectLike({ + StackName: 'Same-Stack', RoleArn: { 'Fn::Join': ['', [ 'arn:', { Ref: 'AWS::Partition' }, - ':iam::you:role/cdk-hnb659fds-deploy-role-you-', - { Ref: 'AWS::Region' }, + `:iam::${PIPELINE_ENV.account}:role/cdk-hnb659fds-cfn-exec-role-${PIPELINE_ENV.account}-${PIPELINE_ENV.region}`, ]], }, - Configuration: Match.objectLike({ - StackName: 'CrossAccount-Stack', - }), }), - ], - }]), - }); + }), + Match.objectLike({ + Name: stringLike('*Deploy'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + `:iam::${PIPELINE_ENV.account}:role/cdk-hnb659fds-deploy-role-${PIPELINE_ENV.account}-${PIPELINE_ENV.region}`, + ]], + }, + Configuration: Match.objectLike({ + StackName: 'Same-Stack', + }), + }), + ], + }]), + }); + + // THEN: artifact bucket can be read by deploy role + Template.fromStack(pipelineStack).hasResourceProperties('AWS::S3::BucketPolicy', { + PolicyDocument: { + Statement: Match.arrayWith([Match.objectLike({ + Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], + Principal: { + AWS: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + `:iam::${PIPELINE_ENV.account}:role/cdk-hnb659fds-deploy-role-${PIPELINE_ENV.account}-${PIPELINE_ENV.region}`, + ]], + }, + }, + })]), + }, + }); +}); - // THEN: Artifact bucket can be read by deploy role - Template.fromStack(pipelineStack).hasResourceProperties('AWS::S3::BucketPolicy', { - PolicyDocument: { - Statement: Match.arrayWith([Match.objectLike({ - Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], - Principal: { - AWS: { +test('action has right settings for cross-account deployment', () => { + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + crossAccountKeys: true, + }); + pipeline.addStage(new OneStackApp(app, 'CrossAccount', { env: { account: 'you' } })); + + // THEN: Pipelien structure is correct + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'CrossAccount', + Actions: [ + Match.objectLike({ + Name: stringLike('*Prepare'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::you:role/cdk-hnb659fds-deploy-role-you-', + { Ref: 'AWS::Region' }, + ]], + }, + Configuration: Match.objectLike({ + StackName: 'CrossAccount-Stack', + RoleArn: { 'Fn::Join': ['', [ 'arn:', { Ref: 'AWS::Partition' }, - stringLike('*-deploy-role-*'), + ':iam::you:role/cdk-hnb659fds-cfn-exec-role-you-', { Ref: 'AWS::Region' }, ]], }, + }), + }), + Match.objectLike({ + Name: stringLike('*Deploy'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::you:role/cdk-hnb659fds-deploy-role-you-', + { Ref: 'AWS::Region' }, + ]], }, - })]), - }, - }); - } -}); - -behavior('action has right settings for cross-region deployment', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(app, 'CrossRegion', { env: { region: 'elsewhere' } })); + Configuration: Match.objectLike({ + StackName: 'CrossAccount-Stack', + }), + }), + ], + }]), + }); - THEN_codePipelineExpectation(); + // THEN: Artifact bucket can be read by deploy role + Template.fromStack(pipelineStack).hasResourceProperties('AWS::S3::BucketPolicy', { + PolicyDocument: { + Statement: Match.arrayWith([Match.objectLike({ + Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], + Principal: { + AWS: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + stringLike('*-deploy-role-*'), + { Ref: 'AWS::Region' }, + ]], + }, + }, + })]), + }, }); +}); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - crossAccountKeys: true, - }); - pipeline.addStage(new OneStackApp(app, 'CrossRegion', { env: { region: 'elsewhere' } })); +test('action has right settings for cross-region deployment', () => { - THEN_codePipelineExpectation(); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + crossAccountKeys: true, }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'CrossRegion', - Actions: [ - Match.objectLike({ - Name: stringLike('*Prepare'), + pipeline.addStage(new OneStackApp(app, 'CrossRegion', { env: { region: 'elsewhere' } })); + + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'CrossRegion', + Actions: [ + Match.objectLike({ + Name: stringLike('*Prepare'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::', + { Ref: 'AWS::AccountId' }, + ':role/cdk-hnb659fds-deploy-role-', + { Ref: 'AWS::AccountId' }, + '-elsewhere', + ]], + }, + Region: 'elsewhere', + Configuration: Match.objectLike({ + StackName: 'CrossRegion-Stack', RoleArn: { 'Fn::Join': ['', [ 'arn:', { Ref: 'AWS::Partition' }, ':iam::', { Ref: 'AWS::AccountId' }, - ':role/cdk-hnb659fds-deploy-role-', + ':role/cdk-hnb659fds-cfn-exec-role-', { Ref: 'AWS::AccountId' }, '-elsewhere', ]], }, - Region: 'elsewhere', - Configuration: Match.objectLike({ - StackName: 'CrossRegion-Stack', - RoleArn: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::', - { Ref: 'AWS::AccountId' }, - ':role/cdk-hnb659fds-cfn-exec-role-', - { Ref: 'AWS::AccountId' }, - '-elsewhere', - ]], - }, - }), }), - Match.objectLike({ - Name: stringLike('*Deploy'), - RoleArn: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::', - { Ref: 'AWS::AccountId' }, - ':role/cdk-hnb659fds-deploy-role-', - { Ref: 'AWS::AccountId' }, - '-elsewhere', - ]], - }, - Region: 'elsewhere', - Configuration: Match.objectLike({ - StackName: 'CrossRegion-Stack', - }), + }), + Match.objectLike({ + Name: stringLike('*Deploy'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::', + { Ref: 'AWS::AccountId' }, + ':role/cdk-hnb659fds-deploy-role-', + { Ref: 'AWS::AccountId' }, + '-elsewhere', + ]], + }, + Region: 'elsewhere', + Configuration: Match.objectLike({ + StackName: 'CrossRegion-Stack', }), - ], - }]), - }); - } -}); - -behavior('action has right settings for cross-account/cross-region deployment', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(app, 'CrossBoth', { - env: { - account: 'you', - region: 'elsewhere', - }, - })); - - THEN_codePipelineExpectations(); + }), + ], + }]), }); +}); - suite.modern(() => { - // WHEN - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - crossAccountKeys: true, - }); - pipeline.addStage(new OneStackApp(app, 'CrossBoth', { - env: { - account: 'you', - region: 'elsewhere', - }, - })); - - THEN_codePipelineExpectations(); +test('action has right settings for cross-account/cross-region deployment', () => { + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + crossAccountKeys: true, }); - - function THEN_codePipelineExpectations() { - // THEN: pipeline structure must be correct - const stack = app.stackArtifact(pipelineStack); - expect(stack).toBeDefined(); - Template.fromStack(stack!).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'CrossBoth', - Actions: [ - Match.objectLike({ - Name: stringLike('*Prepare'), + pipeline.addStage(new OneStackApp(app, 'CrossBoth', { + env: { + account: 'you', + region: 'elsewhere', + }, + })); + + // THEN: pipeline structure must be correct + const stack = app.stackArtifact(pipelineStack); + expect(stack).toBeDefined(); + Template.fromStack(stack!).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'CrossBoth', + Actions: [ + Match.objectLike({ + Name: stringLike('*Prepare'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::you:role/cdk-hnb659fds-deploy-role-you-elsewhere', + ]], + }, + Region: 'elsewhere', + Configuration: Match.objectLike({ + StackName: 'CrossBoth-Stack', RoleArn: { 'Fn::Join': ['', [ 'arn:', { Ref: 'AWS::Partition' }, - ':iam::you:role/cdk-hnb659fds-deploy-role-you-elsewhere', + ':iam::you:role/cdk-hnb659fds-cfn-exec-role-you-elsewhere', ]], }, - Region: 'elsewhere', - Configuration: Match.objectLike({ - StackName: 'CrossBoth-Stack', - RoleArn: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::you:role/cdk-hnb659fds-cfn-exec-role-you-elsewhere', - ]], - }, - }), }), - Match.objectLike({ - Name: stringLike('*Deploy'), - RoleArn: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::you:role/cdk-hnb659fds-deploy-role-you-elsewhere', - ]], - }, - Region: 'elsewhere', - Configuration: Match.objectLike({ - StackName: 'CrossBoth-Stack', - }), + }), + Match.objectLike({ + Name: stringLike('*Deploy'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::you:role/cdk-hnb659fds-deploy-role-you-elsewhere', + ]], + }, + Region: 'elsewhere', + Configuration: Match.objectLike({ + StackName: 'CrossBoth-Stack', }), - ], - }]), - }); + }), + ], + }]), + }); - // THEN: artifact bucket can be read by deploy role - const supportStack = app.stackArtifact('PipelineStack-support-elsewhere'); - expect(supportStack).toBeDefined(); - Template.fromStack(supportStack!).hasResourceProperties('AWS::S3::BucketPolicy', { - PolicyDocument: { - Statement: Match.arrayWith([Match.objectLike({ - Action: Match.arrayWith(['s3:GetObject*', 's3:GetBucket*', 's3:List*']), - Principal: { - AWS: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - stringLike('*-deploy-role-*'), - ]], - }, + // THEN: artifact bucket can be read by deploy role + const supportStack = app.stackArtifact('PipelineStack-support-elsewhere'); + expect(supportStack).toBeDefined(); + Template.fromStack(supportStack!).hasResourceProperties('AWS::S3::BucketPolicy', { + PolicyDocument: { + Statement: Match.arrayWith([Match.objectLike({ + Action: Match.arrayWith(['s3:GetObject*', 's3:GetBucket*', 's3:List*']), + Principal: { + AWS: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + stringLike('*-deploy-role-*'), + ]], }, - })]), - }, - }); + }, + })]), + }, + }); - // And the key to go along with it - Template.fromStack(supportStack!).hasResourceProperties('AWS::KMS::Key', { - KeyPolicy: { - Statement: Match.arrayWith([Match.objectLike({ - Action: Match.arrayWith(['kms:Decrypt', 'kms:DescribeKey']), - Principal: { - AWS: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - stringLike('*-deploy-role-*'), - ]], - }, + // And the key to go along with it + Template.fromStack(supportStack!).hasResourceProperties('AWS::KMS::Key', { + KeyPolicy: { + Statement: Match.arrayWith([Match.objectLike({ + Action: Match.arrayWith(['kms:Decrypt', 'kms:DescribeKey']), + Principal: { + AWS: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + stringLike('*-deploy-role-*'), + ]], }, - })]), - }, - }); - } -}); - -function agnosticRole(roleName: string) { - return { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::', - { Ref: 'AWS::AccountId' }, - `:role/cdk-hnb659fds-${roleName}-`, - { Ref: 'AWS::AccountId' }, - '-', - { Ref: 'AWS::Region' }, - ]], - }; -} - -function pipelineEnvRole(roleName: string) { - return { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - `:iam::${PIPELINE_ENV.account}:role/cdk-hnb659fds-${roleName}-${PIPELINE_ENV.account}-${PIPELINE_ENV.region}`, - ]], - }; -} \ No newline at end of file + }, + })]), + }, + }); +}); \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/escape-hatching.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/escape-hatching.test.ts index a6bf349aee638..8130e6d23cf95 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/escape-hatching.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/escape-hatching.test.ts @@ -1,23 +1,19 @@ -import { describeDeprecated } from '@aws-cdk/cdk-build-tools'; import { Match, Template } from '../../../assertions'; import * as cp from '../../../aws-codepipeline'; import * as cpa from '../../../aws-codepipeline-actions'; import { SecretValue, Stack } from '../../../core'; import * as cdkp from '../../lib'; -import { CodePipelineFileSet } from '../../lib'; -import { behavior, FileAssetApp, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, PIPELINE_ENV, TestApp, TestGitHubAction } from '../testhelpers'; +import { ModernTestGitHubNpmPipeline, PIPELINE_ENV, TestApp } from '../testhelpers'; let app: TestApp; let pipelineStack: Stack; let sourceArtifact: cp.Artifact; -let cloudAssemblyArtifact: cp.Artifact; let codePipeline: cp.Pipeline; beforeEach(() => { app = new TestApp(); pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); sourceArtifact = new cp.Artifact(); - cloudAssemblyArtifact = new cp.Artifact(); }); afterEach(() => { @@ -29,247 +25,90 @@ describe('with empty existing CodePipeline', () => { codePipeline = new cp.Pipeline(pipelineStack, 'CodePipeline'); }); - behavior('both actions are required', (suite) => { - suite.legacy(() => { - // WHEN - expect(() => { - new cdkp.CdkPipeline(pipelineStack, 'Cdk', { cloudAssemblyArtifact, codePipeline }); - }).toThrow(/You must pass a 'sourceAction'/); - }); - - // 'synth' is not optional so this doesn't apply - suite.doesNotApply.modern(); - }); + test('can give both actions', () => { - behavior('can give both actions', (suite) => { - suite.legacy(() => { - // WHEN - new cdkp.CdkPipeline(pipelineStack, 'Cdk', { - cloudAssemblyArtifact, - codePipeline, - sourceAction: new TestGitHubAction(sourceArtifact), - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ sourceArtifact, cloudAssemblyArtifact }), - }); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - // WHEN - new cdkp.CodePipeline(pipelineStack, 'Cdk', { - codePipeline, - synth: new cdkp.ShellStep('Synth', { - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - commands: ['true'], - }), - }); - - THEN_codePipelineExpectation(); + // WHEN + new cdkp.CodePipeline(pipelineStack, 'Cdk', { + codePipeline, + synth: new cdkp.ShellStep('Synth', { + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + commands: ['true'], + }), }); - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ - Match.objectLike({ Name: 'Source' }), - Match.objectLike({ Name: 'Build' }), - Match.objectLike({ Name: 'UpdatePipeline' }), - ], - }); - } - }); -}); - -describe('with custom Source stage in existing Pipeline', () => { - beforeEach(() => { - codePipeline = new cp.Pipeline(pipelineStack, 'CodePipeline', { - stages: [ - { - stageName: 'CustomSource', - actions: [new TestGitHubAction(sourceArtifact)], - }, + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: [ + Match.objectLike({ Name: 'Source' }), + Match.objectLike({ Name: 'Build' }), + Match.objectLike({ Name: 'UpdatePipeline' }), ], }); - }); - - behavior('Work with synthAction', (suite) => { - suite.legacy(() => { - // WHEN - new cdkp.CdkPipeline(pipelineStack, 'Cdk', { - codePipeline, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ sourceArtifact, cloudAssemblyArtifact }), - }); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - new cdkp.CodePipeline(pipelineStack, 'Cdk', { - codePipeline, - synth: new cdkp.ShellStep('Synth', { - input: cdkp.CodePipelineFileSet.fromArtifact(sourceArtifact), - commands: ['true'], - }), - }); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ - Match.objectLike({ Name: 'CustomSource' }), - Match.objectLike({ Name: 'Build' }), - Match.objectLike({ Name: 'UpdatePipeline' }), - ], - }); - } - }); + }, + ); }); -describeDeprecated('with Source and Build stages in existing Pipeline', () => { +describe('with custom Source stage in existing Pipeline', () => { beforeEach(() => { codePipeline = new cp.Pipeline(pipelineStack, 'CodePipeline', { stages: [ { stageName: 'CustomSource', - actions: [new TestGitHubAction(sourceArtifact)], - }, - { - stageName: 'CustomBuild', - actions: [cdkp.SimpleSynthAction.standardNpmSynth({ sourceArtifact, cloudAssemblyArtifact })], + actions: [new cpa.GitHubSourceAction({ + actionName: 'GitHub', + output: sourceArtifact, + oauthToken: SecretValue.unsafePlainText('$3kr1t'), + owner: 'test', + repo: 'test', + trigger: cpa.GitHubTrigger.POLL, + })], }, ], }); }); - behavior('can supply no actions', (suite) => { - suite.legacy(() => { - // WHEN - new cdkp.CdkPipeline(pipelineStack, 'Cdk', { - codePipeline, - cloudAssemblyArtifact, - }); + test('Work with synthAction', () => { - THEN_codePipelineExpectation(); + new cdkp.CodePipeline(pipelineStack, 'Cdk', { + codePipeline, + synth: new cdkp.ShellStep('Synth', { + input: cdkp.CodePipelineFileSet.fromArtifact(sourceArtifact), + commands: ['true'], + }), }); - suite.modern(() => { - new cdkp.CodePipeline(pipelineStack, 'Cdk', { - codePipeline, - synth: cdkp.CodePipelineFileSet.fromArtifact(cloudAssemblyArtifact), - }); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ - Match.objectLike({ Name: 'CustomSource' }), - Match.objectLike({ Name: 'CustomBuild' }), - Match.objectLike({ Name: 'UpdatePipeline' }), - ], - }); - } - }); -}); - -behavior('can add another action to an existing stage', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.stage('Source').addAction(new cpa.GitHubSourceAction({ - actionName: 'GitHub2', - oauthToken: SecretValue.unsafePlainText('oops'), - output: new cp.Artifact(), - owner: 'OWNER', - repo: 'REPO', - })); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.buildPipeline(); - - pipeline.pipeline.stages[0].addAction(new cpa.GitHubSourceAction({ - actionName: 'GitHub2', - oauthToken: SecretValue.unsafePlainText('oops'), - output: new cp.Artifact(), - owner: 'OWNER', - repo: 'REPO', - })); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { + // THEN Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Source', - Actions: [ - Match.objectLike({ ActionTypeId: Match.objectLike({ Provider: 'GitHub' }) }), - Match.objectLike({ ActionTypeId: Match.objectLike({ Provider: 'GitHub' }), Name: 'GitHub2' }), - ], - }]), + Stages: [ + Match.objectLike({ Name: 'CustomSource' }), + Match.objectLike({ Name: 'Build' }), + Match.objectLike({ Name: 'UpdatePipeline' }), + ], }); - } + }, + ); }); -behavior('assets stage inserted after existing pipeline actions', (suite) => { - let existingCodePipeline: cp.Pipeline; - beforeEach(() => { - existingCodePipeline = new cp.Pipeline(pipelineStack, 'CodePipeline', { - stages: [ - { - stageName: 'CustomSource', - actions: [new TestGitHubAction(sourceArtifact)], - }, - { - stageName: 'CustomBuild', - actions: [cdkp.SimpleSynthAction.standardNpmSynth({ sourceArtifact, cloudAssemblyArtifact })], - }, +test('can add another action to an existing stage', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.buildPipeline(); + + pipeline.pipeline.stages[0].addAction(new cpa.GitHubSourceAction({ + actionName: 'GitHub2', + oauthToken: SecretValue.unsafePlainText('oops'), + output: new cp.Artifact(), + owner: 'OWNER', + repo: 'REPO', + })); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Source', + Actions: [ + Match.objectLike({ ActionTypeId: Match.objectLike({ Provider: 'GitHub' }) }), + Match.objectLike({ ActionTypeId: Match.objectLike({ Provider: 'GitHub' }), Name: 'GitHub2' }), ], - }); - }); - - suite.legacy(() => { - const pipeline = new cdkp.CdkPipeline(pipelineStack, 'CdkEmptyPipeline', { - cloudAssemblyArtifact: cloudAssemblyArtifact, - selfMutating: false, - codePipeline: existingCodePipeline, - // No source/build actions - }); - pipeline.addApplicationStage(new FileAssetApp(app, 'App')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new cdkp.CodePipeline(pipelineStack, 'CdkEmptyPipeline', { - codePipeline: existingCodePipeline, - selfMutation: false, - synth: CodePipelineFileSet.fromArtifact(cloudAssemblyArtifact), - // No source/build actions - }); - pipeline.addStage(new FileAssetApp(app, 'App')); - - THEN_codePipelineExpectation(); + }]), }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ - Match.objectLike({ Name: 'CustomSource' }), - Match.objectLike({ Name: 'CustomBuild' }), - Match.objectLike({ Name: 'Assets' }), - Match.objectLike({ Name: 'App' }), - ], - }); - } }); + diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/security-check.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/security-check.test.ts index 88138cb2b840f..a6d75ea6cdbd4 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/security-check.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/security-check.test.ts @@ -3,8 +3,7 @@ import { Topic } from '../../../aws-sns'; import { Stack } from '../../../core'; import * as cdkp from '../../lib'; import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../lib/private/default-codebuild-image'; -import { LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, OneStackApp, PIPELINE_ENV, TestApp, stringLike } from '../testhelpers'; -import { behavior } from '../testhelpers/compliance'; +import { ModernTestGitHubNpmPipeline, OneStackApp, PIPELINE_ENV, TestApp, stringLike } from '../testhelpers'; let app: TestApp; let pipelineStack: Stack; @@ -18,417 +17,205 @@ afterEach(() => { app.cleanup(); }); -behavior('security check option generates lambda/codebuild at pipeline scope', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(app, 'App'), { confirmBroadeningPermissions: true }); +test('security check option generates lambda/codebuild at pipeline scope', () => { - THEN_codePipelineExpectation(); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + const stage = new OneStackApp(app, 'App'); + pipeline.addStage(stage, { + pre: [ + new cdkp.ConfirmPermissionsBroadening('Check', { + stage, + }), + ], }); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const stage = new OneStackApp(app, 'App'); - pipeline.addStage(stage, { - pre: [ - new cdkp.ConfirmPermissionsBroadening('Check', { - stage, - }), + const template = Template.fromStack(pipelineStack); + template.resourceCountIs('AWS::Lambda::Function', 1); + template.hasResourceProperties('AWS::Lambda::Function', { + Role: { + 'Fn::GetAtt': [ + stringLike('CdkPipeline*SecurityCheckCDKPipelinesAutoApproveServiceRole*'), + 'Arn', ], - }); - - THEN_codePipelineExpectation(); + }, }); - - function THEN_codePipelineExpectation() { - const template = Template.fromStack(pipelineStack); - template.resourceCountIs('AWS::Lambda::Function', 1); - template.hasResourceProperties('AWS::Lambda::Function', { - Role: { - 'Fn::GetAtt': [ - stringLike('CdkPipeline*SecurityCheckCDKPipelinesAutoApproveServiceRole*'), - 'Arn', - ], + // 1 for github build, 1 for synth stage, and 1 for the application security check + template.resourceCountIs('AWS::CodeBuild::Project', 3); + + // No CodeBuild project has a build image that is not the standard iamge + const projects = template.findResources('AWS::CodeBuild::Project', { + Properties: { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, }, - }); - // 1 for github build, 1 for synth stage, and 1 for the application security check - template.resourceCountIs('AWS::CodeBuild::Project', 3); - - // No CodeBuild project has a build image that is not the standard iamge - const projects = template.findResources('AWS::CodeBuild::Project', { - Properties: { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - }, - }); - expect(Object.keys(projects).length).toEqual(3); - } -}); - -behavior('security check option passes correct environment variables to check project', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(pipelineStack, 'App'), { confirmBroadeningPermissions: true }); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const stage = new OneStackApp(pipelineStack, 'App'); - pipeline.addStage(stage, { - pre: [ - new cdkp.ConfirmPermissionsBroadening('Check', { - stage, - }), - ], - }); - - THEN_codePipelineExpectation(); + }, }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([ - { - Name: 'App', - Actions: Match.arrayWith([ - Match.objectLike({ - Name: stringLike('*Check'), - Configuration: Match.objectLike({ - EnvironmentVariables: Match.serializedJson([ - { name: 'STAGE_PATH', type: 'PLAINTEXT', value: 'PipelineSecurityStack/App' }, - { name: 'STAGE_NAME', type: 'PLAINTEXT', value: 'App' }, - { name: 'ACTION_NAME', type: 'PLAINTEXT', value: Match.anyValue() }, - ]), - }), - }), - ]), - }, - ]), - }); - } + expect(Object.keys(projects).length).toEqual(3); }); -behavior('pipeline created with auto approve tags and lambda/codebuild w/ valid permissions', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(app, 'App'), { confirmBroadeningPermissions: true }); +test('security check option passes correct environment variables to check project', () => { - THEN_codePipelineExpectation(); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + const stage = new OneStackApp(pipelineStack, 'App'); + pipeline.addStage(stage, { + pre: [ + new cdkp.ConfirmPermissionsBroadening('Check', { + stage, + }), + ], }); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const stage = new OneStackApp(app, 'App'); - pipeline.addStage(stage, { - pre: [ - new cdkp.ConfirmPermissionsBroadening('Check', { - stage, - }), - ], - }); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - // CodePipeline must be tagged as SECURITY_CHECK=ALLOW_APPROVE - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Tags: [ - { - Key: 'SECURITY_CHECK', - Value: 'ALLOW_APPROVE', - }, - ], - }); - // Lambda Function only has access to pipelines tagged SECURITY_CHECK=ALLOW_APPROVE - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: [ - { - Action: ['codepipeline:GetPipelineState', 'codepipeline:PutApprovalResult'], - Condition: { - StringEquals: { 'aws:ResourceTag/SECURITY_CHECK': 'ALLOW_APPROVE' }, - }, - Effect: 'Allow', - Resource: '*', - }, - ], - }, - }); - // CodeBuild must have access to the stacks and invoking the lambda function - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([ - { - Action: 'sts:AssumeRole', - Condition: { - 'ForAnyValue:StringEquals': { - 'iam:ResourceTag/aws-cdk:bootstrap-role': [ - 'deploy', - ], - }, - }, - Effect: 'Allow', - Resource: '*', - }, - { - Action: 'lambda:InvokeFunction', - Effect: 'Allow', - Resource: [ - { - 'Fn::GetAtt': [ - stringLike('*AutoApprove*'), - 'Arn', - ], - }, - { - 'Fn::Join': [ - '', - [ - { - 'Fn::GetAtt': [ - stringLike('*AutoApprove*'), - 'Arn', - ], - }, - ':*', - ], - ], - }, - ], - }, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([ + { + Name: 'App', + Actions: Match.arrayWith([ + Match.objectLike({ + Name: stringLike('*Check'), + Configuration: Match.objectLike({ + EnvironmentVariables: Match.serializedJson([ + { name: 'STAGE_PATH', type: 'PLAINTEXT', value: 'PipelineSecurityStack/App' }, + { name: 'STAGE_NAME', type: 'PLAINTEXT', value: 'App' }, + { name: 'ACTION_NAME', type: 'PLAINTEXT', value: Match.anyValue() }, + ]), + }), + }), ]), }, - }); - } + ]), + }); }); -behavior('confirmBroadeningPermissions option at addApplicationStage runs security check on all apps unless overriden', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const securityStage = pipeline.addApplicationStage(new OneStackApp(app, 'StageSecurityCheckStack'), { confirmBroadeningPermissions: true }); - securityStage.addApplication(new OneStackApp(app, 'AnotherStack')); - securityStage.addApplication(new OneStackApp(app, 'SkipCheckStack'), { confirmBroadeningPermissions: false }); +test('pipeline created with auto approve tags and lambda/codebuild w/ valid permissions', () => { - THEN_codePipelineExpectation(); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + const stage = new OneStackApp(app, 'App'); + pipeline.addStage(stage, { + pre: [ + new cdkp.ConfirmPermissionsBroadening('Check', { + stage, + }), + ], }); - // For the modern API, there is no inheritance - suite.doesNotApply.modern(); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ - { - Actions: [Match.objectLike({ Name: 'GitHub', RunOrder: 1 })], - Name: 'Source', - }, - { - Actions: [Match.objectLike({ Name: 'Synth', RunOrder: 1 })], - Name: 'Build', - }, - { - Actions: [Match.objectLike({ Name: 'SelfMutate', RunOrder: 1 })], - Name: 'UpdatePipeline', - }, + // CodePipeline must be tagged as SECURITY_CHECK=ALLOW_APPROVE + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Tags: [ + { + Key: 'SECURITY_CHECK', + Value: 'ALLOW_APPROVE', + }, + ], + }); + // Lambda Function only has access to pipelines tagged SECURITY_CHECK=ALLOW_APPROVE + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ { - Actions: [ - Match.objectLike({ Name: 'StageSecurityCheckStackSecurityCheck', RunOrder: 1 }), - Match.objectLike({ Name: 'StageSecurityCheckStackManualApproval', RunOrder: 2 }), - Match.objectLike({ Name: 'AnotherStackSecurityCheck', RunOrder: 5 }), - Match.objectLike({ Name: 'AnotherStackManualApproval', RunOrder: 6 }), - Match.objectLike({ Name: 'Stack.Prepare', RunOrder: 3 }), - Match.objectLike({ Name: 'Stack.Deploy', RunOrder: 4 }), - Match.objectLike({ Name: 'AnotherStack-Stack.Prepare', RunOrder: 7 }), - Match.objectLike({ Name: 'AnotherStack-Stack.Deploy', RunOrder: 8 }), - Match.objectLike({ Name: 'SkipCheckStack-Stack.Prepare', RunOrder: 9 }), - Match.objectLike({ Name: 'SkipCheckStack-Stack.Deploy', RunOrder: 10 }), - ], - Name: 'StageSecurityCheckStack', + Action: ['codepipeline:GetPipelineState', 'codepipeline:PutApprovalResult'], + Condition: { + StringEquals: { 'aws:ResourceTag/SECURITY_CHECK': 'ALLOW_APPROVE' }, + }, + Effect: 'Allow', + Resource: '*', }, ], - }); - } -}); - -behavior('confirmBroadeningPermissions option at addApplication runs security check only on selected application', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const noSecurityStage = pipeline.addApplicationStage(new OneStackApp(app, 'NoSecurityCheckStack')); - noSecurityStage.addApplication(new OneStackApp(app, 'EnableCheckStack'), { confirmBroadeningPermissions: true }); - - THEN_codePipelineExpectation(); + }, }); - - // For the modern API, there is no inheritance - suite.doesNotApply.modern(); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ - { - Actions: [Match.objectLike({ Name: 'GitHub', RunOrder: 1 })], - Name: 'Source', - }, + // CodeBuild must have access to the stacks and invoking the lambda function + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([ { - Actions: [Match.objectLike({ Name: 'Synth', RunOrder: 1 })], - Name: 'Build', - }, - { - Actions: [Match.objectLike({ Name: 'SelfMutate', RunOrder: 1 })], - Name: 'UpdatePipeline', + Action: 'sts:AssumeRole', + Condition: { + 'ForAnyValue:StringEquals': { + 'iam:ResourceTag/aws-cdk:bootstrap-role': [ + 'deploy', + ], + }, + }, + Effect: 'Allow', + Resource: '*', }, { - Actions: [ - Match.objectLike({ Name: 'EnableCheckStackSecurityCheck', RunOrder: 3 }), - Match.objectLike({ Name: 'EnableCheckStackManualApproval', RunOrder: 4 }), - Match.objectLike({ Name: 'Stack.Prepare', RunOrder: 1 }), - Match.objectLike({ Name: 'Stack.Deploy', RunOrder: 2 }), - Match.objectLike({ Name: 'EnableCheckStack-Stack.Prepare', RunOrder: 5 }), - Match.objectLike({ Name: 'EnableCheckStack-Stack.Deploy', RunOrder: 6 }), + Action: 'lambda:InvokeFunction', + Effect: 'Allow', + Resource: [ + { + 'Fn::GetAtt': [ + stringLike('*AutoApprove*'), + 'Arn', + ], + }, + { + 'Fn::Join': [ + '', + [ + { + 'Fn::GetAtt': [ + stringLike('*AutoApprove*'), + 'Arn', + ], + }, + ':*', + ], + ], + }, ], - Name: 'NoSecurityCheckStack', }, - ], - }); - } -}); - -behavior('confirmBroadeningPermissions and notification topic options generates the right resources', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const topic = new Topic(pipelineStack, 'NotificationTopic'); - pipeline.addApplicationStage(new OneStackApp(app, 'MyStack'), { - confirmBroadeningPermissions: true, - securityNotificationTopic: topic, - }); - - THEN_codePipelineExpectation(); + ]), + }, }); +}); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const topic = new Topic(pipelineStack, 'NotificationTopic'); - const stage = new OneStackApp(app, 'MyStack'); - pipeline.addStage(stage, { - pre: [ - new cdkp.ConfirmPermissionsBroadening('Approve', { - stage, - notificationTopic: topic, - }), - ], - }); - - THEN_codePipelineExpectation(); +test('confirmBroadeningPermissions and notification topic options generates the right resources', () => { + + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + const topic = new Topic(pipelineStack, 'NotificationTopic'); + const stage = new OneStackApp(app, 'MyStack'); + pipeline.addStage(stage, { + pre: [ + new cdkp.ConfirmPermissionsBroadening('Approve', { + stage, + notificationTopic: topic, + }), + ], }); - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).resourceCountIs('AWS::SNS::Topic', 1); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([ - { - Name: 'MyStack', - Actions: [ - Match.objectLike({ - Configuration: { - ProjectName: { Ref: stringLike('*SecurityCheck*') }, - EnvironmentVariables: { - 'Fn::Join': ['', [ - stringLike('*'), - { Ref: 'NotificationTopicEB7A0DF1' }, - stringLike('*'), - ]], - }, - }, - Name: stringLike('*Check'), - Namespace: stringLike('*'), - RunOrder: 1, - }), - Match.objectLike({ - Configuration: { - CustomData: stringLike('#{*.MESSAGE}'), - ExternalEntityLink: stringLike('#{*.LINK}'), + Template.fromStack(pipelineStack).resourceCountIs('AWS::SNS::Topic', 1); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([ + { + Name: 'MyStack', + Actions: [ + Match.objectLike({ + Configuration: { + ProjectName: { Ref: stringLike('*SecurityCheck*') }, + EnvironmentVariables: { + 'Fn::Join': ['', [ + stringLike('*'), + { Ref: 'NotificationTopicEB7A0DF1' }, + stringLike('*'), + ]], }, - Name: stringLike('*Approv*'), - RunOrder: 2, - }), - Match.objectLike({ Name: 'Stack.Prepare', RunOrder: 3 }), - Match.objectLike({ Name: 'Stack.Deploy', RunOrder: 4 }), - ], - }, - ]), - }); - } -}); - -behavior('Stages declared outside the pipeline create their own ApplicationSecurityCheck', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const pipelineStage = pipeline.codePipeline.addStage({ - stageName: 'UnattachedStage', - }); - - const unattachedStage = new cdkp.CdkStage(pipelineStack, 'UnattachedStage', { - stageName: 'UnattachedStage', - pipelineStage, - cloudAssemblyArtifact: pipeline.cloudAssemblyArtifact, - host: { - publishAsset: () => undefined, - stackOutputArtifact: () => undefined, + }, + Name: stringLike('*Check'), + Namespace: stringLike('*'), + RunOrder: 1, + }), + Match.objectLike({ + Configuration: { + CustomData: stringLike('#{*.MESSAGE}'), + ExternalEntityLink: stringLike('#{*.LINK}'), + }, + Name: stringLike('*Approv*'), + RunOrder: 2, + }), + Match.objectLike({ Name: 'Stack.Prepare', RunOrder: 3 }), + Match.objectLike({ Name: 'Stack.Deploy', RunOrder: 4 }), + ], }, - }); - - unattachedStage.addApplication(new OneStackApp(app, 'UnattachedStage'), { - confirmBroadeningPermissions: true, - }); - - THEN_codePipelineExpectation(); + ]), }); - - // Not a valid use of the modern API - suite.doesNotApply.modern(); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).resourceCountIs('AWS::Lambda::Function', 1); - // 1 for github build, 1 for synth stage, and 1 for the application security check - Template.fromStack(pipelineStack).resourceCountIs('AWS::CodeBuild::Project', 3); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Tags: [ - { - Key: 'SECURITY_CHECK', - Value: 'ALLOW_APPROVE', - }, - ], - Stages: [ - Match.objectLike({ Name: 'Source' }), - Match.objectLike({ Name: 'Build' }), - Match.objectLike({ Name: 'UpdatePipeline' }), - { - Actions: [ - Match.objectLike({ - Configuration: { - ProjectName: { Ref: 'UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckADCE795B' }, - }, - Name: 'UnattachedStageSecurityCheck', - RunOrder: 1, - }), - Match.objectLike({ - Configuration: { - CustomData: '#{UnattachedStageSecurityCheck.MESSAGE}', - ExternalEntityLink: '#{UnattachedStageSecurityCheck.LINK}', - }, - Name: 'UnattachedStageManualApproval', - RunOrder: 2, - }), - Match.objectLike({ Name: 'Stack.Prepare', RunOrder: 3 }), - Match.objectLike({ Name: 'Stack.Deploy', RunOrder: 4 }), - ], - Name: 'UnattachedStage', - }, - ], - }); - } }); \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/self-mutation.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/self-mutation.test.ts index 98828dc57eb47..6b62207ba9bc7 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/self-mutation.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/self-mutation.test.ts @@ -4,7 +4,7 @@ import * as cb from '../../../aws-codebuild'; import * as cp from '../../../aws-codepipeline'; import { Stack, Stage } from '../../../core'; import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../lib/private/default-codebuild-image'; -import { behavior, LegacyTestGitHubNpmPipeline, PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline } from '../testhelpers'; +import { PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline } from '../testhelpers'; let app: TestApp; let pipelineStack: Stack; @@ -18,288 +18,186 @@ afterEach(() => { app.cleanup(); }); -behavior('CodePipeline has self-mutation stage', (suite) => { - suite.legacy(() => { - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - THEN_codePipelineExpectation(); - }); +test('CodePipeline has self-mutation stage', () => { - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - THEN_codePipelineExpectation(); - }); + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'UpdatePipeline', - Actions: [ - Match.objectLike({ - Name: 'SelfMutate', - Configuration: Match.objectLike({ - ProjectName: { Ref: Match.anyValue() }, - }), + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'UpdatePipeline', + Actions: [ + Match.objectLike({ + Name: 'SelfMutate', + Configuration: Match.objectLike({ + ProjectName: { Ref: Match.anyValue() }, }), - ], - }]), - }); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - install: { - commands: ['npm install -g aws-cdk@2'], - }, - build: { - commands: Match.arrayWith(['cdk -a . deploy PipelineStack --require-approval=never --verbose']), - }, - }, - })), - Type: 'CODEPIPELINE', - }, - }); - } -}); - -behavior('selfmutation stage correctly identifies nested assembly of pipeline stack', (suite) => { - suite.legacy(() => { - const pipelineStage = new Stage(app, 'PipelineStage'); - const nestedPipelineStack = new Stack(pipelineStage, 'PipelineStack', { env: PIPELINE_ENV }); - new LegacyTestGitHubNpmPipeline(nestedPipelineStack, 'Cdk'); - - THEN_codePipelineExpectation(nestedPipelineStack); - }); - - suite.modern(() => { - const pipelineStage = new Stage(app, 'PipelineStage'); - const nestedPipelineStack = new Stack(pipelineStage, 'PipelineStack', { env: PIPELINE_ENV }); - new ModernTestGitHubNpmPipeline(nestedPipelineStack, 'Cdk'); - - THEN_codePipelineExpectation(nestedPipelineStack); + }), + ], + }]), }); - function THEN_codePipelineExpectation(nestedPipelineStack: Stack) { - Template.fromStack(nestedPipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - build: { - commands: Match.arrayWith(['cdk -a assembly-PipelineStage deploy PipelineStage/PipelineStack --require-approval=never --verbose']), - }, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: ['npm install -g aws-cdk@2'], + }, + build: { + commands: Match.arrayWith(['cdk -a . deploy PipelineStack --require-approval=never --verbose']), }, - })), - }, - }); - } + }, + })), + Type: 'CODEPIPELINE', + }, + }); }); -behavior('selfmutation feature can be turned off', (suite) => { - suite.legacy(() => { - const cloudAssemblyArtifact = new cp.Artifact(); - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - cloudAssemblyArtifact, - selfMutating: false, - }); +test('selfmutation stage correctly identifies nested assembly of pipeline stack', () => { - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - // WHEN - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - selfMutation: false, - }); + const pipelineStage = new Stage(app, 'PipelineStage'); + const nestedPipelineStack = new Stack(pipelineStage, 'PipelineStack', { env: PIPELINE_ENV }); + new ModernTestGitHubNpmPipeline(nestedPipelineStack, 'Cdk'); - THEN_codePipelineExpectation(); + Template.fromStack(nestedPipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + build: { + commands: Match.arrayWith(['cdk -a assembly-PipelineStage deploy PipelineStage/PipelineStack --require-approval=never --verbose']), + }, + }, + })), + }, }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.not(Match.arrayWith([{ - Name: 'UpdatePipeline', - Actions: Match.anyValue(), - }])), - }); - } }); -behavior('can control fix/CLI version used in pipeline selfupdate', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - pipelineName: 'vpipe', - cdkCliVersion: '1.2.3', - }); +test('selfmutation feature can be turned off', () => { - THEN_codePipelineExpectation(); + // WHEN + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + selfMutation: false, }); - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - pipelineName: 'vpipe', - cliVersion: '1.2.3', - }); - - THEN_codePipelineExpectation(); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.not(Match.arrayWith([{ + Name: 'UpdatePipeline', + Actions: Match.anyValue(), + }])), }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Name: 'vpipe-selfupdate', - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - install: { - commands: ['npm install -g aws-cdk@1.2.3'], - }, - }, - })), - }, - }); - } }); -behavior('Pipeline stack itself can use assets (has implications for selfupdate)', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'PrivilegedPipeline', { - supportDockerAssets: true, - }); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - PrivilegedMode: true, - }, - }); +test('can control fix/CLI version used in pipeline selfupdate', () => { + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + pipelineName: 'vpipe', + cliVersion: '1.2.3', }); - suite.modern(() => { - // WHEN - new ModernTestGitHubNpmPipeline(pipelineStack, 'PrivilegedPipeline', { - dockerEnabledForSelfMutation: true, - }); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - PrivilegedMode: true, - }, - }); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Name: 'vpipe-selfupdate', + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: ['npm install -g aws-cdk@1.2.3'], + }, + }, + })), + }, }); }); -behavior('self-update project role uses tagged bootstrap-role permissions', (suite) => { - suite.legacy(() => { - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); +test('Pipeline stack itself can use assets (has implications for selfupdate)', () => { - THEN_codePipelineExpectations(); + // WHEN + new ModernTestGitHubNpmPipeline(pipelineStack, 'PrivilegedPipeline', { + dockerEnabledForSelfMutation: true, }); - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - THEN_codePipelineExpectations(); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + PrivilegedMode: true, + }, }); +}); - function THEN_codePipelineExpectations() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([ - { - Action: 'sts:AssumeRole', - Effect: 'Allow', - Resource: 'arn:*:iam::123pipeline:role/*', - Condition: { - 'ForAnyValue:StringEquals': { - 'iam:ResourceTag/aws-cdk:bootstrap-role': ['image-publishing', 'file-publishing', 'deploy'], - }, +test('self-update project role uses tagged bootstrap-role permissions', () => { + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([ + { + Action: 'sts:AssumeRole', + Effect: 'Allow', + Resource: 'arn:*:iam::123pipeline:role/*', + Condition: { + 'ForAnyValue:StringEquals': { + 'iam:ResourceTag/aws-cdk:bootstrap-role': ['image-publishing', 'file-publishing', 'deploy'], }, }, - { - Action: 'cloudformation:DescribeStacks', - Effect: 'Allow', - Resource: '*', - }, - { - Action: 's3:ListBucket', - Effect: 'Allow', - Resource: '*', - }, - ]), - }, - }); - } + }, + { + Action: 'cloudformation:DescribeStacks', + Effect: 'Allow', + Resource: '*', + }, + { + Action: 's3:ListBucket', + Effect: 'Allow', + Resource: '*', + }, + ]), + }, + }); }); -behavior('self-mutation stage can be customized with BuildSpec', (suite) => { - suite.legacy(() => { - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - selfMutationBuildSpec: cb.BuildSpec.fromObject({ +test('self-mutation stage can be customized with BuildSpec', () => { + + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + selfMutationCodeBuildDefaults: { + partialBuildSpec: cb.BuildSpec.fromObject({ phases: { install: { - commands: 'npm config set registry example.com', + commands: ['npm config set registry example.com'], }, }, cache: { - paths: 'node_modules', + paths: ['node_modules'], }, }), - }); - - THEN_codePipelineExpectation(); + }, }); - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - selfMutationCodeBuildDefaults: { - partialBuildSpec: cb.BuildSpec.fromObject({ - phases: { - install: { - commands: ['npm config set registry example.com'], - }, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + PrivilegedMode: false, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: ['npm config set registry example.com', 'npm install -g aws-cdk@2'], }, - cache: { - paths: ['node_modules'], + build: { + commands: Match.arrayWith(['cdk -a . deploy PipelineStack --require-approval=never --verbose']), }, - }), - }, - }); - - THEN_codePipelineExpectation(); + }, + cache: { + paths: ['node_modules'], + }, + })), + Type: 'CODEPIPELINE', + }, }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - PrivilegedMode: false, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - install: { - commands: ['npm config set registry example.com', 'npm install -g aws-cdk@2'], - }, - build: { - commands: Match.arrayWith(['cdk -a . deploy PipelineStack --require-approval=never --verbose']), - }, - }, - cache: { - paths: ['node_modules'], - }, - })), - Type: 'CODEPIPELINE', - }, - }); - } }); diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/stack-ordering.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/stack-ordering.test.ts index 827c2839a6462..489bd2a295289 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/stack-ordering.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/stack-ordering.test.ts @@ -1,6 +1,6 @@ import { Match, Template } from '../../../assertions'; import { App, Stack } from '../../../core'; -import { behavior, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, OneStackApp, PIPELINE_ENV, sortByRunOrder, TestApp, ThreeStackApp, TwoStackApp } from '../testhelpers'; +import { ModernTestGitHubNpmPipeline, PIPELINE_ENV, sortByRunOrder, TestApp, ThreeStackApp, TwoStackApp } from '../testhelpers'; let app: App; let pipelineStack: Stack; @@ -10,169 +10,41 @@ beforeEach(() => { pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); }); -behavior('interdependent stacks are in the right order', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new TwoStackApp(app, 'MyApp')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new TwoStackApp(app, 'MyApp')); - - THEN_codePipelineExpectation(); +test('interdependent stacks are in the right order', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new TwoStackApp(app, 'MyApp')); + + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'MyApp', + Actions: sortByRunOrder([ + Match.objectLike({ Name: 'Stack1.Prepare' }), + Match.objectLike({ Name: 'Stack1.Deploy' }), + Match.objectLike({ Name: 'Stack2.Prepare' }), + Match.objectLike({ Name: 'Stack2.Deploy' }), + ]), + }]), }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'MyApp', - Actions: sortByRunOrder([ - Match.objectLike({ Name: 'Stack1.Prepare' }), - Match.objectLike({ Name: 'Stack1.Deploy' }), - Match.objectLike({ Name: 'Stack2.Prepare' }), - Match.objectLike({ Name: 'Stack2.Deploy' }), - ]), - }]), - }); - } }); -behavior('multiple independent stacks go in parallel', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new ThreeStackApp(app, 'MyApp')); - - THEN_codePipelineExpectation(); +test('multiple independent stacks go in parallel', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new ThreeStackApp(app, 'MyApp')); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'MyApp', + Actions: sortByRunOrder([ + // 1 and 2 in parallel + Match.objectLike({ Name: 'Stack1.Prepare' }), + Match.objectLike({ Name: 'Stack2.Prepare' }), + Match.objectLike({ Name: 'Stack1.Deploy' }), + Match.objectLike({ Name: 'Stack2.Deploy' }), + // Then 3 + Match.objectLike({ Name: 'Stack3.Prepare' }), + Match.objectLike({ Name: 'Stack3.Deploy' }), + ]), + }]), }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new ThreeStackApp(app, 'MyApp')); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'MyApp', - Actions: sortByRunOrder([ - // 1 and 2 in parallel - Match.objectLike({ Name: 'Stack1.Prepare' }), - Match.objectLike({ Name: 'Stack2.Prepare' }), - Match.objectLike({ Name: 'Stack1.Deploy' }), - Match.objectLike({ Name: 'Stack2.Deploy' }), - // Then 3 - Match.objectLike({ Name: 'Stack3.Prepare' }), - Match.objectLike({ Name: 'Stack3.Deploy' }), - ]), - }]), - }); - } -}); - -behavior('user can request manual change set approvals', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new TwoStackApp(app, 'MyApp'), { - manualApprovals: true, - }); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'MyApp', - Actions: sortByRunOrder([ - Match.objectLike({ Name: 'Stack1.Prepare' }), - Match.objectLike({ Name: 'ManualApproval' }), - Match.objectLike({ Name: 'Stack1.Deploy' }), - Match.objectLike({ Name: 'Stack2.Prepare' }), - Match.objectLike({ Name: 'ManualApproval2' }), - Match.objectLike({ Name: 'Stack2.Deploy' }), - ]), - }]), - }); - }); - - // No change set approvals in Modern API for now. - suite.doesNotApply.modern(); -}); - -behavior('user can request extra runorder space between prepare and deploy', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new TwoStackApp(app, 'MyApp'), { - extraRunOrderSpace: 1, - }); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'MyApp', - Actions: sortByRunOrder([ - Match.objectLike({ - Name: 'Stack1.Prepare', - RunOrder: 1, - }), - Match.objectLike({ - Name: 'Stack1.Deploy', - RunOrder: 3, - }), - Match.objectLike({ - Name: 'Stack2.Prepare', - RunOrder: 4, - }), - Match.objectLike({ - Name: 'Stack2.Deploy', - RunOrder: 6, - }), - ]), - }]), - }); - }); - - // No change set approvals in Modern API for now. - suite.doesNotApply.modern(); -}); - -behavior('user can request both manual change set approval and extraRunOrderSpace', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(app, 'MyApp'), { - extraRunOrderSpace: 1, - manualApprovals: true, - }); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'MyApp', - Actions: sortByRunOrder([ - Match.objectLike({ - Name: 'Stack.Prepare', - RunOrder: 1, - }), - Match.objectLike({ - Name: 'ManualApproval', - RunOrder: 2, - }), - Match.objectLike({ - Name: 'Stack.Deploy', - RunOrder: 4, - }), - ]), - }]), - }); - }); - - // No change set approvals in Modern API for now. - suite.doesNotApply.modern(); }); diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/synths.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/synths.test.ts index 30cbed9db1faf..ce52f6a2df0a8 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/synths.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/synths.test.ts @@ -9,7 +9,7 @@ import { Stack } from '../../../core'; import * as cdkp from '../../lib'; import { CodeBuildStep } from '../../lib'; import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../lib/private/default-codebuild-image'; -import { behavior, PIPELINE_ENV, TestApp, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, ModernTestGitHubNpmPipelineProps, OneStackApp } from '../testhelpers'; +import { PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline, ModernTestGitHubNpmPipelineProps, OneStackApp } from '../testhelpers'; let app: TestApp; let pipelineStack: Stack; @@ -19,10 +19,6 @@ let cloudAssemblyArtifact: codepipeline.Artifact; // Must be unique across all test files, but preferably also consistent const OUTDIR = 'testcdk0.out'; -// What phase install commands get rendered to -const LEGACY_INSTALLS = 'pre_build'; -const MODERN_INSTALLS = 'install'; - beforeEach(() => { app = new TestApp({ outdir: OUTDIR }); pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); @@ -34,1124 +30,737 @@ afterEach(() => { app.cleanup(); }); -behavior('synth takes arrays of commands', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: new cdkp.SimpleSynthAction({ - sourceArtifact, - cloudAssemblyArtifact, - installCommands: ['install1', 'install2'], - buildCommands: ['build1', 'build2'], - testCommands: ['test1', 'test2'], - synthCommand: 'cdk synth', - }), - }); - - THEN_codePipelineExpectation(LEGACY_INSTALLS); - }); - - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - installCommands: ['install1', 'install2'], - commands: ['build1', 'build2', 'test1', 'test2', 'cdk synth'], - }); - - THEN_codePipelineExpectation(MODERN_INSTALLS); - }); - - function THEN_codePipelineExpectation(installPhase: string) { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - [installPhase]: { - commands: [ - 'install1', - 'install2', - ], - }, - build: { - commands: [ - 'build1', - 'build2', - 'test1', - 'test2', - 'cdk synth', - ], - }, +test('synth takes arrays of commands', () => { + + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + installCommands: ['install1', 'install2'], + commands: ['build1', 'build2', 'test1', 'test2', 'cdk synth'], + }); + + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: [ + 'install1', + 'install2', + ], }, - })), - }, - }); - } + build: { + commands: [ + 'build1', + 'build2', + 'test1', + 'test2', + 'cdk synth', + ], + }, + }, + })), + }, + }); }); -behavior('synth sets artifact base-directory to cdk.out', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ sourceArtifact, cloudAssemblyArtifact }), - }); - THEN_codePipelineExpectation(); - }); +test('synth sets artifact base-directory to cdk.out', () => { - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - THEN_codePipelineExpectation(); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + artifacts: { + 'base-directory': 'cdk.out', + }, + })), + }, }); +}); - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - artifacts: { - 'base-directory': 'cdk.out', +test('synth supports setting subdirectory', () => { + + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + installCommands: ['cd subdir'], + commands: ['true'], + primaryOutputDirectory: 'subdir/cdk.out', + }); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: Match.arrayWith(['cd subdir']), }, - })), - }, - }); - } + }, + artifacts: { + 'base-directory': 'subdir/cdk.out', + }, + })), + }, + }); }); -behavior('synth supports setting subdirectory', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - subdirectory: 'subdir', - }), - }); +test('npm synth sets, or allows setting, UNSAFE_PERM=true', () => { - THEN_codePipelineExpectation(LEGACY_INSTALLS); + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + env: { + NPM_CONFIG_UNSAFE_PERM: 'true', + }, }); - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - installCommands: ['cd subdir'], - commands: ['true'], - primaryOutputDirectory: 'subdir/cdk.out', - }); - THEN_codePipelineExpectation(MODERN_INSTALLS); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + EnvironmentVariables: [ + { + Name: 'NPM_CONFIG_UNSAFE_PERM', + Type: 'PLAINTEXT', + Value: 'true', + }, + ], + }, }); - - function THEN_codePipelineExpectation(installPhase: string) { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - [installPhase]: { - commands: Match.arrayWith(['cd subdir']), - }, - }, - artifacts: { - 'base-directory': 'subdir/cdk.out', - }, - })), - }, - }); - } }); -behavior('npm synth sets, or allows setting, UNSAFE_PERM=true', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - }), - }); - - THEN_codePipelineExpectation(); +test('Magic CodePipeline variables passed to synth envvars must be rendered in the action', () => { + + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + env: { + VERSION: codepipeline.GlobalVariables.executionId, + }, + }); + + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Build', + Actions: [ + Match.objectLike({ + Name: 'Synth', + Configuration: Match.objectLike({ + EnvironmentVariables: Match.serializedJson(Match.arrayWith([ + { + name: 'VERSION', + type: 'PLAINTEXT', + value: '#{codepipeline.PipelineExecutionId}', + }, + ])), + }), + }), + ], + }]), }); +}); - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { +test('CodeBuild: environment variables specified in multiple places are correctly merged', () => { + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk-1', { + synth: new CodeBuildStep('Synth', { env: { - NPM_CONFIG_UNSAFE_PERM: 'true', + SOME_ENV_VAR: 'SomeValue', }, - }); - - THEN_codePipelineExpectation(); + installCommands: [ + 'install1', + 'install2', + ], + commands: ['synth'], + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + primaryOutputDirectory: 'cdk.out', + buildEnvironment: { + environmentVariables: { + INNER_VAR: { value: 'InnerValue' }, + }, + privileged: true, + }, + }), }); - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - EnvironmentVariables: [ - { - Name: 'NPM_CONFIG_UNSAFE_PERM', - Type: 'PLAINTEXT', - Value: 'true', + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: Match.objectLike({ + PrivilegedMode: true, + EnvironmentVariables: Match.arrayWith([ + { + Name: 'INNER_VAR', + Type: 'PLAINTEXT', + Value: 'InnerValue', + }, + { + Name: 'SOME_ENV_VAR', + Type: 'PLAINTEXT', + Value: 'SomeValue', + }, + ]), + }), + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: ['install1', 'install2'], }, - ], - }, - }); - } -}); - -behavior('synth assumes a JavaScript project by default (no build, yes synth)', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ sourceArtifact, cloudAssemblyArtifact }), - }); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - pre_build: { - commands: ['npm ci'], - }, - build: { - commands: ['npx cdk synth'], - }, + build: { + commands: ['synth'], }, - })), - }, - }); - }); - - // Modern pipeline does not assume anything anymore - suite.doesNotApply.modern(); -}); - -behavior('Magic CodePipeline variables passed to synth envvars must be rendered in the action', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: new cdkp.SimpleSynthAction({ - sourceArtifact, - cloudAssemblyArtifact, - environmentVariables: { - VERSION: { value: codepipeline.GlobalVariables.executionId }, }, - synthCommand: 'synth', - }), - }); - THEN_codePipelineExpectation(); + })), + }, }); - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk-2', { + synth: new cdkp.CodeBuildStep('Synth', { + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + primaryOutputDirectory: '.', env: { - VERSION: codepipeline.GlobalVariables.executionId, + SOME_ENV_VAR: 'SomeValue', }, - }); - - THEN_codePipelineExpectation(); + installCommands: [ + 'install1', + 'install2', + ], + commands: ['synth'], + buildEnvironment: { + environmentVariables: { + INNER_VAR: { value: 'InnerValue' }, + }, + privileged: true, + }, + }), }); - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Build', - Actions: [ - Match.objectLike({ - Name: 'Synth', - Configuration: Match.objectLike({ - EnvironmentVariables: Match.serializedJson(Match.arrayWith([ - { - name: 'VERSION', - type: 'PLAINTEXT', - value: '#{codepipeline.PipelineExecutionId}', - }, - ])), - }), - }), - ], - }]), - }); - } -}); - -behavior('CodeBuild: environment variables specified in multiple places are correctly merged', (suite) => { - // We don't support merging environment variables in this way in the legacy API - suite.doesNotApply.legacy(); - - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synth: new CodeBuildStep('Synth', { - env: { - SOME_ENV_VAR: 'SomeValue', + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: Match.objectLike({ + PrivilegedMode: true, + EnvironmentVariables: Match.arrayWith([ + { + Name: 'INNER_VAR', + Type: 'PLAINTEXT', + Value: 'InnerValue', }, - installCommands: [ - 'install1', - 'install2', - ], - commands: ['synth'], - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - primaryOutputDirectory: 'cdk.out', - buildEnvironment: { - environmentVariables: { - INNER_VAR: { value: 'InnerValue' }, + { + Name: 'SOME_ENV_VAR', + Type: 'PLAINTEXT', + Value: 'SomeValue', + }, + ]), + }), + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: ['install1', 'install2'], + }, + build: { + commands: ['synth'], }, - privileged: true, }, - }), - }); - THEN_codePipelineExpectation(MODERN_INSTALLS); + })), + }, }); +}); - suite.additional('modern2, using the specific CodeBuild action', () => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synth: new cdkp.CodeBuildStep('Synth', { - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - primaryOutputDirectory: '.', - env: { - SOME_ENV_VAR: 'SomeValue', - }, - installCommands: [ - 'install1', - 'install2', - ], - commands: ['synth'], - buildEnvironment: { - environmentVariables: { - INNER_VAR: { value: 'InnerValue' }, +test('install command can be overridden/specified', () => { + // WHEN + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + installCommands: ['/bin/true'], + }); + + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: ['/bin/true'], }, - privileged: true, }, - }), - }); - THEN_codePipelineExpectation(MODERN_INSTALLS); + })), + }, }); +}); - function THEN_codePipelineExpectation(installPhase: string) { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: Match.objectLike({ - PrivilegedMode: true, - EnvironmentVariables: Match.arrayWith([ - { - Name: 'INNER_VAR', - Type: 'PLAINTEXT', - Value: 'InnerValue', - }, - { - Name: 'SOME_ENV_VAR', - Type: 'PLAINTEXT', - Value: 'SomeValue', - }, - ]), - }), - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - [installPhase]: { - commands: ['install1', 'install2'], +test('Synth can output additional artifacts', () => { + + // WHEN + const synth = new cdkp.ShellStep('Synth', { + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + commands: ['cdk synth'], + }); + synth.addOutputDirectory('test'); + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth: synth, + }); + + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + artifacts: { + 'secondary-artifacts': { + Synth_Output: { + 'base-directory': 'cdk.out', + 'files': '**/*', }, - build: { - commands: ['synth'], + Synth_test: { + 'base-directory': 'test', + 'files': '**/*', }, }, - })), - }, - }); - } + }, + })), + }, + }); }); -behavior('install command can be overridden/specified', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - installCommand: '/bin/true', - }), - }); +test('Synth can be made to run in a VPC', () => { + const vpc: ec2.Vpc = new ec2.Vpc(pipelineStack, 'NpmSynthTestVpc'); - THEN_codePipelineExpectation(LEGACY_INSTALLS); + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + codeBuildDefaults: { vpc }, }); - suite.modern(() => { - // WHEN - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - installCommands: ['/bin/true'], - }); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + VpcConfig: { + SecurityGroupIds: [ + { 'Fn::GetAtt': ['CdkPipelineBuildSynthCdkBuildProjectSecurityGroupEA44D7C2', 'GroupId'] }, + ], + Subnets: [ + { Ref: 'NpmSynthTestVpcPrivateSubnet1Subnet81E3AA56' }, + { Ref: 'NpmSynthTestVpcPrivateSubnet2SubnetC1CA3EF0' }, + { Ref: 'NpmSynthTestVpcPrivateSubnet3SubnetA04163EE' }, + ], + VpcId: { Ref: 'NpmSynthTestVpc5E703F25' }, + }, + }); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + Roles: [ + { Ref: 'CdkPipelineBuildSynthCdkBuildProjectRole5E173C62' }, + ], + PolicyDocument: { + Statement: Match.arrayWith([{ + Action: Match.arrayWith(['ec2:DescribeSecurityGroups']), + Effect: 'Allow', + Resource: '*', + }]), + }, + }); +}); - THEN_codePipelineExpectation(MODERN_INSTALLS); +test('Modern, using the synthCodeBuildDefaults', () => { + const vpc: ec2.Vpc = new ec2.Vpc(pipelineStack, 'NpmSynthTestVpc'); + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synthCodeBuildDefaults: { vpc }, }); - function THEN_codePipelineExpectation(installPhase: string) { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - [installPhase]: { - commands: ['/bin/true'], - }, - }, - })), - }, - }); - } + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + VpcConfig: { + SecurityGroupIds: [ + { 'Fn::GetAtt': ['CdkPipelineBuildSynthCdkBuildProjectSecurityGroupEA44D7C2', 'GroupId'] }, + ], + Subnets: [ + { Ref: 'NpmSynthTestVpcPrivateSubnet1Subnet81E3AA56' }, + { Ref: 'NpmSynthTestVpcPrivateSubnet2SubnetC1CA3EF0' }, + { Ref: 'NpmSynthTestVpcPrivateSubnet3SubnetA04163EE' }, + ], + VpcId: { Ref: 'NpmSynthTestVpc5E703F25' }, + }, + }); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + Roles: [ + { Ref: 'CdkPipelineBuildSynthCdkBuildProjectRole5E173C62' }, + ], + PolicyDocument: { + Statement: Match.arrayWith([{ + Action: Match.arrayWith(['ec2:DescribeSecurityGroups']), + Effect: 'Allow', + Resource: '*', + }]), + }, + }); }); -behavior('synth can have its test commands set', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - installCommand: '/bin/true', - testCommands: ['echo "Running tests"'], - }), - }); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - pre_build: { - commands: ['/bin/true'], - }, - build: { - commands: ['echo "Running tests"', 'npx cdk synth'], - }, - }, - })), +test('Modern, using CodeBuildStep', () => { + const vpc: ec2.Vpc = new ec2.Vpc(pipelineStack, 'NpmSynthTestVpc'); + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth: new CodeBuildStep('Synth', { + commands: ['asdf'], + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + primaryOutputDirectory: 'cdk.out', + buildEnvironment: { + computeType: cbuild.ComputeType.LARGE, }, - }); + }), + codeBuildDefaults: { vpc }, }); - // There are no implicit commands in modern synth - suite.doesNotApply.modern(); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + VpcConfig: { + SecurityGroupIds: [ + { 'Fn::GetAtt': ['CdkPipelineBuildSynthCdkBuildProjectSecurityGroupEA44D7C2', 'GroupId'] }, + ], + Subnets: [ + { Ref: 'NpmSynthTestVpcPrivateSubnet1Subnet81E3AA56' }, + { Ref: 'NpmSynthTestVpcPrivateSubnet2SubnetC1CA3EF0' }, + { Ref: 'NpmSynthTestVpcPrivateSubnet3SubnetA04163EE' }, + ], + VpcId: { Ref: 'NpmSynthTestVpc5E703F25' }, + }, + }); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + Roles: [ + { Ref: 'CdkPipelineBuildSynthCdkBuildProjectRole5E173C62' }, + ], + PolicyDocument: { + Statement: Match.arrayWith([{ + Action: Match.arrayWith(['ec2:DescribeSecurityGroups']), + Effect: 'Allow', + Resource: '*', + }]), + }, + }); }); -behavior('Synth can output additional artifacts', (suite) => { - suite.legacy(() => { - // WHEN - const addlArtifact = new codepipeline.Artifact('IntegTest'); - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - additionalArtifacts: [ - { - artifact: addlArtifact, - directory: 'test', - }, - ], - }), - }); +test('Pipeline action contains a hash that changes as the buildspec changes', () => { + const hash1 = modernSynthWithAction(() => ({ commands: ['asdf'] })); - THEN_codePipelineExpectation('CloudAsm', 'IntegTest'); - }); + // To make sure the hash is not just random :) + const hash1prime = modernSynthWithAction(() => ({ commands: ['asdf'] })); - suite.modern(() => { - // WHEN - const synth = new cdkp.ShellStep('Synth', { + const hash2 = modernSynthWithAction(() => ({ + installCommands: ['do install'], + })); + const hash3 = modernSynthWithAction(() => ({ + synth: new CodeBuildStep('Synth', { + commands: ['asdf'], input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - commands: ['cdk synth'], - }); - synth.addOutputDirectory('test'); - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synth: synth, - }); - - THEN_codePipelineExpectation('Synth_Output', 'Synth_test'); - }); - - function THEN_codePipelineExpectation(asmArtifact: string, testArtifact: string) { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - artifacts: { - 'secondary-artifacts': { - [asmArtifact]: { - 'base-directory': 'cdk.out', - 'files': '**/*', - }, - [testArtifact]: { - 'base-directory': 'test', - 'files': '**/*', - }, - }, - }, - })), + primaryOutputDirectory: 'cdk.out', + buildEnvironment: { + computeType: cbuild.ComputeType.LARGE, }, - }); - } + }), + })); + + const hash4 = modernSynthWithAction(() => ({ + env: { + xyz: 'SOME-VALUE', + }, + })); + + expect(hash1).toEqual(hash1prime); + + expect(hash1).not.toEqual(hash2); + expect(hash1).not.toEqual(hash3); + expect(hash1).not.toEqual(hash4); + expect(hash2).not.toEqual(hash3); + expect(hash2).not.toEqual(hash4); + expect(hash3).not.toEqual(hash4); }); -behavior('Synth can be made to run in a VPC', (suite) => { - let vpc: ec2.Vpc; - beforeEach(() => { - vpc = new ec2.Vpc(pipelineStack, 'NpmSynthTestVpc'); +function modernSynthWithAction(cb: () => ModernTestGitHubNpmPipelineProps) { + const _app = new TestApp({ outdir: OUTDIR }); + const _pipelineStack = new Stack(_app, 'PipelineStack', { env: PIPELINE_ENV }); + + new ModernTestGitHubNpmPipeline(_pipelineStack, 'Cdk', cb()); + + return captureProjectConfigHash(_pipelineStack); +} + +function captureProjectConfigHash(_pipelineStack: Stack) { + const theHash = new Capture(); + Template.fromStack(_pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Build', + Actions: [ + Match.objectLike({ + Name: 'Synth', + Configuration: Match.objectLike({ + EnvironmentVariables: Match.serializedJson([ + { + name: '_PROJECT_CONFIG_HASH', + type: 'PLAINTEXT', + value: theHash, + }, + ]), + }), + }), + ], + }]), }); - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - vpc, - sourceArtifact, - cloudAssemblyArtifact, - }), - }); + return theHash.asString(); +} - THEN_codePipelineExpectation(); - }); +test('Synth CodeBuild project role can be granted permissions', () => { + const bucket: s3.IBucket = s3.Bucket.fromBucketArn(pipelineStack, 'Bucket', 'arn:aws:s3:::this-particular-bucket'); - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - codeBuildDefaults: { vpc }, - }); + // GIVEN + const pipe = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipe.buildPipeline(); - THEN_codePipelineExpectation(); - }); + // WHEN + bucket.grantRead(pipe.synthProject); - suite.additional('Modern, using the synthCodeBuildDefaults', () => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synthCodeBuildDefaults: { vpc }, - }); - - THEN_codePipelineExpectation(); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([Match.objectLike({ + Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], + Resource: ['arn:aws:s3:::this-particular-bucket', 'arn:aws:s3:::this-particular-bucket/*'], + })]), + }, }); +}); - suite.additional('Modern, using CodeBuildStep', () => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synth: new CodeBuildStep('Synth', { - commands: ['asdf'], - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - primaryOutputDirectory: 'cdk.out', - buildEnvironment: { - computeType: cbuild.ComputeType.LARGE, - }, - }), - codeBuildDefaults: { vpc }, - }); - - THEN_codePipelineExpectation(); - }); +test('Synth can reference an imported ECR repo', () => { - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - VpcConfig: { - SecurityGroupIds: [ - { 'Fn::GetAtt': ['CdkPipelineBuildSynthCdkBuildProjectSecurityGroupEA44D7C2', 'GroupId'] }, - ], - Subnets: [ - { Ref: 'NpmSynthTestVpcPrivateSubnet1Subnet81E3AA56' }, - { Ref: 'NpmSynthTestVpcPrivateSubnet2SubnetC1CA3EF0' }, - { Ref: 'NpmSynthTestVpcPrivateSubnet3SubnetA04163EE' }, - ], - VpcId: { Ref: 'NpmSynthTestVpc5E703F25' }, + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth: new cdkp.CodeBuildStep('Synth', { + commands: ['build'], + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + primaryOutputDirectory: 'cdk.out', + buildEnvironment: { + buildImage: cbuild.LinuxBuildImage.fromEcrRepository( + ecr.Repository.fromRepositoryName(pipelineStack, 'ECRImage', 'my-repo-name'), + ), }, - }); + }), + }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - Roles: [ - { Ref: 'CdkPipelineBuildSynthCdkBuildProjectRole5E173C62' }, - ], - PolicyDocument: { - Statement: Match.arrayWith([{ - Action: Match.arrayWith(['ec2:DescribeSecurityGroups']), - Effect: 'Allow', - Resource: '*', - }]), - }, - }); - } + // THEN -- no exception (necessary for linter) + expect(true).toBeTruthy(); }); -behavior('Pipeline action contains a hash that changes as the buildspec changes', (suite) => { - suite.legacy(() => { - const hash1 = legacySynthWithAction((sa, cxa) => cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact: sa, - cloudAssemblyArtifact: cxa, - })); - - // To make sure the hash is not just random :) - const hash1prime = legacySynthWithAction((sa, cxa) => cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact: sa, - cloudAssemblyArtifact: cxa, - })); - - const hash2 = legacySynthWithAction((sa, cxa) => cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact: sa, - cloudAssemblyArtifact: cxa, - installCommand: 'do install', - })); - const hash3 = legacySynthWithAction((sa, cxa) => cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact: sa, - cloudAssemblyArtifact: cxa, - environment: { - computeType: cbuild.ComputeType.LARGE, - }, - })); - const hash4 = legacySynthWithAction((sa, cxa) => cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact: sa, - cloudAssemblyArtifact: cxa, - environment: { - environmentVariables: { - xyz: { value: 'SOME-VALUE' }, - }, - }, - })); +test('CodeBuild: Can specify additional policy statements', () => { - expect(hash1).toEqual(hash1prime); + // WHEN + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth: new cdkp.CodeBuildStep('Synth', { + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + primaryOutputDirectory: '.', + commands: ['synth'], + rolePolicyStatements: [ + new iam.PolicyStatement({ + actions: ['codeartifact:*', 'sts:GetServiceBearerToken'], + resources: ['arn:my:arn'], + }), + ], + }), + }); - expect(hash1).not.toEqual(hash2); - expect(hash1).not.toEqual(hash3); - expect(hash1).not.toEqual(hash4); - expect(hash2).not.toEqual(hash3); - expect(hash2).not.toEqual(hash4); - expect(hash3).not.toEqual(hash4); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([Match.objectLike({ + Action: [ + 'codeartifact:*', + 'sts:GetServiceBearerToken', + ], + Resource: 'arn:my:arn', + })]), + }, }); +}); - suite.modern(() => { - const hash1 = modernSynthWithAction(() => ({ commands: ['asdf'] })); - - // To make sure the hash is not just random :) - const hash1prime = modernSynthWithAction(() => ({ commands: ['asdf'] })); - - const hash2 = modernSynthWithAction(() => ({ - installCommands: ['do install'], - })); - const hash3 = modernSynthWithAction(() => ({ - synth: new CodeBuildStep('Synth', { - commands: ['asdf'], - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - primaryOutputDirectory: 'cdk.out', - buildEnvironment: { - computeType: cbuild.ComputeType.LARGE, - }, - }), - })); +test('Multiple input sources in side-by-side directories', () => { - const hash4 = modernSynthWithAction(() => ({ - env: { - xyz: 'SOME-VALUE', + // WHEN + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth: new cdkp.ShellStep('Synth', { + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + commands: ['false'], + additionalInputs: { + '../sibling': cdkp.CodePipelineSource.gitHub('foo/bar', 'main'), + 'sub': new cdkp.ShellStep('Prebuild', { + input: cdkp.CodePipelineSource.gitHub('pre/build', 'main'), + commands: ['true'], + primaryOutputDirectory: 'built', + }), }, - })); - - expect(hash1).toEqual(hash1prime); - - expect(hash1).not.toEqual(hash2); - expect(hash1).not.toEqual(hash3); - expect(hash1).not.toEqual(hash4); - expect(hash2).not.toEqual(hash3); - expect(hash2).not.toEqual(hash4); - expect(hash3).not.toEqual(hash4); + }), }); - // eslint-disable-next-line max-len - function legacySynthWithAction(cb: (sourceArtifact: codepipeline.Artifact, cloudAssemblyArtifact: codepipeline.Artifact) => codepipeline.IAction) { - const _app = new TestApp({ outdir: OUTDIR }); - const _pipelineStack = new Stack(_app, 'PipelineStack', { env: PIPELINE_ENV }); - const _sourceArtifact = new codepipeline.Artifact(); - const _cloudAssemblyArtifact = new codepipeline.Artifact('CloudAsm'); - - new LegacyTestGitHubNpmPipeline(_pipelineStack, 'Cdk', { - sourceArtifact: _sourceArtifact, - cloudAssemblyArtifact: _cloudAssemblyArtifact, - synthAction: cb(_sourceArtifact, _cloudAssemblyArtifact), - }); - - return captureProjectConfigHash(_pipelineStack); - } - - function modernSynthWithAction(cb: () => ModernTestGitHubNpmPipelineProps) { - const _app = new TestApp({ outdir: OUTDIR }); - const _pipelineStack = new Stack(_app, 'PipelineStack', { env: PIPELINE_ENV }); - - new ModernTestGitHubNpmPipeline(_pipelineStack, 'Cdk', cb()); - - return captureProjectConfigHash(_pipelineStack); - } - - function captureProjectConfigHash(_pipelineStack: Stack) { - const theHash = new Capture(); - Template.fromStack(_pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([ + { + Name: 'Source', + Actions: [ + Match.objectLike({ Configuration: Match.objectLike({ Repo: 'bar' }) }), + Match.objectLike({ Configuration: Match.objectLike({ Repo: 'build' }) }), + Match.objectLike({ Configuration: Match.objectLike({ Repo: 'test' }) }), + ], + }, + { Name: 'Build', Actions: [ + Match.objectLike({ Name: 'Prebuild', RunOrder: 1 }), Match.objectLike({ Name: 'Synth', - Configuration: Match.objectLike({ - EnvironmentVariables: Match.serializedJson([ - { - name: '_PROJECT_CONFIG_HASH', - type: 'PLAINTEXT', - value: theHash, - }, - ]), - }), + RunOrder: 2, + InputArtifacts: [ + // 3 input artifacts + Match.anyValue(), + Match.anyValue(), + Match.anyValue(), + ], }), ], - }]), - }); - - return theHash.asString(); - } -}); - -behavior('Synth CodeBuild project role can be granted permissions', (suite) => { - let bucket: s3.IBucket; - beforeEach(() => { - bucket = s3.Bucket.fromBucketArn(pipelineStack, 'Bucket', 'arn:aws:s3:::this-particular-bucket'); - }); - - suite.legacy(() => { - // GIVEN - const synthAction = cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - }); - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction, - }); - - // WHEN - bucket.grantRead(synthAction); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - // GIVEN - const pipe = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipe.buildPipeline(); - - // WHEN - bucket.grantRead(pipe.synthProject); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([Match.objectLike({ - Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], - Resource: ['arn:aws:s3:::this-particular-bucket', 'arn:aws:s3:::this-particular-bucket/*'], - })]), }, - }); - } -}); - -behavior('Synth can reference an imported ECR repo', (suite) => { - // Repro from https://github.com/aws/aws-cdk/issues/10535 - - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - environment: { - buildImage: cbuild.LinuxBuildImage.fromEcrRepository( - ecr.Repository.fromRepositoryName(pipelineStack, 'ECRImage', 'my-repo-name'), - ), - }, - }), - }); - - // THEN -- no exception (necessary for linter) - expect(true).toBeTruthy(); - }); - - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synth: new cdkp.CodeBuildStep('Synth', { - commands: ['build'], - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - primaryOutputDirectory: 'cdk.out', - buildEnvironment: { - buildImage: cbuild.LinuxBuildImage.fromEcrRepository( - ecr.Repository.fromRepositoryName(pipelineStack, 'ECRImage', 'my-repo-name'), - ), + ]), + }); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: [ + '[ ! -d "../sibling" ] || { echo \'additionalInputs: "../sibling" must not exist yet. If you want to merge multiple artifacts, use a "cp" command.\'; exit 1; } && ln -s -- "$CODEBUILD_SRC_DIR_foo_bar_Source" "../sibling"', + '[ ! -d "sub" ] || { echo \'additionalInputs: "sub" must not exist yet. If you want to merge multiple artifacts, use a "cp" command.\'; exit 1; } && ln -s -- "$CODEBUILD_SRC_DIR_Prebuild_Output" "sub"', + ], + }, + build: { + commands: [ + 'false', + ], + }, }, - }), - }); - - // THEN -- no exception (necessary for linter) - expect(true).toBeTruthy(); - }); -}); - -behavior('CodeBuild: Can specify additional policy statements', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - rolePolicyStatements: [ - new iam.PolicyStatement({ - actions: ['codeartifact:*', 'sts:GetServiceBearerToken'], - resources: ['arn:my:arn'], - }), - ], - }), - }); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - // WHEN - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synth: new cdkp.CodeBuildStep('Synth', { - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - primaryOutputDirectory: '.', - commands: ['synth'], - rolePolicyStatements: [ - new iam.PolicyStatement({ - actions: ['codeartifact:*', 'sts:GetServiceBearerToken'], - resources: ['arn:my:arn'], - }), - ], - }), - }); - - THEN_codePipelineExpectation(); + })), + }, }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([Match.objectLike({ - Action: [ - 'codeartifact:*', - 'sts:GetServiceBearerToken', - ], - Resource: 'arn:my:arn', - })]), - }, - }); - } }); -behavior('Multiple input sources in side-by-side directories', (suite) => { - // Legacy API does not support this - suite.doesNotApply.legacy(); - - suite.modern(() => { - // WHEN - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synth: new cdkp.ShellStep('Synth', { - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - commands: ['false'], - additionalInputs: { - '../sibling': cdkp.CodePipelineSource.gitHub('foo/bar', 'main'), - 'sub': new cdkp.ShellStep('Prebuild', { - input: cdkp.CodePipelineSource.gitHub('pre/build', 'main'), - commands: ['true'], - primaryOutputDirectory: 'built', - }), - }, - }), - }); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([ - { - Name: 'Source', - Actions: [ - Match.objectLike({ Configuration: Match.objectLike({ Repo: 'bar' }) }), - Match.objectLike({ Configuration: Match.objectLike({ Repo: 'build' }) }), - Match.objectLike({ Configuration: Match.objectLike({ Repo: 'test' }) }), - ], - }, - { - Name: 'Build', - Actions: [ - Match.objectLike({ Name: 'Prebuild', RunOrder: 1 }), - Match.objectLike({ - Name: 'Synth', - RunOrder: 2, - InputArtifacts: [ - // 3 input artifacts - Match.anyValue(), - Match.anyValue(), - Match.anyValue(), - ], - }), - ], - }, - ]), - }); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - install: { - commands: [ - '[ ! -d "../sibling" ] || { echo \'additionalInputs: "../sibling" must not exist yet. If you want to merge multiple artifacts, use a "cp" command.\'; exit 1; } && ln -s -- "$CODEBUILD_SRC_DIR_foo_bar_Source" "../sibling"', - '[ ! -d "sub" ] || { echo \'additionalInputs: "sub" must not exist yet. If you want to merge multiple artifacts, use a "cp" command.\'; exit 1; } && ln -s -- "$CODEBUILD_SRC_DIR_Prebuild_Output" "sub"', - ], - }, - build: { - commands: [ - 'false', - ], - }, +test('Can easily switch on privileged mode for synth', () => { + + // WHEN + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + dockerEnabledForSynth: true, + commands: ['LookAtMe'], + }); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: Match.objectLike({ + PrivilegedMode: true, + }), + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + build: { + commands: [ + 'LookAtMe', + ], }, - })), - }, - }); + }, + })), + }, }); }); -behavior('Can easily switch on privileged mode for synth', (suite) => { - // Legacy API does not support this - suite.doesNotApply.legacy(); +test('can provide custom BuildSpec that is merged with generated one', () => { - suite.modern(() => { - // WHEN - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - dockerEnabledForSynth: true, - commands: ['LookAtMe'], - }); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: Match.objectLike({ - PrivilegedMode: true, - }), - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - build: { - commands: [ - 'LookAtMe', - ], - }, - }, - })), + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth: new cdkp.CodeBuildStep('Synth', { + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + env: { + SOME_ENV_VAR: 'SomeValue', }, - }); - }); -}); - -behavior('can provide custom BuildSpec that is merged with generated one', (suite) => { - suite.legacy(() => { - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: new cdkp.SimpleSynthAction({ - sourceArtifact, - cloudAssemblyArtifact, + buildEnvironment: { environmentVariables: { - SOME_ENV_VAR: { value: 'SomeValue' }, + INNER_VAR: { value: 'InnerValue' }, }, - environment: { - environmentVariables: { - INNER_VAR: { value: 'InnerValue' }, + privileged: true, + }, + installCommands: [ + 'install1', + 'install2', + ], + commands: ['synth'], + partialBuildSpec: cbuild.BuildSpec.fromObject({ + env: { + variables: { + FOO: 'bar', }, - privileged: true, }, - installCommands: [ - 'install1', - 'install2', - ], - synthCommand: 'synth', - buildSpec: cbuild.BuildSpec.fromObject({ - env: { - variables: { - FOO: 'bar', - }, + phases: { + pre_build: { + commands: ['installCustom'], }, - phases: { - pre_build: { - commands: 'installCustom', - }, - }, - cache: { - paths: ['node_modules'], - }, - }), + }, + cache: { + paths: ['node_modules'], + }, }), - }); - - THEN_codePipelineExpectation(); + }), }); - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synth: new cdkp.CodeBuildStep('Synth', { - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - env: { - SOME_ENV_VAR: 'SomeValue', + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: Match.objectLike({ + PrivilegedMode: true, + EnvironmentVariables: Match.arrayWith([ + { + Name: 'INNER_VAR', + Type: 'PLAINTEXT', + Value: 'InnerValue', }, - buildEnvironment: { - environmentVariables: { - INNER_VAR: { value: 'InnerValue' }, + ]), + }), + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + env: { + variables: { + FOO: 'bar', }, - privileged: true, }, - installCommands: [ - 'install1', - 'install2', - ], - commands: ['synth'], - partialBuildSpec: cbuild.BuildSpec.fromObject({ - env: { - variables: { - FOO: 'bar', - }, - }, - phases: { - pre_build: { - commands: ['installCustom'], - }, + phases: { + pre_build: { + commands: Match.arrayWith(['installCustom']), }, - cache: { - paths: ['node_modules'], + build: { + commands: ['synth'], }, - }), - }), - }); - - THEN_codePipelineExpectation(); + }, + cache: { + paths: ['node_modules'], + }, + })), + }, }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: Match.objectLike({ - PrivilegedMode: true, - EnvironmentVariables: Match.arrayWith([ - { - Name: 'INNER_VAR', - Type: 'PLAINTEXT', - Value: 'InnerValue', - }, - ]), - }), - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - env: { - variables: { - FOO: 'bar', - }, - }, - phases: { - pre_build: { - commands: Match.arrayWith(['installCustom']), - }, - build: { - commands: ['synth'], - }, - }, - cache: { - paths: ['node_modules'], - }, - })), - }, - }); - } }); -behavior('stacks synthesized for pipeline will be checked during synth', (suite) => { - let stage: OneStackApp; - beforeEach(() => { - stage = new OneStackApp(pipelineStack, 'MyApp'); - }); - - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: new cdkp.SimpleSynthAction({ - sourceArtifact, - cloudAssemblyArtifact, - installCommands: ['install1', 'install2'], - buildCommands: ['build1', 'build2'], - testCommands: ['test1', 'test2'], - synthCommand: 'cdk synth', - }), - }); - pipeline.addApplicationStage(stage); - - THEN(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - installCommands: ['install1', 'install2'], - commands: ['build1', 'build2', 'test1', 'test2', 'cdk synth'], - }); - pipeline.addStage(stage); +test('stacks synthesized for pipeline will be checked during synth', () => { + let stage: OneStackApp = new OneStackApp(pipelineStack, 'MyApp'); - THEN(); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + installCommands: ['install1', 'install2'], + commands: ['build1', 'build2', 'test1', 'test2', 'cdk synth'], }); + pipeline.addStage(stage); - function THEN() { - // All stacks in the ASM have been synthesized with 'validateOnSynth: true' - const asm = stage.synth(); - for (const stack of asm.stacks) { - expect(stack.validateOnSynth).toEqual(true); - } + // All stacks in the ASM have been synthesized with 'validateOnSynth: true' + const asm = stage.synth(); + for (const stack of asm.stacks) { + expect(stack.validateOnSynth).toEqual(true); } }); \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/validations.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/validations.test.ts index f1a560fdae911..5af4eb5733394 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/validations.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/validations.test.ts @@ -9,7 +9,7 @@ import { Stack } from '../../../core'; import * as cdkp from '../../lib'; import { CodePipelineSource, ShellStep } from '../../lib'; import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../lib/private/default-codebuild-image'; -import { AppWithOutput, behavior, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, OneStackApp, PIPELINE_ENV, sortByRunOrder, StageWithStackOutput, stringNoLongerThan, TestApp, TwoStackApp } from '../testhelpers'; +import { AppWithOutput, ModernTestGitHubNpmPipeline, OneStackApp, PIPELINE_ENV, sortByRunOrder, StageWithStackOutput, stringNoLongerThan, TestApp, TwoStackApp } from '../testhelpers'; let app: TestApp; let pipelineStack: Stack; @@ -23,775 +23,471 @@ afterEach(() => { app.cleanup(); }); -behavior('can add manual approval after app', (suite) => { - // No need to be backwards compatible - suite.doesNotApply.legacy(); +test('can add manual approval after app', () => { - suite.modern(() => { - // WHEN - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new TwoStackApp(app, 'MyApp'), { - post: [ - new cdkp.ManualApprovalStep('Approve'), - ], - }); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'MyApp', - Actions: sortByRunOrder([ - Match.objectLike({ Name: 'Stack1.Prepare' }), - Match.objectLike({ Name: 'Stack1.Deploy' }), - Match.objectLike({ Name: 'Stack2.Prepare' }), - Match.objectLike({ Name: 'Stack2.Deploy' }), - Match.objectLike({ Name: 'Approve' }), - ]), - }]), - }); + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new TwoStackApp(app, 'MyApp'), { + post: [ + new cdkp.ManualApprovalStep('Approve'), + ], + }); + + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'MyApp', + Actions: sortByRunOrder([ + Match.objectLike({ Name: 'Stack1.Prepare' }), + Match.objectLike({ Name: 'Stack1.Deploy' }), + Match.objectLike({ Name: 'Stack2.Prepare' }), + Match.objectLike({ Name: 'Stack2.Deploy' }), + Match.objectLike({ Name: 'Approve' }), + ]), + }]), }); }); -behavior('can add steps to wave', (suite) => { - // No need to be backwards compatible - suite.doesNotApply.legacy(); +test('can add steps to wave', () => { - suite.modern(() => { - // WHEN - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const wave = pipeline.addWave('MyWave', { - post: [ - new cdkp.ManualApprovalStep('Approve'), - ], - }); - wave.addStage(new OneStackApp(pipelineStack, 'Stage1')); - wave.addStage(new OneStackApp(pipelineStack, 'Stage2')); - wave.addStage(new OneStackApp(pipelineStack, 'Stage3')); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'MyWave', - Actions: sortByRunOrder([ - Match.objectLike({ Name: 'Stage1.Stack.Prepare' }), - Match.objectLike({ Name: 'Stage2.Stack.Prepare' }), - Match.objectLike({ Name: 'Stage3.Stack.Prepare' }), - Match.objectLike({ Name: 'Stage1.Stack.Deploy' }), - Match.objectLike({ Name: 'Stage2.Stack.Deploy' }), - Match.objectLike({ Name: 'Stage3.Stack.Deploy' }), - Match.objectLike({ Name: 'Approve' }), - ]), - }]), - }); + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + const wave = pipeline.addWave('MyWave', { + post: [ + new cdkp.ManualApprovalStep('Approve'), + ], + }); + wave.addStage(new OneStackApp(pipelineStack, 'Stage1')); + wave.addStage(new OneStackApp(pipelineStack, 'Stage2')); + wave.addStage(new OneStackApp(pipelineStack, 'Stage3')); + + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'MyWave', + Actions: sortByRunOrder([ + Match.objectLike({ Name: 'Stage1.Stack.Prepare' }), + Match.objectLike({ Name: 'Stage2.Stack.Prepare' }), + Match.objectLike({ Name: 'Stage3.Stack.Prepare' }), + Match.objectLike({ Name: 'Stage1.Stack.Deploy' }), + Match.objectLike({ Name: 'Stage2.Stack.Deploy' }), + Match.objectLike({ Name: 'Stage3.Stack.Deploy' }), + Match.objectLike({ Name: 'Approve' }), + ]), + }]), }); }); -behavior('script validation steps can use stack outputs as environment variables', (suite) => { - suite.legacy(() => { - // GIVEN - const { pipeline } = legacySetup(); - const stage = new StageWithStackOutput(app, 'MyApp'); - - // WHEN - const pipeStage = pipeline.addApplicationStage(stage); - pipeStage.addActions(new cdkp.ShellScriptAction({ - actionName: 'TestOutput', - useOutputs: { - BUCKET_NAME: pipeline.stackOutput(stage.output), - }, - commands: ['echo $BUCKET_NAME'], - })); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'MyApp', - Actions: Match.arrayWith([ - Match.objectLike({ - ActionTypeId: { - Provider: 'CodeBuild', - }, - Configuration: { - ProjectName: Match.anyValue(), - }, - InputArtifacts: [{ Name: Match.anyValue() }], - Name: 'TestOutput', - }), - Match.objectLike({ - Name: 'Stack.Deploy', - OutputArtifacts: [{ Name: Match.anyValue() }], - Configuration: { - OutputFileName: 'outputs.json', - }, - }), - ]), - }]), - }); +test('script validation steps can use stack outputs as environment variables', () => { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - build: { - commands: [ - 'set -eu', - 'export BUCKET_NAME="$(node -pe \'require(process.env.CODEBUILD_SRC_DIR + "/outputs.json")["BucketName"]\')"', - 'echo $BUCKET_NAME', - ], - }, - }, - })), - Type: 'CODEPIPELINE', - }, - }); - }); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const myApp = new AppWithOutput(app, 'Alpha'); - pipeline.addStage(myApp, { - post: [ - new cdkp.ShellStep('Approve', { - commands: ['/bin/true'], - envFromCfnOutputs: { - THE_OUTPUT: myApp.theOutput, - }, - }), - ], - }); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Alpha', - Actions: Match.arrayWith([ - Match.objectLike({ - Name: 'Stack.Deploy', - Namespace: 'AlphaStack6B3389FA', - }), - Match.objectLike({ - Name: 'Approve', - Configuration: Match.objectLike({ - EnvironmentVariables: Match.serializedJson([ - { name: 'THE_OUTPUT', value: '#{AlphaStack6B3389FA.MyOutput}', type: 'PLAINTEXT' }, - ]), - }), - }), - ]), - }]), - }); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + const myApp = new AppWithOutput(app, 'Alpha'); + pipeline.addStage(myApp, { + post: [ + new cdkp.ShellStep('Approve', { + commands: ['/bin/true'], + envFromCfnOutputs: { + THE_OUTPUT: myApp.theOutput, + }, + }), + ], }); -}); -behavior('stackOutput generates names limited to 100 characters', (suite) => { - suite.legacy(() => { - const { pipeline } = legacySetup(); - const stage = new StageWithStackOutput(app, 'APreposterouslyLongAndComplicatedNameMadeUpJustToMakeItExceedTheLimitDefinedByCodeBuild'); - const pipeStage = pipeline.addApplicationStage(stage); - pipeStage.addActions(new cdkp.ShellScriptAction({ - actionName: 'TestOutput', - useOutputs: { - BUCKET_NAME: pipeline.stackOutput(stage.output), - }, - commands: ['echo $BUCKET_NAME'], - })); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'APreposterouslyLongAndComplicatedNameMadeUpJustToMakeItExceedTheLimitDefinedByCodeBuild', - Actions: Match.arrayWith([ - Match.objectLike({ - ActionTypeId: { - Provider: 'CodeBuild', - }, - Configuration: { - ProjectName: Match.anyValue(), - }, - InputArtifacts: [{ Name: stringNoLongerThan(100) }], - Name: 'TestOutput', - }), - Match.objectLike({ - Name: 'Stack.Deploy', - OutputArtifacts: [{ Name: stringNoLongerThan(100) }], - Configuration: { - OutputFileName: 'outputs.json', - }, - }), - ]), - }]), - }); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const stage = new StageWithStackOutput(app, 'APreposterouslyLongAndComplicatedNameMadeUpJustToMakeItExceedTheLimitDefinedByCodeBuild'); - pipeline.addStage(stage, { - post: [ - new cdkp.ShellStep('TestOutput', { - commands: ['echo $BUCKET_NAME'], - envFromCfnOutputs: { - BUCKET_NAME: stage.output, - }, + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Alpha', + Actions: Match.arrayWith([ + Match.objectLike({ + Name: 'Stack.Deploy', + Namespace: 'AlphaStack6B3389FA', }), - ], - }); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'APreposterouslyLongAndComplicatedNameMadeUpJustToMakeItExceedTheLimitDefinedByCodeBuild', - Actions: Match.arrayWith([ - Match.objectLike({ - Name: 'Stack.Deploy', - Namespace: stringNoLongerThan(100), + Match.objectLike({ + Name: 'Approve', + Configuration: Match.objectLike({ + EnvironmentVariables: Match.serializedJson([ + { name: 'THE_OUTPUT', value: '#{AlphaStack6B3389FA.MyOutput}', type: 'PLAINTEXT' }, + ]), }), - ]), - }]), - }); + }), + ]), + }]), }); }); -behavior('validation step can run from scripts in source', (suite) => { - suite.legacy(() => { - const { pipeline, sourceArtifact } = legacySetup(); - - // WHEN - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ - actionName: 'UseSources', - additionalArtifacts: [sourceArtifact], - commands: ['true'], - })); +test('stackOutput generates names limited to 100 characters', () => { - THEN_codePipelineExpectation(); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + const stage = new StageWithStackOutput(app, 'APreposterouslyLongAndComplicatedNameMadeUpJustToMakeItExceedTheLimitDefinedByCodeBuild'); + pipeline.addStage(stage, { + post: [ + new cdkp.ShellStep('TestOutput', { + commands: ['echo $BUCKET_NAME'], + envFromCfnOutputs: { + BUCKET_NAME: stage.output, + }, + }), + ], }); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new TwoStackApp(app, 'Test'), { - post: [ - new cdkp.ShellStep('UseSources', { - input: pipeline.gitHubSource, - commands: ['set -eu', 'true'], + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'APreposterouslyLongAndComplicatedNameMadeUpJustToMakeItExceedTheLimitDefinedByCodeBuild', + Actions: Match.arrayWith([ + Match.objectLike({ + Name: 'Stack.Deploy', + Namespace: stringNoLongerThan(100), }), - ], - }); - - THEN_codePipelineExpectation(); + ]), + }]), }); - - function THEN_codePipelineExpectation() { - const sourceArtifact = new Capture(); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Source', - Actions: [ - Match.objectLike({ - OutputArtifacts: [{ Name: sourceArtifact }], - }), - ], - }]), - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Test', - Actions: Match.arrayWith([ - Match.objectLike({ - Name: 'UseSources', - InputArtifacts: [{ Name: sourceArtifact.asString() }], - }), - ]), - }]), - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - build: { - commands: [ - 'set -eu', - 'true', - ], - }, - }, - })), - }, - }); - } }); -behavior('can use additional output artifacts from build', (suite) => { - suite.legacy(() => { - // WHEN - const { pipeline, integTestArtifact } = legacySetup(); - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ - actionName: 'UseBuildArtifact', - additionalArtifacts: [integTestArtifact], - commands: ['true'], - })); +test('validation step can run from scripts in source', () => { - THEN_codePipelineExpectation(); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new TwoStackApp(app, 'Test'), { + post: [ + new cdkp.ShellStep('UseSources', { + input: pipeline.gitHubSource, + commands: ['set -eu', 'true'], + }), + ], }); - suite.modern(() => { - const synth = new ShellStep('Synth', { - input: CodePipelineSource.gitHub('test/test', 'main'), - commands: ['synth'], - }); + const sourceArtifact = new Capture(); - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synth, - }); - pipeline.addStage(new TwoStackApp(app, 'Test'), { - post: [ - new cdkp.ShellStep('UseBuildArtifact', { - input: synth.addOutputDirectory('test'), - commands: ['set -eu', 'true'], + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Source', + Actions: [ + Match.objectLike({ + OutputArtifacts: [{ Name: sourceArtifact }], }), ], - }); - - THEN_codePipelineExpectation(); + }]), }); - - function THEN_codePipelineExpectation() { - const integArtifact = new Capture(); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Build', - Actions: [ - Match.objectLike({ - Name: 'Synth', - OutputArtifacts: [ - { Name: Match.anyValue() }, // It's not the first output - { Name: integArtifact }, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Test', + Actions: Match.arrayWith([ + Match.objectLike({ + Name: 'UseSources', + InputArtifacts: [{ Name: sourceArtifact.asString() }], + }), + ]), + }]), + }); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + build: { + commands: [ + 'set -eu', + 'true', ], - }), - ], - }]), - }); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Test', - Actions: Match.arrayWith([ - Match.objectLike({ - Name: 'UseBuildArtifact', - InputArtifacts: [{ Name: integArtifact.asString() }], - }), - ]), - }]), - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - build: { - commands: [ - 'set -eu', - 'true', - ], - }, }, - })), - }, - }); - } + }, + })), + }, + }); }); -behavior('can add policy statements to shell script action', (suite) => { - suite.legacy(() => { - // WHEN - const { pipeline, integTestArtifact } = legacySetup(); - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ - actionName: 'Boop', - additionalArtifacts: [integTestArtifact], - commands: ['true'], - rolePolicyStatements: [ - new iam.PolicyStatement({ - actions: ['s3:Banana'], - resources: ['*'], - }), - ], - })); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - // WHEN - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new TwoStackApp(app, 'Test'), { - post: [ - new cdkp.CodeBuildStep('Boop', { - commands: ['true'], - rolePolicyStatements: [ - new iam.PolicyStatement({ - actions: ['s3:Banana'], - resources: ['*'], - }), +test('can use additional output artifacts from build', () => { + const synth = new ShellStep('Synth', { + input: CodePipelineSource.gitHub('test/test', 'main'), + commands: ['synth'], + }); + + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth, + }); + pipeline.addStage(new TwoStackApp(app, 'Test'), { + post: [ + new cdkp.ShellStep('UseBuildArtifact', { + input: synth.addOutputDirectory('test'), + commands: ['set -eu', 'true'], + }), + ], + }); + + const integArtifact = new Capture(); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Build', + Actions: [ + Match.objectLike({ + Name: 'Synth', + OutputArtifacts: [ + { Name: Match.anyValue() }, // It's not the first output + { Name: integArtifact }, ], }), ], - }); - - THEN_codePipelineExpectation(); + }]), }); - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([Match.objectLike({ - Action: 's3:Banana', - Resource: '*', - })]), - }, - }); - } -}); - -behavior('can grant permissions to shell script action', (suite) => { - let bucket: s3.IBucket; - beforeEach(() => { - bucket = s3.Bucket.fromBucketArn(pipelineStack, 'Bucket', 'arn:aws:s3:::this-particular-bucket'); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Test', + Actions: Match.arrayWith([ + Match.objectLike({ + Name: 'UseBuildArtifact', + InputArtifacts: [{ Name: integArtifact.asString() }], + }), + ]), + }]), }); - - suite.legacy(() => { - const { pipeline, integTestArtifact } = legacySetup(); - const action = new cdkp.ShellScriptAction({ - actionName: 'Boop', - additionalArtifacts: [integTestArtifact], - commands: ['true'], - }); - pipeline.addStage('Test').addActions(action); - - // WHEN - bucket.grantRead(action); - THEN_codePipelineExpectation(); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + build: { + commands: [ + 'set -eu', + 'true', + ], + }, + }, + })), + }, }); +}); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); +test('can add policy statements to shell script action', () => { - const codeBuildStep = new cdkp.CodeBuildStep('Boop', { - commands: ['true'], - }); + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new TwoStackApp(app, 'Test'), { + post: [ + new cdkp.CodeBuildStep('Boop', { + commands: ['true'], + rolePolicyStatements: [ + new iam.PolicyStatement({ + actions: ['s3:Banana'], + resources: ['*'], + }), + ], + }), + ], + }); - pipeline.addStage(new TwoStackApp(app, 'Test'), { - post: [codeBuildStep], - }); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([Match.objectLike({ + Action: 's3:Banana', + Resource: '*', + })]), + }, + }); +}); - pipeline.buildPipeline(); +test('can grant permissions to shell script action', () => { + const bucket: s3.IBucket = s3.Bucket.fromBucketArn(pipelineStack, 'Bucket', 'arn:aws:s3:::this-particular-bucket'); - // WHEN - bucket.grantRead(codeBuildStep.project); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - THEN_codePipelineExpectation(); + const codeBuildStep = new cdkp.CodeBuildStep('Boop', { + commands: ['true'], }); - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([Match.objectLike({ - Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], - Resource: ['arn:aws:s3:::this-particular-bucket', 'arn:aws:s3:::this-particular-bucket/*'], - })]), - }, - }); - } -}); - -behavior('can run shell script actions in a VPC', (suite) => { - let vpc: ec2.Vpc; - beforeEach(() => { - vpc = new ec2.Vpc(pipelineStack, 'VPC'); + pipeline.addStage(new TwoStackApp(app, 'Test'), { + post: [codeBuildStep], }); - suite.legacy(() => { - const { pipeline, integTestArtifact } = legacySetup(); + pipeline.buildPipeline(); - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ - vpc, - actionName: 'VpcAction', - additionalArtifacts: [integTestArtifact], - commands: ['true'], - })); + // WHEN + bucket.grantRead(codeBuildStep.project); - THEN_codePipelineExpectation(); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([Match.objectLike({ + Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], + Resource: ['arn:aws:s3:::this-particular-bucket', 'arn:aws:s3:::this-particular-bucket/*'], + })]), + }, }); +}); - suite.modern(() => { - // All CodeBuild jobs automatically go into the VPC - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - codeBuildDefaults: { vpc }, - }); +test('can run shell script actions in a VPC', () => { + const vpc: ec2.Vpc = new ec2.Vpc(pipelineStack, 'VPC'); - pipeline.addStage(new TwoStackApp(app, 'MyApp'), { - post: [new cdkp.ShellStep('VpcAction', { - commands: ['set -eu', 'true'], - })], - }); - - THEN_codePipelineExpectation(); + // All CodeBuild jobs automatically go into the VPC + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk-1', { + codeBuildDefaults: { vpc }, }); - suite.additional('modern, alternate API', () => { - // Can also explicitly specify a VPC when going to the "full config" class - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new TwoStackApp(app, 'MyApp-1'), { + post: [new cdkp.ShellStep('VpcAction', { + commands: ['set -eu', 'true'], + })], + }); - pipeline.addStage(new TwoStackApp(app, 'MyApp'), { - post: [new cdkp.CodeBuildStep('VpcAction', { - commands: ['set -eu', 'true'], - vpc, - })], - }); + // Can also explicitly specify a VPC when going to the "full config" class + const pipeline2 = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk-2'); - THEN_codePipelineExpectation(); + pipeline2.addStage(new TwoStackApp(app, 'MyApp-2'), { + post: [new cdkp.CodeBuildStep('VpcAction', { + commands: ['set -eu', 'true'], + vpc, + })], }); - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - VpcConfig: { - Subnets: [ - { - Ref: 'VPCPrivateSubnet1Subnet8BCA10E0', - }, - { - Ref: 'VPCPrivateSubnet2SubnetCFCDAA7A', - }, - { - Ref: 'VPCPrivateSubnet3Subnet3EDCD457', - }, - ], - VpcId: { - Ref: 'VPCB9E5F0B4', + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + VpcConfig: { + Subnets: [ + { + Ref: 'VPCPrivateSubnet1Subnet8BCA10E0', }, + { + Ref: 'VPCPrivateSubnet2SubnetCFCDAA7A', + }, + { + Ref: 'VPCPrivateSubnet3Subnet3EDCD457', + }, + ], + VpcId: { + Ref: 'VPCB9E5F0B4', }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - build: { - commands: [ - 'set -eu', - 'true', - ], - }, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + build: { + commands: [ + 'set -eu', + 'true', + ], }, - })), - }, - }); - } + }, + })), + }, + }); }); -behavior('can run shell script actions with a specific SecurityGroup', (suite) => { - let vpc: ec2.Vpc; - let sg: ec2.SecurityGroup; - beforeEach(() => { - vpc = new ec2.Vpc(pipelineStack, 'VPC'); - sg = new ec2.SecurityGroup(pipelineStack, 'SG', { vpc }); - }); +test('can run shell script actions with a specific SecurityGroup', () => { + const vpc: ec2.Vpc = new ec2.Vpc(pipelineStack, 'VPC'); + const sg: ec2.SecurityGroup = new ec2.SecurityGroup(pipelineStack, 'SG', { vpc }); + + // All CodeBuild jobs automatically go into the VPC + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - suite.legacy(() => { - // WHEN - const { pipeline, integTestArtifact } = legacySetup(); - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ + pipeline.addStage(new TwoStackApp(app, 'Test'), { + post: [new cdkp.CodeBuildStep('sgAction', { + commands: ['set -eu', 'true'], vpc, securityGroups: [sg], - actionName: 'sgAction', - additionalArtifacts: [integTestArtifact], - commands: ['true'], - })); - - THEN_codePipelineExpectation(); + })], }); - suite.modern(() => { - // All CodeBuild jobs automatically go into the VPC - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - - pipeline.addStage(new TwoStackApp(app, 'Test'), { - post: [new cdkp.CodeBuildStep('sgAction', { - commands: ['set -eu', 'true'], - vpc, - securityGroups: [sg], - })], - }); - - THEN_codePipelineExpectation(); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Test', + Actions: Match.arrayWith([ + Match.objectLike({ + Name: 'sgAction', + }), + ]), + }]), }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Test', - Actions: Match.arrayWith([ - Match.objectLike({ - Name: 'sgAction', - }), - ]), - }]), - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - VpcConfig: { - SecurityGroupIds: [ - { - 'Fn::GetAtt': [ - 'SGADB53937', - 'GroupId', - ], - }, - ], - VpcId: { - Ref: 'VPCB9E5F0B4', + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + VpcConfig: { + SecurityGroupIds: [ + { + 'Fn::GetAtt': [ + 'SGADB53937', + 'GroupId', + ], }, + ], + VpcId: { + Ref: 'VPCB9E5F0B4', }, - }); - } + }, + }); }); -behavior('can run scripts with specified BuildEnvironment', (suite) => { - suite.legacy(() => { - let { pipeline, integTestArtifact } = legacySetup(); - - // WHEN - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ - actionName: 'imageAction', - additionalArtifacts: [integTestArtifact], - commands: ['true'], - environment: { buildImage: codebuild.LinuxBuildImage.STANDARD_2_0 }, - })); - - THEN_codePipelineExpectation(); - }); +test('can run scripts with specified BuildEnvironment', () => { - suite.modern(() => { - // Run all Build jobs with the given image - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - codeBuildDefaults: { - buildEnvironment: { - buildImage: codebuild.LinuxBuildImage.STANDARD_2_0, - }, + // Run all Build jobs with the given image + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk-1', { + codeBuildDefaults: { + buildEnvironment: { + buildImage: codebuild.LinuxBuildImage.STANDARD_2_0, }, - }); - - pipeline.addStage(new TwoStackApp(app, 'Test'), { - post: [new cdkp.ShellStep('imageAction', { - commands: ['true'], - })], - }); - - THEN_codePipelineExpectation(); + }, }); - suite.additional('modern, alternative API', () => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new TwoStackApp(app, 'Test-1'), { + post: [new cdkp.ShellStep('imageAction', { + commands: ['true'], + })], + }); - pipeline.addStage(new TwoStackApp(app, 'Test'), { - post: [new cdkp.CodeBuildStep('imageAction', { - commands: ['true'], - buildEnvironment: { - buildImage: codebuild.LinuxBuildImage.STANDARD_2_0, - }, - })], - }); + const pipeline2 = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk-2'); - THEN_codePipelineExpectation(); + pipeline2.addStage(new TwoStackApp(app, 'Test-2'), { + post: [new cdkp.CodeBuildStep('imageAction', { + commands: ['true'], + buildEnvironment: { + buildImage: codebuild.LinuxBuildImage.STANDARD_2_0, + }, + })], }); - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: 'aws/codebuild/standard:2.0', - }, - }); - } + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: 'aws/codebuild/standard:2.0', + }, + }); }); -behavior('can run scripts with magic environment variables', (suite) => { - suite.legacy(() => { - const { pipeline, integTestArtifact } = legacySetup(); - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ - actionName: 'imageAction', - additionalArtifacts: [integTestArtifact], +test('can run scripts with magic environment variables', () => { + + // Run all Build jobs with the given image + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + + pipeline.addStage(new TwoStackApp(app, 'Test'), { + post: [new cdkp.ShellStep('imageAction', { commands: ['true'], - environmentVariables: { - VERSION: { value: codepipeline.GlobalVariables.executionId }, + env: { + VERSION: codepipeline.GlobalVariables.executionId, }, - })); - - THEN_codePipelineExpectation(); + })], }); - suite.modern(() => { - // Run all Build jobs with the given image - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - - pipeline.addStage(new TwoStackApp(app, 'Test'), { - post: [new cdkp.ShellStep('imageAction', { - commands: ['true'], - env: { - VERSION: codepipeline.GlobalVariables.executionId, - }, - })], - }); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Test', - Actions: Match.arrayWith([ - Match.objectLike({ - Name: 'imageAction', - Configuration: Match.objectLike({ - EnvironmentVariables: Match.serializedJson([ - { - name: 'VERSION', - type: 'PLAINTEXT', - value: '#{codepipeline.PipelineExecutionId}', - }, - ]), - }), + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Test', + Actions: Match.arrayWith([ + Match.objectLike({ + Name: 'imageAction', + Configuration: Match.objectLike({ + EnvironmentVariables: Match.serializedJson([ + { + name: 'VERSION', + type: 'PLAINTEXT', + value: '#{codepipeline.PipelineExecutionId}', + }, + ]), }), - ]), - }]), - }); - } -}); - -/** - * Some shared setup for legacy API tests - */ -function legacySetup() { - const sourceArtifact = new codepipeline.Artifact(); - const cloudAssemblyArtifact = new codepipeline.Artifact('CloudAsm'); - const integTestArtifact = new codepipeline.Artifact('IntegTests'); - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - additionalArtifacts: [{ directory: 'test', artifact: integTestArtifact }], - }), - }); - - return { sourceArtifact, cloudAssemblyArtifact, integTestArtifact, pipeline }; -} \ No newline at end of file + }), + ]), + }]), + }); +}); \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/test/legacy/fs.test.ts b/packages/aws-cdk-lib/pipelines/test/fs.test.ts similarity index 85% rename from packages/aws-cdk-lib/pipelines/test/legacy/fs.test.ts rename to packages/aws-cdk-lib/pipelines/test/fs.test.ts index da49fa9cf2986..49cbe2458e64a 100644 --- a/packages/aws-cdk-lib/pipelines/test/legacy/fs.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/fs.test.ts @@ -1,5 +1,5 @@ import * as path from 'path'; -import { toPosixPath } from '../../lib/private/fs'; +import { toPosixPath } from '../lib/private/fs'; test('translate path.sep', () => { expect(toPosixPath(`a${path.sep}b${path.sep}c`)).toEqual('a/b/c'); diff --git a/packages/aws-cdk-lib/pipelines/test/testhelpers/compliance.ts b/packages/aws-cdk-lib/pipelines/test/testhelpers/compliance.ts index 2d3c4ebed35ba..d50366234083f 100644 --- a/packages/aws-cdk-lib/pipelines/test/testhelpers/compliance.ts +++ b/packages/aws-cdk-lib/pipelines/test/testhelpers/compliance.ts @@ -1,68 +1,13 @@ import { describeDeprecated } from '@aws-cdk/cdk-build-tools'; interface SkippedSuite { - legacy(reason?: string): void; - modern(reason?: string): void; } interface Suite { readonly doesNotApply: SkippedSuite; - legacy(fn: () => void): void; - modern(fn: () => void): void; additional(description: string, fn: () => void): void; -} - -// eslint-disable-next-line jest/no-export -export function behavior(name: string, cb: (suite: Suite) => void) { - // Since the goal of the compliance test suites is to compare modern and legacy (i.e. deprecated) APIs, - // use `describeDeprecated()` block here since usage of the legacy API is inevitable. - describeDeprecated(name, () => { - const unwritten = new Set(['modern', 'legacy']); - - function scratchOff(flavor: string) { - if (!unwritten.has(flavor)) { - throw new Error(`Already had test for ${flavor}. Use .additional() to add more tests.`); - } - unwritten.delete(flavor); - } - - cb({ - legacy: (testFn) => { - scratchOff('legacy'); - test('legacy', testFn); - }, - modern: (testFn) => { - scratchOff('modern'); - test('modern', testFn); - }, - additional: test, - doesNotApply: { - modern: (reason?: string) => { - scratchOff('modern'); - - if (reason != null) { - // eslint-disable-next-line jest/no-disabled-tests - test.skip(`modern - ${reason}`, () => {}); - } - }, - - legacy: (reason?: string) => { - scratchOff('legacy'); - - if (reason != null) { - // eslint-disable-next-line jest/no-disabled-tests - test.skip(`legacy - ${reason}`, () => {}); - } - }, - }, - }); - - for (const missing of unwritten) { - test.todo(missing); - } - }); -} +} \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/test/testhelpers/index.ts b/packages/aws-cdk-lib/pipelines/test/testhelpers/index.ts index fbc50d3b1a003..866d791e45856 100644 --- a/packages/aws-cdk-lib/pipelines/test/testhelpers/index.ts +++ b/packages/aws-cdk-lib/pipelines/test/testhelpers/index.ts @@ -1,5 +1,4 @@ export * from './compliance'; -export * from './legacy-pipeline'; export * from './modern-pipeline'; export * from './test-app'; export * from './matchers'; \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/test/testhelpers/legacy-pipeline.ts b/packages/aws-cdk-lib/pipelines/test/testhelpers/legacy-pipeline.ts deleted file mode 100644 index cc5340b74e7c8..0000000000000 --- a/packages/aws-cdk-lib/pipelines/test/testhelpers/legacy-pipeline.ts +++ /dev/null @@ -1,47 +0,0 @@ -import { Construct } from 'constructs'; -import * as codepipeline from '../../../aws-codepipeline'; -import * as codepipeline_actions from '../../../aws-codepipeline-actions'; -import { SecretValue } from '../../../core'; -import * as cdkp from '../../lib'; - -export interface LegacyTestGitHubNpmPipelineExtraProps { - readonly sourceArtifact?: codepipeline.Artifact; - readonly npmSynthOptions?: Partial; -} - -export class LegacyTestGitHubNpmPipeline extends cdkp.CdkPipeline { - public readonly sourceArtifact: codepipeline.Artifact; - public readonly cloudAssemblyArtifact: codepipeline.Artifact; - - constructor(scope: Construct, id: string, props?: Partial & LegacyTestGitHubNpmPipelineExtraProps) { - const sourceArtifact = props?.sourceArtifact ?? new codepipeline.Artifact(); - const cloudAssemblyArtifact = props?.cloudAssemblyArtifact ?? new codepipeline.Artifact(); - - super(scope, id, { - sourceAction: new TestGitHubAction(sourceArtifact), - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - ...props?.npmSynthOptions, - }), - cloudAssemblyArtifact, - ...props, - }); - - this.sourceArtifact = sourceArtifact; - this.cloudAssemblyArtifact = cloudAssemblyArtifact; - } -} - -export class TestGitHubAction extends codepipeline_actions.GitHubSourceAction { - constructor(sourceArtifact: codepipeline.Artifact) { - super({ - actionName: 'GitHub', - output: sourceArtifact, - oauthToken: SecretValue.unsafePlainText('$3kr1t'), - owner: 'test', - repo: 'test', - trigger: codepipeline_actions.GitHubTrigger.POLL, - }); - } -} diff --git a/packages/aws-cdk/README.md b/packages/aws-cdk/README.md index 2b06a12c6b2d4..25a058a2fcbd1 100644 --- a/packages/aws-cdk/README.md +++ b/packages/aws-cdk/README.md @@ -165,6 +165,8 @@ $ # Diff against the currently deployed stack with quiet parameter enabled $ cdk diff --quiet --app='node bin/main.js' MyStackName ``` +Note that the CDK::Metadata resource and the `CheckBootstrapVersion` Rule are excluded from `cdk diff` by default. You can force `cdk diff` to display them by passing the `--strict` flag. + The `change-set` flag will make `diff` create a change set and extract resource replacement data from it. This is a bit slower, but will provide no false positives for resource replacement. The `--no-change-set` mode will consider any change to a property that requires replacement to be a resource replacement, even if the change is purely cosmetic (like replacing a resource reference with a hardcoded arn). diff --git a/packages/aws-cdk/THIRD_PARTY_LICENSES b/packages/aws-cdk/THIRD_PARTY_LICENSES index bdd874b45cfec..263960abeb50d 100644 --- a/packages/aws-cdk/THIRD_PARTY_LICENSES +++ b/packages/aws-cdk/THIRD_PARTY_LICENSES @@ -1,6 +1,6 @@ The aws-cdk package includes the following third-party software/licensing: -** @jsii/check-node@1.101.0 - https://www.npmjs.com/package/@jsii/check-node/v/1.101.0 | Apache-2.0 +** @jsii/check-node@1.102.0 - https://www.npmjs.com/package/@jsii/check-node/v/1.102.0 | Apache-2.0 jsii Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved. @@ -294,6 +294,16 @@ This product includes software developed at Amazon Web Services, Inc. (http://aws.amazon.com/). +---------------- + +** aws-sdk@2.1675.0 - https://www.npmjs.com/package/aws-sdk/v/2.1675.0 | Apache-2.0 +AWS SDK for JavaScript +Copyright 2012-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved. + +This product includes software developed at +Amazon Web Services, Inc. (http://aws.amazon.com/). + + ---------------- ** balanced-match@1.0.2 - https://www.npmjs.com/package/balanced-match/v/1.0.2 | MIT @@ -2954,6 +2964,26 @@ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +---------------- + +** semver@7.6.3 - https://www.npmjs.com/package/semver/v/7.6.3 | ISC +The ISC License + +Copyright (c) Isaac Z. Schlueter and Contributors + +Permission to use, copy, modify, and/or distribute this software for any +purpose with or without fee is hereby granted, provided that the above +copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR +IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + + ---------------- ** slice-ansi@4.0.0 - https://www.npmjs.com/package/slice-ansi/v/4.0.0 | MIT diff --git a/packages/aws-cdk/lib/cdk-toolkit.ts b/packages/aws-cdk/lib/cdk-toolkit.ts index 854b7ec6419c2..af64056e2fc29 100644 --- a/packages/aws-cdk/lib/cdk-toolkit.ts +++ b/packages/aws-cdk/lib/cdk-toolkit.ts @@ -105,7 +105,7 @@ export class CdkToolkit { public async metadata(stackName: string, json: boolean) { const stacks = await this.selectSingleStackByName(stackName); - data(serializeStructure(stacks.firstStack.manifest.metadata ?? {}, json)); + printSerializedObject(stacks.firstStack.manifest.metadata ?? {}, json); } public async acknowledge(noticeId: string) { @@ -632,7 +632,7 @@ export class CdkToolkit { }); if (options.long && options.showDeps) { - data(serializeStructure(stacks, options.json ?? false)); + printSerializedObject(stacks, options.json ?? false); return 0; } @@ -646,7 +646,7 @@ export class CdkToolkit { }); } - data(serializeStructure(stackDeps, options.json ?? false)); + printSerializedObject(stackDeps, options.json ?? false); return 0; } @@ -660,7 +660,7 @@ export class CdkToolkit { environment: stack.environment, }); } - data(serializeStructure(long, options.json ?? false)); + printSerializedObject(long, options.json ?? false); return 0; } @@ -687,7 +687,7 @@ export class CdkToolkit { // if we have a single stack, print it to STDOUT if (stacks.stackCount === 1) { if (!quiet) { - data(serializeStructure(stacks.firstStack.template, json ?? false)); + printSerializedObject(obscureTemplate(stacks.firstStack.template), json ?? false); } return undefined; } @@ -701,7 +701,7 @@ export class CdkToolkit { // behind an environment variable. const isIntegMode = process.env.CDK_INTEG_MODE === '1'; if (isIntegMode) { - data(serializeStructure(stacks.stackArtifacts.map(s => s.template), json ?? false)); + printSerializedObject(stacks.stackArtifacts.map(s => obscureTemplate(s.template)), json ?? false); } // not outputting template to stdout, let's explain things to the user a little bit... @@ -1045,6 +1045,13 @@ export class CdkToolkit { } } +/** + * Print a serialized object (YAML or JSON) to stdout. + */ +function printSerializedObject(obj: any, json: boolean) { + data(serializeStructure(obj, json)); +} + export interface DiffOptions { /** * Stack names to diff @@ -1526,3 +1533,21 @@ function buildParameterMap(parameters: { return parameterMap; } + +/** + * Remove any template elements that we don't want to show users. + */ +function obscureTemplate(template: any = {}) { + if (template.Rules) { + // see https://github.com/aws/aws-cdk/issues/17942 + if (template.Rules.CheckBootstrapVersion) { + if (Object.keys(template.Rules).length > 1) { + delete template.Rules.CheckBootstrapVersion; + } else { + delete template.Rules; + } + } + } + + return template; +} diff --git a/packages/aws-cdk/lib/cli.ts b/packages/aws-cdk/lib/cli.ts index 2c15bb7b9949f..a05a0cbb4625c 100644 --- a/packages/aws-cdk/lib/cli.ts +++ b/packages/aws-cdk/lib/cli.ts @@ -260,7 +260,7 @@ async function parseCommandLineArguments(args: string[]) { .option('exclusively', { type: 'boolean', alias: 'e', desc: 'Only diff requested stacks, don\'t include dependencies' }) .option('context-lines', { type: 'number', desc: 'Number of context lines to include in arbitrary JSON diff rendering', default: 3, requiresArg: true }) .option('template', { type: 'string', desc: 'The path to the CloudFormation template to compare with', requiresArg: true }) - .option('strict', { type: 'boolean', desc: 'Do not filter out AWS::CDK::Metadata resources or mangled non-ASCII characters', default: false }) + .option('strict', { type: 'boolean', desc: 'Do not filter out AWS::CDK::Metadata resources, mangled non-ASCII characters, or the CheckBootstrapVersionRule', default: false }) .option('security-only', { type: 'boolean', desc: 'Only diff for broadened security changes', default: false }) .option('fail', { type: 'boolean', desc: 'Fail with exit code 1 in case of diff' }) .option('processed', { type: 'boolean', desc: 'Whether to compare against the template with Transforms already processed', default: false }) diff --git a/packages/aws-cdk/lib/diff.ts b/packages/aws-cdk/lib/diff.ts index 2fc043fcd38a3..0e9f1c15543dc 100644 --- a/packages/aws-cdk/lib/diff.ts +++ b/packages/aws-cdk/lib/diff.ts @@ -19,7 +19,7 @@ import { print, warning } from './logging'; * * @param oldTemplate the old/current state of the stack. * @param newTemplate the new/target state of the stack. - * @param strict do not filter out AWS::CDK::Metadata + * @param strict do not filter out AWS::CDK::Metadata or Rules * @param context lines of context to use in arbitrary JSON diff * @param quiet silences \'There were no differences\' messages * @@ -50,13 +50,9 @@ export function printStackDiff( } // filter out 'AWS::CDK::Metadata' resources from the template - if (diff.resources && !strict) { - diff.resources = diff.resources.filter(change => { - if (!change) { return true; } - if (change.newResourceType === 'AWS::CDK::Metadata') { return false; } - if (change.oldResourceType === 'AWS::CDK::Metadata') { return false; } - return true; - }); + // filter out 'CheckBootstrapVersion' rules from the template + if (!strict) { + obscureDiff(diff); } let stackDiffCount = 0; @@ -165,3 +161,30 @@ function logicalIdMapFromTemplate(template: any) { } return ret; } + +/** + * Remove any template elements that we don't want to show users. + * This is currently: + * - AWS::CDK::Metadata resource + * - CheckBootstrapVersion Rule + */ +function obscureDiff(diff: TemplateDiff) { + if (diff.unknown) { + // see https://github.com/aws/aws-cdk/issues/17942 + diff.unknown = diff.unknown.filter(change => { + if (!change) { return true; } + if (change.newValue?.CheckBootstrapVersion) { return false; } + if (change.oldValue?.CheckBootstrapVersion) { return false; } + return true; + }); + } + + if (diff.resources) { + diff.resources = diff.resources.filter(change => { + if (!change) { return true; } + if (change.newResourceType === 'AWS::CDK::Metadata') { return false; } + if (change.oldResourceType === 'AWS::CDK::Metadata') { return false; } + return true; + }); + } +} diff --git a/packages/aws-cdk/package.json b/packages/aws-cdk/package.json index 8162bb751544d..5f827d871a9e9 100644 --- a/packages/aws-cdk/package.json +++ b/packages/aws-cdk/package.json @@ -96,15 +96,15 @@ "xml-js": "^1.6.11" }, "dependencies": { - "@aws-cdk/cloud-assembly-schema": "0.0.0", + "@aws-cdk/cloud-assembly-schema": "^36.0.5", "@aws-cdk/cloudformation-diff": "0.0.0", "@aws-cdk/cx-api": "0.0.0", "@aws-cdk/region-info": "0.0.0", - "@jsii/check-node": "1.101.0", + "@jsii/check-node": "1.102.0", "archiver": "^5.3.2", "aws-sdk": "^2.1653.0", "camelcase": "^6.3.0", - "cdk-assets": "0.0.0", + "cdk-assets": "^2.151.2", "cdk-from-cfn": "^0.162.0", "chalk": "^4", "chokidar": "^3.6.0", diff --git a/packages/aws-cdk/test/api/cloudformation-deployments.test.ts b/packages/aws-cdk/test/api/cloudformation-deployments.test.ts index 7d6288ba10249..cbaf7c3d8746c 100644 --- a/packages/aws-cdk/test/api/cloudformation-deployments.test.ts +++ b/packages/aws-cdk/test/api/cloudformation-deployments.test.ts @@ -756,7 +756,7 @@ test('readCurrentTemplateWithNestedStacks() caches calls to listStackResources() expect(numberOfTimesListStackResourcesWasCalled).toEqual(1); }); -test('readCurrentTemplateWithNestedStacks() successfully ignores stacks without metadata', async () => { +test('readCurrentTemplateWithNestedStacks() succesfully ignores stacks without metadata', async () => { // GIVEN const cfnStack = new FakeCloudformationStack({ stackName: 'MetadataRoot', diff --git a/packages/aws-cdk/test/api/exec.test.ts b/packages/aws-cdk/test/api/exec.test.ts index d15f9ac9c0ce2..a8c32aed06d8a 100644 --- a/packages/aws-cdk/test/api/exec.test.ts +++ b/packages/aws-cdk/test/api/exec.test.ts @@ -76,7 +76,7 @@ test('cli throws when manifest version > schema version', async () => { } const expectedError = 'This CDK CLI is not compatible with the CDK library used by your application. Please upgrade the CLI to the latest version.' - + `\n(Cloud assembly schema version mismatch: Maximum schema version supported is ${currentSchemaVersion}, but found ${mockManifestVersion})`; + + `\n(Cloud assembly schema version mismatch: Maximum schema version supported is ${semver.major(currentSchemaVersion)}.x.x, but found ${mockManifestVersion})`; config.settings.set(['app'], 'cdk.out'); diff --git a/packages/aws-cdk/test/diff.test.ts b/packages/aws-cdk/test/diff.test.ts index 0155f74dd192d..ffaa157e5fc20 100644 --- a/packages/aws-cdk/test/diff.test.ts +++ b/packages/aws-cdk/test/diff.test.ts @@ -855,6 +855,95 @@ Resources }); }); +describe('--strict', () => { + const templatePath = 'oldTemplate.json'; + beforeEach(() => { + const oldTemplate = {}; + + cloudExecutable = new MockCloudExecutable({ + stacks: [{ + stackName: 'A', + template: { + Resources: { + MetadataResource: { + Type: 'AWS::CDK::Metadata', + Properties: { + newMeta: 'newData', + }, + }, + SomeOtherResource: { + Type: 'AWS::Something::Amazing', + }, + }, + Rules: { + CheckBootstrapVersion: { + newCheck: 'newBootstrapVersion', + }, + }, + }, + }], + }); + + toolkit = new CdkToolkit({ + cloudExecutable, + deployments: cloudFormation, + configuration: cloudExecutable.configuration, + sdkProvider: cloudExecutable.sdkProvider, + }); + + fs.writeFileSync(templatePath, JSON.stringify(oldTemplate)); + }); + + afterEach(() => fs.rmSync(templatePath)); + + test('--strict does not obscure CDK::Metadata or CheckBootstrapVersion', async () => { + // GIVEN + const buffer = new StringWritable(); + + // WHEN + const exitCode = await toolkit.diff({ + stackNames: ['A'], + stream: buffer, + strict: true, + }); + + // THEN + const plainTextOutput = buffer.data.replace(/\x1B\[[0-?]*[ -/]*[@-~]/g, ''); + expect(plainTextOutput.trim()).toEqual(`Stack A +Resources +[+] AWS::CDK::Metadata MetadataResource +[+] AWS::Something::Amazing SomeOtherResource + +Other Changes +[+] Unknown Rules: {\"CheckBootstrapVersion\":{\"newCheck\":\"newBootstrapVersion\"}} + + +✨ Number of stacks with differences: 1`); + expect(exitCode).toBe(0); + }); + + test('--no-strict obscures CDK::Metadata and CheckBootstrapVersion', async () => { + // GIVEN + const buffer = new StringWritable(); + + // WHEN + const exitCode = await toolkit.diff({ + stackNames: ['A'], + stream: buffer, + }); + + // THEN + const plainTextOutput = buffer.data.replace(/\x1B\[[0-?]*[ -/]*[@-~]/g, ''); + expect(plainTextOutput.trim()).toEqual(`Stack A +Resources +[+] AWS::Something::Amazing SomeOtherResource + + +✨ Number of stacks with differences: 1`); + expect(exitCode).toBe(0); + }); +}); + class StringWritable extends Writable { public data: string; private readonly _decoder: StringDecoder; diff --git a/packages/aws-cdk/tsconfig.json b/packages/aws-cdk/tsconfig.json index c810cbc0b0aab..86529a2bdeb65 100644 --- a/packages/aws-cdk/tsconfig.json +++ b/packages/aws-cdk/tsconfig.json @@ -35,9 +35,6 @@ "references": [ { "path": "../@aws-cdk/cloudformation-diff" - }, - { - "path": "../cdk-assets" } ] } diff --git a/packages/awslint/package.json b/packages/awslint/package.json index f9ba600f5ba97..39b7b0a6ababb 100644 --- a/packages/awslint/package.json +++ b/packages/awslint/package.json @@ -18,10 +18,10 @@ "awslint": "bin/awslint" }, "dependencies": { - "@jsii/spec": "1.101.0", + "@jsii/spec": "1.102.0", "chalk": "^4", "fs-extra": "^9.1.0", - "jsii-reflect": "1.101.0", + "jsii-reflect": "1.102.0", "change-case": "^4.1.2", "yargs": "^16.2.0" }, @@ -71,4 +71,4 @@ "publishConfig": { "tag": "latest" } -} +} \ No newline at end of file diff --git a/packages/cdk-assets/.eslintrc.js b/packages/cdk-assets/.eslintrc.js deleted file mode 100644 index 2658ee8727166..0000000000000 --- a/packages/cdk-assets/.eslintrc.js +++ /dev/null @@ -1,3 +0,0 @@ -const baseConfig = require('@aws-cdk/cdk-build-tools/config/eslintrc'); -baseConfig.parserOptions.project = __dirname + '/tsconfig.json'; -module.exports = baseConfig; diff --git a/packages/cdk-assets/.gitignore b/packages/cdk-assets/.gitignore deleted file mode 100644 index d24092a6feda2..0000000000000 --- a/packages/cdk-assets/.gitignore +++ /dev/null @@ -1,28 +0,0 @@ -*.js -*.js.map -*.d.ts -!lib/init-templates/**/javascript/**/* -node_modules -dist - -# Generated by generate.sh -build-info.json - -.LAST_BUILD -.nyc_output -coverage -nyc.config.js -.LAST_PACKAGE -*.snk - -!test/integ/run-wrappers/dist -!test/integ/cli/**/* -assets.json -npm-shrinkwrap.json -!.eslintrc.js -!jest.config.js - -junit.xml - -# Ignore this symlink, we recreate it at test time -test/test-archive-follow/data/linked diff --git a/packages/cdk-assets/.npmignore b/packages/cdk-assets/.npmignore deleted file mode 100644 index 45b8808bdd7ac..0000000000000 --- a/packages/cdk-assets/.npmignore +++ /dev/null @@ -1,30 +0,0 @@ -# Don't include original .ts files when doing `npm pack` -*.ts -!*.template.ts -!*.d.ts -coverage -.nyc_output -*.tgz - -dist -.LAST_PACKAGE -.LAST_BUILD -*.snk - -!lib/init-templates/*/*/tsconfig.json -!test/integ/cli/**/*.js -!test/integ/run-wrappers/dist - -*.tsbuildinfo - -tsconfig.json - -# init templates include default tsconfig.json files which we need -!lib/init-templates/**/tsconfig.json -.eslintrc.js -jest.config.js - -# exclude cdk artifacts -**/cdk.out -junit.xml -test/ \ No newline at end of file diff --git a/packages/cdk-assets/LICENSE b/packages/cdk-assets/LICENSE deleted file mode 100644 index dcf28b52a83af..0000000000000 --- a/packages/cdk-assets/LICENSE +++ /dev/null @@ -1,201 +0,0 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright 2018-2024 Amazon.com, Inc. or its affiliates. All Rights Reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/packages/cdk-assets/NOTICE b/packages/cdk-assets/NOTICE deleted file mode 100644 index c0b1f046c881a..0000000000000 --- a/packages/cdk-assets/NOTICE +++ /dev/null @@ -1,2 +0,0 @@ -AWS Cloud Development Kit (AWS CDK) -Copyright 2018-2024 Amazon.com, Inc. or its affiliates. All Rights Reserved. diff --git a/packages/cdk-assets/README.md b/packages/cdk-assets/README.md deleted file mode 100644 index 7c8bc78aca51b..0000000000000 --- a/packages/cdk-assets/README.md +++ /dev/null @@ -1,190 +0,0 @@ -# cdk-assets - - ---- - -![cdk-constructs: Stable](https://img.shields.io/badge/cdk--constructs-stable-success.svg?style=for-the-badge) - ---- - - - - -A tool for publishing CDK assets to AWS environments. - -## Overview - -`cdk-assets` requires an asset manifest file called `assets.json`, in a CDK -CloudAssembly (`cdk.out/assets.json`). It will take the assets listed in the -manifest, prepare them as required and upload them to the locations indicated in -the manifest. - -Currently the following asset types are supported: - -* Files and archives, uploaded to S3 -* Docker Images, uploaded to ECR -* Files, archives, and Docker images built by external utilities - -S3 buckets and ECR repositories to upload to are expected to exist already. - -We expect assets to be immutable, and we expect that immutability to be -reflected both in the asset ID and in the destination location. This reflects -itself in the following behaviors: - -* If the indicated asset already exists in the given destination location, it - will not be packaged and uploaded. -* If some locally cached artifact (depending on the asset type a file or an - image in the local Docker cache) already exists named after the asset's ID, it - will not be packaged, but will be uploaded directly to the destination - location. - -For assets build by external utilities, the contract is such that cdk-assets -expects the utility to manage dedupe detection as well as path/image tag generation. -This means that cdk-assets will call the external utility every time generation -is warranted, and it is up to the utility to a) determine whether to do a -full rebuild; and b) to return only one thing on stdout: the path to the file/archive -asset, or the name of the local Docker image. - -## Usage - -The `cdk-asset` tool can be used programmatically and via the CLI. Use -programmatic access if you need more control over authentication than the -default [`aws-sdk`](https://github.com/aws/aws-sdk-js) implementation allows. - -Command-line use looks like this: - -```console -$ cdk-assets /path/to/cdk.out [ASSET:DEST] [ASSET] [:DEST] [...] -``` - -Credentials will be taken from the `AWS_ACCESS_KEY...` environment variables -or the `default` profile (or another profile if `AWS_PROFILE` is set). - -A subset of the assets and destinations can be uploaded by specifying their -asset IDs or destination IDs. - -## Manifest Example - -An asset manifest looks like this: - -```json -{ - "version": "1.22.0", - "files": { - "7aac5b80b050e7e4e168f84feffa5893": { - "source": { - "path": "some_directory", - "packaging": "zip" - }, - "destinations": { - "us-east-1": { - "region": "us-east-1", - "assumeRoleArn": "arn:aws:iam::12345789012:role/my-account", - "bucketName": "MyBucket", - "objectKey": "7aac5b80b050e7e4e168f84feffa5893.zip" - } - } - }, - "3dfe2b80b050e7e4e168f84feff678d4": { - "source": { - "executable": ["myzip"] - }, - "destinations": { - "us-east-1": { - "region": "us-east-1", - "assumeRoleArn": "arn:aws:iam::12345789012:role/my-account", - "bucketName": "MySpecialBucket", - "objectKey": "3dfe2b80b050e7e4e168f84feff678d4.zip" - } - } - }, - }, - "dockerImages": { - "b48783c58a86f7b8c68a4591c4f9be31": { - "source": { - "directory": "dockerdir", - }, - "destinations": { - "us-east-1": { - "region": "us-east-1", - "assumeRoleArn": "arn:aws:iam::12345789012:role/my-account", - "repositoryName": "MyRepository", - "imageTag": "b48783c58a86f7b8c68a4591c4f9be31", - "imageUri": "123456789012.dkr.ecr.us-east-1.amazonaws.com/MyRepository:1234567891b48783c58a86f7b8c68a4591c4f9be31", - } - } - }, - "d92753c58a86f7b8c68a4591c4f9cf28": { - "source": { - "executable": ["mytool", "package", "dockerdir"], - }, - "destinations": { - "us-east-1": { - "region": "us-east-1", - "assumeRoleArn": "arn:aws:iam::12345789012:role/my-account", - "repositoryName": "MyRepository2", - "imageTag": "d92753c58a86f7b8c68a4591c4f9cf28", - "imageUri": "123456789987.dkr.ecr.us-east-1.amazonaws.com/MyRepository2:1234567891b48783c58a86f7b8c68a4591c4f9be31", - } - } - } - } -} -``` - -### Placeholders - -The `destination` block of an asset manifest may contain the following region -and account placeholders: - -* `${AWS::Region}` -* `${AWS::AccountId}` - -These will be substituted with the region and account IDs currently configured -on the AWS SDK (through environment variables or `~/.aws/...` config files). - -* The `${AWS::AccountId}` placeholder will *not* be re-evaluated after - performing the `AssumeRole` call. -* If `${AWS::Region}` is used, it will principally be replaced with the value - in the `region` key. If the default region is intended, leave the `region` - key out of the manifest at all. - -## Docker image credentials - -For Docker image asset publishing, `cdk-assets` will `docker login` with -credentials from ECR GetAuthorizationToken prior to building and publishing, so -that the Dockerfile can reference images in the account's ECR repo. - -`cdk-assets` can also be configured to read credentials from both ECR and -SecretsManager prior to build by creating a credential configuration at -'~/.cdk/cdk-docker-creds.json' (override this location by setting the -CDK_DOCKER_CREDS_FILE environment variable). The credentials file has the -following format: - -```json -{ - "version": "1.0", - "domainCredentials": { - "domain1.example.com": { - "secretsManagerSecretId": "mySecret", // Can be the secret ID or full ARN - "roleArn": "arn:aws:iam::0123456789012:role/my-role" // (Optional) role with permissions to the secret - }, - "domain2.example.com": { - "ecrRepository": true, - "roleArn": "arn:aws:iam::0123456789012:role/my-role" // (Optional) role with permissions to the repo - } - } -} -``` - -If the credentials file is present, `docker` will be configured to use the -`docker-credential-cdk-assets` credential helper for each of the domains listed -in the file. This helper will assume the role provided (if present), and then fetch -the login credentials from either SecretsManager or ECR. - -## Using Drop-in Docker Replacements - -By default, the AWS CDK will build and publish Docker image assets using the -`docker` command. However, by specifying the `CDK_DOCKER` environment variable, -you can override the command that will be used to build and publish your -assets. diff --git a/packages/cdk-assets/bin/cdk-assets b/packages/cdk-assets/bin/cdk-assets deleted file mode 100755 index 09c08dd446846..0000000000000 --- a/packages/cdk-assets/bin/cdk-assets +++ /dev/null @@ -1,2 +0,0 @@ -#!/usr/bin/env node -require('./cdk-assets.js'); \ No newline at end of file diff --git a/packages/cdk-assets/bin/cdk-assets.ts b/packages/cdk-assets/bin/cdk-assets.ts deleted file mode 100644 index 4547051334449..0000000000000 --- a/packages/cdk-assets/bin/cdk-assets.ts +++ /dev/null @@ -1,67 +0,0 @@ -import * as yargs from 'yargs'; -import { list } from './list'; -import { setLogThreshold, VERSION } from './logging'; -import { publish } from './publish'; -import { AssetManifest } from '../lib'; - -async function main() { - const argv = yargs - .usage('$0 [args]') - .option('verbose', { - alias: 'v', - type: 'boolean', - desc: 'Increase logging verbosity', - count: true, - default: 0, - }) - .option('path', { - alias: 'p', - type: 'string', - desc: 'The path (file or directory) to load the assets from. If a directory, ' + - `the file '${AssetManifest.DEFAULT_FILENAME}' will be loaded from it.`, - default: '.', - requiresArg: true, - }) - .command('ls', 'List assets from the given manifest', command => command - , wrapHandler(async args => { - await list(args); - })) - .command('publish [ASSET..]', 'Publish assets in the given manifest', command => command - .option('profile', { type: 'string', describe: 'Profile to use from AWS Credentials file' }) - .positional('ASSET', { type: 'string', array: true, describe: 'Assets to publish (format: "ASSET[:DEST]"), default all' }) - , wrapHandler(async args => { - await publish({ - path: args.path, - assets: args.ASSET, - profile: args.profile, - }); - })) - .demandCommand() - .help() - .strict() // Error on wrong command - .version(VERSION) - .showHelpOnFail(false) - .argv; - - // Evaluating .argv triggers the parsing but the command gets implicitly executed, - // so we don't need the output. - Array.isArray(argv); -} - -/** - * Wrap a command's handler with standard pre- and post-work - */ -function wrapHandler(handler: (x: A) => Promise) { - return async (argv: A) => { - if (argv.verbose) { - setLogThreshold('verbose'); - } - await handler(argv); - }; -} - -main().catch(e => { - // eslint-disable-next-line no-console - console.error(e.stack); - process.exitCode = 1; -}); diff --git a/packages/cdk-assets/bin/docker-credential-cdk-assets b/packages/cdk-assets/bin/docker-credential-cdk-assets deleted file mode 100755 index 3829057860102..0000000000000 --- a/packages/cdk-assets/bin/docker-credential-cdk-assets +++ /dev/null @@ -1,2 +0,0 @@ -#!/usr/bin/env node -require('./docker-credential-cdk-assets.js'); diff --git a/packages/cdk-assets/bin/docker-credential-cdk-assets.ts b/packages/cdk-assets/bin/docker-credential-cdk-assets.ts deleted file mode 100644 index 6dccb5521cf55..0000000000000 --- a/packages/cdk-assets/bin/docker-credential-cdk-assets.ts +++ /dev/null @@ -1,42 +0,0 @@ -/** - * Docker Credential Helper to retrieve credentials based on an external configuration file. - * Supports loading credentials from ECR repositories and from Secrets Manager, - * optionally via an assumed role. - * - * The only operation currently supported by this credential helper at this time is the `get` - * command, which receives a domain name as input on stdin and returns a Username/Secret in - * JSON format on stdout. - * - * IMPORTANT - The credential helper must not output anything else besides the final credentials - * in any success case; doing so breaks docker's parsing of the output and causes the login to fail. - */ - -import * as fs from 'fs'; -import { DefaultAwsClient } from '../lib'; - -import { cdkCredentialsConfig, cdkCredentialsConfigFile, fetchDockerLoginCredentials } from '../lib/private/docker-credentials'; - -async function main() { - // Expected invocation is [node, docker-credential-cdk-assets, get] with input fed via STDIN - // For other valid docker commands (store, list, erase), we no-op. - if (process.argv.length !== 3 || process.argv[2] !== 'get') { - process.exit(0); - } - - const config = cdkCredentialsConfig(); - if (!config) { - throw new Error(`unable to find CDK Docker credentials at: ${cdkCredentialsConfigFile()}`); - } - - // Read the domain to fetch from stdin - let endpoint = fs.readFileSync(0, { encoding: 'utf-8' }).trim(); - const credentials = await fetchDockerLoginCredentials(new DefaultAwsClient(), config, endpoint); - // Write the credentials back to stdout - fs.writeFileSync(1, JSON.stringify(credentials)); -} - -main().catch(e => { - // eslint-disable-next-line no-console - console.error(e.stack); - process.exitCode = 1; -}); diff --git a/packages/cdk-assets/bin/list.ts b/packages/cdk-assets/bin/list.ts deleted file mode 100644 index e93358cd729fd..0000000000000 --- a/packages/cdk-assets/bin/list.ts +++ /dev/null @@ -1,9 +0,0 @@ -import { AssetManifest } from '../lib'; - -export async function list(args: { - path: string; -}) { - const manifest = AssetManifest.fromPath(args.path); - // eslint-disable-next-line no-console - console.log(manifest.list().join('\n')); -} \ No newline at end of file diff --git a/packages/cdk-assets/bin/logging.ts b/packages/cdk-assets/bin/logging.ts deleted file mode 100644 index ead34deeaa70c..0000000000000 --- a/packages/cdk-assets/bin/logging.ts +++ /dev/null @@ -1,24 +0,0 @@ -import * as fs from 'fs'; -import * as path from 'path'; - -export type LogLevel = 'verbose' | 'info' | 'error'; -let logThreshold: LogLevel = 'info'; - -export const VERSION = JSON.parse(fs.readFileSync(path.join(__dirname, '..', 'package.json'), { encoding: 'utf-8' })).version; - -const LOG_LEVELS: Record = { - verbose: 1, - info: 2, - error: 3, -}; - -export function setLogThreshold(threshold: LogLevel) { - logThreshold = threshold; -} - -export function log(level: LogLevel, message: string) { - if (LOG_LEVELS[level] >= LOG_LEVELS[logThreshold]) { - // eslint-disable-next-line no-console - console.error(`${level.padEnd(7, ' ')}: ${message}`); - } -} \ No newline at end of file diff --git a/packages/cdk-assets/bin/publish.ts b/packages/cdk-assets/bin/publish.ts deleted file mode 100644 index 87ead6eac14ae..0000000000000 --- a/packages/cdk-assets/bin/publish.ts +++ /dev/null @@ -1,56 +0,0 @@ -import { log, LogLevel } from './logging'; -import { - AssetManifest, AssetPublishing, DefaultAwsClient, DestinationPattern, EventType, - IPublishProgress, IPublishProgressListener, -} from '../lib'; - -export async function publish(args: { - path: string; - assets?: string[]; - profile?: string; -}) { - - let manifest = AssetManifest.fromPath(args.path); - log('verbose', `Loaded manifest from ${args.path}: ${manifest.entries.length} assets found`); - - if (args.assets && args.assets.length > 0) { - const selection = args.assets.map(a => DestinationPattern.parse(a)); - manifest = manifest.select(selection); - log('verbose', `Applied selection: ${manifest.entries.length} assets selected.`); - } - - const pub = new AssetPublishing(manifest, { - aws: new DefaultAwsClient(args.profile), - progressListener: new ConsoleProgress(), - throwOnError: false, - }); - - await pub.publish(); - - if (pub.hasFailures) { - for (const failure of pub.failures) { - // eslint-disable-next-line no-console - console.error('Failure:', failure.error.stack); - } - - process.exitCode = 1; - } -} - -const EVENT_TO_LEVEL: Record = { - build: 'verbose', - cached: 'verbose', - check: 'verbose', - debug: 'verbose', - fail: 'error', - found: 'verbose', - start: 'info', - success: 'info', - upload: 'verbose', -}; - -class ConsoleProgress implements IPublishProgressListener { - public onPublishEvent(type: EventType, event: IPublishProgress): void { - log(EVENT_TO_LEVEL[type], `[${event.percentComplete}%] ${type}: ${event.message}`); - } -} diff --git a/packages/cdk-assets/jest.config.js b/packages/cdk-assets/jest.config.js deleted file mode 100644 index 4147a830a714b..0000000000000 --- a/packages/cdk-assets/jest.config.js +++ /dev/null @@ -1,11 +0,0 @@ -const baseConfig = require('@aws-cdk/cdk-build-tools/config/jest.config'); -module.exports = { - ...baseConfig, - coverageThreshold: { - global: { - ...baseConfig.coverageThreshold.global, - statements: 75, - branches: 60, - }, - }, -}; diff --git a/packages/cdk-assets/lib/asset-manifest.ts b/packages/cdk-assets/lib/asset-manifest.ts deleted file mode 100644 index 0cb92396ff424..0000000000000 --- a/packages/cdk-assets/lib/asset-manifest.ts +++ /dev/null @@ -1,313 +0,0 @@ -import * as fs from 'fs'; -import * as path from 'path'; -import { - AssetManifest as AssetManifestSchema, DockerImageDestination, DockerImageSource, - FileDestination, FileSource, Manifest, -} from '@aws-cdk/cloud-assembly-schema'; - -/** - * A manifest of assets - */ -export class AssetManifest { - /** - * The default name of the asset manifest in a cdk.out directory - */ - public static readonly DEFAULT_FILENAME = 'assets.json'; - - /** - * Load an asset manifest from the given file - */ - public static fromFile(fileName: string) { - try { - const obj = Manifest.loadAssetManifest(fileName); - return new AssetManifest(path.dirname(fileName), obj); - } catch (e: any) { - throw new Error(`Canot read asset manifest '${fileName}': ${e.message}`); - } - } - - /** - * Load an asset manifest from the given file or directory - * - * If the argument given is a directoy, the default asset file name will be used. - */ - public static fromPath(filePath: string) { - let st; - try { - st = fs.statSync(filePath); - } catch (e: any) { - throw new Error(`Cannot read asset manifest at '${filePath}': ${e.message}`); - } - if (st.isDirectory()) { - return AssetManifest.fromFile(path.join(filePath, AssetManifest.DEFAULT_FILENAME)); - } - return AssetManifest.fromFile(filePath); - } - - /** - * The directory where the manifest was found - */ - public readonly directory: string; - - constructor(directory: string, private readonly manifest: AssetManifestSchema) { - this.directory = directory; - } - - /** - * Select a subset of assets and destinations from this manifest. - * - * Only assets with at least 1 selected destination are retained. - * - * If selection is not given, everything is returned. - */ - public select(selection?: DestinationPattern[]): AssetManifest { - if (selection === undefined) { return this; } - - const ret: AssetManifestSchema & Required> - = { version: this.manifest.version, dockerImages: {}, files: {} }; - - for (const assetType of ASSET_TYPES) { - for (const [assetId, asset] of Object.entries(this.manifest[assetType] || {})) { - const filteredDestinations = filterDict( - asset.destinations, - (_, destId) => selection.some(sel => sel.matches(new DestinationIdentifier(assetId, destId)))); - - if (Object.keys(filteredDestinations).length > 0) { - ret[assetType][assetId] = { - ...asset, - destinations: filteredDestinations, - }; - } - } - } - - return new AssetManifest(this.directory, ret); - } - - /** - * Describe the asset manifest as a list of strings - */ - public list() { - return [ - ...describeAssets('file', this.manifest.files || {}), - ...describeAssets('docker-image', this.manifest.dockerImages || {}), - ]; - - function describeAssets(type: string, assets: Record }>) { - const ret = new Array(); - for (const [assetId, asset] of Object.entries(assets || {})) { - ret.push(`${assetId} ${type} ${JSON.stringify(asset.source)}`); - - const destStrings = Object.entries(asset.destinations).map(([destId, dest]) => ` ${assetId}:${destId} ${JSON.stringify(dest)}`); - ret.push(...prefixTreeChars(destStrings, ' ')); - } - return ret; - } - } - - /** - * List of assets per destination - * - * Returns one asset for every publishable destination. Multiple asset - * destinations may share the same asset source. - */ - public get entries(): IManifestEntry[] { - return [ - ...makeEntries(this.manifest.files || {}, FileManifestEntry), - ...makeEntries(this.manifest.dockerImages || {}, DockerImageManifestEntry), - ]; - } - - /** - * List of file assets, splat out to destinations - */ - public get files(): FileManifestEntry[] { - return makeEntries(this.manifest.files || {}, FileManifestEntry); - } -} - -function makeEntries( - assets: Record }>, - ctor: new (id: DestinationIdentifier, source: A, destination: B) => C): C[] { - - const ret = new Array(); - for (const [assetId, asset] of Object.entries(assets)) { - for (const [destId, destination] of Object.entries(asset.destinations)) { - ret.push(new ctor(new DestinationIdentifier(assetId, destId), asset.source, destination)); - } - } - return ret; -} - -type AssetType = 'files' | 'dockerImages'; - -const ASSET_TYPES: AssetType[] = ['files', 'dockerImages']; - -/** - * A single asset from an asset manifest' - */ -export interface IManifestEntry { - /** - * The identifier of the asset and its destination - */ - readonly id: DestinationIdentifier; - - /** - * The type of asset - */ - readonly type: string; - - /** - * Type-dependent source data - */ - readonly genericSource: unknown; - - /** - * Type-dependent destination data - */ - readonly genericDestination: unknown; -} - -/** - * A manifest entry for a file asset - */ -export class FileManifestEntry implements IManifestEntry { - public readonly genericSource: unknown; - public readonly genericDestination: unknown; - public readonly type = 'file'; - - constructor( - /** Identifier for this asset */ - public readonly id: DestinationIdentifier, - /** Source of the file asset */ - public readonly source: FileSource, - /** Destination for the file asset */ - public readonly destination: FileDestination, - ) { - this.genericSource = source; - this.genericDestination = destination; - } -} - -/** - * A manifest entry for a docker image asset - */ -export class DockerImageManifestEntry implements IManifestEntry { - public readonly genericSource: unknown; - public readonly genericDestination: unknown; - public readonly type = 'docker-image'; - - constructor( - /** Identifier for this asset */ - public readonly id: DestinationIdentifier, - /** Source of the file asset */ - public readonly source: DockerImageSource, - /** Destination for the file asset */ - public readonly destination: DockerImageDestination, - ) { - this.genericSource = source; - this.genericDestination = destination; - } -} - -/** - * Identify an asset destination in an asset manifest - * - * When stringified, this will be a combination of the source - * and destination IDs. - */ -export class DestinationIdentifier { - /** - * Identifies the asset, by source. - * - * The assetId will be the same between assets that represent - * the same physical file or image. - */ - public readonly assetId: string; - - /** - * Identifies the destination where this asset will be published - */ - public readonly destinationId: string; - - constructor(assetId: string, destinationId: string) { - this.assetId = assetId; - this.destinationId = destinationId; - } - - /** - * Return a string representation for this asset identifier - */ - public toString() { - return this.destinationId ? `${this.assetId}:${this.destinationId}` : this.assetId; - } -} - -function filterDict(xs: Record, pred: (x: A, key: string) => boolean): Record { - const ret: Record = {}; - for (const [key, value] of Object.entries(xs)) { - if (pred(value, key)) { - ret[key] = value; - } - } - return ret; -} - -/** - * A filter pattern for an destination identifier - */ -export class DestinationPattern { - /** - * Parse a ':'-separated string into an asset/destination identifier - */ - public static parse(s: string) { - if (!s) { throw new Error('Empty string is not a valid destination identifier'); } - const parts = s.split(':').map(x => x !== '*' ? x : undefined); - if (parts.length === 1) { return new DestinationPattern(parts[0]); } - if (parts.length === 2) { return new DestinationPattern(parts[0] || undefined, parts[1] || undefined); } - throw new Error(`Asset identifier must contain at most 2 ':'-separated parts, got '${s}'`); - } - - /** - * Identifies the asset, by source. - */ - public readonly assetId?: string; - - /** - * Identifies the destination where this asset will be published - */ - public readonly destinationId?: string; - - constructor(assetId?: string, destinationId?: string) { - this.assetId = assetId; - this.destinationId = destinationId; - } - - /** - * Whether or not this pattern matches the given identifier - */ - public matches(id: DestinationIdentifier) { - return (this.assetId === undefined || this.assetId === id.assetId) - && (this.destinationId === undefined || this.destinationId === id.destinationId); - } - - /** - * Return a string representation for this asset identifier - */ - public toString() { - return `${this.assetId ?? '*'}:${this.destinationId ?? '*'}`; - } -} - -/** - * Prefix box-drawing characters to make lines look like a hanging tree - */ -function prefixTreeChars(xs: string[], prefix = '') { - const ret = new Array(); - for (let i = 0; i < xs.length; i++) { - const isLast = i === xs.length - 1; - const boxChar = isLast ? '└' : '├'; - ret.push(`${prefix}${boxChar}${xs[i]}`); - } - return ret; -} diff --git a/packages/cdk-assets/lib/aws.ts b/packages/cdk-assets/lib/aws.ts deleted file mode 100644 index d78e29f24cc3e..0000000000000 --- a/packages/cdk-assets/lib/aws.ts +++ /dev/null @@ -1,163 +0,0 @@ -import * as os from 'os'; - -/** - * AWS SDK operations required by Asset Publishing - */ -export interface IAws { - discoverPartition(): Promise; - discoverDefaultRegion(): Promise; - discoverCurrentAccount(): Promise; - - discoverTargetAccount(options: ClientOptions): Promise; - s3Client(options: ClientOptions): Promise; - ecrClient(options: ClientOptions): Promise; - secretsManagerClient(options: ClientOptions): Promise; -} - -export interface ClientOptions { - region?: string; - assumeRoleArn?: string; - assumeRoleExternalId?: string; - quiet?: boolean; -} - -/** - * An AWS account - * - * An AWS account always exists in only one partition. Usually we don't care about - * the partition, but when we need to form ARNs we do. - */ -export interface Account { - /** - * The account number - */ - readonly accountId: string; - - /** - * The partition ('aws' or 'aws-cn' or otherwise) - */ - readonly partition: string; -} - -/** - * AWS client using the AWS SDK for JS with no special configuration - */ -export class DefaultAwsClient implements IAws { - private readonly AWS: typeof import('aws-sdk'); - private account?: Account; - - constructor(profile?: string) { - // Force AWS SDK to look in ~/.aws/credentials and potentially use the configured profile. - process.env.AWS_SDK_LOAD_CONFIG = '1'; - process.env.AWS_STS_REGIONAL_ENDPOINTS = 'regional'; - process.env.AWS_NODEJS_CONNECTION_REUSE_ENABLED = '1'; - if (profile) { - process.env.AWS_PROFILE = profile; - } - // Stop SDKv2 from displaying a warning for now. We are aware and will migrate at some point, - // our customer don't need to be bothered with this. - process.env.AWS_SDK_JS_SUPPRESS_MAINTENANCE_MODE_MESSAGE = '1'; - - // We need to set the environment before we load this library for the first time. - // eslint-disable-next-line @typescript-eslint/no-require-imports - this.AWS = require('aws-sdk'); - } - - public async s3Client(options: ClientOptions) { - return new this.AWS.S3(await this.awsOptions(options)); - } - - public async ecrClient(options: ClientOptions) { - return new this.AWS.ECR(await this.awsOptions(options)); - } - - public async secretsManagerClient(options: ClientOptions) { - return new this.AWS.SecretsManager(await this.awsOptions(options)); - } - - public async discoverPartition(): Promise { - return (await this.discoverCurrentAccount()).partition; - } - - public async discoverDefaultRegion(): Promise { - return this.AWS.config.region || 'us-east-1'; - } - - public async discoverCurrentAccount(): Promise { - if (this.account === undefined) { - const sts = new this.AWS.STS(); - const response = await sts.getCallerIdentity().promise(); - if (!response.Account || !response.Arn) { - throw new Error(`Unrecognized response from STS: '${JSON.stringify(response)}'`); - } - this.account = { - accountId: response.Account!, - partition: response.Arn!.split(':')[1], - }; - } - - return this.account; - } - - public async discoverTargetAccount(options: ClientOptions): Promise { - const sts = new this.AWS.STS(await this.awsOptions(options)); - const response = await sts.getCallerIdentity().promise(); - if (!response.Account || !response.Arn) { - throw new Error(`Unrecognized response from STS: '${JSON.stringify(response)}'`); - } - return { - accountId: response.Account!, - partition: response.Arn!.split(':')[1], - }; - } - - private async awsOptions(options: ClientOptions) { - let credentials; - - if (options.assumeRoleArn) { - credentials = await this.assumeRole(options.region, options.assumeRoleArn, options.assumeRoleExternalId); - } - - return { - region: options.region, - customUserAgent: 'cdk-assets', - credentials, - }; - } - - /** - * Explicit manual AssumeRole call - * - * Necessary since I can't seem to get the built-in support for ChainableTemporaryCredentials to work. - * - * It needs an explicit configuration of `masterCredentials`, we need to put - * a `DefaultCredentialProverChain()` in there but that is not possible. - */ - private async assumeRole(region: string | undefined, roleArn: string, externalId?: string): Promise { - return new this.AWS.ChainableTemporaryCredentials({ - params: { - RoleArn: roleArn, - ExternalId: externalId, - RoleSessionName: `cdk-assets-${safeUsername()}`, - }, - stsConfig: { - region, - customUserAgent: 'cdk-assets', - }, - }); - } -} - -/** - * Return the username with characters invalid for a RoleSessionName removed - * - * @see https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html#API_AssumeRole_RequestParameters - */ -function safeUsername() { - try { - return os.userInfo().username.replace(/[^\w+=,.@-]/g, '@'); - } catch { - return 'noname'; - } -} - diff --git a/packages/cdk-assets/lib/index.ts b/packages/cdk-assets/lib/index.ts deleted file mode 100644 index 26f81852f3601..0000000000000 --- a/packages/cdk-assets/lib/index.ts +++ /dev/null @@ -1,4 +0,0 @@ -export * from './publishing'; -export * from './asset-manifest'; -export * from './aws'; -export * from './progress'; diff --git a/packages/cdk-assets/lib/private/archive.ts b/packages/cdk-assets/lib/private/archive.ts deleted file mode 100644 index 8e0d9a900b46e..0000000000000 --- a/packages/cdk-assets/lib/private/archive.ts +++ /dev/null @@ -1,92 +0,0 @@ -import { createWriteStream, promises as fs } from 'fs'; -import * as path from 'path'; -import * as glob from 'glob'; - -// namespace object imports won't work in the bundle for function exports -// eslint-disable-next-line @typescript-eslint/no-require-imports -const archiver = require('archiver'); - -type Logger = (x: string) => void; - -export async function zipDirectory(directory: string, outputFile: string, logger: Logger): Promise { - // We write to a temporary file and rename at the last moment. This is so that if we are - // interrupted during this process, we don't leave a half-finished file in the target location. - const temporaryOutputFile = `${outputFile}.${randomString()}._tmp`; - await writeZipFile(directory, temporaryOutputFile); - await moveIntoPlace(temporaryOutputFile, outputFile, logger); -} - -function writeZipFile(directory: string, outputFile: string): Promise { - return new Promise(async (ok, fail) => { - // The below options are needed to support following symlinks when building zip files: - // - nodir: This will prevent symlinks themselves from being copied into the zip. - // - follow: This will follow symlinks and copy the files within. - const globOptions = { - dot: true, - nodir: true, - follow: true, - cwd: directory, - }; - const files = glob.sync('**', globOptions); // The output here is already sorted - - const output = createWriteStream(outputFile); - - const archive = archiver('zip'); - archive.on('warning', fail); - archive.on('error', fail); - - // archive has been finalized and the output file descriptor has closed, resolve promise - // this has to be done before calling `finalize` since the events may fire immediately after. - // see https://www.npmjs.com/package/archiver - output.once('close', ok); - - archive.pipe(output); - - // Append files serially to ensure file order - for (const file of files) { - const fullPath = path.resolve(directory, file); - const [data, stat] = await Promise.all([fs.readFile(fullPath), fs.stat(fullPath)]); - archive.append(data, { - name: file, - date: new Date('1980-01-01T00:00:00.000Z'), // reset dates to get the same hash for the same content - mode: stat.mode, - }); - } - - await archive.finalize(); - }); -} - -/** - * Rename the file to the target location, taking into account: - * - * - That we may see EPERM on Windows while an Antivirus scanner still has the - * file open, so retry a couple of times. - * - This same function may be called in parallel and be interrupted at any point. - */ -async function moveIntoPlace(source: string, target: string, logger: Logger) { - let delay = 100; - let attempts = 5; - while (true) { - try { - // 'rename' is guaranteed to overwrite an existing target, as long as it is a file (not a directory) - await fs.rename(source, target); - return; - } catch (e: any) { - if (e.code !== 'EPERM' || attempts-- <= 0) { - throw e; - } - logger(e.message); - await sleep(Math.floor(Math.random() * delay)); - delay *= 2; - } - } -} - -function sleep(ms: number) { - return new Promise(ok => setTimeout(ok, ms)); -} - -function randomString() { - return Math.random().toString(36).replace(/[^a-z0-9]+/g, ''); -} diff --git a/packages/cdk-assets/lib/private/asset-handler.ts b/packages/cdk-assets/lib/private/asset-handler.ts deleted file mode 100644 index baafb3cd0317e..0000000000000 --- a/packages/cdk-assets/lib/private/asset-handler.ts +++ /dev/null @@ -1,38 +0,0 @@ -import { DockerFactory } from './docker'; -import { IAws } from '../aws'; -import { EventType } from '../progress'; - -/** - * Handler for asset building and publishing. - */ -export interface IAssetHandler { - /** - * Build the asset. - */ - build(): Promise; - - /** - * Publish the asset. - */ - publish(): Promise; - - /** - * Return whether the asset already exists - */ - isPublished(): Promise; -} - -export interface IHandlerHost { - readonly aws: IAws; - readonly aborted: boolean; - readonly dockerFactory: DockerFactory; - - emitMessage(type: EventType, m: string): void; -} - -export interface IHandlerOptions { - /** - * Suppress all output - */ - readonly quiet?: boolean; -} diff --git a/packages/cdk-assets/lib/private/docker-credentials.ts b/packages/cdk-assets/lib/private/docker-credentials.ts deleted file mode 100644 index c46add8caeefb..0000000000000 --- a/packages/cdk-assets/lib/private/docker-credentials.ts +++ /dev/null @@ -1,93 +0,0 @@ -import * as fs from 'fs'; -import * as os from 'os'; -import * as path from 'path'; -import { Logger } from './shell'; -import { IAws } from '../aws'; - -export interface DockerCredentials { - readonly Username: string; - readonly Secret: string; -} - -export interface DockerCredentialsConfig { - readonly version: string; - readonly domainCredentials: Record; -} - -export interface DockerDomainCredentialSource { - readonly secretsManagerSecretId?: string; - readonly secretsUsernameField?: string; - readonly secretsPasswordField?: string; - readonly ecrRepository?: boolean; - readonly assumeRoleArn?: string; -} - -/** Returns the presumed location of the CDK Docker credentials config file */ -export function cdkCredentialsConfigFile(): string { - return process.env.CDK_DOCKER_CREDS_FILE ?? path.join((os.userInfo().homedir ?? os.homedir()).trim() || '/', '.cdk', 'cdk-docker-creds.json'); -} - -let _cdkCredentials: DockerCredentialsConfig | undefined; -/** Loads and parses the CDK Docker credentials configuration, if it exists. */ -export function cdkCredentialsConfig(): DockerCredentialsConfig | undefined { - if (!_cdkCredentials) { - try { - _cdkCredentials = JSON.parse(fs.readFileSync(cdkCredentialsConfigFile(), { encoding: 'utf-8' })) as DockerCredentialsConfig; - } catch { } - } - return _cdkCredentials; -} - -/** Fetches login credentials from the configured source (e.g., SecretsManager, ECR) */ -export async function fetchDockerLoginCredentials(aws: IAws, config: DockerCredentialsConfig, endpoint: string) { - // Paranoid handling to ensure new URL() doesn't throw if the schema is missing - // For official docker registry, docker will pass https://index.docker.io/v1/ - endpoint = endpoint.includes('://') ? endpoint : `https://${endpoint}`; - const domain = new URL(endpoint).hostname; - - if (!Object.keys(config.domainCredentials).includes(domain) && !Object.keys(config.domainCredentials).includes(endpoint)) { - throw new Error(`unknown domain ${domain}`); - } - - let domainConfig = config.domainCredentials[domain] ?? config.domainCredentials[endpoint]; - - if (domainConfig.secretsManagerSecretId) { - const sm = await aws.secretsManagerClient({ assumeRoleArn: domainConfig.assumeRoleArn }); - const secretValue = await sm.getSecretValue({ SecretId: domainConfig.secretsManagerSecretId }).promise(); - if (!secretValue.SecretString) { throw new Error(`unable to fetch SecretString from secret: ${domainConfig.secretsManagerSecretId}`); }; - - const secret = JSON.parse(secretValue.SecretString); - - const usernameField = domainConfig.secretsUsernameField ?? 'username'; - const secretField = domainConfig.secretsPasswordField ?? 'secret'; - if (!secret[usernameField] || !secret[secretField]) { - throw new Error(`malformed secret string ("${usernameField}" or "${secretField}" field missing)`); - } - - return { Username: secret[usernameField], Secret: secret[secretField] }; - } else if (domainConfig.ecrRepository) { - const ecr = await aws.ecrClient({ assumeRoleArn: domainConfig.assumeRoleArn }); - const ecrAuthData = await obtainEcrCredentials(ecr); - - return { Username: ecrAuthData.username, Secret: ecrAuthData.password }; - } else { - throw new Error('unknown credential type: no secret ID or ECR repo'); - } -} - -export async function obtainEcrCredentials(ecr: AWS.ECR, logger?: Logger) { - if (logger) { logger('Fetching ECR authorization token'); } - const authData = (await ecr.getAuthorizationToken({ }).promise()).authorizationData || []; - if (authData.length === 0) { - throw new Error('No authorization data received from ECR'); - } - const token = Buffer.from(authData[0].authorizationToken!, 'base64').toString('ascii'); - const [username, password] = token.split(':'); - if (!username || !password) { throw new Error('unexpected ECR authData format'); } - - return { - username, - password, - endpoint: authData[0].proxyEndpoint!, - }; -} diff --git a/packages/cdk-assets/lib/private/docker.ts b/packages/cdk-assets/lib/private/docker.ts deleted file mode 100644 index f321bac3c11b6..0000000000000 --- a/packages/cdk-assets/lib/private/docker.ts +++ /dev/null @@ -1,279 +0,0 @@ -import * as fs from 'fs'; -import * as os from 'os'; -import * as path from 'path'; -import { cdkCredentialsConfig, obtainEcrCredentials } from './docker-credentials'; -import { Logger, shell, ShellOptions, ProcessFailedError } from './shell'; -import { createCriticalSection } from './util'; - -interface BuildOptions { - readonly directory: string; - - /** - * Tag the image with a given repoName:tag combination - */ - readonly tag: string; - readonly target?: string; - readonly file?: string; - readonly buildArgs?: Record; - readonly buildSecrets?: Record; - readonly buildSsh?: string; - readonly networkMode?: string; - readonly platform?: string; - readonly outputs?: string[]; - readonly cacheFrom?: DockerCacheOption[]; - readonly cacheTo?: DockerCacheOption; - readonly cacheDisabled?: boolean; - readonly quiet?: boolean; -} - -interface PushOptions { - readonly tag: string; - readonly quiet?: boolean; -} - -export interface DockerCredentialsConfig { - readonly version: string; - readonly domainCredentials: Record; -} - -export interface DockerDomainCredentials { - readonly secretsManagerSecretId?: string; - readonly ecrRepository?: string; -} - -enum InspectImageErrorCode { - Docker = 1, - Podman = 125, -} - -export interface DockerCacheOption { - readonly type: string; - readonly params?: { [key: string]: string }; -} - -export class Docker { - - private configDir: string | undefined = undefined; - - constructor(private readonly logger?: Logger) { - } - - /** - * Whether an image with the given tag exists - */ - public async exists(tag: string) { - try { - await this.execute(['inspect', tag], { quiet: true }); - return true; - } catch (e: any) { - const error: ProcessFailedError = e; - - /** - * The only error we expect to be thrown will have this property and value. - * If it doesn't, it's unrecognized so re-throw it. - */ - if (error.code !== 'PROCESS_FAILED') { - throw error; - } - - /** - * If we know the shell command above returned an error, check to see - * if the exit code is one we know to actually mean that the image doesn't - * exist. - */ - switch (error.exitCode) { - case InspectImageErrorCode.Docker: - case InspectImageErrorCode.Podman: - // Docker and Podman will return this exit code when an image doesn't exist, return false - // context: https://github.com/aws/aws-cdk/issues/16209 - return false; - default: - // This is an error but it's not an exit code we recognize, throw. - throw error; - } - } - } - - public async build(options: BuildOptions) { - const buildCommand = [ - 'build', - ...flatten(Object.entries(options.buildArgs || {}).map(([k, v]) => ['--build-arg', `${k}=${v}`])), - ...flatten(Object.entries(options.buildSecrets || {}).map(([k, v]) => ['--secret', `id=${k},${v}`])), - ...options.buildSsh ? ['--ssh', options.buildSsh] : [], - '--tag', options.tag, - ...options.target ? ['--target', options.target] : [], - ...options.file ? ['--file', options.file] : [], - ...options.networkMode ? ['--network', options.networkMode] : [], - ...options.platform ? ['--platform', options.platform] : [], - ...options.outputs ? options.outputs.map(output => [`--output=${output}`]) : [], - ...options.cacheFrom ? [...options.cacheFrom.map(cacheFrom => ['--cache-from', this.cacheOptionToFlag(cacheFrom)]).flat()] : [], - ...options.cacheTo ? ['--cache-to', this.cacheOptionToFlag(options.cacheTo)] : [], - ...options.cacheDisabled ? ['--no-cache'] : [], - '.', - ]; - await this.execute(buildCommand, { - cwd: options.directory, - quiet: options.quiet, - }); - } - - /** - * Get credentials from ECR and run docker login - */ - public async login(ecr: AWS.ECR) { - const credentials = await obtainEcrCredentials(ecr); - - // Use --password-stdin otherwise docker will complain. Loudly. - await this.execute(['login', - '--username', credentials.username, - '--password-stdin', - credentials.endpoint], { - input: credentials.password, - - // Need to quiet otherwise Docker will complain - // 'WARNING! Your password will be stored unencrypted' - // doesn't really matter since it's a token. - quiet: true, - }); - } - - public async tag(sourceTag: string, targetTag: string) { - await this.execute(['tag', sourceTag, targetTag]); - } - - public async push(options: PushOptions) { - await this.execute(['push', options.tag], { quiet: options.quiet }); - } - - /** - * If a CDK Docker Credentials file exists, creates a new Docker config directory. - * Sets up `docker-credential-cdk-assets` to be the credential helper for each domain in the CDK config. - * All future commands (e.g., `build`, `push`) will use this config. - * - * See https://docs.docker.com/engine/reference/commandline/login/#credential-helpers for more details on cred helpers. - * - * @returns true if CDK config was found and configured, false otherwise - */ - public configureCdkCredentials(): boolean { - const config = cdkCredentialsConfig(); - if (!config) { return false; } - - this.configDir = fs.mkdtempSync(path.join(os.tmpdir(), 'cdkDockerConfig')); - - const domains = Object.keys(config.domainCredentials); - const credHelpers = domains.reduce((map: Record, domain) => { - map[domain] = 'cdk-assets'; // Use docker-credential-cdk-assets for this domain - return map; - }, {}); - fs.writeFileSync(path.join(this.configDir, 'config.json'), JSON.stringify({ credHelpers }), { encoding: 'utf-8' }); - - return true; - } - - /** - * Removes any configured Docker config directory. - * All future commands (e.g., `build`, `push`) will use the default config. - * - * This is useful after calling `configureCdkCredentials` to reset to default credentials. - */ - public resetAuthPlugins() { - this.configDir = undefined; - } - - private async execute(args: string[], options: ShellOptions = {}) { - const configArgs = this.configDir ? ['--config', this.configDir] : []; - - const pathToCdkAssets = path.resolve(__dirname, '..', '..', 'bin'); - try { - await shell([getDockerCmd(), ...configArgs, ...args], { - logger: this.logger, - ...options, - env: { - ...process.env, - ...options.env, - PATH: `${pathToCdkAssets}${path.delimiter}${options.env?.PATH ?? process.env.PATH}`, - }, - }); - } catch (e: any) { - if (e.code === 'ENOENT') { - throw new Error('Unable to execute \'docker\' in order to build a container asset. Please install \'docker\' and try again.'); - } - throw e; - } - } - - private cacheOptionToFlag(option: DockerCacheOption): string { - let flag = `type=${option.type}`; - if (option.params) { - flag += ',' + Object.entries(option.params).map(([k, v]) => `${k}=${v}`).join(','); - } - return flag; - } -} - -export interface DockerFactoryOptions { - readonly repoUri: string; - readonly ecr: AWS.ECR; - readonly logger: (m: string) => void; -} - -/** - * Helps get appropriately configured Docker instances during the container - * image publishing process. - */ -export class DockerFactory { - private enterLoggedInDestinationsCriticalSection = createCriticalSection(); - private loggedInDestinations = new Set(); - - /** - * Gets a Docker instance for building images. - */ - public async forBuild(options: DockerFactoryOptions): Promise { - const docker = new Docker(options.logger); - - // Default behavior is to login before build so that the Dockerfile can reference images in the ECR repo - // However, if we're in a pipelines environment (for example), - // we may have alternative credentials to the default ones to use for the build itself. - // If the special config file is present, delay the login to the default credentials until the push. - // If the config file is present, we will configure and use those credentials for the build. - let cdkDockerCredentialsConfigured = docker.configureCdkCredentials(); - if (!cdkDockerCredentialsConfigured) { - await this.loginOncePerDestination(docker, options); - } - - return docker; - } - - /** - * Gets a Docker instance for pushing images to ECR. - */ - public async forEcrPush(options: DockerFactoryOptions) { - const docker = new Docker(options.logger); - await this.loginOncePerDestination(docker, options); - return docker; - } - - private async loginOncePerDestination(docker: Docker, options: DockerFactoryOptions) { - // Changes: 012345678910.dkr.ecr.us-west-2.amazonaws.com/tagging-test - // To this: 012345678910.dkr.ecr.us-west-2.amazonaws.com - const repositoryDomain = options.repoUri.split('/')[0]; - - // Ensure one-at-a-time access to loggedInDestinations. - await this.enterLoggedInDestinationsCriticalSection(async () => { - if (this.loggedInDestinations.has(repositoryDomain)) { - return; - } - - await docker.login(options.ecr); - this.loggedInDestinations.add(repositoryDomain); - }); - } -} - -function getDockerCmd(): string { - return process.env.CDK_DOCKER ?? 'docker'; -} - -function flatten(x: string[][]) { - return Array.prototype.concat([], ...x); -} diff --git a/packages/cdk-assets/lib/private/fs-extra.ts b/packages/cdk-assets/lib/private/fs-extra.ts deleted file mode 100644 index ac865789eb269..0000000000000 --- a/packages/cdk-assets/lib/private/fs-extra.ts +++ /dev/null @@ -1,31 +0,0 @@ -import * as fs from 'fs'; -import * as path from 'path'; - -const pfs = fs.promises; - -export async function pathExists(pathName: string) { - try { - await pfs.stat(pathName); - return true; - } catch (e: any) { - if (e.code !== 'ENOENT') { throw e; } - return false; - } -} - -export function emptyDirSync(dir: string) { - fs.readdirSync(dir, { withFileTypes: true }).forEach(dirent => { - const fullPath = path.join(dir, dirent.name); - if (dirent.isDirectory()) { - emptyDirSync(fullPath); - fs.rmdirSync(fullPath); - } else { - fs.unlinkSync(fullPath); - } - }); -} - -export function rmRfSync(dir: string) { - emptyDirSync(dir); - fs.rmdirSync(dir); -} diff --git a/packages/cdk-assets/lib/private/handlers/container-images.ts b/packages/cdk-assets/lib/private/handlers/container-images.ts deleted file mode 100644 index 8764b1e9c41b3..0000000000000 --- a/packages/cdk-assets/lib/private/handlers/container-images.ts +++ /dev/null @@ -1,238 +0,0 @@ -import * as path from 'path'; -import { DockerImageDestination } from '@aws-cdk/cloud-assembly-schema'; -import type * as AWS from 'aws-sdk'; -import { DockerImageManifestEntry } from '../../asset-manifest'; -import { EventType } from '../../progress'; -import { IAssetHandler, IHandlerHost, IHandlerOptions } from '../asset-handler'; -import { Docker } from '../docker'; -import { replaceAwsPlaceholders } from '../placeholders'; -import { shell } from '../shell'; - -interface ContainerImageAssetHandlerInit { - readonly ecr: AWS.ECR; - readonly repoUri: string; - readonly imageUri: string; - readonly destinationAlreadyExists: boolean; -} - -export class ContainerImageAssetHandler implements IAssetHandler { - private init?: ContainerImageAssetHandlerInit; - - constructor( - private readonly workDir: string, - private readonly asset: DockerImageManifestEntry, - private readonly host: IHandlerHost, - private readonly options: IHandlerOptions) { - } - - public async build(): Promise { - const initOnce = await this.initOnce(); - - if (initOnce.destinationAlreadyExists) { return; } - if (this.host.aborted) { return; } - - const dockerForBuilding = await this.host.dockerFactory.forBuild({ - repoUri: initOnce.repoUri, - logger: (m: string) => this.host.emitMessage(EventType.DEBUG, m), - ecr: initOnce.ecr, - }); - - const builder = new ContainerImageBuilder(dockerForBuilding, this.workDir, this.asset, this.host, { - quiet: this.options.quiet, - }); - const localTagName = await builder.build(); - - if (localTagName === undefined || this.host.aborted) { return; } - if (this.host.aborted) { return; } - - await dockerForBuilding.tag(localTagName, initOnce.imageUri); - } - - public async isPublished(): Promise { - try { - const initOnce = await this.initOnce({ quiet: true }); - return initOnce.destinationAlreadyExists; - } catch (e: any) { - this.host.emitMessage(EventType.DEBUG, `${e.message}`); - } - return false; - } - - public async publish(): Promise { - const initOnce = await this.initOnce(); - - if (initOnce.destinationAlreadyExists) { return; } - if (this.host.aborted) { return; } - - const dockerForPushing = await this.host.dockerFactory.forEcrPush({ - repoUri: initOnce.repoUri, - logger: (m: string) => this.host.emitMessage(EventType.DEBUG, m), - ecr: initOnce.ecr, - }); - - if (this.host.aborted) { return; } - - this.host.emitMessage(EventType.UPLOAD, `Push ${initOnce.imageUri}`); - await dockerForPushing.push({ tag: initOnce.imageUri, quiet: this.options.quiet }); - } - - private async initOnce(options: { quiet?: boolean } = {}): Promise { - if (this.init) { - return this.init; - } - - const destination = await replaceAwsPlaceholders(this.asset.destination, this.host.aws); - const ecr = await this.host.aws.ecrClient({ - ...destination, - quiet: options.quiet, - }); - const account = async () => (await this.host.aws.discoverCurrentAccount())?.accountId; - - const repoUri = await repositoryUri(ecr, destination.repositoryName); - if (!repoUri) { - throw new Error(`No ECR repository named '${destination.repositoryName}' in account ${await account()}. Is this account bootstrapped?`); - } - - const imageUri = `${repoUri}:${destination.imageTag}`; - - this.init = { - imageUri, - ecr, - repoUri, - destinationAlreadyExists: await this.destinationAlreadyExists(ecr, destination, imageUri), - }; - - return this.init; - } - - /** - * Check whether the image already exists in the ECR repo - * - * Use the fields from the destination to do the actual check. The imageUri - * should correspond to that, but is only used to print Docker image location - * for user benefit (the format is slightly different). - */ - private async destinationAlreadyExists(ecr: AWS.ECR, destination: DockerImageDestination, imageUri: string): Promise { - this.host.emitMessage(EventType.CHECK, `Check ${imageUri}`); - if (await imageExists(ecr, destination.repositoryName, destination.imageTag)) { - this.host.emitMessage(EventType.FOUND, `Found ${imageUri}`); - return true; - } - - return false; - } -} - -interface ContainerImageBuilderOptions { - readonly quiet?: boolean; -} - -class ContainerImageBuilder { - constructor( - private readonly docker: Docker, - private readonly workDir: string, - private readonly asset: DockerImageManifestEntry, - private readonly host: IHandlerHost, - private readonly options: ContainerImageBuilderOptions) { - } - - async build(): Promise { - return this.asset.source.executable - ? this.buildExternalAsset(this.asset.source.executable) - : this.buildDirectoryAsset(); - } - - /** - * Build a (local) Docker asset from a directory with a Dockerfile - * - * Tags under a deterministic, unique, local identifier wich will skip - * the build if it already exists. - */ - private async buildDirectoryAsset(): Promise { - const localTagName = `cdkasset-${this.asset.id.assetId.toLowerCase()}`; - - if (!(await this.isImageCached(localTagName))) { - if (this.host.aborted) { return undefined; } - - await this.buildImage(localTagName); - } - - return localTagName; - } - - /** - * Build a (local) Docker asset by running an external command - * - * External command is responsible for deduplicating the build if possible, - * and is expected to return the generated image identifier on stdout. - */ - private async buildExternalAsset(executable: string[], cwd?: string): Promise { - const assetPath = cwd ?? this.workDir; - - this.host.emitMessage(EventType.BUILD, `Building Docker image using command '${executable}'`); - if (this.host.aborted) { return undefined; } - - return (await shell(executable, { cwd: assetPath, quiet: true })).trim(); - } - - private async buildImage(localTagName: string): Promise { - const source = this.asset.source; - if (!source.directory) { - throw new Error(`'directory' is expected in the DockerImage asset source, got: ${JSON.stringify(source)}`); - } - - const fullPath = path.resolve(this.workDir, source.directory); - this.host.emitMessage(EventType.BUILD, `Building Docker image at ${fullPath}`); - - await this.docker.build({ - directory: fullPath, - tag: localTagName, - buildArgs: source.dockerBuildArgs, - buildSecrets: source.dockerBuildSecrets, - buildSsh: source.dockerBuildSsh, - target: source.dockerBuildTarget, - file: source.dockerFile, - networkMode: source.networkMode, - platform: source.platform, - outputs: source.dockerOutputs, - cacheFrom: source.cacheFrom, - cacheTo: source.cacheTo, - cacheDisabled: source.cacheDisabled, - quiet: this.options.quiet, - }); - } - - private async isImageCached(localTagName: string): Promise { - if (await this.docker.exists(localTagName)) { - this.host.emitMessage(EventType.CACHED, `Cached ${localTagName}`); - return true; - } - - return false; - } -} - -async function imageExists(ecr: AWS.ECR, repositoryName: string, imageTag: string) { - try { - await ecr.describeImages({ repositoryName, imageIds: [{ imageTag }] }).promise(); - return true; - } catch (e: any) { - if (e.code !== 'ImageNotFoundException') { throw e; } - return false; - } -} - -/** - * Return the URI for the repository with the given name - * - * Returns undefined if the repository does not exist. - */ -async function repositoryUri(ecr: AWS.ECR, repositoryName: string): Promise { - try { - const response = await ecr.describeRepositories({ repositoryNames: [repositoryName] }).promise(); - return (response.repositories || [])[0]?.repositoryUri; - } catch (e: any) { - if (e.code !== 'RepositoryNotFoundException') { throw e; } - return undefined; - } -} diff --git a/packages/cdk-assets/lib/private/handlers/files.ts b/packages/cdk-assets/lib/private/handlers/files.ts deleted file mode 100644 index 12008fd220323..0000000000000 --- a/packages/cdk-assets/lib/private/handlers/files.ts +++ /dev/null @@ -1,292 +0,0 @@ -import { createReadStream, promises as fs } from 'fs'; -import * as path from 'path'; -import { FileAssetPackaging, FileSource } from '@aws-cdk/cloud-assembly-schema'; -import * as mime from 'mime'; -import { FileManifestEntry } from '../../asset-manifest'; -import { EventType } from '../../progress'; -import { zipDirectory } from '../archive'; -import { IAssetHandler, IHandlerHost } from '../asset-handler'; -import { pathExists } from '../fs-extra'; -import { replaceAwsPlaceholders } from '../placeholders'; -import { shell } from '../shell'; - -/** - * The size of an empty zip file is 22 bytes - * - * Ref: https://en.wikipedia.org/wiki/ZIP_(file_format) - */ -const EMPTY_ZIP_FILE_SIZE = 22; - -export class FileAssetHandler implements IAssetHandler { - private readonly fileCacheRoot: string; - - constructor( - private readonly workDir: string, - private readonly asset: FileManifestEntry, - private readonly host: IHandlerHost) { - this.fileCacheRoot = path.join(workDir, '.cache'); - } - - public async build(): Promise {} - - public async isPublished(): Promise { - const destination = await replaceAwsPlaceholders(this.asset.destination, this.host.aws); - const s3Url = `s3://${destination.bucketName}/${destination.objectKey}`; - try { - const s3 = await this.host.aws.s3Client({ - ...destination, - quiet: true, - }); - this.host.emitMessage(EventType.CHECK, `Check ${s3Url}`); - - if (await objectExists(s3, destination.bucketName, destination.objectKey)) { - this.host.emitMessage(EventType.FOUND, `Found ${s3Url}`); - return true; - } - } catch (e: any) { - this.host.emitMessage(EventType.DEBUG, `${e.message}`); - } - return false; - } - - public async publish(): Promise { - const destination = await replaceAwsPlaceholders(this.asset.destination, this.host.aws); - const s3Url = `s3://${destination.bucketName}/${destination.objectKey}`; - const s3 = await this.host.aws.s3Client(destination); - this.host.emitMessage(EventType.CHECK, `Check ${s3Url}`); - - const bucketInfo = BucketInformation.for(this.host); - - // A thunk for describing the current account. Used when we need to format an error - // message, not in the success case. - const account = async () => (await this.host.aws.discoverTargetAccount(destination))?.accountId; - switch (await bucketInfo.bucketOwnership(s3, destination.bucketName)) { - case BucketOwnership.MINE: - break; - case BucketOwnership.DOES_NOT_EXIST: - throw new Error(`No bucket named '${destination.bucketName}'. Is account ${await account()} bootstrapped?`); - case BucketOwnership.SOMEONE_ELSES_OR_NO_ACCESS: - throw new Error(`Bucket named '${destination.bucketName}' exists, but not in account ${await account()}. Wrong account?`); - } - - if (await objectExists(s3, destination.bucketName, destination.objectKey)) { - this.host.emitMessage(EventType.FOUND, `Found ${s3Url}`); - return; - } - - // Identify the the bucket encryption type to set the header on upload - // required for SCP rules denying uploads without encryption header - let paramsEncryption: {[index: string]:any}= {}; - const encryption2 = await bucketInfo.bucketEncryption(s3, destination.bucketName); - switch (encryption2.type) { - case 'no_encryption': - break; - case 'aes256': - paramsEncryption = { ServerSideEncryption: 'AES256' }; - break; - case 'kms': - // We must include the key ID otherwise S3 will encrypt with the default key - paramsEncryption = { - ServerSideEncryption: 'aws:kms', - SSEKMSKeyId: encryption2.kmsKeyId, - }; - break; - case 'does_not_exist': - this.host.emitMessage(EventType.DEBUG, `No bucket named '${destination.bucketName}'. Is account ${await account()} bootstrapped?`); - break; - case 'access_denied': - this.host.emitMessage(EventType.DEBUG, `Could not read encryption settings of bucket '${destination.bucketName}': uploading with default settings ("cdk bootstrap" to version 9 if your organization's policies prevent a successful upload or to get rid of this message).`); - break; - } - - if (this.host.aborted) { return; } - const publishFile = this.asset.source.executable ? - await this.externalPackageFile(this.asset.source.executable) : await this.packageFile(this.asset.source); - - this.host.emitMessage(EventType.UPLOAD, `Upload ${s3Url}`); - - const params = Object.assign({}, { - Bucket: destination.bucketName, - Key: destination.objectKey, - Body: createReadStream(publishFile.packagedPath), - ContentType: publishFile.contentType, - }, - paramsEncryption); - - await s3.upload(params).promise(); - } - - private async packageFile(source: FileSource): Promise { - if (!source.path) { - throw new Error(`'path' is expected in the File asset source, got: ${JSON.stringify(source)}`); - } - - const fullPath = path.resolve(this.workDir, source.path); - - if (source.packaging === FileAssetPackaging.ZIP_DIRECTORY) { - const contentType = 'application/zip'; - - await fs.mkdir(this.fileCacheRoot, { recursive: true }); - const packagedPath = path.join(this.fileCacheRoot, `${this.asset.id.assetId}.zip`); - - if (await pathExists(packagedPath)) { - this.host.emitMessage(EventType.CACHED, `From cache ${packagedPath}`); - return { packagedPath, contentType }; - } - - this.host.emitMessage(EventType.BUILD, `Zip ${fullPath} -> ${packagedPath}`); - await zipDirectory(fullPath, packagedPath, (m) => this.host.emitMessage(EventType.DEBUG, m)); - return { packagedPath, contentType }; - } else { - const contentType = mime.getType(fullPath) ?? 'application/octet-stream'; - return { packagedPath: fullPath, contentType }; - } - } - - private async externalPackageFile(executable: string[]): Promise { - this.host.emitMessage(EventType.BUILD, `Building asset source using command: '${executable}'`); - - return { - packagedPath: (await shell(executable, { quiet: true })).trim(), - contentType: 'application/zip', - }; - } -} - -enum BucketOwnership { - DOES_NOT_EXIST, - MINE, - SOMEONE_ELSES_OR_NO_ACCESS, -} - -type BucketEncryption = - | { readonly type: 'no_encryption' } - | { readonly type: 'aes256' } - | { readonly type: 'kms'; readonly kmsKeyId?: string } - | { readonly type: 'access_denied' } - | { readonly type: 'does_not_exist' } - ; - -async function objectExists(s3: AWS.S3, bucket: string, key: string) { - /* - * The object existence check here refrains from using the `headObject` operation because this - * would create a negative cache entry, making GET-after-PUT eventually consistent. This has been - * observed to result in CloudFormation issuing "ValidationError: S3 error: Access Denied", for - * example in https://github.com/aws/aws-cdk/issues/6430. - * - * To prevent this, we are instead using the listObjectsV2 call, using the looked up key as the - * prefix, and limiting results to 1. Since the list operation returns keys ordered by binary - * UTF-8 representation, the key we are looking for is guaranteed to always be the first match - * returned if it exists. - * - * If the file is too small, we discount it as a cache hit. There is an issue - * somewhere that sometimes produces empty zip files, and we would otherwise - * never retry building those assets without users having to manually clear - * their bucket, which is a bad experience. - */ - const response = await s3.listObjectsV2({ Bucket: bucket, Prefix: key, MaxKeys: 1 }).promise(); - return ( - response.Contents != null && - response.Contents.some( - (object) => object.Key === key && (object.Size == null || object.Size > EMPTY_ZIP_FILE_SIZE), - ) - ); -} - -/** - * A packaged asset which can be uploaded (either a single file or directory) - */ -interface PackagedFileAsset { - /** - * Path of the file or directory - */ - readonly packagedPath: string; - - /** - * Content type to be added in the S3 upload action - * - * @default - No content type - */ - readonly contentType?: string; -} - -/** - * Cache for bucket information, so we don't have to keep doing the same calls again and again - * - * We scope the lifetime of the cache to the lifetime of the host, so that we don't have to do - * anything special for tests and yet the cache will live for the entire lifetime of the asset - * upload session when used by the CLI. - */ -class BucketInformation { - public static for(host: IHandlerHost) { - const existing = BucketInformation.caches.get(host); - if (existing) { return existing; } - - const fresh = new BucketInformation(); - BucketInformation.caches.set(host, fresh); - return fresh; - } - - private static readonly caches = new WeakMap(); - - private readonly ownerships = new Map(); - private readonly encryptions = new Map(); - - private constructor() { - } - - public async bucketOwnership(s3: AWS.S3, bucket: string): Promise { - return cached(this.ownerships, bucket, () => this._bucketOwnership(s3, bucket)); - } - - public async bucketEncryption(s3: AWS.S3, bucket: string): Promise { - return cached(this.encryptions, bucket, () => this._bucketEncryption(s3, bucket)); - } - - private async _bucketOwnership(s3: AWS.S3, bucket: string): Promise { - try { - await s3.getBucketLocation({ Bucket: bucket }).promise(); - return BucketOwnership.MINE; - } catch (e: any) { - if (e.code === 'NoSuchBucket') { return BucketOwnership.DOES_NOT_EXIST; } - if (['AccessDenied', 'AllAccessDisabled'].includes(e.code)) { return BucketOwnership.SOMEONE_ELSES_OR_NO_ACCESS; } - throw e; - } - } - - private async _bucketEncryption(s3: AWS.S3, bucket: string): Promise { - try { - const encryption = await s3.getBucketEncryption({ Bucket: bucket }).promise(); - const l = encryption?.ServerSideEncryptionConfiguration?.Rules?.length ?? 0; - if (l > 0) { - const apply = encryption?.ServerSideEncryptionConfiguration?.Rules[0]?.ApplyServerSideEncryptionByDefault; - let ssealgo = apply?.SSEAlgorithm; - if (ssealgo === 'AES256') return { type: 'aes256' }; - if (ssealgo === 'aws:kms') return { type: 'kms', kmsKeyId: apply?.KMSMasterKeyID }; - } - return { type: 'no_encryption' }; - } catch (e: any) { - if (e.code === 'NoSuchBucket') { - return { type: 'does_not_exist' }; - } - if (e.code === 'ServerSideEncryptionConfigurationNotFoundError') { - return { type: 'no_encryption' }; - } - - if (['AccessDenied', 'AllAccessDisabled'].includes(e.code)) { - return { type: 'access_denied' }; - } - return { type: 'no_encryption' }; - } - } -} - -async function cached(cache: Map, key: A, factory: (x: A) => Promise): Promise { - if (cache.has(key)) { - return cache.get(key)!; - } - - const fresh = await factory(key); - cache.set(key, fresh); - return fresh; -} diff --git a/packages/cdk-assets/lib/private/handlers/index.ts b/packages/cdk-assets/lib/private/handlers/index.ts deleted file mode 100644 index 2b3c767eb4963..0000000000000 --- a/packages/cdk-assets/lib/private/handlers/index.ts +++ /dev/null @@ -1,15 +0,0 @@ -import { ContainerImageAssetHandler } from './container-images'; -import { FileAssetHandler } from './files'; -import { AssetManifest, DockerImageManifestEntry, FileManifestEntry, IManifestEntry } from '../../asset-manifest'; -import { IAssetHandler, IHandlerHost, IHandlerOptions } from '../asset-handler'; - -export function makeAssetHandler(manifest: AssetManifest, asset: IManifestEntry, host: IHandlerHost, options: IHandlerOptions): IAssetHandler { - if (asset instanceof FileManifestEntry) { - return new FileAssetHandler(manifest.directory, asset, host); - } - if (asset instanceof DockerImageManifestEntry) { - return new ContainerImageAssetHandler(manifest.directory, asset, host, options); - } - - throw new Error(`Unrecognized asset type: '${asset}'`); -} diff --git a/packages/cdk-assets/lib/private/placeholders.ts b/packages/cdk-assets/lib/private/placeholders.ts deleted file mode 100644 index 50f76dfd3a7a6..0000000000000 --- a/packages/cdk-assets/lib/private/placeholders.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { EnvironmentPlaceholders } from '@aws-cdk/cx-api'; -import { IAws } from '../aws'; - -/** - * Replace the {ACCOUNT} and {REGION} placeholders in all strings found in a complex object. - * - * Duplicated between cdk-assets and aws-cdk CLI because we don't have a good single place to put it - * (they're nominally independent tools). - */ -export async function replaceAwsPlaceholders(object: A, aws: IAws): Promise { - let partition = async () => { - const p = await aws.discoverPartition(); - partition = () => Promise.resolve(p); - return p; - }; - - let account = async () => { - const a = await aws.discoverCurrentAccount(); - account = () => Promise.resolve(a); - return a; - }; - - return EnvironmentPlaceholders.replaceAsync(object, { - async region() { - return object.region ?? aws.discoverDefaultRegion(); - }, - async accountId() { - return (await account()).accountId; - }, - async partition() { - return partition(); - }, - }); -} \ No newline at end of file diff --git a/packages/cdk-assets/lib/private/shell.ts b/packages/cdk-assets/lib/private/shell.ts deleted file mode 100644 index 5e27452f98bab..0000000000000 --- a/packages/cdk-assets/lib/private/shell.ts +++ /dev/null @@ -1,127 +0,0 @@ -import * as child_process from 'child_process'; - -export type Logger = (x: string) => void; - -export interface ShellOptions extends child_process.SpawnOptions { - readonly quiet?: boolean; - readonly logger?: Logger; - readonly input?: string; -} - -/** - * OS helpers - * - * Shell function which both prints to stdout and collects the output into a - * string. - */ -export async function shell(command: string[], options: ShellOptions = {}): Promise { - if (options.logger) { - options.logger(renderCommandLine(command)); - } - const child = child_process.spawn(command[0], command.slice(1), { - ...options, - stdio: [options.input ? 'pipe' : 'ignore', 'pipe', 'pipe'], - }); - - return new Promise((resolve, reject) => { - if (options.input) { - child.stdin!.write(options.input); - child.stdin!.end(); - } - - const stdout = new Array(); - const stderr = new Array(); - - // Both write to stdout and collect - child.stdout!.on('data', chunk => { - if (!options.quiet) { - process.stdout.write(chunk); - } - stdout.push(chunk); - }); - - child.stderr!.on('data', chunk => { - if (!options.quiet) { - process.stderr.write(chunk); - } - - stderr.push(chunk); - }); - - child.once('error', reject); - - child.once('close', (code, signal) => { - if (code === 0) { - resolve(Buffer.concat(stdout).toString('utf-8')); - } else { - const out = Buffer.concat(stderr).toString('utf-8').trim(); - reject(new ProcessFailed(code, signal, `${renderCommandLine(command)} exited with ${code != null ? 'error code' : 'signal'} ${code ?? signal}: ${out}`)); - } - }); - }); -} - -export type ProcessFailedError = ProcessFailed - -class ProcessFailed extends Error { - public readonly code = 'PROCESS_FAILED'; - - constructor(public readonly exitCode: number | null, public readonly signal: NodeJS.Signals | null, message: string) { - super(message); - } -} - -/** - * Render the given command line as a string - * - * Probably missing some cases but giving it a good effort. - */ -function renderCommandLine(cmd: string[]) { - if (process.platform !== 'win32') { - return doRender(cmd, hasAnyChars(' ', '\\', '!', '"', "'", '&', '$'), posixEscape); - } else { - return doRender(cmd, hasAnyChars(' ', '"', '&', '^', '%'), windowsEscape); - } -} - -/** - * Render a UNIX command line - */ -function doRender(cmd: string[], needsEscaping: (x: string) => boolean, doEscape: (x: string) => string): string { - return cmd.map(x => needsEscaping(x) ? doEscape(x) : x).join(' '); -} - -/** - * Return a predicate that checks if a string has any of the indicated chars in it - */ -function hasAnyChars(...chars: string[]): (x: string) => boolean { - return (str: string) => { - return chars.some(c => str.indexOf(c) !== -1); - }; -} - -/** - * Escape a shell argument for POSIX shells - * - * Wrapping in single quotes and escaping single quotes inside will do it for us. - */ -function posixEscape(x: string) { - // Turn ' -> '"'"' - x = x.replace(/'/g, "'\"'\"'"); - return `'${x}'`; -} - -/** - * Escape a shell argument for cmd.exe - * - * This is how to do it right, but I'm not following everything: - * - * https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/ - */ -function windowsEscape(x: string): string { - // First surround by double quotes, ignore the part about backslashes - x = `"${x}"`; - // Now escape all special characters - const shellMeta = new Set(['"', '&', '^', '%']); - return x.split('').map(c => shellMeta.has(x) ? '^' + c : c).join(''); -} diff --git a/packages/cdk-assets/lib/private/util.ts b/packages/cdk-assets/lib/private/util.ts deleted file mode 100644 index 88a87a18e6ba9..0000000000000 --- a/packages/cdk-assets/lib/private/util.ts +++ /dev/null @@ -1,12 +0,0 @@ -/** - * Creates a critical section, ensuring that at most one function can - * enter the critical section at a time. - */ -export function createCriticalSection() { - let lock = Promise.resolve(); - return async (criticalFunction: () => Promise) => { - const res = lock.then(() => criticalFunction()); - lock = res.catch(e => e); - return res; - }; -}; \ No newline at end of file diff --git a/packages/cdk-assets/lib/progress.ts b/packages/cdk-assets/lib/progress.ts deleted file mode 100644 index b2c8e77ddad78..0000000000000 --- a/packages/cdk-assets/lib/progress.ts +++ /dev/null @@ -1,86 +0,0 @@ -import { IManifestEntry } from './asset-manifest'; - -/** - * A listener for progress events from the publisher - */ -export interface IPublishProgressListener { - /** - * Asset build event - */ - onPublishEvent(type: EventType, event: IPublishProgress): void; -} - -/** - * A single event for an asset - */ -export enum EventType { - /** - * Just starting on an asset - */ - START = 'start', - - /** - * When an asset is successfully finished - */ - SUCCESS = 'success', - - /** - * When an asset failed - */ - FAIL = 'fail', - - /** - * Checking whether an asset has already been published - */ - CHECK = 'check', - - /** - * The asset was already published - */ - FOUND = 'found', - - /** - * The asset was reused locally from a cached version - */ - CACHED = 'cached', - - /** - * The asset will be built - */ - BUILD = 'build', - - /** - * The asset will be uploaded - */ - UPLOAD = 'upload', - - /** - * Another type of detail message - */ - DEBUG = 'debug', -} - -/** - * Context object for publishing progress - */ -export interface IPublishProgress { - /** - * Current event message - */ - readonly message: string; - - /** - * Asset currently being packaged (if any) - */ - readonly currentAsset?: IManifestEntry; - - /** - * How far along are we? - */ - readonly percentComplete: number; - - /** - * Abort the current publishing operation - */ - abort(): void; -} diff --git a/packages/cdk-assets/lib/publishing.ts b/packages/cdk-assets/lib/publishing.ts deleted file mode 100644 index 03cf2683f3293..0000000000000 --- a/packages/cdk-assets/lib/publishing.ts +++ /dev/null @@ -1,256 +0,0 @@ -import { AssetManifest, IManifestEntry } from './asset-manifest'; -import { IAws } from './aws'; -import { IAssetHandler, IHandlerHost } from './private/asset-handler'; -import { DockerFactory } from './private/docker'; -import { makeAssetHandler } from './private/handlers'; -import { EventType, IPublishProgress, IPublishProgressListener } from './progress'; - -export interface AssetPublishingOptions { - /** - * Entry point for AWS client - */ - readonly aws: IAws; - - /** - * Listener for progress events - * - * @default No listener - */ - readonly progressListener?: IPublishProgressListener; - - /** - * Whether to throw at the end if there were errors - * - * @default true - */ - readonly throwOnError?: boolean; - - /** - * Whether to publish in parallel, when 'publish()' is called - * - * @default false - */ - readonly publishInParallel?: boolean; - - /** - * Whether to build assets, when 'publish()' is called - * - * @default true - */ - readonly buildAssets?: boolean; - - /** - * Whether to publish assets, when 'publish()' is called - * - * @default true - */ - readonly publishAssets?: boolean; - - /** - * Whether to print publishing logs - * - * @default true - */ - readonly quiet?: boolean; -} - -/** - * A failure to publish an asset - */ -export interface FailedAsset { - /** - * The asset that failed to publish - */ - readonly asset: IManifestEntry; - - /** - * The failure that occurred - */ - readonly error: Error; -} - -export class AssetPublishing implements IPublishProgress { - /** - * The message for the IPublishProgress interface - */ - public message: string = 'Starting'; - - /** - * The current asset for the IPublishProgress interface - */ - public currentAsset?: IManifestEntry; - public readonly failures = new Array(); - private readonly assets: IManifestEntry[]; - - private readonly totalOperations: number; - private completedOperations: number = 0; - private aborted = false; - private readonly handlerHost: IHandlerHost; - private readonly publishInParallel: boolean; - private readonly buildAssets: boolean; - private readonly publishAssets: boolean; - private readonly handlerCache = new Map(); - - constructor(private readonly manifest: AssetManifest, private readonly options: AssetPublishingOptions) { - this.assets = manifest.entries; - this.totalOperations = this.assets.length; - this.publishInParallel = options.publishInParallel ?? false; - this.buildAssets = options.buildAssets ?? true; - this.publishAssets = options.publishAssets ?? true; - - const self = this; - this.handlerHost = { - aws: this.options.aws, - get aborted() { return self.aborted; }, - emitMessage(t, m) { self.progressEvent(t, m); }, - dockerFactory: new DockerFactory(), - }; - } - - /** - * Publish all assets from the manifest - */ - public async publish(): Promise { - if (this.publishInParallel) { - await Promise.all(this.assets.map(async (asset) => this.publishAsset(asset))); - } else { - for (const asset of this.assets) { - if (!await this.publishAsset(asset)) { - break; - } - } - } - - if ((this.options.throwOnError ?? true) && this.failures.length > 0) { - throw new Error(`Error publishing: ${this.failures.map(e => e.error.message)}`); - } - } - - /** - * Build a single asset from the manifest - */ - public async buildEntry(asset: IManifestEntry) { - try { - if (this.progressEvent(EventType.START, `Building ${asset.id}`)) { return false; } - - const handler = this.assetHandler(asset); - await handler.build(); - - if (this.aborted) { - throw new Error('Aborted'); - } - - this.completedOperations++; - if (this.progressEvent(EventType.SUCCESS, `Built ${asset.id}`)) { return false; } - } catch (e: any) { - this.failures.push({ asset, error: e }); - this.completedOperations++; - if (this.progressEvent(EventType.FAIL, e.message)) { return false; } - } - - return true; - } - - /** - * Publish a single asset from the manifest - */ - public async publishEntry(asset: IManifestEntry) { - try { - if (this.progressEvent(EventType.START, `Publishing ${asset.id}`)) { return false; } - - const handler = this.assetHandler(asset); - await handler.publish(); - - if (this.aborted) { - throw new Error('Aborted'); - } - - this.completedOperations++; - if (this.progressEvent(EventType.SUCCESS, `Published ${asset.id}`)) { return false; } - } catch (e: any) { - this.failures.push({ asset, error: e }); - this.completedOperations++; - if (this.progressEvent(EventType.FAIL, e.message)) { return false; } - } - - return true; - } - - /** - * Return whether a single asset is published - */ - public isEntryPublished(asset: IManifestEntry) { - const handler = this.assetHandler(asset); - return handler.isPublished(); - } - - /** - * publish an asset (used by 'publish()') - * @param asset The asset to publish - * @returns false when publishing should stop - */ - private async publishAsset(asset: IManifestEntry) { - try { - if (this.progressEvent(EventType.START, `Publishing ${asset.id}`)) { return false; } - - const handler = this.assetHandler(asset); - - if (this.buildAssets) { - await handler.build(); - } - - if (this.publishAssets) { - await handler.publish(); - } - - if (this.aborted) { - throw new Error('Aborted'); - } - - this.completedOperations++; - if (this.progressEvent(EventType.SUCCESS, `Published ${asset.id}`)) { return false; } - } catch (e: any) { - this.failures.push({ asset, error: e }); - this.completedOperations++; - if (this.progressEvent(EventType.FAIL, e.message)) { return false; } - } - - return true; - } - - public get percentComplete() { - if (this.totalOperations === 0) { return 100; } - return Math.floor((this.completedOperations / this.totalOperations) * 100); - } - - public abort(): void { - this.aborted = true; - } - - public get hasFailures() { - return this.failures.length > 0; - } - - /** - * Publish a progress event to the listener, if present. - * - * Returns whether an abort is requested. Helper to get rid of repetitive code in publish(). - */ - private progressEvent(event: EventType, message: string): boolean { - this.message = message; - if (this.options.progressListener) { this.options.progressListener.onPublishEvent(event, this); } - return this.aborted; - } - - private assetHandler(asset: IManifestEntry) { - const existing = this.handlerCache.get(asset); - if (existing) { - return existing; - } - const ret = makeAssetHandler(this.manifest, asset, this.handlerHost, { - quiet: this.options.quiet, - }); - this.handlerCache.set(asset, ret); - return ret; - } -} diff --git a/packages/cdk-assets/package.json b/packages/cdk-assets/package.json deleted file mode 100644 index e07450f12ec3a..0000000000000 --- a/packages/cdk-assets/package.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "name": "cdk-assets", - "description": "CDK Asset Publishing Tool", - "version": "0.0.0", - "main": "lib/index.js", - "types": "lib/index.d.ts", - "bin": { - "cdk-assets": "bin/cdk-assets", - "docker-credential-cdk-assets": "bin/docker-credential-cdk-assets" - }, - "scripts": { - "build": "cdk-build", - "integ": "integ-runner --language javascript", - "lint": "cdk-lint", - "package": "cdk-package", - "awslint": "cdk-awslint", - "pkglint": "pkglint -f", - "test": "cdk-test", - "watch": "cdk-watch", - "build+test": "yarn build && yarn test", - "build+test+package": "yarn build+test && yarn package", - "compat": "cdk-compat", - "build+extract": "yarn build", - "build+test+extract": "yarn build+test" - }, - "author": { - "name": "Amazon Web Services", - "url": "https://aws.amazon.com", - "organization": true - }, - "license": "Apache-2.0", - "devDependencies": { - "@types/archiver": "^5.3.4", - "@types/glob": "^7.2.0", - "@types/jest": "^29.5.12", - "@types/mime": "^2.0.3", - "@types/mock-fs": "^4.13.4", - "@types/yargs": "^15.0.19", - "@aws-cdk/cdk-build-tools": "0.0.0", - "jest": "^29.7.0", - "jszip": "^3.10.1", - "mock-fs": "^4.14.0", - "@aws-cdk/pkglint": "0.0.0" - }, - "dependencies": { - "@aws-cdk/cloud-assembly-schema": "0.0.0", - "@aws-cdk/cx-api": "0.0.0", - "archiver": "^5.3.2", - "aws-sdk": "^2.1653.0", - "glob": "^7.2.3", - "mime": "^2.6.0", - "yargs": "^16.2.0" - }, - "repository": { - "url": "https://github.com/aws/aws-cdk.git", - "type": "git", - "directory": "packages/cdk-assets" - }, - "keywords": [ - "aws", - "cdk" - ], - "homepage": "https://github.com/aws/aws-cdk", - "engines": { - "node": ">= 14.15.0" - }, - "cdk-package": { - "shrinkWrap": true - }, - "nozem": { - "ostools": [ - "unzip", - "diff", - "rm" - ] - }, - "stability": "stable", - "maturity": "stable", - "publishConfig": { - "tag": "latest" - } -} diff --git a/packages/cdk-assets/test/archive.test.ts b/packages/cdk-assets/test/archive.test.ts deleted file mode 100644 index d0fe1e2b3dbe7..0000000000000 --- a/packages/cdk-assets/test/archive.test.ts +++ /dev/null @@ -1,94 +0,0 @@ -import { exec as _exec } from 'child_process'; -import * as crypto from 'crypto'; -import { constants, exists, promises as fs } from 'fs'; -import * as os from 'os'; -import * as path from 'path'; -import { promisify } from 'util'; -import * as jszip from 'jszip'; -import { zipDirectory } from '../lib/private/archive'; -import { rmRfSync } from '../lib/private/fs-extra'; -const exec = promisify(_exec); -const pathExists = promisify(exists); - -function logger(x: string) { - // eslint-disable-next-line no-console - console.log(x); -} - -test('zipDirectory can take a directory and produce a zip from it', async () => { - const stagingDir = await fs.mkdtemp(path.join(os.tmpdir(), 'test.archive')); - const extractDir = await fs.mkdtemp(path.join(os.tmpdir(), 'test.archive.extract')); - try { - const zipFile = path.join(stagingDir, 'output.zip'); - const originalDir = path.join(__dirname, 'test-archive'); - await zipDirectory(originalDir, zipFile, logger); - - // unzip and verify that the resulting tree is the same - await exec(`unzip ${zipFile}`, { cwd: extractDir }); - - await expect(exec(`diff -bur ${originalDir} ${extractDir}`)).resolves.toBeTruthy(); - - // inspect the zip file to check that dates are reset - const zip = await fs.readFile(zipFile); - const zipData = await jszip.loadAsync(zip); - const dates = Object.values(zipData.files).map(file => file.date.toISOString()); - expect(dates[0]).toBe('1980-01-01T00:00:00.000Z'); - expect(new Set(dates).size).toBe(1); - - // check that mode is preserved - const stat = await fs.stat(path.join(extractDir, 'executable.txt')); - // eslint-disable-next-line no-bitwise - const isExec = (stat.mode & constants.S_IXUSR) || (stat.mode & constants.S_IXGRP) || (stat.mode & constants.S_IXOTH); - expect(isExec).toBeTruthy(); - } finally { - rmRfSync(stagingDir); - rmRfSync(extractDir); - } -}); - -test('md5 hash of a zip stays consistent across invocations', async () => { - const stagingDir = await fs.mkdtemp(path.join(os.tmpdir(), 'test.archive')); - const zipFile1 = path.join(stagingDir, 'output.zip'); - const zipFile2 = path.join(stagingDir, 'output.zip'); - const originalDir = path.join(__dirname, 'test-archive'); - await zipDirectory(originalDir, zipFile1, logger); - await new Promise(ok => setTimeout(ok, 2000)); // wait 2s - await zipDirectory(originalDir, zipFile2, logger); - - const hash1 = contentHash(await fs.readFile(zipFile1)); - const hash2 = contentHash(await fs.readFile(zipFile2)); - - expect(hash1).toEqual(hash2); -}); - -test('zipDirectory follows symlinks', async () => { - const stagingDir = await fs.mkdtemp(path.join(os.tmpdir(), 'test.archive')); - const extractDir = await fs.mkdtemp(path.join(os.tmpdir(), 'test.archive.follow')); - try { - // First MAKE the symlink we're going to follow. We can't check it into git, because - // CodeBuild/CodePipeline (I forget which) is going to replace symlinks with a textual - // representation of its target upon checkout, for security reasons. So, to make sure - // the symlink exists, we need to create it at build time. - const symlinkPath = path.join(__dirname, 'test-archive-follow', 'data', 'linked'); - const symlinkTarget = '../linked'; - - if (await pathExists(symlinkPath)) { - await fs.unlink(symlinkPath); - } - await fs.symlink(symlinkTarget, symlinkPath, 'dir'); - - const originalDir = path.join(__dirname, 'test-archive-follow', 'data'); - const zipFile = path.join(stagingDir, 'output.zip'); - - await expect(zipDirectory(originalDir, zipFile, logger)).resolves.toBeUndefined(); - await expect(exec(`unzip ${zipFile}`, { cwd: extractDir })).resolves.toBeDefined(); - await expect(exec(`diff -bur ${originalDir} ${extractDir}`)).resolves.toBeDefined(); - } finally { - rmRfSync(stagingDir); - rmRfSync(extractDir); - } -}); - -function contentHash(data: string | Buffer | DataView) { - return crypto.createHash('sha256').update(data).digest('hex'); -} diff --git a/packages/cdk-assets/test/docker-images.test.ts b/packages/cdk-assets/test/docker-images.test.ts deleted file mode 100644 index c396853576c3e..0000000000000 --- a/packages/cdk-assets/test/docker-images.test.ts +++ /dev/null @@ -1,706 +0,0 @@ -jest.mock('child_process'); - -import * as fs from 'fs'; -import { Manifest } from '@aws-cdk/cloud-assembly-schema'; -import * as mockfs from 'mock-fs'; -import { mockAws, mockedApiFailure, mockedApiResult } from './mock-aws'; -import { mockSpawn } from './mock-child_process'; -import { AssetManifest, AssetPublishing } from '../lib'; -import * as dockercreds from '../lib/private/docker-credentials'; - -let aws: ReturnType; -const absoluteDockerPath = '/simple/cdk.out/dockerdir'; -beforeEach(() => { - jest.resetAllMocks(); - delete(process.env.CDK_DOCKER); - - // By default, assume no externally-configured credentials. - jest.spyOn(dockercreds, 'cdkCredentialsConfig').mockReturnValue(undefined); - - mockfs({ - '/simple/cdk.out/assets.json': JSON.stringify({ - version: Manifest.version(), - dockerImages: { - theAsset: { - source: { - directory: 'dockerdir', - }, - destinations: { - theDestination: { - region: 'us-north-50', - assumeRoleArn: 'arn:aws:role', - repositoryName: 'repo', - imageTag: 'abcdef', - }, - }, - }, - }, - }), - '/multi/cdk.out/assets.json': JSON.stringify({ - version: Manifest.version(), - dockerImages: { - theAsset1: { - source: { - directory: 'dockerdir', - }, - destinations: { - theDestination: { - region: 'us-north-50', - assumeRoleArn: 'arn:aws:role', - repositoryName: 'repo', - imageTag: 'theAsset1', - }, - }, - }, - theAsset2: { - source: { - directory: 'dockerdir', - }, - destinations: { - theDestination: { - region: 'us-north-50', - assumeRoleArn: 'arn:aws:role', - repositoryName: 'repo', - imageTag: 'theAsset2', - }, - }, - }, - }, - }), - '/external/cdk.out/assets.json': JSON.stringify({ - version: Manifest.version(), - dockerImages: { - theExternalAsset: { - source: { - executable: ['sometool'], - }, - destinations: { - theDestination: { - region: 'us-north-50', - assumeRoleArn: 'arn:aws:role', - repositoryName: 'repo', - imageTag: 'ghijkl', - }, - }, - }, - }, - }), - '/simple/cdk.out/dockerdir/Dockerfile': 'FROM scratch', - '/abs/cdk.out/assets.json': JSON.stringify({ - version: Manifest.version(), - dockerImages: { - theAsset: { - source: { - directory: absoluteDockerPath, - }, - destinations: { - theDestination: { - region: 'us-north-50', - assumeRoleArn: 'arn:aws:role', - repositoryName: 'repo', - imageTag: 'abcdef', - }, - }, - }, - }, - }), - '/default-network/cdk.out/assets.json': JSON.stringify({ - version: Manifest.version(), - dockerImages: { - theAsset: { - source: { - directory: 'dockerdir', - networkMode: 'default', - }, - destinations: { - theDestination: { - region: 'us-north-50', - assumeRoleArn: 'arn:aws:role', - repositoryName: 'repo', - imageTag: 'nopqr', - }, - }, - }, - }, - }), - '/default-network/cdk.out/dockerdir/Dockerfile': 'FROM scratch', - '/platform-arm64/cdk.out/assets.json': JSON.stringify({ - version: Manifest.version(), - dockerImages: { - theAsset: { - source: { - directory: 'dockerdir', - platform: 'linux/arm64', - }, - destinations: { - theDestination: { - region: 'us-north-50', - assumeRoleArn: 'arn:aws:role', - repositoryName: 'repo', - imageTag: 'nopqr', - }, - }, - }, - }, - }), - '/cache/cdk.out/assets.json': JSON.stringify({ - version: Manifest.version(), - dockerImages: { - theAsset: { - source: { - directory: 'dockerdir', - cacheFrom: [{ type: 'registry', params: { ref: 'abcdef' } }], - cacheTo: { type: 'inline' }, - }, - destinations: { - theDestination: { - region: 'us-north-50', - assumeRoleArn: 'arn:aws:role', - repositoryName: 'repo', - imageTag: 'nopqr', - }, - }, - }, - }, - }), - '/cache-from-multiple/cdk.out/assets.json': JSON.stringify({ - version: Manifest.version(), - dockerImages: { - theAsset: { - source: { - directory: 'dockerdir', - cacheFrom: [ - { type: 'registry', params: { ref: 'cache:ref' } }, - { type: 'registry', params: { ref: 'cache:main' } }, - { type: 'gha' }, - ], - }, - destinations: { - theDestination: { - region: 'us-north-50', - assumeRoleArn: 'arn:aws:role', - repositoryName: 'repo', - imageTag: 'nopqr', - }, - }, - }, - }, - }), - '/cache-to-complex/cdk.out/assets.json': JSON.stringify({ - version: Manifest.version(), - dockerImages: { - theAsset: { - source: { - directory: 'dockerdir', - cacheTo: { type: 'registry', params: { ref: 'cache:main', mode: 'max', compression: 'zstd' } }, - }, - destinations: { - theDestination: { - region: 'us-north-50', - assumeRoleArn: 'arn:aws:role', - repositoryName: 'repo', - imageTag: 'nopqr', - }, - }, - }, - }, - }), - '/nocache/cdk.out/assets.json': JSON.stringify({ - version: Manifest.version(), - dockerImages: { - theAsset: { - source: { - directory: 'dockerdir', - cacheDisabled: true, - }, - destinations: { - theDestination: { - region: 'us-north-50', - assumeRoleArn: 'arn:aws:role', - repositoryName: 'repo', - imageTag: 'nopqr', - }, - }, - }, - }, - }), - '/platform-arm64/cdk.out/dockerdir/Dockerfile': 'FROM scratch', - }); - - aws = mockAws(); -}); - -afterEach(() => { - mockfs.restore(); -}); - -test('pass destination properties to AWS client', async () => { - const pub = new AssetPublishing(AssetManifest.fromPath('/simple/cdk.out'), { aws, throwOnError: false }); - - await pub.publish(); - - expect(aws.ecrClient).toHaveBeenCalledWith(expect.objectContaining({ - region: 'us-north-50', - assumeRoleArn: 'arn:aws:role', - })); -}); - -describe('with a complete manifest', () => { - let pub: AssetPublishing; - beforeEach(() => { - pub = new AssetPublishing(AssetManifest.fromPath('/simple/cdk.out'), { aws }); - }); - - test('Do nothing if docker image already exists', async () => { - aws.mockEcr.describeImages = mockedApiResult({ /* No error == image exists */ }); - - await pub.publish(); - - expect(aws.mockEcr.describeImages).toHaveBeenCalledWith(expect.objectContaining({ - imageIds: [{ imageTag: 'abcdef' }], - repositoryName: 'repo', - })); - }); - - test('Displays an error if the ECR repository cannot be found', async () => { - aws.mockEcr.describeImages = mockedApiFailure('RepositoryNotFoundException', 'Repository not Found'); - - await expect(pub.publish()).rejects.toThrow('Error publishing: Repository not Found'); - }); - - test('successful run does not need to query account ID', async () => { - aws.mockEcr.describeImages = mockedApiResult({ /* No error == image exists */ }); - await pub.publish(); - expect(aws.discoverCurrentAccount).not.toHaveBeenCalled(); - }); - - test('upload docker image if not uploaded yet but exists locally', async () => { - aws.mockEcr.describeImages = mockedApiFailure('ImageNotFoundException', 'File does not exist'); - aws.mockEcr.getAuthorizationToken = mockedApiResult({ - authorizationData: [ - { authorizationToken: 'dXNlcjpwYXNz', proxyEndpoint: 'https://proxy.com/' }, - ], - }); - - const expectAllSpawns = mockSpawn( - { commandLine: ['docker', 'login', '--username', 'user', '--password-stdin', 'https://proxy.com/'] }, - { commandLine: ['docker', 'inspect', 'cdkasset-theasset'] }, - { commandLine: ['docker', 'tag', 'cdkasset-theasset', '12345.amazonaws.com/repo:abcdef'] }, - { commandLine: ['docker', 'push', '12345.amazonaws.com/repo:abcdef'] }, - ); - - await pub.publish(); - - expectAllSpawns(); - expect(true).toBeTruthy(); // Expect no exception, satisfy linter - }); - - test('build and upload docker image if not exists anywhere', async () => { - aws.mockEcr.describeImages = mockedApiFailure('ImageNotFoundException', 'File does not exist'); - aws.mockEcr.getAuthorizationToken = mockedApiResult({ - authorizationData: [ - { authorizationToken: 'dXNlcjpwYXNz', proxyEndpoint: 'https://proxy.com/' }, - ], - }); - - const expectAllSpawns = mockSpawn( - { commandLine: ['docker', 'login', '--username', 'user', '--password-stdin', 'https://proxy.com/'] }, - { commandLine: ['docker', 'inspect', 'cdkasset-theasset'], exitCode: 1 }, - { commandLine: ['docker', 'build', '--tag', 'cdkasset-theasset', '.'], cwd: absoluteDockerPath }, - { commandLine: ['docker', 'tag', 'cdkasset-theasset', '12345.amazonaws.com/repo:abcdef'] }, - { commandLine: ['docker', 'push', '12345.amazonaws.com/repo:abcdef'] }, - ); - - await pub.publish(); - - expectAllSpawns(); - expect(true).toBeTruthy(); // Expect no exception, satisfy linter - }); - - test('build with networkMode option', async () => { - pub = new AssetPublishing(AssetManifest.fromPath('/default-network/cdk.out'), { aws }); - const defaultNetworkDockerpath = '/default-network/cdk.out/dockerdir'; - aws.mockEcr.describeImages = mockedApiFailure('ImageNotFoundException', 'File does not exist'); - aws.mockEcr.getAuthorizationToken = mockedApiResult({ - authorizationData: [ - { authorizationToken: 'dXNlcjpwYXNz', proxyEndpoint: 'https://proxy.com/' }, - ], - }); - - const expectAllSpawns = mockSpawn( - { commandLine: ['docker', 'login', '--username', 'user', '--password-stdin', 'https://proxy.com/'] }, - { commandLine: ['docker', 'inspect', 'cdkasset-theasset'], exitCode: 1 }, - { commandLine: ['docker', 'build', '--tag', 'cdkasset-theasset', '--network', 'default', '.'], cwd: defaultNetworkDockerpath }, - { commandLine: ['docker', 'tag', 'cdkasset-theasset', '12345.amazonaws.com/repo:nopqr'] }, - { commandLine: ['docker', 'push', '12345.amazonaws.com/repo:nopqr'] }, - ); - - await pub.publish(); - - expectAllSpawns(); - expect(true).toBeTruthy(); // Expect no exception, satisfy linter - }); - - test('build with platform option', async () => { - pub = new AssetPublishing(AssetManifest.fromPath('/platform-arm64/cdk.out'), { aws }); - const defaultNetworkDockerpath = '/platform-arm64/cdk.out/dockerdir'; - aws.mockEcr.describeImages = mockedApiFailure('ImageNotFoundException', 'File does not exist'); - aws.mockEcr.getAuthorizationToken = mockedApiResult({ - authorizationData: [ - { authorizationToken: 'dXNlcjpwYXNz', proxyEndpoint: 'https://proxy.com/' }, - ], - }); - - const expectAllSpawns = mockSpawn( - { commandLine: ['docker', 'login', '--username', 'user', '--password-stdin', 'https://proxy.com/'] }, - { commandLine: ['docker', 'inspect', 'cdkasset-theasset'], exitCode: 1 }, - { commandLine: ['docker', 'build', '--tag', 'cdkasset-theasset', '--platform', 'linux/arm64', '.'], cwd: defaultNetworkDockerpath }, - { commandLine: ['docker', 'tag', 'cdkasset-theasset', '12345.amazonaws.com/repo:nopqr'] }, - { commandLine: ['docker', 'push', '12345.amazonaws.com/repo:nopqr'] }, - ); - - await pub.publish(); - - expectAllSpawns(); - expect(true).toBeTruthy(); // Expect no exception, satisfy linter - }); - - test('build with cache option', async () => { - pub = new AssetPublishing(AssetManifest.fromPath('/cache/cdk.out'), { aws }); - const defaultNetworkDockerpath = '/cache/cdk.out/dockerdir'; - aws.mockEcr.describeImages = mockedApiFailure('ImageNotFoundException', 'File does not exist'); - aws.mockEcr.getAuthorizationToken = mockedApiResult({ - authorizationData: [ - { authorizationToken: 'dXNlcjpwYXNz', proxyEndpoint: 'https://proxy.com/' }, - ], - }); - - const expectAllSpawns = mockSpawn( - { commandLine: ['docker', 'login', '--username', 'user', '--password-stdin', 'https://proxy.com/'] }, - { commandLine: ['docker', 'inspect', 'cdkasset-theasset'], exitCode: 1 }, - { commandLine: ['docker', 'build', '--tag', 'cdkasset-theasset', '--cache-from', 'type=registry,ref=abcdef', '--cache-to', 'type=inline', '.'], cwd: defaultNetworkDockerpath }, - { commandLine: ['docker', 'tag', 'cdkasset-theasset', '12345.amazonaws.com/repo:nopqr'] }, - { commandLine: ['docker', 'push', '12345.amazonaws.com/repo:nopqr'] }, - ); - - await pub.publish(); - - expectAllSpawns(); - expect(true).toBeTruthy(); // Expect no exception, satisfy linter - }); - - test('build with cache disabled', async () => { - pub = new AssetPublishing(AssetManifest.fromPath('/nocache/cdk.out'), { aws }); - const defaultNetworkDockerpath = '/nocache/cdk.out/dockerdir'; - aws.mockEcr.describeImages = mockedApiFailure('ImageNotFoundException', 'File does not exist'); - aws.mockEcr.getAuthorizationToken = mockedApiResult({ - authorizationData: [ - { authorizationToken: 'dXNlcjpwYXNz', proxyEndpoint: 'https://proxy.com/' }, - ], - }); - - const expectAllSpawns = mockSpawn( - { commandLine: ['docker', 'login', '--username', 'user', '--password-stdin', 'https://proxy.com/'] }, - { commandLine: ['docker', 'inspect', 'cdkasset-theasset'], exitCode: 1 }, - { commandLine: ['docker', 'build', '--tag', 'cdkasset-theasset', '--no-cache', '.'], cwd: defaultNetworkDockerpath }, - { commandLine: ['docker', 'tag', 'cdkasset-theasset', '12345.amazonaws.com/repo:nopqr'] }, - { commandLine: ['docker', 'push', '12345.amazonaws.com/repo:nopqr'] }, - ); - - await pub.publish(); - - expectAllSpawns(); - expect(true).toBeTruthy(); // Expect no exception, satisfy linter - }); - - test('build with multiple cache from option', async () => { - pub = new AssetPublishing(AssetManifest.fromPath('/cache-from-multiple/cdk.out'), { aws }); - const defaultNetworkDockerpath = '/cache-from-multiple/cdk.out/dockerdir'; - aws.mockEcr.describeImages = mockedApiFailure('ImageNotFoundException', 'File does not exist'); - aws.mockEcr.getAuthorizationToken = mockedApiResult({ - authorizationData: [ - { authorizationToken: 'dXNlcjpwYXNz', proxyEndpoint: 'https://proxy.com/' }, - ], - }); - - const expectAllSpawns = mockSpawn( - { commandLine: ['docker', 'login', '--username', 'user', '--password-stdin', 'https://proxy.com/'] }, - { commandLine: ['docker', 'inspect', 'cdkasset-theasset'], exitCode: 1 }, - { - commandLine: [ - 'docker', 'build', '--tag', 'cdkasset-theasset', '--cache-from', 'type=registry,ref=cache:ref', '--cache-from', 'type=registry,ref=cache:main', '--cache-from', 'type=gha', '.', - ], - cwd: defaultNetworkDockerpath, - }, - { commandLine: ['docker', 'tag', 'cdkasset-theasset', '12345.amazonaws.com/repo:nopqr'] }, - { commandLine: ['docker', 'push', '12345.amazonaws.com/repo:nopqr'] }, - ); - - await pub.publish(); - - expectAllSpawns(); - expect(true).toBeTruthy(); // Expect no exception, satisfy linter - }); - - test('build with cache to complex option', async () => { - pub = new AssetPublishing(AssetManifest.fromPath('/cache-to-complex/cdk.out'), { aws }); - const defaultNetworkDockerpath = '/cache-to-complex/cdk.out/dockerdir'; - aws.mockEcr.describeImages = mockedApiFailure('ImageNotFoundException', 'File does not exist'); - aws.mockEcr.getAuthorizationToken = mockedApiResult({ - authorizationData: [ - { authorizationToken: 'dXNlcjpwYXNz', proxyEndpoint: 'https://proxy.com/' }, - ], - }); - - const expectAllSpawns = mockSpawn( - { commandLine: ['docker', 'login', '--username', 'user', '--password-stdin', 'https://proxy.com/'] }, - { commandLine: ['docker', 'inspect', 'cdkasset-theasset'], exitCode: 1 }, - { commandLine: ['docker', 'build', '--tag', 'cdkasset-theasset', '--cache-to', 'type=registry,ref=cache:main,mode=max,compression=zstd', '.'], cwd: defaultNetworkDockerpath }, - { commandLine: ['docker', 'tag', 'cdkasset-theasset', '12345.amazonaws.com/repo:nopqr'] }, - { commandLine: ['docker', 'push', '12345.amazonaws.com/repo:nopqr'] }, - ); - - await pub.publish(); - - expectAllSpawns(); - expect(true).toBeTruthy(); // Expect no exception, satisfy linter - }); -}); - -describe('external assets', () => { - let pub: AssetPublishing; - const externalTag = 'external:tag'; - beforeEach(() => { - pub = new AssetPublishing(AssetManifest.fromPath('/external/cdk.out'), { aws }); - }); - - test('upload externally generated Docker image', async () => { - aws.mockEcr.describeImages = mockedApiFailure('ImageNotFoundException', 'File does not exist'); - aws.mockEcr.getAuthorizationToken = mockedApiResult({ - authorizationData: [ - { authorizationToken: 'dXNlcjpwYXNz', proxyEndpoint: 'https://proxy.com/' }, - ], - }); - - const expectAllSpawns = mockSpawn( - { commandLine: ['docker', 'login', '--username', 'user', '--password-stdin', 'https://proxy.com/'] }, - { commandLine: ['sometool'], stdout: externalTag, cwd: '/external/cdk.out' }, - { commandLine: ['docker', 'tag', externalTag, '12345.amazonaws.com/repo:ghijkl'] }, - { commandLine: ['docker', 'push', '12345.amazonaws.com/repo:ghijkl'] }, - ); - - await pub.publish(); - - expect(aws.ecrClient).toHaveBeenCalledWith(expect.objectContaining({ - region: 'us-north-50', - assumeRoleArn: 'arn:aws:role', - })); - expectAllSpawns(); - }); -}); - -test('correctly identify Docker directory if path is absolute', async () => { - const pub = new AssetPublishing(AssetManifest.fromPath('/abs/cdk.out'), { aws }); - - aws.mockEcr.describeImages = mockedApiFailure('ImageNotFoundException', 'File does not exist'); - aws.mockEcr.getAuthorizationToken = mockedApiResult({ - authorizationData: [ - { authorizationToken: 'dXNlcjpwYXNz', proxyEndpoint: 'https://proxy.com/' }, - ], - }); - - const expectAllSpawns = mockSpawn( - // Only care about the 'build' command line - { commandLine: ['docker', 'login'], prefix: true }, - { commandLine: ['docker', 'inspect'], exitCode: 1, prefix: true }, - { commandLine: ['docker', 'build', '--tag', 'cdkasset-theasset', '.'], cwd: absoluteDockerPath }, - { commandLine: ['docker', 'tag'], prefix: true }, - { commandLine: ['docker', 'push'], prefix: true }, - ); - - await pub.publish(); - - expect(true).toBeTruthy(); // Expect no exception, satisfy linter - expectAllSpawns(); -}); - -test('when external credentials are present, explicit Docker config directories are used', async () => { - // Setup -- Mock that we have CDK credentials, and mock fs operations. - jest.spyOn(dockercreds, 'cdkCredentialsConfig').mockReturnValue({ version: '0.1', domainCredentials: {} }); - jest.spyOn(fs, 'mkdtempSync').mockImplementationOnce(() => '/tmp/mockedTempDir'); - jest.spyOn(fs, 'writeFileSync').mockImplementation(jest.fn()); - - let pub = new AssetPublishing(AssetManifest.fromPath('/simple/cdk.out'), { aws }); - aws.mockEcr.describeImages = mockedApiFailure('ImageNotFoundException', 'File does not exist'); - aws.mockEcr.getAuthorizationToken = mockedApiResult({ - authorizationData: [ - { authorizationToken: 'dXNlcjpwYXNz', proxyEndpoint: 'https://proxy.com/' }, - ], - }); - - const expectAllSpawns = mockSpawn( - // Initally use the first created directory with the CDK credentials - { commandLine: ['docker', '--config', '/tmp/mockedTempDir', 'inspect', 'cdkasset-theasset'], exitCode: 1 }, - { commandLine: ['docker', '--config', '/tmp/mockedTempDir', 'build', '--tag', 'cdkasset-theasset', '.'], cwd: absoluteDockerPath }, - { commandLine: ['docker', '--config', '/tmp/mockedTempDir', 'tag', 'cdkasset-theasset', '12345.amazonaws.com/repo:abcdef'] }, - // Prior to push, revert to the default config directory - { commandLine: ['docker', 'login'], prefix: true }, - { commandLine: ['docker', 'push', '12345.amazonaws.com/repo:abcdef'] }, - ); - - await pub.publish(); - - expectAllSpawns(); -}); - -test('logging in only once for two assets', async () => { - const pub = new AssetPublishing(AssetManifest.fromPath('/multi/cdk.out'), { aws, throwOnError: false }); - aws.mockEcr.describeImages = mockedApiFailure('ImageNotFoundException', 'File does not exist'); - aws.mockEcr.getAuthorizationToken = mockedApiResult({ - authorizationData: [ - { authorizationToken: 'dXNlcjpwYXNz', proxyEndpoint: 'https://proxy.com/' }, - ], - }); - - const expectAllSpawns = mockSpawn( - { commandLine: ['docker', 'login', '--username', 'user', '--password-stdin', 'https://proxy.com/'] }, - { commandLine: ['docker', 'inspect', 'cdkasset-theasset1'], exitCode: 1 }, - { commandLine: ['docker', 'build', '--tag', 'cdkasset-theasset1', '.'], cwd: '/multi/cdk.out/dockerdir' }, - { commandLine: ['docker', 'tag', 'cdkasset-theasset1', '12345.amazonaws.com/repo:theAsset1'] }, - { commandLine: ['docker', 'push', '12345.amazonaws.com/repo:theAsset1'] }, - { commandLine: ['docker', 'inspect', 'cdkasset-theasset2'], exitCode: 1 }, - { commandLine: ['docker', 'build', '--tag', 'cdkasset-theasset2', '.'], cwd: '/multi/cdk.out/dockerdir' }, - { commandLine: ['docker', 'tag', 'cdkasset-theasset2', '12345.amazonaws.com/repo:theAsset2'] }, - { commandLine: ['docker', 'push', '12345.amazonaws.com/repo:theAsset2'] }, - ); - - await pub.publish(); - - expectAllSpawns(); - expect(true).toBeTruthy(); // Expect no exception, satisfy linter -}); - -test('logging in twice for two repository domains (containing account id & region)', async () => { - const pub = new AssetPublishing(AssetManifest.fromPath('/multi/cdk.out'), { aws, throwOnError: false }); - aws.mockEcr.describeImages = mockedApiFailure('ImageNotFoundException', 'File does not exist'); - - let repoIdx = 12345; - aws.mockEcr.describeRepositories = jest.fn().mockReturnValue({ - promise: jest.fn().mockImplementation(() => Promise.resolve({ - repositories: [ - // Usually looks like: 012345678910.dkr.ecr.us-west-2.amazonaws.com/aws-cdk/assets - { repositoryUri: `${repoIdx++}.amazonaws.com/aws-cdk/assets` }, - ], - })), - }); - - let proxyIdx = 12345; - aws.mockEcr.getAuthorizationToken = jest.fn().mockReturnValue({ - promise: jest.fn().mockImplementation(() => Promise.resolve({ - authorizationData: [ - { authorizationToken: 'dXNlcjpwYXNz', proxyEndpoint: `https://${proxyIdx++}.proxy.com/` }, - ], - })), - }); - - const expectAllSpawns = mockSpawn( - { commandLine: ['docker', 'login', '--username', 'user', '--password-stdin', 'https://12345.proxy.com/'] }, - { commandLine: ['docker', 'inspect', 'cdkasset-theasset1'], exitCode: 1 }, - { commandLine: ['docker', 'build', '--tag', 'cdkasset-theasset1', '.'], cwd: '/multi/cdk.out/dockerdir' }, - { commandLine: ['docker', 'tag', 'cdkasset-theasset1', '12345.amazonaws.com/aws-cdk/assets:theAsset1'] }, - { commandLine: ['docker', 'push', '12345.amazonaws.com/aws-cdk/assets:theAsset1'] }, - { commandLine: ['docker', 'login', '--username', 'user', '--password-stdin', 'https://12346.proxy.com/'] }, - { commandLine: ['docker', 'inspect', 'cdkasset-theasset2'], exitCode: 1 }, - { commandLine: ['docker', 'build', '--tag', 'cdkasset-theasset2', '.'], cwd: '/multi/cdk.out/dockerdir' }, - { commandLine: ['docker', 'tag', 'cdkasset-theasset2', '12346.amazonaws.com/aws-cdk/assets:theAsset2'] }, - { commandLine: ['docker', 'push', '12346.amazonaws.com/aws-cdk/assets:theAsset2'] }, - ); - - await pub.publish(); - - expectAllSpawns(); - expect(true).toBeTruthy(); // Expect no exception, satisfy linter -}); - -test('building only', async () => { - const pub = new AssetPublishing(AssetManifest.fromPath('/multi/cdk.out'), { - aws, - throwOnError: false, - buildAssets: true, - publishAssets: false, - }); - - aws.mockEcr.describeImages = mockedApiFailure('ImageNotFoundException', 'File does not exist'); - aws.mockEcr.getAuthorizationToken = mockedApiResult({ - authorizationData: [ - { authorizationToken: 'dXNlcjpwYXNz', proxyEndpoint: 'https://proxy.com/' }, - ], - }); - - const expectAllSpawns = mockSpawn( - { commandLine: ['docker', 'login', '--username', 'user', '--password-stdin', 'https://proxy.com/'] }, - { commandLine: ['docker', 'inspect', 'cdkasset-theasset1'], exitCode: 1 }, - { commandLine: ['docker', 'build', '--tag', 'cdkasset-theasset1', '.'], cwd: '/multi/cdk.out/dockerdir' }, - { commandLine: ['docker', 'tag', 'cdkasset-theasset1', '12345.amazonaws.com/repo:theAsset1'] }, - { commandLine: ['docker', 'inspect', 'cdkasset-theasset2'], exitCode: 1 }, - { commandLine: ['docker', 'build', '--tag', 'cdkasset-theasset2', '.'], cwd: '/multi/cdk.out/dockerdir' }, - { commandLine: ['docker', 'tag', 'cdkasset-theasset2', '12345.amazonaws.com/repo:theAsset2'] }, - ); - - await pub.publish(); - - expectAllSpawns(); - expect(true).toBeTruthy(); // Expect no exception, satisfy linter -}); - -test('publishing only', async () => { - const pub = new AssetPublishing(AssetManifest.fromPath('/multi/cdk.out'), { - aws, - throwOnError: false, - buildAssets: false, - publishAssets: true, - }); - - aws.mockEcr.describeImages = mockedApiFailure('ImageNotFoundException', 'File does not exist'); - aws.mockEcr.getAuthorizationToken = mockedApiResult({ - authorizationData: [ - { authorizationToken: 'dXNlcjpwYXNz', proxyEndpoint: 'https://proxy.com/' }, - ], - }); - - const expectAllSpawns = mockSpawn( - { commandLine: ['docker', 'login', '--username', 'user', '--password-stdin', 'https://proxy.com/'] }, - { commandLine: ['docker', 'push', '12345.amazonaws.com/aws-cdk/assets:theAsset1'] }, - { commandLine: ['docker', 'push', '12345.amazonaws.com/aws-cdk/assets:theAsset2'] }, - ); - - await pub.publish(); - - expectAllSpawns(); - expect(true).toBeTruthy(); // Expect no exception, satisfy linter -}); - -test('overriding the docker command', async () => { - process.env.CDK_DOCKER = 'custom'; - - const pub = new AssetPublishing(AssetManifest.fromPath('/simple/cdk.out'), { aws, throwOnError: false }); - - aws.mockEcr.describeImages = mockedApiFailure('ImageNotFoundException', 'File does not exist'); - aws.mockEcr.getAuthorizationToken = mockedApiResult({ - authorizationData: [ - { authorizationToken: 'dXNlcjpwYXNz', proxyEndpoint: 'https://proxy.com/' }, - ], - }); - - const expectAllSpawns = mockSpawn( - { commandLine: ['custom', 'login', '--username', 'user', '--password-stdin', 'https://proxy.com/'] }, - { commandLine: ['custom', 'inspect', 'cdkasset-theasset'] }, - { commandLine: ['custom', 'tag', 'cdkasset-theasset', '12345.amazonaws.com/repo:abcdef'] }, - { commandLine: ['custom', 'push', '12345.amazonaws.com/repo:abcdef'] }, - ); - - await pub.publish(); - - expectAllSpawns(); - expect(true).toBeTruthy(); // Expect no exception, satisfy linter -}); diff --git a/packages/cdk-assets/test/fake-listener.ts b/packages/cdk-assets/test/fake-listener.ts deleted file mode 100644 index 7aef7fbe9d9f6..0000000000000 --- a/packages/cdk-assets/test/fake-listener.ts +++ /dev/null @@ -1,17 +0,0 @@ -import { IPublishProgressListener, EventType, IPublishProgress } from '../lib/progress'; - -export class FakeListener implements IPublishProgressListener { - public readonly types = new Array(); - public readonly messages = new Array(); - - constructor(private readonly doAbort = false) { - } - - public onPublishEvent(_type: EventType, event: IPublishProgress): void { - this.messages.push(event.message); - - if (this.doAbort) { - event.abort(); - } - } -} \ No newline at end of file diff --git a/packages/cdk-assets/test/files.test.ts b/packages/cdk-assets/test/files.test.ts deleted file mode 100644 index 83af51717bea6..0000000000000 --- a/packages/cdk-assets/test/files.test.ts +++ /dev/null @@ -1,344 +0,0 @@ -jest.mock('child_process'); - -import { Manifest } from '@aws-cdk/cloud-assembly-schema'; -import * as mockfs from 'mock-fs'; -import { FakeListener } from './fake-listener'; -import { mockAws, mockedApiFailure, mockedApiResult, mockUpload } from './mock-aws'; -import { mockSpawn } from './mock-child_process'; -import { AssetPublishing, AssetManifest } from '../lib'; - -const ABS_PATH = '/simple/cdk.out/some_external_file'; - -const DEFAULT_DESTINATION = { - region: 'us-north-50', - assumeRoleArn: 'arn:aws:role', - bucketName: 'some_bucket', - objectKey: 'some_key', -}; - -let aws: ReturnType; -beforeEach(() => { - jest.resetAllMocks(); - - mockfs({ - '/simple/cdk.out/assets.json': JSON.stringify({ - version: Manifest.version(), - files: { - theAsset: { - source: { - path: 'some_file', - }, - destinations: { theDestination: DEFAULT_DESTINATION }, - }, - }, - }), - '/simple/cdk.out/some_file': 'FILE_CONTENTS', - [ABS_PATH]: 'ZIP_FILE_THAT_IS_DEFINITELY_NOT_EMPTY', - '/abs/cdk.out/assets.json': JSON.stringify({ - version: Manifest.version(), - files: { - theAsset: { - source: { - path: '/simple/cdk.out/some_file', - }, - destinations: { theDestination: { ...DEFAULT_DESTINATION, bucketName: 'some_other_bucket' } }, - }, - }, - }), - '/external/cdk.out/assets.json': JSON.stringify({ - version: Manifest.version(), - files: { - externalAsset: { - source: { - executable: ['sometool'], - }, - destinations: { theDestination: { ...DEFAULT_DESTINATION, bucketName: 'some_external_bucket' } }, - }, - }, - }), - '/types/cdk.out/assets.json': JSON.stringify({ - version: Manifest.version(), - files: { - theTextAsset: { - source: { - path: 'plain_text.txt', - }, - destinations: { theDestination: { ...DEFAULT_DESTINATION, objectKey: 'some_key.txt' } }, - }, - theImageAsset: { - source: { - path: 'image.png', - }, - destinations: { theDestination: { ...DEFAULT_DESTINATION, objectKey: 'some_key.png' } }, - }, - }, - }), - '/types/cdk.out/plain_text.txt': 'FILE_CONTENTS', - '/types/cdk.out/image.png': 'FILE_CONTENTS', - '/emptyzip/cdk.out/assets.json': JSON.stringify({ - version: Manifest.version(), - files: { - theTextAsset: { - source: { - path: 'empty_dir', - packaging: 'zip', - }, - destinations: { theDestination: DEFAULT_DESTINATION }, - }, - }, - }), - '/emptyzip/cdk.out/empty_dir': { }, // Empty directory - }); - - aws = mockAws(); -}); - -afterEach(() => { - mockfs.restore(); -}); - -test('pass destination properties to AWS client', async () => { - const pub = new AssetPublishing(AssetManifest.fromPath('/simple/cdk.out'), { aws, throwOnError: false }); - aws.mockS3.listObjectsV2 = mockedApiResult({}); - - await pub.publish(); - - expect(aws.s3Client).toHaveBeenCalledWith(expect.objectContaining({ - region: 'us-north-50', - assumeRoleArn: 'arn:aws:role', - })); -}); - -test('Do nothing if file already exists', async () => { - const pub = new AssetPublishing(AssetManifest.fromPath('/simple/cdk.out'), { aws }); - - aws.mockS3.listObjectsV2 = mockedApiResult({ Contents: [{ Key: 'some_key' }] }); - aws.mockS3.upload = mockUpload(); - await pub.publish(); - - expect(aws.mockS3.listObjectsV2).toHaveBeenCalledWith(expect.objectContaining({ - Bucket: 'some_bucket', - Prefix: 'some_key', - MaxKeys: 1, - })); - expect(aws.mockS3.upload).not.toHaveBeenCalled(); -}); - -test('tiny file does not count as cache hit', async () => { - const pub = new AssetPublishing(AssetManifest.fromPath('/simple/cdk.out'), { aws }); - - aws.mockS3.listObjectsV2 = mockedApiResult({ Contents: [{ Key: 'some_key', Size: 5 }] }); - aws.mockS3.upload = mockUpload(); - - await pub.publish(); - - expect(aws.mockS3.upload).toHaveBeenCalled(); -}); - -test('upload file if new (list returns other key)', async () => { - const pub = new AssetPublishing(AssetManifest.fromPath('/simple/cdk.out'), { aws }); - - aws.mockS3.listObjectsV2 = mockedApiResult({ Contents: [{ Key: 'some_key.but_not_the_one' }] }); - aws.mockS3.upload = mockUpload('FILE_CONTENTS'); - - await pub.publish(); - - expect(aws.mockS3.upload).toHaveBeenCalledWith(expect.objectContaining({ - Bucket: 'some_bucket', - Key: 'some_key', - ContentType: 'application/octet-stream', - })); - - // We'll just have to assume the contents are correct -}); - -test('upload with server side encryption AES256 header', async () => { - const pub = new AssetPublishing(AssetManifest.fromPath('/simple/cdk.out'), { aws }); - - aws.mockS3.getBucketEncryption = mockedApiResult({ - ServerSideEncryptionConfiguration: { - Rules: [ - { - ApplyServerSideEncryptionByDefault: { - SSEAlgorithm: 'AES256', - }, - BucketKeyEnabled: false, - }, - ], - }, - }); - aws.mockS3.listObjectsV2 = mockedApiResult({ Contents: [{ Key: 'some_key.but_not_the_one' }] }); - aws.mockS3.upload = mockUpload('FILE_CONTENTS'); - - await pub.publish(); - - expect(aws.mockS3.upload).toHaveBeenCalledWith(expect.objectContaining({ - Bucket: 'some_bucket', - Key: 'some_key', - ContentType: 'application/octet-stream', - ServerSideEncryption: 'AES256', - })); - - // We'll just have to assume the contents are correct -}); - -test('upload with server side encryption aws:kms header and key id', async () => { - const pub = new AssetPublishing(AssetManifest.fromPath('/simple/cdk.out'), { aws }); - - aws.mockS3.getBucketEncryption = mockedApiResult({ - ServerSideEncryptionConfiguration: { - Rules: [ - { - ApplyServerSideEncryptionByDefault: { - SSEAlgorithm: 'aws:kms', - KMSMasterKeyID: 'the-key-id', - }, - BucketKeyEnabled: false, - }, - ], - }, - }); - - aws.mockS3.listObjectsV2 = mockedApiResult({ Contents: [{ Key: 'some_key.but_not_the_one' }] }); - aws.mockS3.upload = mockUpload('FILE_CONTENTS'); - - await pub.publish(); - - expect(aws.mockS3.upload).toHaveBeenCalledWith(expect.objectContaining({ - Bucket: 'some_bucket', - Key: 'some_key', - ContentType: 'application/octet-stream', - ServerSideEncryption: 'aws:kms', - SSEKMSKeyId: 'the-key-id', - })); - - // We'll just have to assume the contents are correct -}); - -test('will only read bucketEncryption once even for multiple assets', async () => { - const pub = new AssetPublishing(AssetManifest.fromPath('/types/cdk.out'), { aws }); - - aws.mockS3.listObjectsV2 = mockedApiResult({ Contents: [{ Key: 'some_key.but_not_the_one' }] }); - aws.mockS3.upload = mockUpload('FILE_CONTENTS'); - - await pub.publish(); - - expect(aws.mockS3.upload).toHaveBeenCalledTimes(2); - expect(aws.mockS3.getBucketEncryption).toHaveBeenCalledTimes(1); -}); - -test('no server side encryption header if access denied for bucket encryption', async () => { - const progressListener = new FakeListener(); - const pub = new AssetPublishing(AssetManifest.fromPath('/simple/cdk.out'), { aws, progressListener }); - - aws.mockS3.getBucketEncryption = mockedApiFailure('AccessDenied', 'Access Denied'); - - aws.mockS3.listObjectsV2 = mockedApiResult({ Contents: [{ Key: 'some_key.but_not_the_one' }] }); - aws.mockS3.upload = mockUpload('FILE_CONTENTS'); - - await pub.publish(); - - expect(aws.mockS3.upload).toHaveBeenCalledWith(expect.not.objectContaining({ - ServerSideEncryption: 'aws:kms', - })); - - expect(aws.mockS3.upload).toHaveBeenCalledWith(expect.not.objectContaining({ - ServerSideEncryption: 'AES256', - })); -}); - -test('correctly looks up content type', async () => { - const pub = new AssetPublishing(AssetManifest.fromPath('/types/cdk.out'), { aws }); - - aws.mockS3.listObjectsV2 = mockedApiResult({ Contents: [{ Key: 'some_key.but_not_the_one' }] }); - aws.mockS3.upload = mockUpload('FILE_CONTENTS'); - - await pub.publish(); - - expect(aws.mockS3.upload).toHaveBeenCalledWith(expect.objectContaining({ - Bucket: 'some_bucket', - Key: 'some_key.txt', - ContentType: 'text/plain', - })); - - expect(aws.mockS3.upload).toHaveBeenCalledWith(expect.objectContaining({ - Bucket: 'some_bucket', - Key: 'some_key.png', - ContentType: 'image/png', - })); - - // We'll just have to assume the contents are correct -}); - -test('upload file if new (list returns no key)', async () => { - const pub = new AssetPublishing(AssetManifest.fromPath('/simple/cdk.out'), { aws }); - - aws.mockS3.listObjectsV2 = mockedApiResult({ Contents: undefined }); - aws.mockS3.upload = mockUpload('FILE_CONTENTS'); - - await pub.publish(); - - expect(aws.mockS3.upload).toHaveBeenCalledWith(expect.objectContaining({ - Bucket: 'some_bucket', - Key: 'some_key', - })); - - // We'll just have to assume the contents are correct -}); - -test('successful run does not need to query account ID', async () => { - const pub = new AssetPublishing(AssetManifest.fromPath('/simple/cdk.out'), { aws }); - - aws.mockS3.listObjectsV2 = mockedApiResult({ Contents: undefined }); - aws.mockS3.upload = mockUpload('FILE_CONTENTS'); - - await pub.publish(); - - expect(aws.discoverCurrentAccount).not.toHaveBeenCalled(); - expect(aws.discoverTargetAccount).not.toHaveBeenCalled(); -}); - -test('correctly identify asset path if path is absolute', async () => { - const pub = new AssetPublishing(AssetManifest.fromPath('/abs/cdk.out'), { aws }); - - aws.mockS3.listObjectsV2 = mockedApiResult({ Contents: undefined }); - aws.mockS3.upload = mockUpload('FILE_CONTENTS'); - - await pub.publish(); - - expect(true).toBeTruthy(); // No exception, satisfy linter -}); - -describe('external assets', () => { - let pub: AssetPublishing; - beforeEach(() => { - pub = new AssetPublishing(AssetManifest.fromPath('/external/cdk.out'), { aws }); - }); - - test('do nothing if file exists already', async () => { - aws.mockS3.listObjectsV2 = mockedApiResult({ Contents: [{ Key: 'some_key' }] }); - - await pub.publish(); - - expect(aws.mockS3.listObjectsV2).toHaveBeenCalledWith(expect.objectContaining({ - Bucket: 'some_external_bucket', - Prefix: 'some_key', - MaxKeys: 1, - })); - }); - - test('upload external asset correctly', async () => { - aws.mockS3.listObjectsV2 = mockedApiResult({ Contents: undefined }); - aws.mockS3.upload = mockUpload('ZIP_FILE_THAT_IS_DEFINITELY_NOT_EMPTY'); - const expectAllSpawns = mockSpawn({ commandLine: ['sometool'], stdout: ABS_PATH }); - - await pub.publish(); - - expect(aws.s3Client).toHaveBeenCalledWith(expect.objectContaining({ - region: 'us-north-50', - assumeRoleArn: 'arn:aws:role', - })); - - expectAllSpawns(); - }); -}); diff --git a/packages/cdk-assets/test/manifest.test.ts b/packages/cdk-assets/test/manifest.test.ts deleted file mode 100644 index 605d6922b5e08..0000000000000 --- a/packages/cdk-assets/test/manifest.test.ts +++ /dev/null @@ -1,117 +0,0 @@ -import { Manifest } from '@aws-cdk/cloud-assembly-schema'; -import * as mockfs from 'mock-fs'; -import { AssetManifest, DestinationIdentifier, DestinationPattern, DockerImageManifestEntry, FileManifestEntry } from '../lib'; - -beforeEach(() => { - mockfs({ - '/simple/cdk.out/assets.json': JSON.stringify({ - version: Manifest.version(), - files: { - asset1: { - type: 'file', - source: { path: 'S1' }, - destinations: { - dest1: { bucketName: 'D1', objectKey: 'X' }, - dest2: { bucketName: 'D2', objectKey: 'X' }, - }, - }, - }, - dockerImages: { - asset2: { - type: 'thing', - source: { directory: 'S2' }, - destinations: { - dest1: { repositoryName: 'D3', imageTag: 'X' }, - dest2: { repositoryName: 'D4', imageTag: 'X' }, - }, - }, - }, - }), - }); -}); - -afterEach(() => { - mockfs.restore(); -}); - -test('Can list manifest', () => { - const manifest = AssetManifest.fromPath('/simple/cdk.out'); - expect(manifest.list().join('\n')).toEqual(` -asset1 file {\"path\":\"S1\"} - ├ asset1:dest1 {\"bucketName\":\"D1\",\"objectKey\":\"X\"} - └ asset1:dest2 {\"bucketName\":\"D2\",\"objectKey\":\"X\"} -asset2 docker-image {\"directory\":\"S2\"} - ├ asset2:dest1 {\"repositoryName\":\"D3\",\"imageTag\":\"X\"} - └ asset2:dest2 {\"repositoryName\":\"D4\",\"imageTag\":\"X\"} -`.trim()); -}); - -test('.entries() iterates over all destinations', () => { - const manifest = AssetManifest.fromPath('/simple/cdk.out'); - - expect(manifest.entries).toEqual([ - new FileManifestEntry(new DestinationIdentifier('asset1', 'dest1'), { path: 'S1' }, { bucketName: 'D1', objectKey: 'X' }), - new FileManifestEntry(new DestinationIdentifier('asset1', 'dest2'), { path: 'S1' }, { bucketName: 'D2', objectKey: 'X' }), - new DockerImageManifestEntry(new DestinationIdentifier('asset2', 'dest1'), { directory: 'S2' }, { repositoryName: 'D3', imageTag: 'X' }), - new DockerImageManifestEntry(new DestinationIdentifier('asset2', 'dest2'), { directory: 'S2' }, { repositoryName: 'D4', imageTag: 'X' }), - ]); -}); - -test('can select by asset ID', () => { - const manifest = AssetManifest.fromPath('/simple/cdk.out'); - - const subset = manifest.select([DestinationPattern.parse('asset2')]); - - expect(subset.entries.map(e => f(e.genericDestination, 'repositoryName'))).toEqual(['D3', 'D4']); -}); - -test('can select by asset ID + destination ID', () => { - const manifest = AssetManifest.fromPath('/simple/cdk.out'); - - const subset = manifest.select([ - DestinationPattern.parse('asset1:dest1'), - DestinationPattern.parse('asset2:dest2'), - ]); - - expect(subset.entries.map(e => f(e.genericDestination, 'repositoryName', 'bucketName'))).toEqual(['D1', 'D4']); -}); - -test('can select by destination ID', () => { - const manifest = AssetManifest.fromPath('/simple/cdk.out'); - - const subset = manifest.select([ - DestinationPattern.parse(':dest1'), - ]); - - expect(subset.entries.map(e => f(e.genericDestination, 'repositoryName', 'bucketName'))).toEqual(['D1', 'D3']); -}); - -test('empty string is not a valid pattern', () => { - expect(() => { - DestinationPattern.parse(''); - }).toThrow(/Empty string is not a valid destination identifier/); -}); - -test('pattern must have two components', () => { - expect(() => { - DestinationPattern.parse('a:b:c'); - }).toThrow(/Asset identifier must contain at most 2/); -}); - -test('parse ASSET:* the same as ASSET and ASSET:', () => { - expect(DestinationPattern.parse('a:*')).toEqual(DestinationPattern.parse('a')); - expect(DestinationPattern.parse('a:*')).toEqual(DestinationPattern.parse('a:')); -}); - -test('parse *:DEST the same as :DEST', () => { - expect(DestinationPattern.parse('*:a')).toEqual(DestinationPattern.parse(':a')); -}); - -function f(obj: unknown, ...keys: string[]): any { - for (const k of keys) { - if (typeof obj === 'object' && obj !== null && k in obj) { - return (obj as any)[k]; - } - } - return undefined; -} diff --git a/packages/cdk-assets/test/mock-aws.ts b/packages/cdk-assets/test/mock-aws.ts deleted file mode 100644 index 10cb26da99727..0000000000000 --- a/packages/cdk-assets/test/mock-aws.ts +++ /dev/null @@ -1,74 +0,0 @@ -jest.mock('aws-sdk'); -import * as AWS from 'aws-sdk'; - -export function mockAws() { - const mockEcr = new AWS.ECR(); - const mockS3 = new AWS.S3(); - const mockSecretsManager = new AWS.SecretsManager(); - - // Sane defaults which can be overridden - mockS3.getBucketLocation = mockedApiResult({}); - mockS3.getBucketEncryption = mockedApiResult({}); - mockEcr.describeRepositories = mockedApiResult({ - repositories: [ - { - repositoryUri: '12345.amazonaws.com/repo', - }, - ], - }); - mockSecretsManager.getSecretValue = mockedApiFailure('NotImplemented', 'You need to supply an implementation for getSecretValue'); - - return { - mockEcr, - mockS3, - mockSecretsManager, - discoverPartition: jest.fn(() => Promise.resolve('swa')), - discoverCurrentAccount: jest.fn(() => Promise.resolve({ accountId: 'current_account', partition: 'swa' })), - discoverDefaultRegion: jest.fn(() => Promise.resolve('current_region')), - discoverTargetAccount: jest.fn(() => Promise.resolve({ accountId: 'target_account', partition: 'swa' })), - ecrClient: jest.fn(() => Promise.resolve(mockEcr)), - s3Client: jest.fn(() => Promise.resolve(mockS3)), - secretsManagerClient: jest.fn(() => Promise.resolve(mockSecretsManager)), - }; -} - -export function errorWithCode(code: string, message: string) { - const ret = new Error(message); - (ret as any).code = code; - return ret; -} - -export function mockedApiResult(returnValue: any) { - return jest.fn().mockReturnValue({ - promise: jest.fn().mockResolvedValue(returnValue), - }); -} - -export function mockedApiFailure(code: string, message: string) { - return jest.fn().mockReturnValue({ - promise: jest.fn().mockRejectedValue(errorWithCode(code, message)), - }); -} - -/** - * Mock upload, draining the stream that we get before returning - * so no race conditions happen with the uninstallation of mock-fs. - */ -export function mockUpload(expectContent?: string) { - return jest.fn().mockImplementation(request => ({ - promise: () => new Promise((ok, ko) => { - const didRead = new Array(); - - const bodyStream: NodeJS.ReadableStream = request.Body; - bodyStream.on('data', (chunk) => { didRead.push(chunk.toString()); }); // This listener must exist - bodyStream.on('error', ko); - bodyStream.on('close', () => { - const actualContent = didRead.join(''); - if (expectContent !== undefined && expectContent !== actualContent) { - throw new Error(`Expected to read '${expectContent}' but read: '${actualContent}'`); - } - ok(); - }); - }), - })); -} diff --git a/packages/cdk-assets/test/mock-child_process.ts b/packages/cdk-assets/test/mock-child_process.ts deleted file mode 100644 index 2cb513e24fff7..0000000000000 --- a/packages/cdk-assets/test/mock-child_process.ts +++ /dev/null @@ -1,69 +0,0 @@ -import * as child_process from 'child_process'; -import * as events from 'events'; - -if (!(child_process as any).spawn.mockImplementationOnce) { - throw new Error('Call "jest.mock(\'child_process\');" at the top of the test file!'); -} - -export interface Invocation { - commandLine: string[]; - cwd?: string; - exitCode?: number; - stdout?: string; - - /** - * Only match a prefix of the command (don't care about the details of the arguments) - */ - prefix?: boolean; -} - -export function mockSpawn(...invocations: Invocation[]): () => void { - let mock = (child_process.spawn as any); - for (const _invocation of invocations) { - const invocation = _invocation; // Mirror into variable for closure - mock = mock.mockImplementationOnce((binary: string, args: string[], options: child_process.SpawnOptions) => { - if (invocation.prefix) { - // Match command line prefix - expect([binary, ...args].slice(0, invocation.commandLine.length)).toEqual(invocation.commandLine); - } else { - // Match full command line - expect([binary, ...args]).toEqual(invocation.commandLine); - } - - if (invocation.cwd != null) { - expect(options.cwd).toBe(invocation.cwd); - } - - const child: any = new events.EventEmitter(); - child.stdin = new events.EventEmitter(); - child.stdin.write = jest.fn(); - child.stdin.end = jest.fn(); - child.stdout = new events.EventEmitter(); - child.stderr = new events.EventEmitter(); - - if (invocation.stdout) { - mockEmit(child.stdout, 'data', Buffer.from(invocation.stdout)); - } - mockEmit(child, 'close', invocation.exitCode ?? 0); - - return child; - }); - } - - mock.mockImplementation((binary: string, args: string[], _options: any) => { - throw new Error(`Did not expect call of ${JSON.stringify([binary, ...args])}`); - }); - - return () => { - expect(mock).toHaveBeenCalledTimes(invocations.length); - }; -} - -/** - * Must do this on the next tick, as emitter.emit() expects all listeners to have been attached already - */ -function mockEmit(emitter: events.EventEmitter, event: string, data: any) { - setImmediate(() => { - emitter.emit(event, data); - }); -} diff --git a/packages/cdk-assets/test/placeholders.test.ts b/packages/cdk-assets/test/placeholders.test.ts deleted file mode 100644 index 87944ca673c32..0000000000000 --- a/packages/cdk-assets/test/placeholders.test.ts +++ /dev/null @@ -1,82 +0,0 @@ -import { Manifest } from '@aws-cdk/cloud-assembly-schema'; -import * as mockfs from 'mock-fs'; -import { mockAws, mockedApiResult } from './mock-aws'; -import { AssetManifest, AssetPublishing } from '../lib'; - -let aws: ReturnType; -beforeEach(() => { - mockfs({ - '/simple/cdk.out/assets.json': JSON.stringify({ - version: Manifest.version(), - files: { - fileAsset: { - type: 'file', - source: { - path: 'some_file', - }, - destinations: { - theDestination: { - // Absence of region - assumeRoleArn: 'arn:aws:role-${AWS::AccountId}', - bucketName: 'some_bucket-${AWS::AccountId}-${AWS::Region}', - objectKey: 'some_key-${AWS::AccountId}-${AWS::Region}', - }, - }, - }, - }, - dockerImages: { - dockerAsset: { - type: 'docker-image', - source: { - directory: 'dockerdir', - }, - destinations: { - theDestination: { - // Explicit region - region: 'explicit_region', - assumeRoleArn: 'arn:aws:role-${AWS::AccountId}', - repositoryName: 'repo-${AWS::AccountId}-${AWS::Region}', - imageTag: 'abcdef', - }, - }, - }, - }, - }), - '/simple/cdk.out/some_file': 'FILE_CONTENTS', - }); - - aws = mockAws(); -}); - -afterEach(() => { - mockfs.restore(); -}); - -test('check that placeholders are replaced', async () => { - const pub = new AssetPublishing(AssetManifest.fromPath('/simple/cdk.out'), { aws }); - aws.mockS3.getBucketLocation = mockedApiResult({}); - aws.mockS3.listObjectsV2 = mockedApiResult({ Contents: [{ Key: 'some_key-current_account-current_region' }] }); - aws.mockEcr.describeImages = mockedApiResult({ /* No error == image exists */ }); - - await pub.publish(); - - expect(aws.s3Client).toHaveBeenCalledWith(expect.objectContaining({ - assumeRoleArn: 'arn:aws:role-current_account', - })); - - expect(aws.ecrClient).toHaveBeenCalledWith(expect.objectContaining({ - region: 'explicit_region', - assumeRoleArn: 'arn:aws:role-current_account', - })); - - expect(aws.mockS3.listObjectsV2).toHaveBeenCalledWith(expect.objectContaining({ - Bucket: 'some_bucket-current_account-current_region', - Prefix: 'some_key-current_account-current_region', - MaxKeys: 1, - })); - - expect(aws.mockEcr.describeImages).toHaveBeenCalledWith(expect.objectContaining({ - imageIds: [{ imageTag: 'abcdef' }], - repositoryName: 'repo-current_account-explicit_region', - })); -}); diff --git a/packages/cdk-assets/test/private/docker-credentials.test.ts b/packages/cdk-assets/test/private/docker-credentials.test.ts deleted file mode 100644 index c7e6957f9bc66..0000000000000 --- a/packages/cdk-assets/test/private/docker-credentials.test.ts +++ /dev/null @@ -1,220 +0,0 @@ -import * as os from 'os'; -import * as path from 'path'; -import * as mockfs from 'mock-fs'; -import { cdkCredentialsConfig, cdkCredentialsConfigFile, DockerCredentialsConfig, fetchDockerLoginCredentials } from '../../lib/private/docker-credentials'; -import { mockAws, mockedApiFailure, mockedApiResult } from '../mock-aws'; - -const _ENV = process.env; - -let aws: ReturnType; -beforeEach(() => { - jest.resetModules(); - jest.resetAllMocks(); - - aws = mockAws(); - - process.env = { ..._ENV }; -}); - -afterEach(() => { - mockfs.restore(); - process.env = _ENV; -}); - -describe('cdkCredentialsConfigFile', () => { - test('Can be overridden by CDK_DOCKER_CREDS_FILE', () => { - const credsFile = '/tmp/insertfilenamehere_cdk_config.json'; - process.env.CDK_DOCKER_CREDS_FILE = credsFile; - - expect(cdkCredentialsConfigFile()).toEqual(credsFile); - }); - - test('Uses homedir if no process env is set', () => { - expect(cdkCredentialsConfigFile()).toEqual(path.join(os.userInfo().homedir, '.cdk', 'cdk-docker-creds.json')); - }); -}); - -describe('cdkCredentialsConfig', () => { - const credsFile = '/tmp/foo/bar/does/not/exist/config.json'; - beforeEach(() => { process.env.CDK_DOCKER_CREDS_FILE = credsFile; }); - - test('returns undefined if no config exists', () => { - expect(cdkCredentialsConfig()).toBeUndefined(); - }); - - test('returns parsed config if it exists', () => { - mockfs({ - [credsFile]: JSON.stringify({ - version: '0.1', - domainCredentials: { - 'test1.example.com': { secretsManagerSecretId: 'mySecret' }, - 'test2.example.com': { ecrRepository: 'arn:aws:ecr:bar' }, - }, - }), - }); - - const config = cdkCredentialsConfig(); - expect(config).toBeDefined(); - expect(config?.version).toEqual('0.1'); - expect(config?.domainCredentials['test1.example.com']?.secretsManagerSecretId).toEqual('mySecret'); - expect(config?.domainCredentials['test2.example.com']?.ecrRepository).toEqual('arn:aws:ecr:bar'); - }); -}); - -describe('fetchDockerLoginCredentials', () => { - let config: DockerCredentialsConfig; - - beforeEach(() => { - config = { - version: '0.1', - domainCredentials: { - 'misconfigured.example.com': {}, - 'secret.example.com': { secretsManagerSecretId: 'mySecret' }, - 'secretwithrole.example.com': { - secretsManagerSecretId: 'mySecret', - assumeRoleArn: 'arn:aws:iam::0123456789012:role/my-role', - }, - 'secretwithcustomfields.example.com': { - secretsManagerSecretId: 'mySecret', - secretsUsernameField: 'name', - secretsPasswordField: 'apiKey', - assumeRoleArn: 'arn:aws:iam::0123456789012:role/my-role', - }, - 'ecr.example.com': { ecrRepository: true }, - 'ecrwithrole.example.com': { - ecrRepository: true, - assumeRoleArn: 'arn:aws:iam::0123456789012:role/my-role', - }, - }, - }; - }); - - test('throws on unknown domain', async () => { - await expect(fetchDockerLoginCredentials(aws, config, 'unknowndomain.example.com')).rejects.toThrow(/unknown domain/); - }); - - test('throws on misconfigured domain (no ECR or SM)', async () => { - await expect(fetchDockerLoginCredentials(aws, config, 'misconfigured.example.com')).rejects.toThrow(/unknown credential type/); - }); - - test('does not throw on correctly configured raw domain', async () => { - mockSecretWithSecretString({ username: 'secretUser', secret: 'secretPass' }); - - await expect(fetchDockerLoginCredentials(aws, config, 'https://secret.example.com/v1/')).resolves.toBeTruthy(); - }); - - describe('SecretsManager', () => { - test('returns the credentials successfully if configured correctly - domain', async () => { - mockSecretWithSecretString({ username: 'secretUser', secret: 'secretPass' }); - - const creds = await fetchDockerLoginCredentials(aws, config, 'secret.example.com'); - - expect(creds).toEqual({ Username: 'secretUser', Secret: 'secretPass' }); - }); - - test('returns the credentials successfully if configured correctly - raw domain', async () => { - mockSecretWithSecretString({ username: 'secretUser', secret: 'secretPass' }); - - const creds = await fetchDockerLoginCredentials(aws, config, 'https://secret.example.com'); - - expect(creds).toEqual({ Username: 'secretUser', Secret: 'secretPass' }); - }); - - test('throws when SecretsManager returns an error', async () => { - const errMessage = "Secrets Manager can't find the specified secret."; - aws.mockSecretsManager.getSecretValue = mockedApiFailure('ResourceNotFoundException', errMessage); - - await expect(fetchDockerLoginCredentials(aws, config, 'secret.example.com')).rejects.toThrow(errMessage); - }); - - test('supports assuming a role', async () => { - mockSecretWithSecretString({ username: 'secretUser', secret: 'secretPass' }); - - const creds = await fetchDockerLoginCredentials(aws, config, 'secretwithrole.example.com'); - - expect(creds).toEqual({ Username: 'secretUser', Secret: 'secretPass' }); - expect(aws.secretsManagerClient).toHaveBeenCalledWith({ assumeRoleArn: 'arn:aws:iam::0123456789012:role/my-role' }); - }); - - test('supports configuring the secret fields', async () => { - mockSecretWithSecretString({ name: 'secretUser', apiKey: '01234567' }); - - const creds = await fetchDockerLoginCredentials(aws, config, 'secretwithcustomfields.example.com'); - - expect(creds).toEqual({ Username: 'secretUser', Secret: '01234567' }); - }); - - test('throws when secret does not have the correct fields - key/value', async () => { - mockSecretWithSecretString({ principal: 'foo', credential: 'bar' }); - - await expect(fetchDockerLoginCredentials(aws, config, 'secret.example.com')).rejects.toThrow(/malformed secret string/); - }); - - test('throws when secret does not have the correct fields - plaintext', async () => { - mockSecretWithSecretString('myAPIKey'); - - await expect(fetchDockerLoginCredentials(aws, config, 'secret.example.com')).rejects.toThrow(/malformed secret string/); - }); - }); - - describe('ECR getAuthorizationToken', () => { - test('returns the credentials successfully', async () => { - mockEcrAuthorizationData(Buffer.from('myFoo:myBar', 'utf-8').toString('base64')); - - const creds = await fetchDockerLoginCredentials(aws, config, 'ecr.example.com'); - - expect(creds).toEqual({ Username: 'myFoo', Secret: 'myBar' }); - }); - - test('throws if ECR errors', async () => { - aws.mockEcr.getAuthorizationToken = mockedApiFailure('ServerException', 'uhoh'); - - await expect(fetchDockerLoginCredentials(aws, config, 'ecr.example.com')).rejects.toThrow(/uhoh/); - }); - - test('supports assuming a role', async () => { - mockEcrAuthorizationData(Buffer.from('myFoo:myBar', 'utf-8').toString('base64')); - - const creds = await fetchDockerLoginCredentials(aws, config, 'ecrwithrole.example.com'); - - expect(creds).toEqual({ Username: 'myFoo', Secret: 'myBar' }); - expect(aws.ecrClient).toHaveBeenCalledWith({ assumeRoleArn: 'arn:aws:iam::0123456789012:role/my-role' }); - }); - - test('throws if ECR returns no authData', async () => { - aws.mockEcr.getAuthorizationToken = mockedApiResult({ authorizationData: [] }); - - await expect(fetchDockerLoginCredentials(aws, config, 'ecr.example.com')).rejects.toThrow(/No authorization data received from ECR/); - }); - - test('throws if ECR authData is in an incorrect format', async () => { - mockEcrAuthorizationData('notabase64encodedstring'); - - await expect(fetchDockerLoginCredentials(aws, config, 'ecr.example.com')).rejects.toThrow(/unexpected ECR authData format/); - }); - }); - -}); - -function mockSecretWithSecretString(secretString: any) { - aws.mockSecretsManager.getSecretValue = mockedApiResult({ - ARN: 'arn:aws:secretsmanager:eu-west-1:0123456789012:secret:mySecret', - Name: 'mySecret', - VersionId: 'fa81fe61-c167-4aca-969e-4d8df74d4814', - SecretString: JSON.stringify(secretString), - VersionStages: [ - 'AWSCURRENT', - ], - }); -} - -function mockEcrAuthorizationData(authorizationToken: string) { - aws.mockEcr.getAuthorizationToken = mockedApiResult({ - authorizationData: [ - { - authorizationToken, - proxyEndpoint: 'https://0123456789012.dkr.ecr.eu-west-1.amazonaws.com', - }, - ], - }); -} diff --git a/packages/cdk-assets/test/private/docker.test.ts b/packages/cdk-assets/test/private/docker.test.ts deleted file mode 100644 index 40c37ca35f271..0000000000000 --- a/packages/cdk-assets/test/private/docker.test.ts +++ /dev/null @@ -1,94 +0,0 @@ -import { Docker } from '../../lib/private/docker'; -import { ShellOptions, ProcessFailedError } from '../../lib/private/shell'; - -type ShellExecuteMock = jest.SpyInstance, Parameters>; - -describe('Docker', () => { - describe('exists', () => { - let docker: Docker; - - const makeShellExecuteMock = ( - fn: (params: string[]) => void, - ): ShellExecuteMock => - jest.spyOn<{ execute: Docker['execute'] }, 'execute'>(Docker.prototype as any, 'execute').mockImplementation( - async (params: string[], _options?: ShellOptions) => fn(params), - ); - - afterEach(() => { - jest.restoreAllMocks(); - }); - - beforeEach(() => { - docker = new Docker(); - }); - - test('returns true when image inspect command does not throw', async () => { - const spy = makeShellExecuteMock(() => undefined); - - const imageExists = await docker.exists('foo'); - - expect(imageExists).toBe(true); - expect(spy.mock.calls[0][0]).toEqual(['inspect', 'foo']); - }); - - test('throws when an arbitrary error is caught', async () => { - makeShellExecuteMock(() => { - throw new Error(); - }); - - await expect(docker.exists('foo')).rejects.toThrow(); - }); - - test('throws when the error is a shell failure but the exit code is unrecognized', async () => { - makeShellExecuteMock(() => { - throw new (class extends Error implements ProcessFailedError { - public readonly code = 'PROCESS_FAILED' - public readonly exitCode = 47 - public readonly signal = null - - constructor() { - super('foo'); - } - }); - }); - - await expect(docker.exists('foo')).rejects.toThrow(); - }); - - test('returns false when the error is a shell failure and the exit code is 1 (Docker)', async () => { - makeShellExecuteMock(() => { - throw new (class extends Error implements ProcessFailedError { - public readonly code = 'PROCESS_FAILED' - public readonly exitCode = 1 - public readonly signal = null - - constructor() { - super('foo'); - } - }); - }); - - const imageExists = await docker.exists('foo'); - - expect(imageExists).toBe(false); - }); - - test('returns false when the error is a shell failure and the exit code is 125 (Podman)', async () => { - makeShellExecuteMock(() => { - throw new (class extends Error implements ProcessFailedError { - public readonly code = 'PROCESS_FAILED' - public readonly exitCode = 125 - public readonly signal = null - - constructor() { - super('foo'); - } - }); - }); - - const imageExists = await docker.exists('foo'); - - expect(imageExists).toBe(false); - }); - }); -}); diff --git a/packages/cdk-assets/test/progress.test.ts b/packages/cdk-assets/test/progress.test.ts deleted file mode 100644 index 2cca80311942a..0000000000000 --- a/packages/cdk-assets/test/progress.test.ts +++ /dev/null @@ -1,85 +0,0 @@ -import { Manifest } from '@aws-cdk/cloud-assembly-schema'; -import * as mockfs from 'mock-fs'; -import { FakeListener } from './fake-listener'; -import { mockAws, mockedApiResult, mockUpload } from './mock-aws'; -import { AssetManifest, AssetPublishing } from '../lib'; - -let aws: ReturnType; -beforeEach(() => { - mockfs({ - '/simple/cdk.out/assets.json': JSON.stringify({ - version: Manifest.version(), - files: { - theAsset: { - source: { - path: 'some_file', - }, - destinations: { - theDestination1: { - region: 'us-north-50', - assumeRoleArn: 'arn:aws:role', - bucketName: 'some_bucket', - objectKey: 'some_key', - }, - theDestination2: { - region: 'us-north-50', - assumeRoleArn: 'arn:aws:role', - bucketName: 'some_bucket', - objectKey: 'some_key2', - }, - }, - }, - }, - }), - '/simple/cdk.out/some_file': 'FILE_CONTENTS', - }); - - aws = mockAws(); - - // Accept all S3 uploads as new - aws.mockS3.getBucketLocation = mockedApiResult({}); - aws.mockS3.listObjectsV2 = mockedApiResult({ Contents: undefined }); - aws.mockS3.upload = mockUpload(); -}); - -afterEach(() => { - mockfs.restore(); -}); - -test('test listener', async () => { - const progressListener = new FakeListener(); - - const pub = new AssetPublishing(AssetManifest.fromPath('/simple/cdk.out'), { aws, progressListener }); - await pub.publish(); - - const allMessages = progressListener.messages.join('\n'); - - // Log mentions asset/destination ids - expect(allMessages).toContain('theAsset:theDestination1'); - expect(allMessages).toContain('theAsset:theDestination2'); -}); - -test('test publishing in parallel', async () => { - const progressListener = new FakeListener(); - - const pub = new AssetPublishing(AssetManifest.fromPath('/simple/cdk.out'), { aws, progressListener, publishInParallel: true }); - await pub.publish(); - - const allMessages = progressListener.messages.join('\n'); - - // Log mentions asset/destination ids - expect(allMessages).toContain('theAsset:theDestination1'); - expect(allMessages).toContain('theAsset:theDestination2'); -}); - -test('test abort', async () => { - const progressListener = new FakeListener(true); - - const pub = new AssetPublishing(AssetManifest.fromPath('/simple/cdk.out'), { aws, progressListener }); - await pub.publish(); - - const allMessages = progressListener.messages.join('\n'); - - // We never get to asset 2 - expect(allMessages).not.toContain('theAsset:theDestination2'); -}); \ No newline at end of file diff --git a/packages/cdk-assets/test/test-archive-follow/data/one.txt b/packages/cdk-assets/test/test-archive-follow/data/one.txt deleted file mode 100644 index 56a6051ca2b02..0000000000000 --- a/packages/cdk-assets/test/test-archive-follow/data/one.txt +++ /dev/null @@ -1 +0,0 @@ -1 \ No newline at end of file diff --git a/packages/cdk-assets/test/test-archive-follow/linked/two.txt b/packages/cdk-assets/test/test-archive-follow/linked/two.txt deleted file mode 100644 index d8263ee986059..0000000000000 --- a/packages/cdk-assets/test/test-archive-follow/linked/two.txt +++ /dev/null @@ -1 +0,0 @@ -2 \ No newline at end of file diff --git a/packages/cdk-assets/test/test-archive/executable.txt b/packages/cdk-assets/test/test-archive/executable.txt deleted file mode 100755 index e69de29bb2d1d..0000000000000 diff --git a/packages/cdk-assets/test/test-archive/file1.txt b/packages/cdk-assets/test/test-archive/file1.txt deleted file mode 100644 index 7bb7edbd4b634..0000000000000 --- a/packages/cdk-assets/test/test-archive/file1.txt +++ /dev/null @@ -1 +0,0 @@ -I am file1 \ No newline at end of file diff --git a/packages/cdk-assets/test/test-archive/file2.txt b/packages/cdk-assets/test/test-archive/file2.txt deleted file mode 100644 index ccb69856e7157..0000000000000 --- a/packages/cdk-assets/test/test-archive/file2.txt +++ /dev/null @@ -1,2 +0,0 @@ -I am file2 -BLA! \ No newline at end of file diff --git a/packages/cdk-assets/test/test-archive/subdir/file3.txt b/packages/cdk-assets/test/test-archive/subdir/file3.txt deleted file mode 100644 index 976606ef5a8ac..0000000000000 --- a/packages/cdk-assets/test/test-archive/subdir/file3.txt +++ /dev/null @@ -1 +0,0 @@ -I am in a subdirectory diff --git a/packages/cdk-assets/test/util.test.ts b/packages/cdk-assets/test/util.test.ts deleted file mode 100644 index 8e498076913f2..0000000000000 --- a/packages/cdk-assets/test/util.test.ts +++ /dev/null @@ -1,32 +0,0 @@ -import { createCriticalSection } from '../lib/private/util'; - -test('critical section', async () => { - // GIVEN - const criticalSection = createCriticalSection(); - - // WHEN - const arr = new Array(); - void criticalSection(async () => { - await new Promise(res => setTimeout(res, 500)); - arr.push('first'); - }); - await criticalSection(async () => { - arr.push('second'); - }); - - // THEN - expect(arr).toEqual([ - 'first', - 'second', - ]); -}); - -test('exceptions in critical sections', async () => { - // GIVEN - const criticalSection = createCriticalSection(); - - // WHEN/THEN - await expect(() => criticalSection(async () => { - throw new Error('Thrown'); - })).rejects.toThrow('Thrown'); -}); \ No newline at end of file diff --git a/packages/cdk-assets/test/zipping.test.ts b/packages/cdk-assets/test/zipping.test.ts deleted file mode 100644 index 71651289070b8..0000000000000 --- a/packages/cdk-assets/test/zipping.test.ts +++ /dev/null @@ -1,53 +0,0 @@ -// Separate test file since the archiving module doesn't work well with 'mock-fs' -import { bockfs } from '@aws-cdk/cdk-build-tools'; -import { Manifest } from '@aws-cdk/cloud-assembly-schema'; -import { mockAws, mockedApiResult, mockUpload } from './mock-aws'; -import { AssetManifest, AssetPublishing } from '../lib'; - -let aws: ReturnType; -beforeEach(() => { - bockfs({ - '/simple/cdk.out/assets.json': JSON.stringify({ - version: Manifest.version(), - files: { - theAsset: { - source: { - path: 'some_dir', - packaging: 'zip', - }, - destinations: { - theDestination: { - region: 'us-north-50', - assumeRoleArn: 'arn:aws:role', - bucketName: 'some_bucket', - objectKey: 'some_key', - }, - }, - }, - }, - }), - '/simple/cdk.out/some_dir/some_file': 'FILE_CONTENTS', - }); - - aws = mockAws(); - - // Accept all S3 uploads as new - aws.mockS3.listObjectsV2 = mockedApiResult({ Contents: undefined }); - aws.mockS3.upload = mockUpload(); -}); - -afterEach(() => { - bockfs.restore(); -}); - -test('Take a zipped upload', async () => { - const pub = new AssetPublishing(AssetManifest.fromPath(bockfs.path('/simple/cdk.out')), { aws }); - - await pub.publish(); - - expect(aws.mockS3.upload).toHaveBeenCalledWith(expect.objectContaining({ - Bucket: 'some_bucket', - Key: 'some_key', - ContentType: 'application/zip', - })); -}); diff --git a/packages/cdk-assets/tsconfig.json b/packages/cdk-assets/tsconfig.json deleted file mode 100644 index b238d46998d26..0000000000000 --- a/packages/cdk-assets/tsconfig.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "compilerOptions": { - "target": "ES2020", - "module": "commonjs", - "lib": ["es2020", "dom"], - "strict": true, - "alwaysStrict": true, - "declaration": true, - "inlineSourceMap": true, - "inlineSources": true, - "noUnusedLocals": true, - "noUnusedParameters": true, - "noImplicitReturns": true, - "noFallthroughCasesInSwitch": true, - "resolveJsonModule": true, - "composite": true, - "incremental": true - }, - "include": [ - "**/*.ts", - "**/*.d.ts", - "lib/init-templates/*/*/add-project.hook.ts" - ], - "exclude": [ - "lib/init-templates/*/typescript/**/*.ts" - ] -} - diff --git a/tools/@aws-cdk/cdk-build-tools/package.json b/tools/@aws-cdk/cdk-build-tools/package.json index 53374615cbef5..c65e33c5fae5b 100644 --- a/tools/@aws-cdk/cdk-build-tools/package.json +++ b/tools/@aws-cdk/cdk-build-tools/package.json @@ -62,8 +62,8 @@ "jest-junit": "^13.2.0", "jsii": "~5.4.25", "jsii-rosetta": "~5.4.24", - "jsii-pacmak": "1.101.0", - "jsii-reflect": "1.101.0", + "jsii-pacmak": "1.102.0", + "jsii-reflect": "1.102.0", "markdownlint-cli": "^0.41.0", "nyc": "^15.1.0", "semver": "^7.6.2", @@ -87,4 +87,4 @@ "ubergen": { "exclude": true } -} +} \ No newline at end of file diff --git a/tools/@aws-cdk/pkglint/lib/rules.ts b/tools/@aws-cdk/pkglint/lib/rules.ts index 11a435fdeb803..b6a105ad7089e 100644 --- a/tools/@aws-cdk/pkglint/lib/rules.ts +++ b/tools/@aws-cdk/pkglint/lib/rules.ts @@ -55,24 +55,10 @@ export class DescriptionIsRequired extends ValidationRule { export class PublishConfigTagIsRequired extends ValidationRule { public readonly name = 'package-info/publish-config-tag'; - // The list of packages that are publicly published in both v1 and v2. - private readonly SHARED_PACKAGES = [ - '@aws-cdk/cloud-assembly-schema', - '@aws-cdk/cloudformation-diff', - '@aws-cdk/cx-api', - '@aws-cdk/region-info', - 'aws-cdk', - 'awslint', - 'cdk-assets', - ]; - public validate(pkg: PackageJson): void { if (pkg.json.private) { return; } - // v1 packages that are v1-only (e.g., `@aws-cdk/aws-s3`) are always published as `latest`. - // Packages that are published with the same namespace to both v1 and v2 are published as `latest-1` on v1 and `latest` on v2. - // All v2-only packages are just `latest`. - const defaultPublishTag = (cdkMajorVersion() === 2 || !this.SHARED_PACKAGES.includes(pkg.packageName)) ? 'latest' : 'latest-1'; + const defaultPublishTag = 'latest'; if (pkg.json.publishConfig?.tag !== defaultPublishTag) { pkg.report({ @@ -1677,7 +1663,6 @@ export class UbergenPackageVisibility extends ValidationRule { // The ONLY (non-alpha) packages that should be published for v2. // These include dependencies of the CDK CLI (aws-cdk). private readonly v2PublicPackages = [ - '@aws-cdk/cloud-assembly-schema', '@aws-cdk/cloudformation-diff', '@aws-cdk/cx-api', '@aws-cdk/region-info', @@ -1685,7 +1670,6 @@ export class UbergenPackageVisibility extends ValidationRule { 'aws-cdk', 'awslint', 'cdk', - 'cdk-assets', '@aws-cdk/integ-runner', '@aws-cdk-testing/cli-integ', ]; diff --git a/tools/@aws-cdk/spec2cdk/package.json b/tools/@aws-cdk/spec2cdk/package.json index 20ade16f95420..e27ceb30eeb88 100644 --- a/tools/@aws-cdk/spec2cdk/package.json +++ b/tools/@aws-cdk/spec2cdk/package.json @@ -32,9 +32,9 @@ }, "license": "Apache-2.0", "dependencies": { - "@aws-cdk/aws-service-spec": "^0.1.15", - "@aws-cdk/service-spec-importers": "^0.0.43", - "@aws-cdk/service-spec-types": "^0.0.83", + "@aws-cdk/aws-service-spec": "^0.1.17", + "@aws-cdk/service-spec-importers": "^0.0.44", + "@aws-cdk/service-spec-types": "^0.0.85", "@cdklabs/tskb": "^0.0.3", "@cdklabs/typewriter": "^0.0.3", "camelcase": "^6", diff --git a/tools/@aws-cdk/spec2cdk/temporary-schemas/us-east-1/aws-lambda-eventsourcemapping.json b/tools/@aws-cdk/spec2cdk/temporary-schemas/us-east-1/aws-lambda-eventsourcemapping.json new file mode 100644 index 0000000000000..965ef4c491c1a --- /dev/null +++ b/tools/@aws-cdk/spec2cdk/temporary-schemas/us-east-1/aws-lambda-eventsourcemapping.json @@ -0,0 +1,409 @@ +{ + "typeName" : "AWS::Lambda::EventSourceMapping", + "description" : "Resource Type definition for AWS::Lambda::EventSourceMapping", + "nonPublicProperties": ["/properties/KmsKeyArn"], + "additionalProperties" : false, + "properties" : { + "Id": { + "description": "Event Source Mapping Identifier UUID.", + "type": "string", + "pattern": "[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}", + "minLength": 36, + "maxLength": 36 + }, + "BatchSize": { + "description": "The maximum number of items to retrieve in a single batch.", + "type": "integer", + "minimum": 1, + "maximum": 10000 + }, + "BisectBatchOnFunctionError": { + "description": "(Streams) If the function returns an error, split the batch in two and retry.", + "type": "boolean" + }, + "DestinationConfig": { + "description": "(Kinesis, DynamoDB, Amazon MSK, and self-managed Kafka event sources only) A configuration object that specifies the destination of an event after Lambda processes it.", + "$ref": "#/definitions/DestinationConfig" + }, + "Enabled": { + "description": "Disables the event source mapping to pause polling and invocation.", + "type": "boolean" + }, + "EventSourceArn": { + "description": "The Amazon Resource Name (ARN) of the event source.", + "type": "string", + "pattern": "arn:(aws[a-zA-Z0-9-]*):([a-zA-Z0-9\\-])+:([a-z]{2}(-gov)?(-iso([a-z])?)?-[a-z]+-\\d{1})?:(\\d{12})?:(.*)", + "minLength": 12, + "maxLength": 1024 + }, + "FilterCriteria": { + "description": "The filter criteria to control event filtering.", + "$ref": "#/definitions/FilterCriteria" + }, + "KmsKeyArn": { + "description": "The Amazon Resource Name (ARN) of the KMS key.", + "type": "string", + "pattern": "(arn:(aws[a-zA-Z-]*)?:[a-z0-9-.]+:.*)|()", + "minLength": 12, + "maxLength": 2048 + }, + "FunctionName": { + "description": "The name of the Lambda function.", + "type": "string", + "pattern": "(arn:(aws[a-zA-Z-]*)?:lambda:)?([a-z]{2}(-gov)?(-iso([a-z])?)?-[a-z]+-\\d{1}:)?(\\d{12}:)?(function:)?([a-zA-Z0-9-_]+)(:(\\$LATEST|[a-zA-Z0-9-_]+))?", + "minLength": 1, + "maxLength": 140 + }, + "MaximumBatchingWindowInSeconds": { + "description": "(Streams) The maximum amount of time to gather records before invoking the function, in seconds.", + "type": "integer", + "minimum": 0, + "maximum": 300 + }, + "MaximumRecordAgeInSeconds": { + "description": "(Streams) The maximum age of a record that Lambda sends to a function for processing.", + "type": "integer", + "minimum": -1, + "maximum": 604800 + }, + "MaximumRetryAttempts": { + "description": "(Streams) The maximum number of times to retry when the function returns an error.", + "type": "integer", + "minimum": -1, + "maximum": 10000 + }, + "ParallelizationFactor": { + "description": "(Streams) The number of batches to process from each shard concurrently.", + "type": "integer", + "minimum": 1, + "maximum": 10 + }, + "StartingPosition": { + "description": "The position in a stream from which to start reading. Required for Amazon Kinesis and Amazon DynamoDB Streams sources.", + "type": "string", + "pattern": "(LATEST|TRIM_HORIZON|AT_TIMESTAMP)+", + "minLength": 6, + "maxLength": 12 + }, + "StartingPositionTimestamp": { + "description": "With StartingPosition set to AT_TIMESTAMP, the time from which to start reading, in Unix time seconds.", + "type": "number" + }, + "Topics": { + "description": "(Kafka) A list of Kafka topics.", + "type": "array", + "uniqueItems": true, + "items": { + "type": "string", + "pattern": "^[^.]([a-zA-Z0-9\\-_.]+)", + "minLength": 1, + "maxLength": 249 + }, + "minItems": 1, + "maxItems": 1 + }, + "Queues": { + "description": "(ActiveMQ) A list of ActiveMQ queues.", + "type": "array", + "uniqueItems": true, + "items": { + "type": "string", + "pattern": "[\\s\\S]*", + "minLength": 1, + "maxLength": 1000 + }, + "minItems": 1, + "maxItems": 1 + }, + "SourceAccessConfigurations": { + "description": "A list of SourceAccessConfiguration.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/SourceAccessConfiguration" + }, + "minItems": 1, + "maxItems": 22 + }, + "TumblingWindowInSeconds": { + "description": "(Streams) Tumbling window (non-overlapping time window) duration to perform aggregations.", + "type": "integer", + "minimum": 0, + "maximum": 900 + }, + "FunctionResponseTypes": { + "description": "(Streams) A list of response types supported by the function.", + "type": "array", + "uniqueItems": true, + "items": { + "type": "string", + "enum": [ + "ReportBatchItemFailures" + ] + }, + "minLength": 0, + "maxLength": 1 + }, + "SelfManagedEventSource": { + "description": "Self-managed event source endpoints.", + "$ref": "#/definitions/SelfManagedEventSource" + }, + "AmazonManagedKafkaEventSourceConfig": { + "description": "Specific configuration settings for an MSK event source.", + "$ref": "#/definitions/AmazonManagedKafkaEventSourceConfig" + }, + "SelfManagedKafkaEventSourceConfig": { + "description": "Specific configuration settings for a Self-Managed Apache Kafka event source.", + "$ref": "#/definitions/SelfManagedKafkaEventSourceConfig" + }, + "ScalingConfig": { + "description": "The scaling configuration for the event source.", + "$ref": "#/definitions/ScalingConfig" + }, + "DocumentDBEventSourceConfig": { + "description": "Document db event source config.", + "$ref": "#/definitions/DocumentDBEventSourceConfig" + } + }, + "definitions" : { + "DestinationConfig" : { + "type" : "object", + "additionalProperties" : false, + "description": "A configuration object that specifies the destination of an event after Lambda processes it.", + "properties" : { + "OnFailure": { + "description": "A destination for records of invocations that failed processing.", + "$ref": "#/definitions/OnFailure" + } + } + }, + "FilterCriteria": { + "type": "object", + "description": "The filter criteria to control event filtering.", + "additionalProperties" : false, + "properties": { + "Filters": { + "description": "List of filters of this FilterCriteria", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/Filter" + }, + "minItems": 1, + "maxItems": 20 + } + } + }, + "Filter": { + "type": "object", + "description": "The filter object that defines parameters for ESM filtering.", + "additionalProperties" : false, + "properties": { + "Pattern": { + "type": "string", + "description": "The filter pattern that defines which events should be passed for invocations.", + "pattern": ".*", + "minLength": 0, + "maxLength": 4096 + } + } + }, + "OnFailure": { + "type" : "object", + "description" : "A destination for records of invocations that failed processing.", + "additionalProperties" : false, + "properties" : { + "Destination": { + "description": "The Amazon Resource Name (ARN) of the destination resource.", + "type": "string", + "pattern": "arn:(aws[a-zA-Z0-9-]*):([a-zA-Z0-9\\-])+:([a-z]{2}(-gov)?(-iso([a-z])?)?-[a-z]+-\\d{1})?:(\\d{12})?:(.*)", + "minLength": 12, + "maxLength": 1024 + } + } + }, + "SourceAccessConfiguration" : { + "type" : "object", + "additionalProperties" : false, + "description": "The configuration used by AWS Lambda to access event source", + "properties" : { + "Type" : { + "description": "The type of source access configuration.", + "enum": [ + "BASIC_AUTH", + "VPC_SUBNET", + "VPC_SECURITY_GROUP", + "SASL_SCRAM_512_AUTH", + "SASL_SCRAM_256_AUTH", + "VIRTUAL_HOST", + "CLIENT_CERTIFICATE_TLS_AUTH", + "SERVER_ROOT_CA_CERTIFICATE" + ], + "type": "string" + }, + "URI" : { + "description": "The URI for the source access configuration resource.", + "type": "string", + "pattern": "[a-zA-Z0-9-\\/*:_+=.@-]*", + "minLength": 1, + "maxLength": 200 + } + } + }, + "SelfManagedEventSource" : { + "type": "object", + "additionalProperties": false, + "description": "The configuration used by AWS Lambda to access a self-managed event source.", + "properties": { + "Endpoints": { + "description": "The endpoints for a self-managed event source.", + "$ref": "#/definitions/Endpoints" + } + } + }, + "Endpoints" : { + "type": "object", + "additionalProperties": false, + "description": "The endpoints used by AWS Lambda to access a self-managed event source.", + "properties": { + "KafkaBootstrapServers": { + "type": "array", + "description": "A list of Kafka server endpoints.", + "uniqueItems": true, + "items": { + "type": "string", + "description": "The URL of a Kafka server.", + "pattern": "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]):[0-9]{1,5}", + "minLength": 1, + "maxLength": 300 + }, + "minItems": 1, + "maxItems": 10 + } + } + }, + "ConsumerGroupId": { + "description": "The identifier for the Kafka Consumer Group to join.", + "type": "string", + "pattern": "[a-zA-Z0-9-\\/*:_+=.@-]*", + "minLength": 1, + "maxLength": 200 + }, + "AmazonManagedKafkaEventSourceConfig": { + "description": "Specific configuration settings for an MSK event source.", + "type": "object", + "additionalProperties": false, + "properties": { + "ConsumerGroupId": { + "description": "The identifier for the Kafka Consumer Group to join.", + "$ref": "#/definitions/ConsumerGroupId" + } + } + }, + "SelfManagedKafkaEventSourceConfig": { + "description": "Specific configuration settings for a Self-Managed Apache Kafka event source.", + "type": "object", + "additionalProperties": false, + "properties": { + "ConsumerGroupId": { + "description": "The identifier for the Kafka Consumer Group to join.", + "$ref": "#/definitions/ConsumerGroupId" + } + } + }, + "MaximumConcurrency": { + "description": "The maximum number of concurrent functions that an event source can invoke.", + "type": "integer", + "minimum": 2, + "maximum": 1000 + }, + "ScalingConfig": { + "description": "The scaling configuration for the event source.", + "type": "object", + "additionalProperties": false, + "properties": { + "MaximumConcurrency": { + "description": "The maximum number of concurrent functions that the event source can invoke.", + "$ref": "#/definitions/MaximumConcurrency" + } + } + }, + "DocumentDBEventSourceConfig": { + "description": "Document db event source config.", + "type": "object", + "additionalProperties": false, + "properties": { + "DatabaseName": { + "description": "The database name to connect to.", + "type": "string", + "minLength": 1, + "maxLength": 63 + }, + "CollectionName": { + "description": "The collection name to connect to.", + "type": "string", + "minLength": 1, + "maxLength": 57 + }, + "FullDocument": { + "description": "Include full document in change stream response. The default option will only send the changes made to documents to Lambda. If you want the complete document sent to Lambda, set this to UpdateLookup.", + "type": "string", + "enum": [ + "UpdateLookup", + "Default" + ] + } + } + } + }, + "required" : [ "FunctionName" ], + "createOnlyProperties" : [ + "/properties/EventSourceArn", + "/properties/StartingPosition", + "/properties/StartingPositionTimestamp", + "/properties/SelfManagedEventSource", + "/properties/AmazonManagedKafkaEventSourceConfig", + "/properties/SelfManagedKafkaEventSourceConfig" + ], + "readOnlyProperties" : [ "/properties/Id" ], + "primaryIdentifier" : [ "/properties/Id" ], + "propertyTransform" : { + "/properties/StartingPositionTimestamp": "StartingPositionTimestamp * 1000" + }, + "handlers": { + "create": { + "permissions": [ + "lambda:CreateEventSourceMapping", + "lambda:GetEventSourceMapping" + ] + }, + "delete": { + "permissions": [ + "lambda:DeleteEventSourceMapping", + "lambda:GetEventSourceMapping" + ] + }, + "list": { + "permissions": [ + "lambda:ListEventSourceMappings" + ] + }, + "read": { + "permissions": [ + "lambda:GetEventSourceMapping" + ] + }, + "update": { + "permissions": [ + "lambda:UpdateEventSourceMapping", + "lambda:GetEventSourceMapping" + ] + } + }, + "tagging": { + "taggable": false, + "tagOnCreate": false, + "tagUpdatable": false, + "cloudFormationSystemTags": false + } +} \ No newline at end of file diff --git a/version.v2.json b/version.v2.json index 6c3bf4ed415f0..21304aecb929a 100644 --- a/version.v2.json +++ b/version.v2.json @@ -1,4 +1,4 @@ { - "version": "2.151.0", - "alphaVersion": "2.151.0-alpha.0" + "version": "2.152.0", + "alphaVersion": "2.152.0-alpha.0" } \ No newline at end of file diff --git a/yarn.lock b/yarn.lock index b446bece17399..3067c91971028 100644 --- a/yarn.lock +++ b/yarn.lock @@ -51,14 +51,37 @@ resolved "https://registry.npmjs.org/@aws-cdk/asset-node-proxy-agent-v6/-/asset-node-proxy-agent-v6-2.0.3.tgz#9b5d213b5ce5ad4461f6a4720195ff8de72e6523" integrity sha512-twhuEG+JPOYCYPx/xy5uH2+VUsIEhPTzDY0F1KuB+ocjWWB/KEDiOVL19nHvbPCB6fhWnkykXEMJ4HHcKvjtvg== -"@aws-cdk/aws-service-spec@^0.1.15": - version "0.1.15" - resolved "https://registry.npmjs.org/@aws-cdk/aws-service-spec/-/aws-service-spec-0.1.15.tgz#2d4ab7b847ddc255e5d3a300bb91905c513ffac4" - integrity sha512-r5hNmHKqsuY+Y3bh0TLOTla0yORh3e6o79pOUkDRwyL1tdcds2ziY1Kc967KJDcET5Tn1zvoxTuksD40abmKhw== +"@aws-cdk/aws-service-spec@^0.1.17": + version "0.1.17" + resolved "https://registry.npmjs.org/@aws-cdk/aws-service-spec/-/aws-service-spec-0.1.17.tgz#8d3cf28223e8d43caf37cb28b96e1185c190bfbe" + integrity sha512-QCrkR16/gbWoQJiDdP8JhnMWcRCHkhslnRXMg8q3GfEFZ9p0SD3dqrXBCjT4imQQJUn1jrfWWufo5yz4KpbP7w== dependencies: - "@aws-cdk/service-spec-types" "^0.0.83" + "@aws-cdk/service-spec-types" "^0.0.85" "@cdklabs/tskb" "^0.0.3" +"@aws-cdk/cloud-assembly-schema@^36.0.0": + version "36.0.6" + resolved "https://registry.npmjs.org/@aws-cdk/cloud-assembly-schema/-/cloud-assembly-schema-36.0.6.tgz#880a1418f50b786276e834ca1916a772fc57a8ed" + integrity sha512-ZF7d7D5+eM7IReYJXzSEYaaw7+JXM20NFGRRjUqmckKFF5GUds4ouExyihRgOE/HjwGgcAOPKMxzCmMJCqLVWQ== + dependencies: + jsonschema "^1.4.1" + semver "^7.6.3" + +"@aws-cdk/cloud-assembly-schema@^36.0.5": + version "36.0.5" + resolved "https://registry.npmjs.org/@aws-cdk/cloud-assembly-schema/-/cloud-assembly-schema-36.0.5.tgz#20207347d263eea8c3e0381ce2b9d169f0fbfe41" + integrity sha512-3BYOfDqB+xU/ZCjdQ1SDc6qodvg93DY7MPU9FuuIhvqLQBsuO6e//WNZlkToo/QXE9FFm7d/TQI9AyAD/Y/84w== + dependencies: + jsonschema "^1.4.1" + semver "^7.6.3" + +"@aws-cdk/cx-api@^2.151.0": + version "2.151.1" + resolved "https://registry.npmjs.org/@aws-cdk/cx-api/-/cx-api-2.151.1.tgz#77e7eccf784d6c369241859dcef69e593bf16fe0" + integrity sha512-pkDgjncFjtw/Y2kaW5Y5msU/TcUPyohx+FDNGw/lHrW74t7NKf+ydxRPAxN/FbAweX2aWlpEqpHU5iatZflBUg== + dependencies: + semver "^7.6.2" + "@aws-cdk/lambda-layer-kubectl-v24@^2.0.242": version "2.0.242" resolved "https://registry.npmjs.org/@aws-cdk/lambda-layer-kubectl-v24/-/lambda-layer-kubectl-v24-2.0.242.tgz#4273a5ad7714f933a7eba155eb9280823086db71" @@ -74,12 +97,12 @@ resolved "https://registry.npmjs.org/@aws-cdk/lambda-layer-kubectl-v30/-/lambda-layer-kubectl-v30-2.0.0.tgz#97c40d31e5350ce7170be5d188361118b1e39231" integrity sha512-yES6NfrJ3QV1372lAZ2FLXp/no4bqDWBXeSREJdrpWjQzD0wvL/hCpHEyjZrzHhOi27YbMxFTQ3g9isKAul8+A== -"@aws-cdk/service-spec-importers@^0.0.43": - version "0.0.43" - resolved "https://registry.npmjs.org/@aws-cdk/service-spec-importers/-/service-spec-importers-0.0.43.tgz#94de14d9d21243c213de448edf14f3b83db76086" - integrity sha512-iu1uOGyzI/MF5y3WL/7txu81Bw9KoxgD+dO+M1yLhwKY7zJR6HulQ2FCZCAAU4CDHpXXbpdEz3vY5G692a8uBA== +"@aws-cdk/service-spec-importers@^0.0.44": + version "0.0.44" + resolved "https://registry.npmjs.org/@aws-cdk/service-spec-importers/-/service-spec-importers-0.0.44.tgz#8a2c55e69f1fd33ff19877e7eb82d87cf35cd229" + integrity sha512-Oo5qbamIPx/YOeZlmxNJsenPvNkyaofgieWhZavqhAgk0H5VCis4/stxnUwZzsu3Bc7SCg/vQRILDt4oGt981Q== dependencies: - "@aws-cdk/service-spec-types" "^0.0.82" + "@aws-cdk/service-spec-types" "^0.0.84" "@cdklabs/tskb" "^0.0.3" ajv "^6" canonicalize "^2.0.0" @@ -90,17 +113,17 @@ glob "^8" sort-json "^2.0.1" -"@aws-cdk/service-spec-types@^0.0.82": - version "0.0.82" - resolved "https://registry.npmjs.org/@aws-cdk/service-spec-types/-/service-spec-types-0.0.82.tgz#f677f017fd54b311092af7721946b6464ae100f6" - integrity sha512-8vdhrkYq3p1kg7WY4thblhin8djcKCf1MfcESFoYa5dG8zu9DmdBNXUFx8GiXjkHXADGrPK2/jaL1XhK4qkLpw== +"@aws-cdk/service-spec-types@^0.0.84": + version "0.0.84" + resolved "https://registry.npmjs.org/@aws-cdk/service-spec-types/-/service-spec-types-0.0.84.tgz#b6fa7429bb556d26eb39c18a2ee9802079bdb234" + integrity sha512-AM3ghRsd9cZlpW+nuVRRdQiPuGV9iWDyHnR/Vjd9xKQEf+Qmh9vnRmB205rFncAIlbFjHXxgapII+lujHCGDmQ== dependencies: "@cdklabs/tskb" "^0.0.3" -"@aws-cdk/service-spec-types@^0.0.83": - version "0.0.83" - resolved "https://registry.npmjs.org/@aws-cdk/service-spec-types/-/service-spec-types-0.0.83.tgz#20337cb6adde4627ffbcc624fc43e3ae042e746c" - integrity sha512-M3G0UiTKm81SCK9tTSfzmnojg5Mx/NQ3nsIQUIYNmlYHaw/EM9A933sjSv02lJt42fIqnzNjWOH1wiwQFnX28Q== +"@aws-cdk/service-spec-types@^0.0.85": + version "0.0.85" + resolved "https://registry.npmjs.org/@aws-cdk/service-spec-types/-/service-spec-types-0.0.85.tgz#6d1d8d6720c50d44f0519a50b519dbcb33962203" + integrity sha512-cqTOKSy4ASJISezk4c3dv4AxGt1C8UfUdux9r58jmuNwNROjPfVTuAnSweACbmG18A1/rVvfyTUt5E72otYqgQ== dependencies: "@cdklabs/tskb" "^0.0.3" @@ -4257,7 +4280,22 @@ chalk "^4.1.2" semver "^7.6.0" -"@jsii/spec@1.101.0", "@jsii/spec@^1.101.0": +"@jsii/check-node@1.102.0": + version "1.102.0" + resolved "https://registry.npmjs.org/@jsii/check-node/-/check-node-1.102.0.tgz#d5dce81b60411b35d4890e69eee2b86d606c8672" + integrity sha512-uyKjxCe1ou11RJz6koBr5vXtyaGjTA45hF+H88GNW96vms7jKqmYdMm067Az1OKwl38h02lQRQ2tmoEzV7u74w== + dependencies: + chalk "^4.1.2" + semver "^7.6.3" + +"@jsii/spec@1.102.0", "@jsii/spec@^1.102.0": + version "1.102.0" + resolved "https://registry.npmjs.org/@jsii/spec/-/spec-1.102.0.tgz#3f9cfcd44e4358ba7259730452e89b2111918524" + integrity sha512-/VcmoEyp7HR0xoFz47/fiyZjAv+0gHG4ZwTbgB+umbB88bTbLZadnqBL7T9OIKQbK4w8HNOaRnHwjNBIYIPxWQ== + dependencies: + ajv "^8.17.1" + +"@jsii/spec@^1.101.0": version "1.101.0" resolved "https://registry.npmjs.org/@jsii/spec/-/spec-1.101.0.tgz#b1c3488d5df2ee0c355e0a3493e3de4add9d7452" integrity sha512-855OnjKm4RTzRA78GGTNBG/GLe6X/vHJYD58zg7Rw8rWS7sU6iB65TM/7P7R3cufVew8umjjPjvW7ygS6ZqITQ== @@ -6388,11 +6426,6 @@ resolved "https://registry.npmjs.org/@types/mime-types/-/mime-types-2.1.4.tgz#93a1933e24fed4fb9e4adc5963a63efcbb3317a2" integrity sha512-lfU4b34HOri+kAY5UheuFMWPDOI+OPceBSHZKp69gEyTL/mmJ4cnU6Y/rlme3UL3GyOn6Y42hyIEw0/q8sWx5w== -"@types/mime@^2.0.3": - version "2.0.3" - resolved "https://registry.npmjs.org/@types/mime/-/mime-2.0.3.tgz#c893b73721db73699943bfc3653b1deb7faa4a3a" - integrity sha512-Jus9s4CDbqwocc5pOAnh8ShfrnMcPHuJYzVcSUU7lrh8Ni5HuIqX3oilL86p3dlTrk0LzHRCgA/GQ7uNCw6l2Q== - "@types/minimatch@*": version "5.1.2" resolved "https://registry.npmjs.org/@types/minimatch/-/minimatch-5.1.2.tgz#07508b45797cb81ec3f273011b054cd0755eddca" @@ -6850,6 +6883,16 @@ ajv@^8.0.1, ajv@^8.13.0: require-from-string "^2.0.2" uri-js "^4.4.1" +ajv@^8.17.1: + version "8.17.1" + resolved "https://registry.npmjs.org/ajv/-/ajv-8.17.1.tgz#37d9a5c776af6bc92d7f4f9510eba4c0a60d11a6" + integrity sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g== + dependencies: + fast-deep-equal "^3.1.3" + fast-uri "^3.0.1" + json-schema-traverse "^1.0.0" + require-from-string "^2.0.2" + ansi-align@^3.0.1: version "3.0.1" resolved "https://registry.npmjs.org/ansi-align/-/ansi-align-3.0.1.tgz#0cdf12e111ace773a86e9a1fad1225c43cb19a59" @@ -7236,6 +7279,22 @@ aws-sdk@^2.1231.0, aws-sdk@^2.1653.0, aws-sdk@^2.928.0: uuid "8.0.0" xml2js "0.6.2" +aws-sdk@^2.1674.0: + version "2.1675.0" + resolved "https://registry.npmjs.org/aws-sdk/-/aws-sdk-2.1675.0.tgz#8cde066706a99b3645fa0671e30cbb2bfcefa196" + integrity sha512-gkqNAP0m3gDpnZCKL2OLdwAG+SjYT9MURGfTkixAWHIPDYD4OQf3sCcZNBTTTeOvOXus/tJIpgafKHD9DCIOCQ== + dependencies: + buffer "4.9.2" + events "1.1.1" + ieee754 "1.1.13" + jmespath "0.16.0" + querystring "0.2.0" + sax "1.2.1" + url "0.10.3" + util "^0.12.4" + uuid "8.0.0" + xml2js "0.6.2" + axios@^0.27.2: version "0.27.2" resolved "https://registry.npmjs.org/axios/-/axios-0.27.2.tgz#207658cc8621606e586c85db4b41a750e756d972" @@ -7245,9 +7304,9 @@ axios@^0.27.2: form-data "^4.0.0" axios@^1.6.0, axios@^1.7.2: - version "1.7.2" - resolved "https://registry.npmjs.org/axios/-/axios-1.7.2.tgz#b625db8a7051fbea61c35a3cbb3a1daa7b9c7621" - integrity sha512-2A8QhOMrbomlDuiLeK9XibIBzuHeRcqqNOHp0Cyp5EoJ1IFDh+XZH3A6BkXtv0K4gFGCI0Y4BM7B1wOEi0Rmgw== + version "1.7.4" + resolved "https://registry.npmjs.org/axios/-/axios-1.7.4.tgz#4c8ded1b43683c8dd362973c393f3ede24052aa2" + integrity sha512-DukmaFRnY6AzAALSH4J2M3k6PkaC+MfaAGdEERRWcC9q3/TWQwLpHR8ZRLKTdQ3aBDL64EdluRDjJqKw+BPZEw== dependencies: follow-redirects "^1.15.6" form-data "^4.0.0" @@ -7673,6 +7732,19 @@ case@1.6.3, case@^1.6.3: resolved "https://registry.npmjs.org/case/-/case-1.6.3.tgz#0a4386e3e9825351ca2e6216c60467ff5f1ea1c9" integrity sha512-mzDSXIPaFwVDvZAHqZ9VlbyF4yyXRuX6IvB06WvPYkqJVO24kX1PPhv9bfpKNFZyxYFmmgo03HUiD8iklmJYRQ== +cdk-assets@^2.151.2: + version "2.151.8" + resolved "https://registry.npmjs.org/cdk-assets/-/cdk-assets-2.151.8.tgz#2ee48b6e95aff27fdc02a24e844b4ccc20ea3940" + integrity sha512-YipXIHtofvok9DwnewpwHsh0339QVNe/UZ7bUaGPTIXxOQP+hJxB4q3ooLiUk2cqnXK+IEgBx+GKjGzSwwhhdg== + dependencies: + "@aws-cdk/cloud-assembly-schema" "^36.0.0" + "@aws-cdk/cx-api" "^2.151.0" + archiver "^5.3.2" + aws-sdk "^2.1674.0" + glob "^7.2.3" + mime "^2.6.0" + yargs "^16.2.0" + cdk-from-cfn@^0.162.0: version "0.162.0" resolved "https://registry.npmjs.org/cdk-from-cfn/-/cdk-from-cfn-0.162.0.tgz#7cde2acead7a150884b505caabeab9891708bdd9" @@ -7941,10 +8013,10 @@ co@^4.6.0: resolved "https://registry.npmjs.org/co/-/co-4.6.0.tgz#6ea6bdf3d853ae54ccb8e47bfa0bf3f9031fb184" integrity sha512-QVb0dM5HvG+uaxitm8wONl7jltx8dqhfU33DcqtOZcLSVIKSDDLDi7+0LbAKiyI8hD9u42m2YxXSkMGWThaecQ== -codemaker@^1.101.0: - version "1.101.0" - resolved "https://registry.npmjs.org/codemaker/-/codemaker-1.101.0.tgz#27e5e0311f08061618804e485a015eaa860aa718" - integrity sha512-bAg+N4PA8mniJrCpTYFdaFmJA+3fE1Vjgf4o1EnPc07nw6qRcJsr/D9ZZoutEsvw7UM8OmZp4qZxVzpCqRhhQQ== +codemaker@^1.102.0: + version "1.102.0" + resolved "https://registry.npmjs.org/codemaker/-/codemaker-1.102.0.tgz#336dd6a8f7ffd64e02afcee7830c1f8d768f0efe" + integrity sha512-lxsbbcSMxCdT+9wUv1AvBH9791andoWDcQ6s7ZK6KsMZ+UkRLO3obzhi7Zm+RIA3lHecqzaGmOKyRnu0Dx/Zew== dependencies: camelcase "^6.3.0" decamelize "^5.0.1" @@ -8073,6 +8145,15 @@ commonmark@^0.31.0: minimist "~1.2.5" string.prototype.repeat "^1.0.0" +commonmark@^0.31.1: + version "0.31.1" + resolved "https://registry.npmjs.org/commonmark/-/commonmark-0.31.1.tgz#5c8b1b5eaaca00a0912cad68d1f0f00c836cecd3" + integrity sha512-M6pbc3sRU96iiOK7rmjv/TNrXvTaOscvthUCq7YOrlvZWbqAA36fyEtBvyI3nCcEK4u+JAy9sAdtftIeXwIWig== + dependencies: + entities "~3.0.1" + mdurl "~1.0.1" + minimist "~1.2.5" + compare-func@^2.0.0: version "2.0.0" resolved "https://registry.npmjs.org/compare-func/-/compare-func-2.0.0.tgz#fb65e75edbddfd2e568554e8b5b05fff7a51fcb3" @@ -9636,6 +9717,11 @@ fast-memoize@^2.5.2: resolved "https://registry.npmjs.org/fast-memoize/-/fast-memoize-2.5.2.tgz#79e3bb6a4ec867ea40ba0e7146816f6cdce9b57e" integrity sha512-Ue0LwpDYErFbmNnZSF0UH6eImUwDmogUO1jyE+JbN2gsQz/jICm1Ve7t9QT0rNSsfJt+Hs4/S3GnsDVjL4HVrw== +fast-uri@^3.0.1: + version "3.0.1" + resolved "https://registry.npmjs.org/fast-uri/-/fast-uri-3.0.1.tgz#cddd2eecfc83a71c1be2cc2ef2061331be8a7134" + integrity sha512-MWipKbbYiYI0UC7cl8m/i/IWTqfC8YXsqjzybjddLsFjStroQzsHXkc73JutMvBiXmOvapk+axIl79ig5t55Bw== + fast-xml-parser@4.2.5: version "4.2.5" resolved "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.2.5.tgz#a6747a09296a6cb34f2ae634019bf1738f3b421f" @@ -10541,11 +10627,6 @@ ignore@^5.0.4, ignore@^5.2.0, ignore@^5.2.4, ignore@^5.3.1, ignore@~5.3.1: resolved "https://registry.npmjs.org/ignore/-/ignore-5.3.1.tgz#5073e554cd42c5b33b394375f538b8593e34d4ef" integrity sha512-5Fytz/IraMjqpwfd34ke28PTVMjZjJG2MPn5t7OE4eUCUNf8BAa7b5WUS9/Qvr6mwOQS7Mk6vdsMno5he+T8Xw== -immediate@~3.0.5: - version "3.0.6" - resolved "https://registry.npmjs.org/immediate/-/immediate-3.0.6.tgz#9db1dbd0faf8de6fbe0f5dd5e56bb606280de69b" - integrity sha512-XXOFtyqDjNDAQxVfYxuF7g9Il/IbWmmlQg2MYKOH8ExIT1qg6xc4zyS3HaEEATgs1btfzxq15ciUiY7gjSXRGQ== - import-fresh@^3.0.0, import-fresh@^3.2.1, import-fresh@^3.3.0: version "3.3.0" resolved "https://registry.npmjs.org/import-fresh/-/import-fresh-3.3.0.tgz#37162c25fcb9ebaa2e6e53d5b4d88ce17d9e0c2b" @@ -11608,37 +11689,49 @@ jsesc@^2.5.1: resolved "https://registry.npmjs.org/jsesc/-/jsesc-2.5.2.tgz#80564d2e483dacf6e8ef209650a67df3f0c283a4" integrity sha512-OYu7XEzjkCQ3C5Ps3QIZsQfNpqoJyZZA99wd9aWd05NCtC5pWOkShK2mkL6HXQR6/Cy2lbNdPlZBpuQHXE63gA== -jsii-diff@1.101.0: - version "1.101.0" - resolved "https://registry.npmjs.org/jsii-diff/-/jsii-diff-1.101.0.tgz#d8bf59c522aaf419e9465170db78810a9795f8a9" - integrity sha512-7DvBiLireA91AnWCxt7EcKd04/zp8Rhk8oTYSGtIM57ZNZ+FV7cbrgxmXqja6P1ZXz67N3UAjKC8KdtFXeOqRA== +jsii-diff@1.102.0: + version "1.102.0" + resolved "https://registry.npmjs.org/jsii-diff/-/jsii-diff-1.102.0.tgz#4008ea927f4367eecef813189822df6d6f239109" + integrity sha512-mFXOk5CDlk7ojkomHh2H6ngcknht1/r5Qmeice+B1xlL/fEmySs+g/ILowDED4Yu4P4491kZzh3EDMAaf34NkQ== dependencies: - "@jsii/check-node" "1.101.0" - "@jsii/spec" "^1.101.0" + "@jsii/check-node" "1.102.0" + "@jsii/spec" "^1.102.0" fs-extra "^10.1.0" - jsii-reflect "^1.101.0" + jsii-reflect "^1.102.0" log4js "^6.9.1" yargs "^16.2.0" -jsii-pacmak@1.101.0: - version "1.101.0" - resolved "https://registry.npmjs.org/jsii-pacmak/-/jsii-pacmak-1.101.0.tgz#8ad183be51d5a79e455253b27ae596efcb8a3b35" - integrity sha512-07a04KtOj+Kmx+5XQVD1JG6QOh6JNqFWh4bbzMDKiFx7JoHhQnLq07b/OlUpCuP7J7Q9WaXXYM59EUQpXO07wg== +jsii-pacmak@1.102.0: + version "1.102.0" + resolved "https://registry.npmjs.org/jsii-pacmak/-/jsii-pacmak-1.102.0.tgz#ccf7f98f05c2b1bad34a0b90dbf5c479bd45c1a1" + integrity sha512-3/nqBYNH8n/5IWI0sBFBYl1yATokEDUDQtYFLjzk7oXNWpUJ23/encI78Cs55ZS6UXcfWN3xczGLqCWnsgEpnw== dependencies: - "@jsii/check-node" "1.101.0" - "@jsii/spec" "^1.101.0" + "@jsii/check-node" "1.102.0" + "@jsii/spec" "^1.102.0" clone "^2.1.2" - codemaker "^1.101.0" - commonmark "^0.31.0" + codemaker "^1.102.0" + commonmark "^0.31.1" escape-string-regexp "^4.0.0" fs-extra "^10.1.0" - jsii-reflect "^1.101.0" - semver "^7.6.0" + jsii-reflect "^1.102.0" + semver "^7.6.3" spdx-license-list "^6.9.0" xmlbuilder "^15.1.1" yargs "^16.2.0" -jsii-reflect@1.101.0, jsii-reflect@^1.101.0: +jsii-reflect@1.102.0, jsii-reflect@^1.102.0: + version "1.102.0" + resolved "https://registry.npmjs.org/jsii-reflect/-/jsii-reflect-1.102.0.tgz#4d1d3c9e2f51d157a43297d55dd61487bf61e384" + integrity sha512-Lf2l8z3HSRSyouFGpDddfheP2LznKvFDKVlUWEzO+jDnQFOJOYTv4x617Yy5JIeIa9D8f70drRelOqove6hZtQ== + dependencies: + "@jsii/check-node" "1.102.0" + "@jsii/spec" "^1.102.0" + chalk "^4" + fs-extra "^10.1.0" + oo-ascii-tree "^1.102.0" + yargs "^16.2.0" + +jsii-reflect@^1.101.0: version "1.101.0" resolved "https://registry.npmjs.org/jsii-reflect/-/jsii-reflect-1.101.0.tgz#e96fa687ba9db5c4b70995839aacceea11abc288" integrity sha512-ZCFb+laktj/ekNadUYksf+jLZq4fjoQeNe344GwslJOaemGjgAeqy0atV2H8nvTYU8ubszFApUPpdoRvtxgdPw== @@ -11807,16 +11900,6 @@ jsonschema@^1.4.1: resolved "https://registry.npmjs.org/jsonschema/-/jsonschema-1.4.1.tgz#cc4c3f0077fb4542982973d8a083b6b34f482dab" integrity sha512-S6cATIPVv1z0IlxdN+zUk5EPjkGCdnhN4wVSBlvoUO1tOLJootbo9CquNJmbIh4yikWHiUedhRYrNPn1arpEmQ== -jszip@^3.10.1: - version "3.10.1" - resolved "https://registry.npmjs.org/jszip/-/jszip-3.10.1.tgz#34aee70eb18ea1faec2f589208a157d1feb091c2" - integrity sha512-xXDvecyTpGLrqFrvkrUSoxxfJI5AH7U8zxxtVclpsUtMCq4JQ290LY8AW5c7Ggnr/Y/oK+bQMbqK2qmtk3pN4g== - dependencies: - lie "~3.3.0" - pako "~1.0.2" - readable-stream "~2.3.6" - setimmediate "^1.0.5" - just-diff-apply@^5.2.0: version "5.5.0" resolved "https://registry.npmjs.org/just-diff-apply/-/just-diff-apply-5.5.0.tgz#771c2ca9fa69f3d2b54e7c3f5c1dfcbcc47f9f0f" @@ -12168,13 +12251,6 @@ license-checker@^25.0.1: spdx-satisfies "^4.0.0" treeify "^1.1.0" -lie@~3.3.0: - version "3.3.0" - resolved "https://registry.npmjs.org/lie/-/lie-3.3.0.tgz#dcf82dee545f46074daf200c7c1c5a08e0f40f6a" - integrity sha512-UaiMJzeWRlEujzAuw5LokY1L5ecNQYZKfmyZ9L7wDHb/p5etKaxXhohBcrw0EYby+G/NA52vRSN4N39dxHAIwQ== - dependencies: - immediate "~3.0.5" - line-reader@^0.2.4: version "0.2.4" resolved "https://registry.npmjs.org/line-reader/-/line-reader-0.2.4.tgz#c4392b587dea38580c9678570e6e8e49fce52622" @@ -13647,6 +13723,11 @@ oo-ascii-tree@^1.101.0: resolved "https://registry.npmjs.org/oo-ascii-tree/-/oo-ascii-tree-1.101.0.tgz#bd14acf6a71430c02443f865975ec0c4b4ff03aa" integrity sha512-hNE9Nfvo4HLa9/dAiaiXUm64KHUvgBa7jPftsb8gZdTv1G1wSMMnd9j7SMcRzaMbDEqi+0cfgeBSIcsKy+k0vA== +oo-ascii-tree@^1.102.0: + version "1.102.0" + resolved "https://registry.npmjs.org/oo-ascii-tree/-/oo-ascii-tree-1.102.0.tgz#438e67730bc8503ae28e40a5273075e5f489b875" + integrity sha512-SNcZNfqtov0Af+6hx+qnliUhTOIxPUfboX/zQnc2EdmGHLXKQ3eSPQ40NopCgv4canzl5EvKGlCJaMCvk2viCQ== + open@^7.4.2: version "7.4.2" resolved "https://registry.npmjs.org/open/-/open-7.4.2.tgz#b8147e26dcf3e426316c730089fd71edd29c2321" @@ -13969,11 +14050,6 @@ pacote@^18.0.0, pacote@^18.0.6: ssri "^10.0.0" tar "^6.1.11" -pako@~1.0.2: - version "1.0.11" - resolved "https://registry.npmjs.org/pako/-/pako-1.0.11.tgz#6c9599d340d54dfd3946380252a35705a6b992bf" - integrity sha512-4hLB8Py4zZce5s4yd9XzopqwVv/yGNhV1Bl8NTmCq1763HeK2+EwVTv+leGeL13Dnh2wfbqowVPXCIO0z4taYw== - param-case@^3.0.4: version "3.0.4" resolved "https://registry.npmjs.org/param-case/-/param-case-3.0.4.tgz#7d17fe4aa12bde34d4a77d91acfb6219caad01c5" @@ -14995,11 +15071,16 @@ semver@^6.0.0, semver@^6.1.1, semver@^6.3.0, semver@^6.3.1: resolved "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz#556d2ef8689146e46dcea4bfdd095f3434dffcb4" integrity sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA== -semver@^7.0.0, semver@^7.1.1, semver@^7.2.1, semver@^7.3.2, semver@^7.3.4, semver@^7.3.5, semver@^7.3.7, semver@^7.3.8, semver@^7.5.3, semver@^7.5.4, semver@^7.6.0, semver@^7.6.2: +semver@^7.0.0, semver@^7.1.1, semver@^7.2.1, semver@^7.3.2, semver@^7.3.4, semver@^7.3.5, semver@^7.3.7, semver@^7.3.8, semver@^7.5.3, semver@^7.5.4, semver@^7.6.2: version "7.6.2" resolved "https://registry.npmjs.org/semver/-/semver-7.6.2.tgz#1e3b34759f896e8f14d6134732ce798aeb0c6e13" integrity sha512-FNAIBWCx9qcRhoHcgcJ0gvU7SN1lYU2ZXuSfl04bSC5OpvDHFyJCjdNHomPXxjQlCBU67YW64PzY7/VIEH7F2w== +semver@^7.6.0, semver@^7.6.3: + version "7.6.3" + resolved "https://registry.npmjs.org/semver/-/semver-7.6.3.tgz#980f7b5550bc175fb4dc09403085627f9eb33143" + integrity sha512-oVekP1cKtI+CTDvHWYFUcMtsK/00wmAEfyqKfNdARm8u1wNVhSgaX7A8d4UuIlUI5e84iEwOhs7ZPYRmzU9U6A== + sentence-case@^3.0.4: version "3.0.4" resolved "https://registry.npmjs.org/sentence-case/-/sentence-case-3.0.4.tgz#3645a7b8c117c787fde8702056225bb62a45131f" @@ -15036,11 +15117,6 @@ set-function-name@^2.0.1: functions-have-names "^1.2.3" has-property-descriptors "^1.0.2" -setimmediate@^1.0.5: - version "1.0.5" - resolved "https://registry.npmjs.org/setimmediate/-/setimmediate-1.0.5.tgz#290cbb232e306942d7d7ea9b83732ab7856f8285" - integrity sha512-MATJdZp8sLqDl/68LfQmbP8zKPLQNV6BIZoIgrscFDQ+RsvK/BxeDQOgyxKKoh0y/8h3BqVFnCqQ/gd+reiIXA== - shallow-clone@^3.0.0: version "3.0.1" resolved "https://registry.npmjs.org/shallow-clone/-/shallow-clone-3.0.1.tgz#8f2981ad92531f55035b01fb230769a40e02efa3" @@ -16824,4 +16900,4 @@ zip-stream@^4.1.0: dependencies: archiver-utils "^3.0.4" compress-commons "^4.1.2" - readable-stream "^3.6.0" \ No newline at end of file + readable-stream "^3.6.0"