diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/README.md b/packages/@aws-cdk/aws-imagebuilder-alpha/README.md index 46bb3f2e0198a..53c83084b2a12 100644 --- a/packages/@aws-cdk/aws-imagebuilder-alpha/README.md +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/README.md @@ -36,6 +36,256 @@ EC2 Image Builder supports AWS-managed components for common tasks, AWS Marketpl that you create. Components run during specific workflow phases: build and validate phases during the build stage, and test phase during the test stage. +### Image Pipeline + +An image pipeline provides the automation framework for building secure AMIs and container images. The pipeline orchestrates the entire image creation process by combining an image recipe or container recipe with infrastructure configuration and distribution configuration. Pipelines can run on a schedule or be triggered manually, and they manage the build, test, and distribution phases automatically. + +#### Image Pipeline Basic Usage + +Create a simple AMI pipeline with just an image recipe: + +```ts +const imageRecipe = new imagebuilder.ImageRecipe(this, 'MyImageRecipe', { + baseImage: imagebuilder.BaseImage.fromSsmParameterName( + '/aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-default-x86_64' + ) +}); + +const imagePipeline = new imagebuilder.ImagePipeline(this, 'MyImagePipeline', { + recipe: exampleImageRecipe +}); +``` + +Create a simple container pipeline with just a container recipe: + +```ts +const containerRecipe = new imagebuilder.ContainerRecipe(this, 'MyContainerRecipe', { + baseImage: imagebuilder.BaseContainerImage.fromDockerHub('amazonlinux', 'latest'), + targetRepository: imagebuilder.Repository.fromEcr( + ecr.Repository.fromRepositoryName(this, 'Repository', 'my-container-repo') + ) +}); + +const containerPipeline = new imagebuilder.ImagePipeline(this, 'MyContainerPipeline', { + recipe: exampleContainerRecipe +}); +``` + +#### Image Pipeline Scheduling + +##### Manual Pipeline Execution + +Create a pipeline that runs only when manually triggered: + +```ts +const manualPipeline = new imagebuilder.ImagePipeline(this, 'ManualPipeline', { + imagePipelineName: 'my-manual-pipeline', + description: 'Pipeline triggered manually for production builds', + recipe: exampleImageRecipe + // No schedule property - manual execution only +}); + +// Grant Lambda function permission to trigger the pipeline +manualPipeline.grantStartExecution(role); +``` + +##### Automated Pipeline Scheduling + +Schedule a pipeline to run automatically using cron expressions: + +```ts +const weeklyPipeline = new imagebuilder.ImagePipeline(this, 'WeeklyPipeline', { + imagePipelineName: 'weekly-build-pipeline', + recipe: exampleImageRecipe, + schedule: { + expression: events.Schedule.cron({ + minute: '0', + hour: '6', + weekDay: 'MON' + }) + } +}); +``` + +Use rate expressions for regular intervals: + +```ts +const dailyPipeline = new imagebuilder.ImagePipeline(this, 'DailyPipeline', { + recipe: exampleContainerRecipe, + schedule: { + expression: events.Schedule.rate(Duration.days(1)) + } +}); +``` + +##### Pipeline Schedule Configuration + +Configure advanced scheduling options: + +```ts +const advancedSchedulePipeline = new imagebuilder.ImagePipeline(this, 'AdvancedSchedulePipeline', { + recipe: exampleImageRecipe, + schedule: { + expression: events.Schedule.rate(Duration.days(7)), + // Only trigger when dependencies are updated (new base images, components, etc.) + startCondition: imagebuilder.ScheduleStartCondition.EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE, + // Automatically disable after 3 consecutive failures + autoDisableFailureCount: 3 + }, + // Start enabled + status: imagebuilder.ImagePipelineStatus.ENABLED +}); +``` + +#### Image Pipeline Configuration + +##### Infrastructure and Distribution + +Configure custom infrastructure and distribution settings: + +```ts +const infrastructureConfiguration = new imagebuilder.InfrastructureConfiguration(this, 'Infrastructure', { + infrastructureConfigurationName: 'production-infrastructure', + instanceTypes: [ + ec2.InstanceType.of(ec2.InstanceClass.COMPUTE7_INTEL, ec2.InstanceSize.LARGE) + ], + vpc: vpc, + subnetSelection: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS } +}); + +const distributionConfiguration = new imagebuilder.DistributionConfiguration(this, 'Distribution'); +distributionConfiguration.addAmiDistributions({ + amiName: 'production-ami-{{ imagebuilder:buildDate }}', + amiTargetAccountIds: ['123456789012', '098765432109'] +}); + +const productionPipeline = new imagebuilder.ImagePipeline(this, 'ProductionPipeline', { + recipe: exampleImageRecipe, + infrastructureConfiguration: infrastructureConfiguration, + distributionConfiguration: distributionConfiguration +}); +``` + +##### Pipeline Logging Configuration + +Configure custom CloudWatch log groups for pipeline and image logs: + +```ts +const pipelineLogGroup = new logs.LogGroup(this, 'PipelineLogGroup', { + logGroupName: '/custom/imagebuilder/pipeline/logs', + retention: logs.RetentionDays.ONE_MONTH +}); + +const imageLogGroup = new logs.LogGroup(this, 'ImageLogGroup', { + logGroupName: '/custom/imagebuilder/image/logs', + retention: logs.RetentionDays.ONE_WEEK +}); + +const loggedPipeline = new imagebuilder.ImagePipeline(this, 'LoggedPipeline', { + recipe: exampleImageRecipe, + imagePipelineLogGroup: pipelineLogGroup, + imageLogGroup: imageLogGroup +}); +``` + +##### Workflow Integration + +Use AWS-managed workflows for common pipeline phases: + +```ts +const workflowPipeline = new imagebuilder.ImagePipeline(this, 'WorkflowPipeline', { + recipe: exampleImageRecipe, + workflows: [ + { workflow: imagebuilder.AwsManagedWorkflow.buildImage(this, 'BuildWorkflow') }, + { workflow: imagebuilder.AwsManagedWorkflow.testImage(this, 'TestWorkflow') } + ] +}); +``` + +For container pipelines, use container-specific workflows: + +```ts +const containerWorkflowPipeline = new imagebuilder.ImagePipeline(this, 'ContainerWorkflowPipeline', { + recipe: exampleContainerRecipe, + workflows: [ + { workflow: imagebuilder.AwsManagedWorkflow.buildContainer(this, 'BuildContainer') }, + { workflow: imagebuilder.AwsManagedWorkflow.testContainer(this, 'TestContainer') }, + { workflow: imagebuilder.AwsManagedWorkflow.distributeContainer(this, 'DistributeContainer') } + ] +}); +``` + +##### Advanced Features + +Configure image scanning for container pipelines: + +```ts +const scanningRepository = new ecr.Repository(this, 'ScanningRepo'); + +const scannedContainerPipeline = new imagebuilder.ImagePipeline(this, 'ScannedContainerPipeline', { + recipe: exampleContainerRecipe, + imageScanningEnabled: true, + imageScanningEcrRepository: scanningRepository, + imageScanningEcrTags: ['security-scan', 'latest'] +}); +``` + +Control metadata collection and testing: + +```ts +const controlledPipeline = new imagebuilder.ImagePipeline(this, 'ControlledPipeline', { + recipe: exampleImageRecipe, + enhancedImageMetadataEnabled: true, // Collect detailed OS and package info + imageTestsEnabled: false // Skip testing phase for faster builds +}); +``` + +#### Image Pipeline Events + +##### Pipeline Event Handling + +Handle specific pipeline events: + +```ts +// Monitor CVE detection +examplePipeline.onCVEDetected('CVEAlert', { + target: new targets.SnsTopic(topic) +}); + +// Handle pipeline auto-disable events +examplePipeline.onImagePipelineAutoDisabled('PipelineDisabledAlert', { + target: new targets.LambdaFunction(lambdaFunction) +}); +``` + +#### Importing Image Pipelines + +Reference existing pipelines created outside CDK: + +```ts +// Import by name +const existingPipelineByName = imagebuilder.ImagePipeline.fromImagePipelineName( + this, + 'ExistingPipelineByName', + 'my-existing-pipeline' +); + +// Import by ARN +const existingPipelineByArn = imagebuilder.ImagePipeline.fromImagePipelineArn( + this, + 'ExistingPipelineByArn', + 'arn:aws:imagebuilder:us-east-1:123456789012:image-pipeline/imported-pipeline' +); + +// Grant permissions to imported pipelines +const automationRole = new iam.Role(this, 'AutomationRole', { + assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com') +}); + +existingPipelineByName.grantStartExecution(automationRole); +existingPipelineByArn.grantRead(role); +``` + ### Image Recipe #### Image Recipe Basic Usage diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/lib/image-pipeline.ts b/packages/@aws-cdk/aws-imagebuilder-alpha/lib/image-pipeline.ts new file mode 100644 index 0000000000000..6d47d4b0484f6 --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/lib/image-pipeline.ts @@ -0,0 +1,778 @@ +import * as cdk from 'aws-cdk-lib'; +import * as ecr from 'aws-cdk-lib/aws-ecr'; +import * as events from 'aws-cdk-lib/aws-events'; +import * as iam from 'aws-cdk-lib/aws-iam'; +import { CfnImagePipeline } from 'aws-cdk-lib/aws-imagebuilder'; +import * as logs from 'aws-cdk-lib/aws-logs'; +import { propertyInjectable } from 'aws-cdk-lib/core/lib/prop-injectable'; +import { Construct } from 'constructs'; +import { IDistributionConfiguration } from './distribution-configuration'; +import { IInfrastructureConfiguration, InfrastructureConfiguration } from './infrastructure-configuration'; +import { + buildImageScanningConfiguration, + buildImageTestsConfiguration, + buildWorkflows, +} from './private/image-and-pipeline-props-helper'; +import { defaultExecutionRolePolicy, getExecutionRole } from './private/policy-helper'; +import { IRecipeBase } from './recipe-base'; +import { WorkflowConfiguration } from './workflow'; + +const IMAGE_PIPELINE_SYMBOL = Symbol.for('@aws-cdk/aws-imagebuilder-alpha.ImagePipeline'); + +/** + * An EC2 Image Builder Image Pipeline. + */ +export interface IImagePipeline extends cdk.IResource { + /** + * The ARN of the image pipeline + * + * @attribute + */ + readonly imagePipelineArn: string; + + /** + * The name of the image pipeline + * + * @attribute + */ + readonly imagePipelineName: string; + + /** + * Grant custom actions to the given grantee for the image pipeline + * + * @param grantee The principal + * @param actions The list of actions + */ + grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant; + + /** + * Grants the default permissions for building an image to the provided execution role. + * + * @param grantee The execution role used for the image build. + */ + grantDefaultExecutionRolePermissions(grantee: iam.IGrantable): iam.Grant[]; + + /** + * Grant read permissions to the given grantee for the image pipeline + * + * @param grantee The principal + */ + grantRead(grantee: iam.IGrantable): iam.Grant; + + /** + * Grant permissions to the given grantee to start an execution of the image pipeline + * + * @param grantee The principal + */ + grantStartExecution(grantee: iam.IGrantable): iam.Grant; + + /** + * Creates an EventBridge rule for Image Builder events. + * + * @param id Unique identifier for the rule + * @param options Configuration options for the event rule + * + * @see https://docs.aws.amazon.com/imagebuilder/latest/userguide/integ-eventbridge.html + */ + onEvent(id: string, options?: events.OnEventOptions): events.Rule; + + /** + * Creates an EventBridge rule for Image Builder CVE detected events. + * + * @param id Unique identifier for the rule + * @param options Configuration options for the event rule + * + * @see https://docs.aws.amazon.com/imagebuilder/latest/userguide/integ-eventbridge.html + */ + onCVEDetected(id: string, options?: events.OnEventOptions): events.Rule; + + /** + * Creates an EventBridge rule for Image Builder image state change events. + * + * @param id Unique identifier for the rule + * @param options Configuration options for the event rule + * + * @see https://docs.aws.amazon.com/imagebuilder/latest/userguide/integ-eventbridge.html + */ + onImageBuildStateChange(id: string, options?: events.OnEventOptions): events.Rule; + + /** + * Creates an EventBridge rule for Image Builder image build completion events. + * + * @param id Unique identifier for the rule + * @param options Configuration options for the event rule + * + * @see https://docs.aws.amazon.com/imagebuilder/latest/userguide/integ-eventbridge.html + */ + onImageBuildCompleted(id: string, options?: events.OnEventOptions): events.Rule; + + /** + * Creates an EventBridge rule for Image Builder image build failure events. + * + * @param id Unique identifier for the rule + * @param options Configuration options for the event rule + * + * @see https://docs.aws.amazon.com/imagebuilder/latest/userguide/integ-eventbridge.html + */ + onImageBuildFailed(id: string, options?: events.OnEventOptions): events.Rule; + + /** + * Creates an EventBridge rule for Image Builder image success events. + * + * @param id Unique identifier for the rule + * @param options Configuration options for the event rule + * + * @see https://docs.aws.amazon.com/imagebuilder/latest/userguide/integ-eventbridge.html + */ + onImageBuildSucceeded(id: string, options?: events.OnEventOptions): events.Rule; + + /** + * Creates an EventBridge rule for Image Builder image pipeline automatically disabled events. + * + * @param id Unique identifier for the rule + * @param options Configuration options for the event rule + * + * @see https://docs.aws.amazon.com/imagebuilder/latest/userguide/integ-eventbridge.html + */ + onImagePipelineAutoDisabled(id: string, options?: events.OnEventOptions): events.Rule; + + /** + * Creates an EventBridge rule for Image Builder wait for action events + * + * @param id Unique identifier for the rule + * @param options Configuration options for the event rule + * + * @see https://docs.aws.amazon.com/imagebuilder/latest/userguide/integ-eventbridge.html + */ + onWaitForAction(id: string, options?: events.OnEventOptions): events.Rule; +} + +/** + * Properties for creating an Image Pipeline resource + */ +export interface ImagePipelineProps { + /** + * The recipe that defines the base image, components, and customizations used to build the image. This can either be + * an image recipe, or a container recipe. + */ + readonly recipe: IRecipeBase; + + /** + * The name of the image pipeline. + * + * @default - a name is generated + */ + readonly imagePipelineName?: string; + + /** + * The description of the image pipeline. + * + * @default None + */ + readonly description?: string; + + /** + * The schedule of the image pipeline. This configures how often and when a pipeline automatically creates a new + * image. + * + * @default - none, a manual image pipeline will be created + */ + readonly schedule?: ImagePipelineSchedule; + + /** + * Indicates whether the pipeline is enabled to be triggered by the provided schedule + * + * @default ImagePipelineStatus.ENABLED + */ + readonly status?: ImagePipelineStatus; + + /** + * The infrastructure configuration used for building the image. + * + * A default infrastructure configuration will be used if one is not provided. + * + * The default configuration will create an instance profile and role with minimal permissions needed to build the + * image, attached to the EC2 instance. + * + * @default - an infrastructure configuration will be created with the default settings + */ + readonly infrastructureConfiguration?: IInfrastructureConfiguration; + + /** + * The distribution configuration used for distributing the image. + * + * @default None + */ + readonly distributionConfiguration?: IDistributionConfiguration; + + /** + * The list of workflow configurations used to build the image. + * + * @default - Image Builder will use a default set of workflows for the build to build, test, and distribute the image + */ + readonly workflows?: WorkflowConfiguration[]; + + /** + * The execution role used to perform workflow actions to build this image. + * + * By default, the Image Builder Service Linked Role (SLR) will be created automatically and used as the execution + * role. However, when providing a custom set of image workflows for the pipeline, an execution role will be + * generated with the minimal permissions needed to execute the workflows. + * + * @default - Image Builder will use the SLR if possible. Otherwise, an execution role will be generated + */ + readonly executionRole?: iam.IRole; + + /** + * The log group to use for the image pipeline. By default, a log group will be created with the format + * `/aws/imagebuilder/pipeline/` + * + * @default - a log group will be created + */ + readonly imagePipelineLogGroup?: logs.ILogGroup; + + /** + * The log group to use for images created from the image pipeline. By default, a log group will be created with the + * format `/aws/imagebuilder/`. + * + * @default - a log group will be created + */ + readonly imageLogGroup?: logs.ILogGroup; + + /** + * Indicates whether Image Builder keeps a snapshot of the vulnerability scans that Amazon Inspector runs against the + * build instance when you create a new image. + * + * @default false + */ + readonly imageScanningEnabled?: boolean; + + /** + * The container repository that Amazon Inspector scans to identify findings for your container images. If a + * repository is not provided, Image Builder creates a repository named `image-builder-image-scanning-repository` + * for vulnerability scanning. + * + * @default - if scanning is enabled, a repository will be created by Image Builder if one is not provided + */ + readonly imageScanningEcrRepository?: ecr.IRepository; + + /** + * The tags for Image Builder to apply to the output container image that Amazon Inspector scans. + * + * @default None + */ + readonly imageScanningEcrTags?: string[]; + + /** + * If enabled, collects additional information about the image being created, including the operating system (OS) + * version and package list for the AMI. + * + * @default true + */ + readonly enhancedImageMetadataEnabled?: boolean; + + /** + * Whether to run tests after building an image. + * + * @default true + */ + readonly imageTestsEnabled?: boolean; + + /** + * The tags to apply to the image pipeline + * + * @default None + */ + readonly tags?: { [key: string]: string }; +} + +/** + * The schedule settings for the image pipeline, which defines when a pipeline should be triggered + */ +export interface ImagePipelineSchedule { + /** + * The schedule expression to use. This can either be a cron expression or a rate expression. + */ + readonly expression: events.Schedule; + + /** + * The number of consecutive failures allowed before the pipeline is automatically disabled. This value must be + * between 1 and 10. + * + * @default - no auto-disable policy is configured and the pipeline is not automatically disabled on consecutive + * failures + */ + readonly autoDisableFailureCount?: number; + + /** + * The start condition for the pipeline, indicating the condition under which a pipeline should be triggered. + * + * @default ScheduleStartCondition.EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE + */ + readonly startCondition?: ScheduleStartCondition; +} + +/** + * The start condition for the pipeline, indicating the condition under which a pipeline should be triggered. + */ +export enum ScheduleStartCondition { + /** + * Indicates to trigger a pipeline whenever its schedule is met + */ + EXPRESSION_MATCH_ONLY = 'EXPRESSION_MATCH_ONLY', + + /** + * Indicates to trigger a pipeline whenever its schedule is met, and there are matching dependency updates available, + * such as new versions of components or images to use in the pipeline build. + */ + EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE = 'EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE', +} + +/** + * Indicates whether the pipeline is enabled to be triggered by the provided schedule + */ +export enum ImagePipelineStatus { + /** + * Indicates that the pipeline is enabled for scheduling + */ + ENABLED = 'ENABLED', + + /** + * Indicates that the pipeline is disabled and will not be triggered on the schedule + */ + DISABLED = 'DISABLED', +} + +/** + * A new or imported Image Pipeline + */ +abstract class ImagePipelineBase extends cdk.Resource implements IImagePipeline { + /** + * The ARN of the image pipeline + */ + abstract readonly imagePipelineArn: string; + + /** + * The name of the image pipeline + */ + abstract readonly imagePipelineName: string; + + /** + * Grant custom actions to the given grantee for the image pipeline + * + * @param grantee The principal + * @param actions The list of actions + */ + public grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant { + return iam.Grant.addToPrincipal({ + grantee: grantee, + resourceArns: [this.imagePipelineArn], + actions: actions, + scope: this, + }); + } + + /** + * Grants the default permissions for building an image to the provided execution role. + * + * @param grantee The execution role used for the image build. + */ + public grantDefaultExecutionRolePermissions(grantee: iam.IGrantable): iam.Grant[] { + const policies = defaultExecutionRolePolicy(this); + return policies.map((policy) => + iam.Grant.addToPrincipal({ + grantee: grantee, + resourceArns: policy.resources, + actions: policy.actions, + conditions: policy.conditions, + scope: this, + }), + ); + } + + /** + * Grant read permissions to the given grantee for the image pipeline + * + * @param grantee The principal + */ + public grantRead(grantee: iam.IGrantable): iam.Grant { + return this.grant(grantee, 'imagebuilder:GetImagePipeline'); + } + + /** + * Grant permissions to the given grantee to start an execution of the image pipeline + * + * @param grantee The principal + */ + public grantStartExecution(grantee: iam.IGrantable): iam.Grant { + return this.grant(grantee, 'imagebuilder:StartImagePipelineExecution'); + } + + /** + * Creates an EventBridge rule for Image Builder events. + * + * @param id Unique identifier for the rule + * @param options Configuration options for the event rule + * + * @see https://docs.aws.amazon.com/imagebuilder/latest/userguide/integ-eventbridge.html + */ + public onEvent(id: string, options: events.OnEventOptions = {}): events.Rule { + const rule = new events.Rule(this, id, options); + rule.addTarget(options.target); + rule.addEventPattern({ + source: ['aws.imagebuilder'], + ...(options.eventPattern?.resources?.length && { resources: options.eventPattern.resources }), + ...(options.eventPattern?.detailType?.length && { detailType: options.eventPattern.detailType }), + ...(options.eventPattern?.detail !== undefined && { detail: options.eventPattern.detail }), + }); + return rule; + } + + /** + * Creates an EventBridge rule for Image Builder CVE detected events. + * + * @param id Unique identifier for the rule + * @param options Configuration options for the event rule + * + * @see https://docs.aws.amazon.com/imagebuilder/latest/userguide/integ-eventbridge.html + */ + public onCVEDetected(id: string, options: events.OnEventOptions = {}): events.Rule { + return this.onEvent(id, { + ...options, + eventPattern: { + ...options.eventPattern, + detailType: ['EC2 Image Builder CVE Detected'], + resources: [this.imagePipelineArn], + }, + }); + } + + /** + * Creates an EventBridge rule for Image Builder image state change events. + * + * @param id Unique identifier for the rule + * @param options Configuration options for the event rule + * + * @see https://docs.aws.amazon.com/imagebuilder/latest/userguide/integ-eventbridge.html + */ + public onImageBuildStateChange(id: string, options: events.OnEventOptions = {}): events.Rule { + return this.onEvent(id, { + ...options, + eventPattern: { ...options.eventPattern, detailType: ['EC2 Image Builder Image State Change'] }, + }); + } + + /** + * Creates an EventBridge rule for Image Builder image build completion events. + * + * @param id Unique identifier for the rule + * @param options Configuration options for the event rule + * + * @see https://docs.aws.amazon.com/imagebuilder/latest/userguide/integ-eventbridge.html + */ + public onImageBuildCompleted(id: string, options: events.OnEventOptions = {}): events.Rule { + return this.onImageBuildStateChange(id, { + ...options, + eventPattern: { + ...options.eventPattern, + detail: { ...options.eventPattern?.detail, state: { status: ['AVAILABLE', 'CANCELLED', 'FAILED'] } }, + }, + }); + } + + /** + * Creates an EventBridge rule for Image Builder image build failure events. + * + * @param id Unique identifier for the rule + * @param options Configuration options for the event rule + * + * @see https://docs.aws.amazon.com/imagebuilder/latest/userguide/integ-eventbridge.html + */ + public onImageBuildFailed(id: string, options: events.OnEventOptions = {}): events.Rule { + return this.onImageBuildStateChange(id, { + ...options, + eventPattern: { + ...options.eventPattern, + detail: { ...options.eventPattern?.detail, state: { status: ['FAILED'] } }, + }, + }); + } + + /** + * Creates an EventBridge rule for Image Builder image success events. + * + * @param id Unique identifier for the rule + * @param options Configuration options for the event rule + * + * @see https://docs.aws.amazon.com/imagebuilder/latest/userguide/integ-eventbridge.html + */ + public onImageBuildSucceeded(id: string, options: events.OnEventOptions = {}): events.Rule { + return this.onImageBuildStateChange(id, { + ...options, + eventPattern: { + ...options.eventPattern, + detail: { ...options.eventPattern?.detail, state: { status: ['AVAILABLE'] } }, + }, + }); + } + + /** + * Creates an EventBridge rule for Image Builder image pipeline automatically disabled events. + * + * @param id Unique identifier for the rule + * @param options Configuration options for the event rule + * + * @see https://docs.aws.amazon.com/imagebuilder/latest/userguide/integ-eventbridge.html + */ + public onImagePipelineAutoDisabled(id: string, options: events.OnEventOptions = {}): events.Rule { + return this.onEvent(id, { + ...options, + eventPattern: { + detailType: ['EC2 Image Builder Image Pipeline Automatically Disabled'], + resources: [this.imagePipelineArn], + }, + }); + } + + /** + * Creates an EventBridge rule for Image Builder wait for action events + * + * @param id Unique identifier for the rule + * @param options Configuration options for the event rule + * + * @see https://docs.aws.amazon.com/imagebuilder/latest/userguide/integ-eventbridge.html + */ + public onWaitForAction(id: string, options: events.OnEventOptions = {}): events.Rule { + return this.onEvent(id, { + ...options, + eventPattern: { ...options.eventPattern, detailType: ['EC2 Image Builder Workflow Step Waiting'] }, + }); + } +} + +/** + * Represents an EC2 Image Builder Image Pipeline. + * + * @see https://docs.aws.amazon.com/imagebuilder/latest/userguide/manage-pipelines.html + */ +@propertyInjectable +export class ImagePipeline extends ImagePipelineBase { + /** Uniquely identifies this class. */ + public static readonly PROPERTY_INJECTION_ID: string = '@aws-cdk.aws-imagebuilder-alpha.ImagePipeline'; + + /** + * Import an existing image pipeline given its ARN. + */ + public static fromImagePipelineArn(scope: Construct, id: string, imagePipelineArn: string): IImagePipeline { + const imagePipelineName = cdk.Stack.of(scope).splitArn( + imagePipelineArn, + cdk.ArnFormat.SLASH_RESOURCE_NAME, + ).resourceName!; + + class Import extends ImagePipelineBase { + public readonly imagePipelineArn = imagePipelineArn; + public readonly imagePipelineName = imagePipelineName; + } + + return new Import(scope, id); + } + + /** + * Import an existing image pipeline given its name. The provided name must be normalized by converting all + * alphabetical characters to lowercase, and replacing all spaces and underscores with hyphens. + */ + public static fromImagePipelineName(scope: Construct, id: string, imagePipelineName: string): IImagePipeline { + return this.fromImagePipelineArn( + scope, + id, + cdk.Stack.of(scope).formatArn({ + service: 'imagebuilder', + resource: 'image-pipeline', + resourceName: imagePipelineName, + }), + ); + } + + /** + * Return whether the given object is an ImagePipeline. + */ + public static isImagePipeline(x: any): x is ImagePipeline { + return x !== null && typeof x === 'object' && IMAGE_PIPELINE_SYMBOL in x; + } + + /** + * The ARN of the image pipeline + */ + public readonly imagePipelineArn: string; + + /** + * The name of the image pipeline + */ + public readonly imagePipelineName: string; + + /** + * The infrastructure configuration used for the image build + */ + readonly infrastructureConfiguration: IInfrastructureConfiguration; + + /** + * The execution role used for the image build. If there is no execution role, then the build will be executed with + * the AWSServiceRoleForImageBuilder service-linked role. + */ + public readonly executionRole?: iam.IRole; + + private readonly props: ImagePipelineProps; + + public constructor(scope: Construct, id: string, props: ImagePipelineProps) { + super(scope, id, { + physicalName: + props.imagePipelineName ?? + cdk.Lazy.string({ + produce: () => + cdk.Names.uniqueResourceName(this, { + maxLength: 128, + separator: '-', + allowedSpecialCharacters: '-', + }).toLowerCase(), // Enforce lowercase for the auto-generated fallback + }), + }); + + Object.defineProperty(this, IMAGE_PIPELINE_SYMBOL, { value: true }); + + this.validateImagePipelineName(); + + this.props = props; + this.infrastructureConfiguration = + props.infrastructureConfiguration ?? new InfrastructureConfiguration(this, 'InfrastructureConfiguration'); + this.executionRole = getExecutionRole( + this, + (grantee: iam.IGrantable) => this.grantDefaultExecutionRolePermissions(grantee), + props, + ); + + if (InfrastructureConfiguration.isInfrastructureConfiguration(this.infrastructureConfiguration)) { + this.infrastructureConfiguration._bind({ isContainerBuild: props.recipe._isContainerRecipe() }); + } + + if (props.recipe._isImageRecipe() && props.recipe._isContainerRecipe()) { + throw new cdk.ValidationError('the recipe cannot be both an IImageRecipe and an IContainerRecipe', this); + } + + if (!props.recipe._isImageRecipe() && !props.recipe._isContainerRecipe()) { + throw new cdk.ValidationError('the recipe must either be an IImageRecipe or IContainerRecipe', this); + } + + const imagePipeline = new CfnImagePipeline(this, 'Resource', { + name: this.physicalName, + description: props.description, + ...(props.recipe._isImageRecipe() && { imageRecipeArn: props.recipe.imageRecipeArn }), + ...(props.recipe._isContainerRecipe() && { containerRecipeArn: props.recipe.containerRecipeArn }), + ...(props.status !== undefined && { status: props.status }), + infrastructureConfigurationArn: this.infrastructureConfiguration.infrastructureConfigurationArn, + distributionConfigurationArn: props.distributionConfiguration?.distributionConfigurationArn, + enhancedImageMetadataEnabled: props.enhancedImageMetadataEnabled, + executionRole: this.executionRole?.roleArn, + schedule: this.buildSchedule(props), + loggingConfiguration: this.buildLoggingConfiguration(props), + imageTestsConfiguration: buildImageTestsConfiguration< + ImagePipelineProps, + CfnImagePipeline.ImageTestsConfigurationProperty + >(props), + imageScanningConfiguration: buildImageScanningConfiguration< + ImagePipelineProps, + CfnImagePipeline.ImageScanningConfigurationProperty + >(this, props), + workflows: buildWorkflows(props), + tags: props.tags, + }); + + this.imagePipelineName = this.getResourceNameAttribute(imagePipeline.attrName); + this.imagePipelineArn = this.getResourceArnAttribute(imagePipeline.attrArn, { + service: 'imagebuilder', + resource: 'image-pipeline', + resourceName: this.physicalName, + }); + } + + /** + * Grants the default permissions for building an image to the provided execution role. + * + * @param grantee The execution role used for the image build. + */ + public grantDefaultExecutionRolePermissions(grantee: iam.IGrantable): iam.Grant[] { + const policies = defaultExecutionRolePolicy(this, this.props); + return policies.map((policy) => + iam.Grant.addToPrincipal({ + grantee: grantee, + resourceArns: policy.resources, + actions: policy.actions, + conditions: policy.conditions, + scope: this, + }), + ); + } + + private validateImagePipelineName() { + if (cdk.Token.isUnresolved(this.physicalName)) { + return; // Cannot validate unresolved tokens, given their actual value is rendered at deployment time + } + + if (this.physicalName.length > 128) { + throw new cdk.ValidationError('The imagePipelineName cannot be longer than 128 characters', this); + } + + if (this.physicalName.includes(' ')) { + throw new cdk.ValidationError('The imagePipelineName cannot contain spaces', this); + } + + if (this.physicalName.includes('_')) { + throw new cdk.ValidationError('The imagePipelineName cannot contain underscores', this); + } + + if (this.physicalName !== this.physicalName.toLowerCase()) { + throw new cdk.ValidationError('The imagePipelineName must be lowercase', this); + } + } + + private buildSchedule(props: ImagePipelineProps): CfnImagePipeline.ScheduleProperty | undefined { + const schedule = props.schedule; + if (!schedule) { + return undefined; + } + + if (schedule.autoDisableFailureCount !== undefined && !cdk.Token.isUnresolved(schedule.autoDisableFailureCount)) { + if (schedule.autoDisableFailureCount < 1 || schedule.autoDisableFailureCount > 10) { + throw new cdk.ValidationError('the autoDisableFailureCount must be between 1 and 10', this); + } + } + + return { + scheduleExpression: schedule.expression.expressionString, + ...(schedule.autoDisableFailureCount !== undefined && { + autoDisablePolicy: { + failureCount: schedule.autoDisableFailureCount, + }, + }), + ...(schedule.startCondition !== undefined && { + pipelineExecutionStartCondition: schedule.startCondition, + }), + }; + } + + /** + * Generates the loggingConfiguration property into the `LoggingConfiguration` type in the CloudFormation L1 + * definition. + * + * @param props Props input for the construct + */ + private buildLoggingConfiguration = ( + props: ImagePipelineProps, + ): CfnImagePipeline.PipelineLoggingConfigurationProperty | undefined => { + const loggingConfiguration = { + ...(props.imageLogGroup && { imageLogGroupName: props.imageLogGroup.logGroupName }), + ...(props.imagePipelineLogGroup && { pipelineLogGroupName: props.imagePipelineLogGroup.logGroupName }), + }; + + return Object.keys(loggingConfiguration).length ? loggingConfiguration : undefined; + }; +} diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/lib/index.ts b/packages/@aws-cdk/aws-imagebuilder-alpha/lib/index.ts index 14d2f886b7607..2e7bdfdcad8d6 100644 --- a/packages/@aws-cdk/aws-imagebuilder-alpha/lib/index.ts +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/lib/index.ts @@ -3,6 +3,7 @@ export * from './component'; export * from './container-recipe'; export * from './distribution-configuration'; +export * from './image-pipeline'; export * from './image-recipe'; export * from './infrastructure-configuration'; export * from './workflow'; diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/lib/infrastructure-configuration.ts b/packages/@aws-cdk/aws-imagebuilder-alpha/lib/infrastructure-configuration.ts index 4be0a9c2454d0..2a4438f376520 100644 --- a/packages/@aws-cdk/aws-imagebuilder-alpha/lib/infrastructure-configuration.ts +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/lib/infrastructure-configuration.ts @@ -145,7 +145,7 @@ export interface InfrastructureConfigurationProps { * Note: You can provide an instanceProfile or a role, but not both. * * @example - * const role = new iam.Role(this, 'MyRole', { + * const instanceProfileRole = new iam.Role(this, 'MyRole', { * assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com') * }); * diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/lib/private/image-and-pipeline-props-helper.ts b/packages/@aws-cdk/aws-imagebuilder-alpha/lib/private/image-and-pipeline-props-helper.ts new file mode 100644 index 0000000000000..e5d9dbabb62f7 --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/lib/private/image-and-pipeline-props-helper.ts @@ -0,0 +1,88 @@ +import * as cdk from 'aws-cdk-lib'; +import { CfnImage, CfnImagePipeline } from 'aws-cdk-lib/aws-imagebuilder'; +import { Construct } from 'constructs'; +import { ImagePipelineProps } from '../image-pipeline'; + +/** + * Generates the image tests configuration property into the `ImageTestsConfiguration` type in the CloudFormation L1 + * definition. + * + * @param props Props input for the construct + */ +export const buildImageTestsConfiguration = < + PropsT extends ImagePipelineProps, + OutputT extends CfnImagePipeline.ImageTestsConfigurationProperty | CfnImage.ImageTestsConfigurationProperty, +>( + props: PropsT, +): OutputT | undefined => { + if (props.imageTestsEnabled === undefined) { + return undefined; + } + + return { imageTestsEnabled: props.imageTestsEnabled } as OutputT; +}; + +/** + * Generates the image scanning configuration property into the `ImageScanningConfiguration` type in the CloudFormation + * L1 definition. + * + * @param scope The construct scope + * @param props Props input for the construct + */ +export const buildImageScanningConfiguration = < + PropsT extends ImagePipelineProps, + OutputT extends CfnImagePipeline.ImageScanningConfigurationProperty | CfnImage.ImageScanningConfigurationProperty, +>( + scope: Construct, + props: PropsT, +): OutputT | undefined => { + if (!props.recipe._isContainerRecipe() && props.imageScanningEcrRepository !== undefined) { + throw new cdk.ValidationError('imageScanningEcrRepository is only supported for container recipe builds', scope); + } + + if (!props.recipe._isContainerRecipe() && props.imageScanningEcrTags !== undefined) { + throw new cdk.ValidationError('imageScanningEcrTags is only supported for container recipe builds', scope); + } + + const ecrConfiguration: CfnImagePipeline.EcrConfigurationProperty = { + ...(props.imageScanningEcrRepository !== undefined && { + repositoryName: props.imageScanningEcrRepository.repositoryName, + }), + ...((props.imageScanningEcrTags ?? []).length && { containerTags: props.imageScanningEcrTags }), + }; + + const imageScanningConfiguration = { + ...(props.imageScanningEnabled !== undefined && { imageScanningEnabled: props.imageScanningEnabled }), + ...(Object.keys(ecrConfiguration).length && { ecrConfiguration }), + }; + + return Object.keys(imageScanningConfiguration).length ? (imageScanningConfiguration as OutputT) : undefined; +}; + +/** + * Generates the workflows property into the `WorkflowConfiguration` type in the CloudFormation L1 + * definition. + * + * @param props Props input for the construct + */ +export const buildWorkflows = < + PropsT extends ImagePipelineProps, + OutputT extends CfnImagePipeline.WorkflowConfigurationProperty[] | CfnImage.WorkflowConfigurationProperty[], +>( + props: PropsT, +): OutputT | undefined => { + const cfnWorkflows = props.workflows?.map((workflow) => { + const parameters = Object.entries(workflow.parameters ?? {}).map(([name, value]) => ({ + name, + value: value.value, + })); + return { + workflowArn: workflow.workflow.workflowArn, + onFailure: workflow.onFailure, + parallelGroup: workflow.parallelGroup, + ...(parameters.length && { parameters }), + }; + }); + + return cfnWorkflows?.length ? (cfnWorkflows as OutputT) : undefined; +}; diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/lib/private/policy-helper.ts b/packages/@aws-cdk/aws-imagebuilder-alpha/lib/private/policy-helper.ts new file mode 100644 index 0000000000000..6e0770509683e --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/lib/private/policy-helper.ts @@ -0,0 +1,477 @@ +import * as cdk from 'aws-cdk-lib'; +import * as iam from 'aws-cdk-lib/aws-iam'; +import * as logs from 'aws-cdk-lib/aws-logs'; +import { Construct } from 'constructs'; +import { ImagePipelineProps } from '../image-pipeline'; +import { WorkflowConfiguration } from '../workflow'; + +/** + * Returns the default execution role policy, for auto-generated execution roles. + * + * @param scope The construct scope + * @param props Props input for the construct + * + * @see https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSServiceRoleForImageBuilder.html + */ +export const defaultExecutionRolePolicy = ( + scope: Construct, + props?: PropsT, +): iam.PolicyStatement[] => { + const stack = cdk.Stack.of(scope); + const partition = stack.partition; + const region = stack.region; + const account = stack.account; + + // Permissions are identical to https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSServiceRoleForImageBuilder.html + // SLR policies cannot be attached to roles, and no managed policy exists for these permissions yet + const policies = [ + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['ec2:RegisterImage'], + resources: [`arn:${partition}:ec2:*::image/*`], + conditions: { + StringEquals: { + 'aws:RequestTag/CreatedBy': 'EC2 Image Builder', + }, + }, + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['ec2:RegisterImage'], + resources: [`arn:${partition}:ec2:*::snapshot/*`], + conditions: { + StringEquals: { + 'ec2:ResourceTag/CreatedBy': 'EC2 Image Builder', + }, + }, + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['ec2:RunInstances'], + resources: [ + `arn:${partition}:ec2:*::image/*`, + `arn:${partition}:ec2:*::snapshot/*`, + `arn:${partition}:ec2:*:*:subnet/*`, + `arn:${partition}:ec2:*:*:network-interface/*`, + `arn:${partition}:ec2:*:*:security-group/*`, + `arn:${partition}:ec2:*:*:key-pair/*`, + `arn:${partition}:ec2:*:*:launch-template/*`, + `arn:${partition}:license-manager:*:*:license-configuration:*`, + ], + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['ec2:RunInstances'], + resources: [`arn:${partition}:ec2:*:*:volume/*`, `arn:${partition}:ec2:*:*:instance/*`], + conditions: { + StringEquals: { + 'aws:RequestTag/CreatedBy': ['EC2 Image Builder', 'EC2 Fast Launch'], + }, + }, + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['iam:PassRole'], + resources: ['*'], + conditions: { + StringEquals: { + 'iam:PassedToService': ['ec2.amazonaws.com', 'ec2.amazonaws.com.cn', 'vmie.amazonaws.com'], + }, + }, + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['ec2:StopInstances', 'ec2:StartInstances', 'ec2:TerminateInstances'], + resources: ['*'], + conditions: { + StringEquals: { + 'ec2:ResourceTag/CreatedBy': 'EC2 Image Builder', + }, + }, + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: [ + 'ec2:CopyImage', + 'ec2:CreateImage', + 'ec2:CreateLaunchTemplate', + 'ec2:DeregisterImage', + 'ec2:DescribeImages', + 'ec2:DescribeInstanceAttribute', + 'ec2:DescribeInstanceStatus', + 'ec2:DescribeInstances', + 'ec2:DescribeInstanceTypeOfferings', + 'ec2:DescribeInstanceTypes', + 'ec2:DescribeSubnets', + 'ec2:DescribeTags', + 'ec2:ModifyImageAttribute', + 'ec2:DescribeImportImageTasks', + 'ec2:DescribeSnapshots', + 'ec2:DescribeHosts', + ], + resources: ['*'], + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['ec2:ModifySnapshotAttribute'], + resources: [`arn:${partition}:ec2:*::snapshot/*`], + conditions: { + StringEquals: { + 'ec2:ResourceTag/CreatedBy': 'EC2 Image Builder', + }, + }, + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['ec2:CreateTags'], + resources: ['*'], + conditions: { + StringEquals: { + 'ec2:CreateAction': ['RunInstances', 'CreateImage'], + 'aws:RequestTag/CreatedBy': ['EC2 Image Builder', 'EC2 Fast Launch'], + }, + }, + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['ec2:CreateTags'], + resources: [`arn:${partition}:ec2:*::image/*`, `arn:${partition}:ec2:*:*:export-image-task/*`], + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['ec2:CreateTags'], + resources: [`arn:${partition}:ec2:*::snapshot/*`, `arn:${partition}:ec2:*:*:launch-template/*`], + conditions: { + StringEquals: { + 'aws:RequestTag/CreatedBy': ['EC2 Image Builder', 'EC2 Fast Launch'], + }, + }, + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['sns:Publish'], + resources: [`arn:${partition}:sns:${region}:${account}:*`], + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: [ + 'ssm:ListCommands', + 'ssm:ListCommandInvocations', + 'ssm:AddTagsToResource', + 'ssm:DescribeInstanceInformation', + 'ssm:ListInventoryEntries', + 'ssm:DescribeInstanceAssociationsStatus', + 'ssm:DescribeAssociationExecutions', + 'ssm:GetCommandInvocation', + ], + resources: ['*'], + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['ssm:SendCommand'], + resources: [ + `arn:${partition}:ssm:*:*:document/AWS-RunPowerShellScript`, + `arn:${partition}:ssm:*:*:document/AWS-RunShellScript`, + `arn:${partition}:ssm:*:*:document/AWSEC2-RunSysprep`, + `arn:${partition}:s3:::*`, + ], + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['ssm:SendCommand'], + resources: [`arn:${partition}:ec2:*:*:instance/*`], + conditions: { + StringEquals: { + 'ssm:resourceTag/CreatedBy': ['EC2 Image Builder'], + }, + }, + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['ssm:CreateAssociation', 'ssm:DeleteAssociation'], + resources: [ + `arn:${partition}:ssm:*:*:document/AWS-GatherSoftwareInventory`, + `arn:${partition}:ssm:*:*:association/*`, + `arn:${partition}:ec2:*:*:instance/*`, + ], + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: [ + 'kms:Encrypt', + 'kms:Decrypt', + 'kms:ReEncryptFrom', + 'kms:ReEncryptTo', + 'kms:GenerateDataKeyWithoutPlaintext', + ], + resources: ['*'], + conditions: { + 'ForAllValues:StringEquals': { + 'kms:EncryptionContextKeys': ['aws:ebs:id'], + }, + 'StringLike': { + 'kms:ViaService': ['ec2.*.amazonaws.com'], + }, + }, + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['kms:DescribeKey'], + resources: ['*'], + conditions: { + StringLike: { + 'kms:ViaService': ['ec2.*.amazonaws.com'], + }, + }, + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['kms:CreateGrant'], + resources: ['*'], + conditions: { + Bool: { + 'kms:GrantIsForAWSResource': true, + }, + StringLike: { + 'kms:ViaService': ['ec2.*.amazonaws.com'], + }, + }, + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['logs:CreateLogStream', 'logs:CreateLogGroup', 'logs:PutLogEvents'], + resources: [`arn:${partition}:logs:*:*:log-group:/aws/imagebuilder/*`], + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['iam:CreateServiceLinkedRole'], + resources: ['*'], + conditions: { + StringEquals: { + 'iam:AWSServiceName': ['ssm.amazonaws.com'], + }, + }, + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: [ + 'events:DeleteRule', + 'events:DescribeRule', + 'events:PutRule', + 'events:PutTargets', + 'events:RemoveTargets', + ], + resources: [`arn:${partition}:events:*:*:rule/ImageBuilder-*`], + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['ssm:GetParameter', 'ssm:PutParameter'], + resources: [`arn:${partition}:ssm:*:*:parameter/imagebuilder/*`], + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['ssm:GetParameter'], + resources: [`arn:${partition}:ssm:*::parameter/aws/service/*`], + }), + ]; + + const hasProps = props !== undefined; + if (!hasProps || (props.recipe._isImageRecipe() && props.distributionConfiguration !== undefined)) { + // Distribution-specific permissions if distribution settings are provided. All permissions here are for AMI builds + // specifically. + policies.push( + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['ec2:DescribeExportImageTasks'], + resources: ['*'], + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['license-manager:UpdateLicenseSpecificationsForResource'], + resources: [`arn:${partition}:license-manager:*:${account}:license-configuration:*`], + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['sts:AssumeRole'], + resources: [`arn:${partition}:iam::*:role/EC2ImageBuilderDistributionCrossAccountRole`], + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['ec2:DescribeLaunchTemplates', 'ec2:DescribeLaunchTemplateVersions'], + resources: ['*'], + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['ec2:CreateLaunchTemplateVersion', 'ec2:ModifyLaunchTemplate'], + resources: [`arn:${partition}:ec2:${region}:${account}:launch-template/*`], + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['ec2:ExportImage'], + resources: [`arn:${partition}:ec2:*::image/*`], + conditions: { + StringEquals: { + 'ec2:ResourceTag/CreatedBy': 'EC2 Image Builder', + }, + }, + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['ec2:ExportImage'], + resources: [`arn:${partition}:ec2:*:*:export-image-task/*`], + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['ec2:CancelExportTask'], + resources: [`arn:${partition}:ec2:*:*:export-image-task/*`], + conditions: { + StringEquals: { + 'ec2:ResourceTag/CreatedBy': 'EC2 Image Builder', + }, + }, + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['iam:CreateServiceLinkedRole'], + resources: ['*'], + conditions: { + StringEquals: { + 'iam:AWSServiceName': ['ec2fastlaunch.amazonaws.com'], + }, + }, + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['ec2:EnableFastLaunch'], + resources: [`arn:${partition}:ec2:*::image/*`, `arn:${partition}:ec2:*:*:launch-template/*`], + conditions: { + StringEquals: { + 'ec2:ResourceTag/CreatedBy': 'EC2 Image Builder', + }, + }, + }), + ); + } + + if (!hasProps || props.imageScanningEnabled !== false) { + // Add Inspector permissions if scanning is enabled + policies.push( + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['inspector2:ListCoverage', 'inspector2:ListFindings'], + resources: ['*'], + }), + ); + + // Add image scanning ECR permissions for container builds + if (!hasProps || props.recipe._isContainerRecipe()) { + policies.push( + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['ecr:CreateRepository'], + resources: ['*'], + conditions: { + StringEquals: { + 'aws:RequestTag/CreatedBy': 'EC2 Image Builder', + }, + }, + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['ecr:TagResource'], + resources: [`arn:${partition}:ecr:*:*:repository/image-builder-*`], + conditions: { + StringEquals: { + 'aws:RequestTag/CreatedBy': 'EC2 Image Builder', + }, + }, + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ['ecr:BatchDeleteImage'], + resources: [`arn:${partition}:ecr:*:*:repository/image-builder-*`], + conditions: { + StringEquals: { + 'ecr:ResourceTag/CreatedBy': 'EC2 Image Builder', + }, + }, + }), + ); + } + } + + return policies; +}; + +export const getExecutionRole = ( + scope: Construct, + grantDefaultExecutionRolePermissions: (grantee: iam.IGrantable) => void, + { + executionRole, + workflows, + imageLogGroup, + imagePipelineLogGroup, + }: { + executionRole?: iam.IRole; + imageLogGroup?: logs.ILogGroup; + imagePipelineLogGroup?: logs.ILogGroup; + workflows?: WorkflowConfiguration[]; + }, +): iam.IRole | undefined => { + const { executionRoleRequired, applyGrants } = getExecutionRoleRequirements({ + workflows, + imageLogGroup, + imagePipelineLogGroup, + }); + if (!executionRoleRequired) { + return executionRole; + } + + if (executionRole !== undefined) { + applyGrants(executionRole); + return executionRole; + } + + const autoGeneratedExecutionRole = new iam.Role(scope, 'ExecutionRole', { + assumedBy: new iam.ServicePrincipal('imagebuilder.amazonaws.com'), + }); + grantDefaultExecutionRolePermissions(autoGeneratedExecutionRole); + applyGrants(autoGeneratedExecutionRole); + + return autoGeneratedExecutionRole; +}; + +const getExecutionRoleRequirements = ({ + workflows, + imageLogGroup, + imagePipelineLogGroup, +}: { + imageLogGroup?: logs.ILogGroup; + imagePipelineLogGroup?: logs.ILogGroup; + workflows?: WorkflowConfiguration[]; +}): { executionRoleRequired: boolean; applyGrants: (role: iam.IRole) => void } => { + const granters: Array<(role: iam.IRole) => void> = []; + + const hasWorkflows = Boolean(workflows?.length); + const addImageLogGroupPermissions = + imageLogGroup !== undefined && + !cdk.Token.isUnresolved(imageLogGroup.logGroupName) && + !imageLogGroup.logGroupName.startsWith('/aws/imagebuilder/'); + const addPipelineLogGroupPermissions = + imagePipelineLogGroup !== undefined && + !cdk.Token.isUnresolved(imagePipelineLogGroup.logGroupName) && + !imagePipelineLogGroup.logGroupName.startsWith('/aws/imagebuilder/'); + + if (addImageLogGroupPermissions) { + granters.push((role) => imageLogGroup!.grantWrite(role)); + } + + if (addPipelineLogGroupPermissions) { + granters.push((role) => imagePipelineLogGroup!.grantWrite(role)); + } + + return { + executionRoleRequired: hasWorkflows || addImageLogGroupPermissions || addPipelineLogGroupPermissions, + applyGrants: (role: iam.IRole) => granters.forEach((granter) => granter(role)), + }; +}; diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/lib/workflow.ts b/packages/@aws-cdk/aws-imagebuilder-alpha/lib/workflow.ts index fe3ae663e59d9..b46fe122c7499 100644 --- a/packages/@aws-cdk/aws-imagebuilder-alpha/lib/workflow.ts +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/lib/workflow.ts @@ -490,6 +490,87 @@ class S3WorkflowDataFromAsset extends S3WorkflowData { } } +/** + * The parameter value for a workflow parameter + */ +export class WorkflowParameterValue { + /** + * The value of the parameter as a boolean + * + * @param value The boolean value of the parameter + */ + public static fromBoolean(value: boolean): WorkflowParameterValue { + return new WorkflowParameterValue([value.toString()]); + } + + /** + * The value of the parameter as an integer + * + * @param value The integer value of the parameter + */ + public static fromInteger(value: number): WorkflowParameterValue { + return new WorkflowParameterValue([value.toString()]); + } + + /** + * The value of the parameter as a string + * @param value The string value of the parameter + */ + public static fromString(value: string): WorkflowParameterValue { + return new WorkflowParameterValue([value]); + } + + /** + * The value of the parameter as a string list + * + * @param values The string list value of the parameter + */ + public static fromStringList(values: string[]): WorkflowParameterValue { + return new WorkflowParameterValue(values); + } + + /** + * The rendered parameter value + */ + public readonly value: string[]; + + protected constructor(value: string[]) { + this.value = value; + } +} + +/** + * Configuration details for a workflow + */ +export interface WorkflowConfiguration { + /** + * The workflow to execute in the image build + */ + readonly workflow: IWorkflow; + + /** + * The action to take if the workflow fails + * + * @default WorkflowOnFailure.ABORT + */ + readonly onFailure?: WorkflowOnFailure; + + /** + * The named parallel group to include this workflow in. Workflows in the same parallel group run in parallel of each + * other. + * + * @default None + */ + readonly parallelGroup?: string; + + /** + * The parameters to pass to the workflow at execution time + * + * @default - none if the workflow has no parameters, otherwise the default parameter values are used + */ + readonly parameters?: { [name: string]: WorkflowParameterValue }; +} + /** * Helper class for working with AWS-managed workflows */ diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/rosetta/default.ts-fixture b/packages/@aws-cdk/aws-imagebuilder-alpha/rosetta/default.ts-fixture index 99000e42f387b..29b5d80ae9a8d 100644 --- a/packages/@aws-cdk/aws-imagebuilder-alpha/rosetta/default.ts-fixture +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/rosetta/default.ts-fixture @@ -1,12 +1,17 @@ // Fixture with packages imported, but nothing else import * as imagebuilder from '@aws-cdk/aws-imagebuilder-alpha'; -import { Aws, Duration, Stack } from 'aws-cdk-lib'; +import { Aws, Duration, Stack, TimeZone } from 'aws-cdk-lib'; import * as ec2 from 'aws-cdk-lib/aws-ec2'; import * as ecr from 'aws-cdk-lib/aws-ecr'; +import * as events from 'aws-cdk-lib/aws-events'; +import * as targets from 'aws-cdk-lib/aws-events-targets'; import * as iam from 'aws-cdk-lib/aws-iam'; import * as kms from 'aws-cdk-lib/aws-kms'; +import * as lambda from 'aws-cdk-lib/aws-lambda'; +import * as logs from 'aws-cdk-lib/aws-logs'; import * as s3 from 'aws-cdk-lib/aws-s3'; import * as sns from 'aws-cdk-lib/aws-sns'; +import * as sqs from 'aws-cdk-lib/aws-sqs'; import * as ssm from 'aws-cdk-lib/aws-ssm'; import { Construct } from 'constructs'; @@ -21,6 +26,36 @@ class Fixture extends Stack { instanceType: ec2.InstanceType.of(ec2.InstanceClass.STANDARD6_GRAVITON, ec2.InstanceSize.LARGE).toString(), }); + const role = new iam.Role(this, 'Role', { + assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com') + }); + + const lambdaFunction = new lambda.Function(this, 'Function', { + runtime: lambda.Runtime.NODEJS_18_X, + handler: 'index.handler', + code: lambda.Code.fromInline('exports.handler = async () => {};') + }); + + const topic = new sns.Topic(this, 'Topic'); + const queue = new sqs.Queue(this, 'Queue'); + + const exampleImageRecipe = new imagebuilder.ImageRecipe(this, 'ImageRecipe', { + baseImage: imagebuilder.BaseImage.fromSsmParameterName( + '/aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-default-x86_64' + ) + }); + + const exampleContainerRecipe = new imagebuilder.ContainerRecipe(this, 'ContainerRecipe', { + baseImage: imagebuilder.BaseContainerImage.fromDockerHub('amazonlinux', 'latest'), + targetRepository: imagebuilder.Repository.fromEcr( + ecr.Repository.fromRepositoryName(this, 'Repository', 'my-container-repo') + ) + }); + + const examplePipeline = new imagebuilder.ImagePipeline(this, 'Pipeline', { + recipe: exampleImageRecipe + }); + /// here } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/image-pipeline.test.ts b/packages/@aws-cdk/aws-imagebuilder-alpha/test/image-pipeline.test.ts new file mode 100644 index 0000000000000..5f9fda6e54a0c --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/image-pipeline.test.ts @@ -0,0 +1,1054 @@ +import * as cdk from 'aws-cdk-lib'; +import { Match, Template } from 'aws-cdk-lib/assertions'; +import * as ecr from 'aws-cdk-lib/aws-ecr'; +import * as events from 'aws-cdk-lib/aws-events'; +import * as iam from 'aws-cdk-lib/aws-iam'; +import * as logs from 'aws-cdk-lib/aws-logs'; +import { + AwsManagedWorkflow, + ContainerRecipe, + DistributionConfiguration, + IContainerRecipe, + IImageRecipe, + ImagePipeline, + ImagePipelineStatus, + ImageRecipe, + InfrastructureConfiguration, + IRecipeBase, + ScheduleStartCondition, + WorkflowOnFailure, + WorkflowParameterValue, +} from '../lib'; + +/* eslint-disable quote-props */ +describe('ImagePipeline', () => { + let app: cdk.App; + let stack: cdk.Stack; + + beforeEach(() => { + app = new cdk.App(); + stack = new cdk.Stack(app, 'Stack', { env: { region: 'us-east-1', account: '123456789012' } }); + }); + + test('imported by name', () => { + const imagePipeline = ImagePipeline.fromImagePipelineName( + stack, + 'ImagePipeline', + 'imported-image-pipeline-by-name', + ); + + expect(stack.resolve(imagePipeline.imagePipelineArn)).toEqual({ + 'Fn::Join': [ + '', + [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':imagebuilder:us-east-1:123456789012:image-pipeline/imported-image-pipeline-by-name', + ], + ], + }); + expect(imagePipeline.imagePipelineName).toEqual('imported-image-pipeline-by-name'); + }); + + test('imported by name as an unresolved token', () => { + const imagePipeline = ImagePipeline.fromImagePipelineName( + stack, + 'ImagePipeline', + `test-image-pipeline-${stack.partition}`, + ); + + expect(stack.resolve(imagePipeline.imagePipelineArn)).toEqual({ + 'Fn::Join': [ + '', + [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':imagebuilder:us-east-1:123456789012:image-pipeline/test-image-pipeline-', + { Ref: 'AWS::Partition' }, + ], + ], + }); + expect(stack.resolve(imagePipeline.imagePipelineName)).toEqual({ + 'Fn::Join': ['', ['test-image-pipeline-', { Ref: 'AWS::Partition' }]], + }); + }); + + test('imported by arn', () => { + const imagePipeline = ImagePipeline.fromImagePipelineArn( + stack, + 'ImagePipeline', + 'arn:aws:imagebuilder:us-east-1:123456789012:image-pipeline/imported-image-pipeline-by-arn', + ); + + expect(imagePipeline.imagePipelineArn).toEqual( + 'arn:aws:imagebuilder:us-east-1:123456789012:image-pipeline/imported-image-pipeline-by-arn', + ); + expect(imagePipeline.imagePipelineName).toEqual('imported-image-pipeline-by-arn'); + }); + + test('with all parameters - AMI pipeline', () => { + const executionRole = iam.Role.fromRoleName(stack, 'ExecutionRole', 'imagebuilder-execution-role'); + const imagePipeline = new ImagePipeline(stack, 'ImagePipeline', { + imagePipelineName: 'test-image-pipeline', + description: 'this is an image pipeline description.', + recipe: ImageRecipe.fromImageRecipeName(stack, 'ImageRecipe', 'imported-image-recipe'), + infrastructureConfiguration: InfrastructureConfiguration.fromInfrastructureConfigurationName( + stack, + 'InfrastructureConfiguration', + 'imported-infrastructure-configuration', + ), + distributionConfiguration: DistributionConfiguration.fromDistributionConfigurationName( + stack, + 'DistributionConfiguration', + 'imported-distribution-configuration', + ), + status: ImagePipelineStatus.ENABLED, + executionRole, + schedule: { + expression: events.Schedule.cron({ minute: '0', hour: '0', weekDay: '0' }), + startCondition: ScheduleStartCondition.EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE, + autoDisableFailureCount: 5, + }, + workflows: [ + { + workflow: AwsManagedWorkflow.buildImage(stack, 'BuildImage'), + onFailure: WorkflowOnFailure.ABORT, + parallelGroup: 'group-1', + parameters: { parameterName: WorkflowParameterValue.fromString('parameterValue') }, + }, + ], + imageLogGroup: logs.LogGroup.fromLogGroupName(stack, 'ImageLogGroup', '/aws/imagebuilder/test'), + imagePipelineLogGroup: logs.LogGroup.fromLogGroupName( + stack, + 'ImagePipelineLogGroup', + '/aws/imagebuilder/pipeline/test', + ), + enhancedImageMetadataEnabled: true, + imageTestsEnabled: false, + imageScanningEnabled: true, + }); + const grants = imagePipeline.grantDefaultExecutionRolePermissions(executionRole); + + expect(grants.length).toBeGreaterThanOrEqual(1); + + expect(ImagePipeline.isImagePipeline(imagePipeline as unknown)).toBeTruthy(); + expect(ImagePipeline.isImagePipeline('ImagePipeline')).toBeFalsy(); + + const template = Template.fromStack(stack); + + // Validate that default permissions were added - check presence of ec2:CreateImage + template.hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([ + { Action: Match.arrayWith(['ec2:CreateImage']), Effect: 'Allow', Resource: Match.anyValue() }, + ]), + }, + }); + + template.templateMatches({ + Resources: { + ImagePipeline7DDDE57F: Match.objectEquals({ + Type: 'AWS::ImageBuilder::ImagePipeline', + Properties: { + Description: 'this is an image pipeline description.', + DistributionConfigurationArn: { + 'Fn::Join': [ + '', + [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':imagebuilder:us-east-1:123456789012:distribution-configuration/imported-distribution-configuration', + ], + ], + }, + EnhancedImageMetadataEnabled: true, + ExecutionRole: { + 'Fn::Join': [ + '', + ['arn:', { Ref: 'AWS::Partition' }, ':iam::123456789012:role/imagebuilder-execution-role'], + ], + }, + ImageRecipeArn: { + 'Fn::Join': [ + '', + [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':imagebuilder:us-east-1:123456789012:image-recipe/imported-image-recipe/x.x.x', + ], + ], + }, + ImageScanningConfiguration: { ImageScanningEnabled: true }, + ImageTestsConfiguration: { ImageTestsEnabled: false }, + InfrastructureConfigurationArn: { + 'Fn::Join': [ + '', + [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':imagebuilder:us-east-1:123456789012:infrastructure-configuration/imported-infrastructure-configuration', + ], + ], + }, + LoggingConfiguration: { + ImageLogGroupName: '/aws/imagebuilder/test', + PipelineLogGroupName: '/aws/imagebuilder/pipeline/test', + }, + Name: 'test-image-pipeline', + Schedule: { + AutoDisablePolicy: { FailureCount: 5 }, + PipelineExecutionStartCondition: 'EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE', + ScheduleExpression: 'cron(0 0 ? * 0 *)', + }, + Status: 'ENABLED', + Workflows: [ + { + OnFailure: 'Abort', + ParallelGroup: 'group-1', + Parameters: [{ Name: 'parameterName', Value: ['parameterValue'] }], + WorkflowArn: { + 'Fn::Join': [ + '', + ['arn:', { Ref: 'AWS::Partition' }, ':imagebuilder:us-east-1:aws:workflow/build/build-image/x.x.x'], + ], + }, + }, + ], + }, + }), + }, + }); + }); + + test('with all parameters - container pipeline', () => { + const executionRole = iam.Role.fromRoleName(stack, 'ExecutionRole', 'imagebuilder-execution-role'); + const imagePipeline = new ImagePipeline(stack, 'ImagePipeline', { + imagePipelineName: 'test-image-pipeline', + description: 'this is an image pipeline description.', + recipe: ContainerRecipe.fromContainerRecipeName(stack, 'ImageRecipe', 'imported-container-recipe'), + infrastructureConfiguration: InfrastructureConfiguration.fromInfrastructureConfigurationName( + stack, + 'InfrastructureConfiguration', + 'imported-infrastructure-configuration', + ), + distributionConfiguration: DistributionConfiguration.fromDistributionConfigurationName( + stack, + 'DistributionConfiguration', + 'imported-distribution-configuration', + ), + executionRole, + status: ImagePipelineStatus.DISABLED, + schedule: { + expression: events.Schedule.rate(cdk.Duration.days(7)), + startCondition: ScheduleStartCondition.EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE, + }, + workflows: [ + { + workflow: AwsManagedWorkflow.buildContainer(stack, 'BuildContainer'), + onFailure: WorkflowOnFailure.ABORT, + parallelGroup: 'group-1', + parameters: { parameterName: WorkflowParameterValue.fromString('parameterValue') }, + }, + ], + imageLogGroup: logs.LogGroup.fromLogGroupName(stack, 'ImageLogGroup', '/aws/imagebuilder/test'), + imagePipelineLogGroup: logs.LogGroup.fromLogGroupName( + stack, + 'ImagePipelineLogGroup', + '/aws/imagebuilder/pipeline/test', + ), + enhancedImageMetadataEnabled: false, + imageTestsEnabled: true, + imageScanningEnabled: true, + imageScanningEcrRepository: ecr.Repository.fromRepositoryName(stack, 'Repository', 'scanning-repo'), + imageScanningEcrTags: ['latest-scan'], + }); + imagePipeline.grantDefaultExecutionRolePermissions(executionRole); + + expect(ImagePipeline.isImagePipeline(imagePipeline as unknown)).toBeTruthy(); + expect(ImagePipeline.isImagePipeline('ImagePipeline')).toBeFalsy(); + + Template.fromStack(stack).templateMatches({ + Resources: { + ImagePipeline7DDDE57F: Match.objectEquals({ + Type: 'AWS::ImageBuilder::ImagePipeline', + Properties: { + ContainerRecipeArn: { + 'Fn::Join': [ + '', + [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':imagebuilder:us-east-1:123456789012:container-recipe/imported-container-recipe/x.x.x', + ], + ], + }, + Description: 'this is an image pipeline description.', + DistributionConfigurationArn: { + 'Fn::Join': [ + '', + [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':imagebuilder:us-east-1:123456789012:distribution-configuration/imported-distribution-configuration', + ], + ], + }, + EnhancedImageMetadataEnabled: false, + ExecutionRole: { + 'Fn::Join': [ + '', + ['arn:', { Ref: 'AWS::Partition' }, ':iam::123456789012:role/imagebuilder-execution-role'], + ], + }, + ImageScanningConfiguration: { + EcrConfiguration: { + ContainerTags: ['latest-scan'], + RepositoryName: 'scanning-repo', + }, + ImageScanningEnabled: true, + }, + ImageTestsConfiguration: { ImageTestsEnabled: true }, + InfrastructureConfigurationArn: { + 'Fn::Join': [ + '', + [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':imagebuilder:us-east-1:123456789012:infrastructure-configuration/imported-infrastructure-configuration', + ], + ], + }, + LoggingConfiguration: { + ImageLogGroupName: '/aws/imagebuilder/test', + PipelineLogGroupName: '/aws/imagebuilder/pipeline/test', + }, + Name: 'test-image-pipeline', + Schedule: { + PipelineExecutionStartCondition: 'EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE', + ScheduleExpression: 'rate(7 days)', + }, + Status: 'DISABLED', + Workflows: [ + { + OnFailure: 'Abort', + ParallelGroup: 'group-1', + Parameters: [{ Name: 'parameterName', Value: ['parameterValue'] }], + WorkflowArn: { + 'Fn::Join': [ + '', + [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':imagebuilder:us-east-1:aws:workflow/build/build-container/x.x.x', + ], + ], + }, + }, + ], + }, + }), + }, + }); + }); + + test('with required parameters - AMI pipeline', () => { + new ImagePipeline(stack, 'ImagePipeline', { + recipe: ImageRecipe.fromImageRecipeName(stack, 'ImageRecipe', 'imported-image-recipe'), + }); + + const template = Template.fromStack(stack); + + template.resourceCountIs('AWS::IAM::Role', 1); + template.resourceCountIs('AWS::IAM::InstanceProfile', 1); + template.resourceCountIs('AWS::ImageBuilder::InfrastructureConfiguration', 1); + template.resourceCountIs('AWS::ImageBuilder::ImagePipeline', 1); + expect(Object.keys(template.toJSON().Resources)).toHaveLength(4); + + Template.fromStack(stack).templateMatches({ + Resources: { + ImagePipeline7DDDE57F: Match.objectEquals({ + Type: 'AWS::ImageBuilder::ImagePipeline', + Properties: { + ImageRecipeArn: { + 'Fn::Join': [ + '', + [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':imagebuilder:us-east-1:123456789012:image-recipe/imported-image-recipe/x.x.x', + ], + ], + }, + InfrastructureConfigurationArn: { + 'Fn::GetAtt': ['ImagePipelineInfrastructureConfiguration70CB8806', 'Arn'], + }, + Name: 'stack-imagepipeline-8aa53ec3', + }, + }), + }, + }); + }); + + test('with required parameters - container pipeline', () => { + new ImagePipeline(stack, 'ImagePipeline', { + recipe: ContainerRecipe.fromContainerRecipeName(stack, 'ContainerRecipe', 'imported-container-recipe'), + }); + + const template = Template.fromStack(stack); + + template.resourceCountIs('AWS::IAM::Role', 1); + template.resourceCountIs('AWS::IAM::InstanceProfile', 1); + template.resourceCountIs('AWS::ImageBuilder::InfrastructureConfiguration', 1); + template.resourceCountIs('AWS::ImageBuilder::ImagePipeline', 1); + expect(Object.keys(template.toJSON().Resources)).toHaveLength(4); + + Template.fromStack(stack).templateMatches({ + Resources: { + ImagePipeline7DDDE57F: Match.objectEquals({ + Type: 'AWS::ImageBuilder::ImagePipeline', + Properties: { + ContainerRecipeArn: { + 'Fn::Join': [ + '', + [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':imagebuilder:us-east-1:123456789012:container-recipe/imported-container-recipe/x.x.x', + ], + ], + }, + InfrastructureConfigurationArn: { + 'Fn::GetAtt': ['ImagePipelineInfrastructureConfiguration70CB8806', 'Arn'], + }, + Name: 'stack-imagepipeline-8aa53ec3', + }, + }), + }, + }); + }); + + test('generates an execution role when workflows are provided', () => { + const imagePipeline = new ImagePipeline(stack, 'ImagePipeline', { + recipe: ImageRecipe.fromImageRecipeName(stack, 'ImageRecipe', 'imported-image-recipe'), + workflows: [{ workflow: AwsManagedWorkflow.buildImage(stack, 'BuildImage') }], + }); + + const template = Template.fromStack(stack); + + expect(imagePipeline.executionRole).not.toBeUndefined(); + expect(imagePipeline.executionRole).toBeInstanceOf(iam.Role); + + template.resourceCountIs('AWS::IAM::Role', 2); + template.resourceCountIs('AWS::IAM::InstanceProfile', 1); + template.resourceCountIs('AWS::IAM::Policy', 1); + template.resourceCountIs('AWS::ImageBuilder::InfrastructureConfiguration', 1); + template.resourceCountIs('AWS::ImageBuilder::ImagePipeline', 1); + expect(Object.keys(template.toJSON().Resources)).toHaveLength(6); + + template.hasResourceProperties('AWS::ImageBuilder::ImagePipeline', { ExecutionRole: Match.anyValue() }); + template.hasResourceProperties('AWS::IAM::Role', { + AssumeRolePolicyDocument: { + Statement: [ + { + Action: 'sts:AssumeRole', + Effect: 'Allow', + Principal: { + Service: 'imagebuilder.amazonaws.com', + }, + }, + ], + }, + }); + }); + + test('generates an execution role when an image log group is provided outside of /aws/imagebuilder/', () => { + const imagePipeline = new ImagePipeline(stack, 'ImagePipeline', { + recipe: ImageRecipe.fromImageRecipeName(stack, 'ImageRecipe', 'imported-image-recipe'), + imageLogGroup: logs.LogGroup.fromLogGroupName(stack, 'ImageLogGroup', 'image-log-group'), + }); + + const template = Template.fromStack(stack); + + expect(imagePipeline.executionRole).not.toBeUndefined(); + expect(imagePipeline.executionRole).toBeInstanceOf(iam.Role); + + template.resourceCountIs('AWS::IAM::Role', 2); + template.resourceCountIs('AWS::IAM::InstanceProfile', 1); + template.resourceCountIs('AWS::IAM::Policy', 1); + template.resourceCountIs('AWS::ImageBuilder::InfrastructureConfiguration', 1); + template.resourceCountIs('AWS::ImageBuilder::ImagePipeline', 1); + expect(Object.keys(template.toJSON().Resources)).toHaveLength(6); + + template.hasResourceProperties('AWS::ImageBuilder::ImagePipeline', { ExecutionRole: Match.anyValue() }); + template.hasResourceProperties('AWS::IAM::Role', { + AssumeRolePolicyDocument: { + Statement: [ + { + Action: 'sts:AssumeRole', + Effect: 'Allow', + Principal: { + Service: 'imagebuilder.amazonaws.com', + }, + }, + ], + }, + }); + template.hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([ + { + Action: Match.arrayWith(['logs:CreateLogStream', 'logs:PutLogEvents']), + Effect: 'Allow', + Resource: { + 'Fn::Join': [ + '', + [ + 'arn:', + { + Ref: 'AWS::Partition', + }, + ':logs:us-east-1:123456789012:log-group:image-log-group:*', + ], + ], + }, + }, + ]), + }, + }); + }); + + test('generates an execution role when an image pipeline log group is provided outside of /aws/imagebuilder/', () => { + const imagePipeline = new ImagePipeline(stack, 'ImagePipeline', { + recipe: ImageRecipe.fromImageRecipeName(stack, 'ImageRecipe', 'imported-image-recipe'), + imagePipelineLogGroup: logs.LogGroup.fromLogGroupName(stack, 'ImagePipelineLogGroup', 'image-pipeline-log-group'), + }); + + const template = Template.fromStack(stack); + + expect(imagePipeline.executionRole).not.toBeUndefined(); + expect(imagePipeline.executionRole).toBeInstanceOf(iam.Role); + + template.resourceCountIs('AWS::IAM::Role', 2); + template.resourceCountIs('AWS::IAM::InstanceProfile', 1); + template.resourceCountIs('AWS::IAM::Policy', 1); + template.resourceCountIs('AWS::ImageBuilder::InfrastructureConfiguration', 1); + template.resourceCountIs('AWS::ImageBuilder::ImagePipeline', 1); + expect(Object.keys(template.toJSON().Resources)).toHaveLength(6); + + template.hasResourceProperties('AWS::ImageBuilder::ImagePipeline', { ExecutionRole: Match.anyValue() }); + template.hasResourceProperties('AWS::IAM::Role', { + AssumeRolePolicyDocument: { + Statement: [ + { + Action: 'sts:AssumeRole', + Effect: 'Allow', + Principal: { + Service: 'imagebuilder.amazonaws.com', + }, + }, + ], + }, + }); + template.hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([ + { + Action: Match.arrayWith(['logs:CreateLogStream', 'logs:PutLogEvents']), + Effect: 'Allow', + Resource: { + 'Fn::Join': [ + '', + [ + 'arn:', + { + Ref: 'AWS::Partition', + }, + ':logs:us-east-1:123456789012:log-group:image-pipeline-log-group:*', + ], + ], + }, + }, + ]), + }, + }); + }); + + test('grants log group permissions to a pre-defined execution role', () => { + const executionRole = new iam.Role(stack, 'ExecutionRole', { + assumedBy: new iam.ServicePrincipal('imagebuilder.amazonaws.com'), + }); + + const imagePipeline = new ImagePipeline(stack, 'ImagePipeline', { + recipe: ImageRecipe.fromImageRecipeName(stack, 'ImageRecipe', 'imported-image-recipe'), + imageLogGroup: logs.LogGroup.fromLogGroupName(stack, 'ImageLogGroup', 'image-log-group'), + imagePipelineLogGroup: logs.LogGroup.fromLogGroupName(stack, 'ImagePipelineLogGroup', 'image-pipeline-log-group'), + executionRole, + }); + + const template = Template.fromStack(stack); + + expect(imagePipeline.executionRole).not.toBeUndefined(); + expect(imagePipeline.executionRole).toBeInstanceOf(iam.Role); + + template.resourceCountIs('AWS::IAM::Role', 2); + template.resourceCountIs('AWS::IAM::InstanceProfile', 1); + template.resourceCountIs('AWS::IAM::Policy', 1); + template.resourceCountIs('AWS::ImageBuilder::InfrastructureConfiguration', 1); + template.resourceCountIs('AWS::ImageBuilder::ImagePipeline', 1); + expect(Object.keys(template.toJSON().Resources)).toHaveLength(6); + + template.hasResourceProperties('AWS::ImageBuilder::ImagePipeline', { ExecutionRole: Match.anyValue() }); + template.hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([ + { + Action: Match.arrayWith(['logs:CreateLogStream', 'logs:PutLogEvents']), + Effect: 'Allow', + Resource: { + 'Fn::Join': [ + '', + ['arn:', { Ref: 'AWS::Partition' }, ':logs:us-east-1:123456789012:log-group:image-log-group:*'], + ], + }, + }, + { + Action: Match.arrayWith(['logs:CreateLogStream', 'logs:PutLogEvents']), + Effect: 'Allow', + Resource: { + 'Fn::Join': [ + '', + [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':logs:us-east-1:123456789012:log-group:image-pipeline-log-group:*', + ], + ], + }, + }, + ]), + }, + }); + }); + + test('grants read access to IAM roles', () => { + const imagePipeline = new ImagePipeline(stack, 'ImagePipeline', { + recipe: ImageRecipe.fromImageRecipeName(stack, 'ImageRecipe', 'imported-image-recipe'), + }); + + const role = new iam.Role(stack, 'Role', { assumedBy: new iam.AccountPrincipal('123456789012') }); + + imagePipeline.grantRead(role); + + const template = Template.fromStack(stack); + + template.resourceCountIs('AWS::IAM::Role', 2); + template.resourceCountIs('AWS::IAM::Policy', 1); + template.resourceCountIs('AWS::IAM::InstanceProfile', 1); + template.resourceCountIs('AWS::ImageBuilder::InfrastructureConfiguration', 1); + template.resourceCountIs('AWS::ImageBuilder::ImagePipeline', 1); + expect(Object.keys(template.toJSON().Resources)).toHaveLength(6); + + template.hasResourceProperties('AWS::IAM::Role', { + AssumeRolePolicyDocument: { + Statement: [ + { + Action: 'sts:AssumeRole', + Effect: 'Allow', + Principal: { + AWS: { + 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::123456789012:root']], + }, + }, + }, + ], + }, + }); + + template.hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ + { + Effect: 'Allow', + Action: 'imagebuilder:GetImagePipeline', + Resource: { + 'Fn::GetAtt': ['ImagePipeline7DDDE57F', 'Arn'], + }, + }, + ], + }, + Roles: [Match.anyValue()], + }); + }); + + test('grants start pipeline execution access to IAM roles', () => { + const imagePipeline = new ImagePipeline(stack, 'ImagePipeline', { + recipe: ImageRecipe.fromImageRecipeName(stack, 'ImageRecipe', 'imported-image-recipe'), + }); + + const role = new iam.Role(stack, 'Role', { assumedBy: new iam.AccountPrincipal('123456789012') }); + + imagePipeline.grantStartExecution(role); + + const template = Template.fromStack(stack); + + template.resourceCountIs('AWS::IAM::Role', 2); + template.resourceCountIs('AWS::IAM::Policy', 1); + template.resourceCountIs('AWS::IAM::InstanceProfile', 1); + template.resourceCountIs('AWS::ImageBuilder::InfrastructureConfiguration', 1); + template.resourceCountIs('AWS::ImageBuilder::ImagePipeline', 1); + expect(Object.keys(template.toJSON().Resources)).toHaveLength(6); + + template.hasResourceProperties('AWS::IAM::Role', { + AssumeRolePolicyDocument: { + Statement: [ + { + Action: 'sts:AssumeRole', + Effect: 'Allow', + Principal: { + AWS: { + 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::123456789012:root']], + }, + }, + }, + ], + }, + }); + + template.hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ + { + Effect: 'Allow', + Action: 'imagebuilder:StartImagePipelineExecution', + Resource: { + 'Fn::GetAtt': ['ImagePipeline7DDDE57F', 'Arn'], + }, + }, + ], + }, + Roles: [Match.anyValue()], + }); + }); + + test('grants permissions to IAM roles', () => { + const imagePipeline = new ImagePipeline(stack, 'ImagePipeline', { + recipe: ImageRecipe.fromImageRecipeName(stack, 'ImageRecipe', 'imported-image-recipe'), + }); + + const role = new iam.Role(stack, 'Role', { assumedBy: new iam.AccountPrincipal('123456789012') }); + + imagePipeline.grant(role, 'imagebuilder:DeleteImagePipeline', 'imagebuilder:UpdateImagePipeline'); + + const template = Template.fromStack(stack); + + template.resourceCountIs('AWS::IAM::Role', 2); + template.resourceCountIs('AWS::IAM::Policy', 1); + template.resourceCountIs('AWS::IAM::InstanceProfile', 1); + template.resourceCountIs('AWS::ImageBuilder::InfrastructureConfiguration', 1); + template.resourceCountIs('AWS::ImageBuilder::ImagePipeline', 1); + expect(Object.keys(template.toJSON().Resources)).toHaveLength(6); + + template.hasResourceProperties('AWS::IAM::Role', { + AssumeRolePolicyDocument: { + Statement: [ + { + Action: 'sts:AssumeRole', + Effect: 'Allow', + Principal: { + AWS: { + 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::123456789012:root']], + }, + }, + }, + ], + }, + }); + + template.hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ + { + Effect: 'Allow', + Action: ['imagebuilder:DeleteImagePipeline', 'imagebuilder:UpdateImagePipeline'], + Resource: { + 'Fn::GetAtt': ['ImagePipeline7DDDE57F', 'Arn'], + }, + }, + ], + }, + Roles: [Match.anyValue()], + }); + }); + + test('creates a rule from onEvent', () => { + const imagePipeline = new ImagePipeline(stack, 'ImagePipeline', { + recipe: ImageRecipe.fromImageRecipeName(stack, 'ImageRecipe', 'imported-image-recipe'), + }); + + imagePipeline.onEvent('PipelineRule'); + + Template.fromStack(stack).hasResourceProperties('AWS::Events::Rule', { + EventPattern: { source: ['aws.imagebuilder'] }, + State: 'ENABLED', + }); + }); + + test('creates a rule from onCVEDetected', () => { + const imagePipeline = new ImagePipeline(stack, 'ImagePipeline', { + recipe: ImageRecipe.fromImageRecipeName(stack, 'ImageRecipe', 'imported-image-recipe'), + }); + + imagePipeline.onCVEDetected('CVEDetectionRule'); + + Template.fromStack(stack).hasResourceProperties('AWS::Events::Rule', { + EventPattern: { + source: ['aws.imagebuilder'], + resources: [{ 'Fn::GetAtt': ['ImagePipeline7DDDE57F', 'Arn'] }], + 'detail-type': ['EC2 Image Builder CVE Detected'], + }, + State: 'ENABLED', + }); + }); + + test('creates a rule from onImageBuildStateChange', () => { + const imagePipeline = new ImagePipeline(stack, 'ImagePipeline', { + recipe: ImageRecipe.fromImageRecipeName(stack, 'ImageRecipe', 'imported-image-recipe'), + }); + + imagePipeline.onImageBuildStateChange('ImageBuildStateChangeRule'); + + Template.fromStack(stack).hasResourceProperties('AWS::Events::Rule', { + EventPattern: { + source: ['aws.imagebuilder'], + 'detail-type': ['EC2 Image Builder Image State Change'], + }, + State: 'ENABLED', + }); + }); + + test('creates a rule from onImageBuildCompleted', () => { + const imagePipeline = new ImagePipeline(stack, 'ImagePipeline', { + recipe: ImageRecipe.fromImageRecipeName(stack, 'ImageRecipe', 'imported-image-recipe'), + }); + + imagePipeline.onImageBuildCompleted('ImageBuildCompletedRule'); + + Template.fromStack(stack).hasResourceProperties('AWS::Events::Rule', { + EventPattern: { + source: ['aws.imagebuilder'], + 'detail-type': ['EC2 Image Builder Image State Change'], + detail: { state: { status: ['AVAILABLE', 'CANCELLED', 'FAILED'] } }, + }, + State: 'ENABLED', + }); + }); + + test('creates a rule from onImageBuildFailed', () => { + const imagePipeline = new ImagePipeline(stack, 'ImagePipeline', { + recipe: ImageRecipe.fromImageRecipeName(stack, 'ImageRecipe', 'imported-image-recipe'), + }); + + imagePipeline.onImageBuildFailed('ImageBuildFailedRule'); + + Template.fromStack(stack).hasResourceProperties('AWS::Events::Rule', { + EventPattern: { + source: ['aws.imagebuilder'], + 'detail-type': ['EC2 Image Builder Image State Change'], + detail: { state: { status: ['FAILED'] } }, + }, + State: 'ENABLED', + }); + }); + + test('creates a rule from onImageBuildSucceeded', () => { + const imagePipeline = new ImagePipeline(stack, 'ImagePipeline', { + recipe: ImageRecipe.fromImageRecipeName(stack, 'ImageRecipe', 'imported-image-recipe'), + }); + + imagePipeline.onImageBuildSucceeded('ImageBuildSuccessRule'); + + Template.fromStack(stack).hasResourceProperties('AWS::Events::Rule', { + EventPattern: { + source: ['aws.imagebuilder'], + 'detail-type': ['EC2 Image Builder Image State Change'], + detail: { state: { status: ['AVAILABLE'] } }, + }, + State: 'ENABLED', + }); + }); + + test('creates a rule from onImagePipelineAutoDisabled', () => { + const imagePipeline = new ImagePipeline(stack, 'ImagePipeline', { + recipe: ImageRecipe.fromImageRecipeName(stack, 'ImageRecipe', 'imported-image-recipe'), + }); + + imagePipeline.onImagePipelineAutoDisabled('ImagePipelineAutoDisabledRule'); + + Template.fromStack(stack).hasResourceProperties('AWS::Events::Rule', { + EventPattern: { + source: ['aws.imagebuilder'], + resources: [{ 'Fn::GetAtt': ['ImagePipeline7DDDE57F', 'Arn'] }], + 'detail-type': ['EC2 Image Builder Image Pipeline Automatically Disabled'], + }, + State: 'ENABLED', + }); + }); + + test('creates a rule from onWaitForAction', () => { + const imagePipeline = new ImagePipeline(stack, 'ImagePipeline', { + recipe: ImageRecipe.fromImageRecipeName(stack, 'ImageRecipe', 'imported-image-recipe'), + }); + + imagePipeline.onWaitForAction('ImageBuildWaitingRule'); + + Template.fromStack(stack).hasResourceProperties('AWS::Events::Rule', { + EventPattern: { + source: ['aws.imagebuilder'], + 'detail-type': ['EC2 Image Builder Workflow Step Waiting'], + }, + State: 'ENABLED', + }); + }); + + test('throws a validation error when the resource name is too long', () => { + expect(() => { + new ImagePipeline(stack, 'ImagePipeline', { + imagePipelineName: 'a'.repeat(129), + recipe: ImageRecipe.fromImageRecipeName(stack, 'ImageRecipe', 'imported-image-recipe'), + }); + }).toThrow(cdk.ValidationError); + }); + + test('throws a validation error when the resource name contains spaces', () => { + expect(() => { + new ImagePipeline(stack, 'ImagePipeline', { + imagePipelineName: 'an image pipeline', + recipe: ImageRecipe.fromImageRecipeName(stack, 'ImageRecipe', 'imported-image-recipe'), + }); + }).toThrow(cdk.ValidationError); + }); + + test('throws a validation error when the resource name contains underscores', () => { + expect(() => { + new ImagePipeline(stack, 'ImagePipeline', { + imagePipelineName: 'an_image_pipeline', + recipe: ImageRecipe.fromImageRecipeName(stack, 'ImageRecipe', 'imported-image-recipe'), + }); + }).toThrow(cdk.ValidationError); + }); + + test('throws a validation error when the resource name contains uppercase characters', () => { + expect(() => { + new ImagePipeline(stack, 'ImagePipeline', { + imagePipelineName: 'AnImagePipeline', + recipe: ImageRecipe.fromImageRecipeName(stack, 'ImageRecipe', 'imported-image-recipe'), + }); + }).toThrow(cdk.ValidationError); + }); + + test('throws a validation error when the auto disable failure count is lower than the limit', () => { + expect(() => { + new ImagePipeline(stack, 'ImagePipeline', { + schedule: { expression: events.Schedule.rate(cdk.Duration.days(7)), autoDisableFailureCount: -1 }, + recipe: ImageRecipe.fromImageRecipeName(stack, 'ImageRecipe', 'imported-image-recipe'), + }); + }).toThrow(cdk.ValidationError); + }); + + test('throws a validation error when the auto disable failure count is higher than the limit', () => { + expect(() => { + new ImagePipeline(stack, 'ImagePipeline', { + schedule: { expression: events.Schedule.rate(cdk.Duration.days(7)), autoDisableFailureCount: 11 }, + recipe: ImageRecipe.fromImageRecipeName(stack, 'ImageRecipe', 'imported-image-recipe'), + }); + }).toThrow(cdk.ValidationError); + }); + + test('does not throw a validation error when the auto disable failure count is an unresolved token', () => { + expect(() => { + new ImagePipeline(stack, 'ImagePipeline', { + schedule: { + expression: events.Schedule.rate(cdk.Duration.days(7)), + autoDisableFailureCount: cdk.Lazy.number({ produce: () => 100 }), + }, + recipe: ImageRecipe.fromImageRecipeName(stack, 'ImageRecipe', 'imported-image-recipe'), + }); + }).not.toThrow(cdk.ValidationError); + }); + + test('throws a validation error when an image scanning ECR repository is provided for an AMI pipeline', () => { + expect(() => { + new ImagePipeline(stack, 'ImagePipeline', { + recipe: ImageRecipe.fromImageRecipeName(stack, 'ImageRecipe', 'imported-image-recipe'), + imageScanningEcrRepository: ecr.Repository.fromRepositoryName(stack, 'Repository', 'scanning-repo'), + }); + }).toThrow(cdk.ValidationError); + }); + + test('throws a validation error when an image scanning ECR tag is provided for an AMI pipeline', () => { + expect(() => { + new ImagePipeline(stack, 'ImagePipeline', { + recipe: ImageRecipe.fromImageRecipeName(stack, 'ImageRecipe', 'imported-image-recipe'), + imageScanningEcrTags: ['latest-scan'], + }); + }).toThrow(cdk.ValidationError); + }); + + test('throws a validation error when the recipe is neither an IImageRecipe or IContainerRecipe', () => { + class BadRecipe extends cdk.Resource implements IRecipeBase { + public grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant { + return iam.Grant.addToPrincipal({ + grantee, + actions, + resourceArns: ['*'], + scope: stack, + }); + } + + public grantRead(grantee: iam.IGrantable): iam.Grant { + return this.grant(grantee, 'imagebuilder:GetBadRecipe'); + } + + public _isContainerRecipe(): this is IContainerRecipe { + return false; + } + + public _isImageRecipe(): this is IImageRecipe { + return false; + } + } + + expect(() => new ImagePipeline(stack, 'ImagePipeline', { recipe: new BadRecipe(stack, 'BadRecipe') })).toThrow( + cdk.ValidationError, + ); + }); + + test('throws a validation error when the recipe is both an IImageRecipe and IContainerRecipe', () => { + class BadRecipe extends cdk.Resource implements IRecipeBase { + public grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant { + return iam.Grant.addToPrincipal({ + grantee, + actions, + resourceArns: ['*'], + scope: stack, + }); + } + + public grantRead(grantee: iam.IGrantable): iam.Grant { + return this.grant(grantee, 'imagebuilder:GetBadRecipe'); + } + + public _isContainerRecipe(): this is IContainerRecipe { + return true; + } + + public _isImageRecipe(): this is IImageRecipe { + return true; + } + } + + expect(() => new ImagePipeline(stack, 'ImagePipeline', { recipe: new BadRecipe(stack, 'BadRecipe') })).toThrow( + cdk.ValidationError, + ); + }); +}); diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.js.snapshot/ImagePipelineTestAMIAllParametersDefaultTestDeployAssertE01BE77E.assets.json b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.js.snapshot/ImagePipelineTestAMIAllParametersDefaultTestDeployAssertE01BE77E.assets.json new file mode 100644 index 0000000000000..a0abab27e53d3 --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.js.snapshot/ImagePipelineTestAMIAllParametersDefaultTestDeployAssertE01BE77E.assets.json @@ -0,0 +1,20 @@ +{ + "version": "48.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "displayName": "ImagePipelineTestAMIAllParametersDefaultTestDeployAssertE01BE77E Template", + "source": { + "path": "ImagePipelineTestAMIAllParametersDefaultTestDeployAssertE01BE77E.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region-d8d86b35": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.js.snapshot/ImagePipelineTestAMIAllParametersDefaultTestDeployAssertE01BE77E.template.json b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.js.snapshot/ImagePipelineTestAMIAllParametersDefaultTestDeployAssertE01BE77E.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.js.snapshot/ImagePipelineTestAMIAllParametersDefaultTestDeployAssertE01BE77E.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.js.snapshot/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters.assets.json b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.js.snapshot/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters.assets.json new file mode 100644 index 0000000000000..6ff93c2d217c5 --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.js.snapshot/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters.assets.json @@ -0,0 +1,20 @@ +{ + "version": "48.0.0", + "files": { + "93718d4fe6ed18ae76f3e0deb0941adc935c78da7a05c506b63ef3375d28b67e": { + "displayName": "aws-cdk-imagebuilder-image-pipeline-ami-all-parameters Template", + "source": { + "path": "aws-cdk-imagebuilder-image-pipeline-ami-all-parameters.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region-b48b42ea": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "93718d4fe6ed18ae76f3e0deb0941adc935c78da7a05c506b63ef3375d28b67e.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.js.snapshot/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters.template.json b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.js.snapshot/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters.template.json new file mode 100644 index 0000000000000..b6facf3aec279 --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.js.snapshot/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters.template.json @@ -0,0 +1,1087 @@ +{ + "Resources": { + "ExecutionRole605A040B": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "imagebuilder.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "ExecutionRoleDefaultPolicyA5B92313": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "ec2:RegisterImage", + "Condition": { + "StringEquals": { + "aws:RequestTag/CreatedBy": "EC2 Image Builder" + } + }, + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*::image/*" + ] + ] + } + }, + { + "Action": [ + "ec2:ModifySnapshotAttribute", + "ec2:RegisterImage" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/CreatedBy": "EC2 Image Builder" + } + }, + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*::snapshot/*" + ] + ] + } + }, + { + "Action": "ec2:RunInstances", + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*:*:key-pair/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*:*:launch-template/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*:*:network-interface/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*:*:security-group/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*:*:subnet/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*::image/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*::snapshot/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":license-manager:*:*:license-configuration:*" + ] + ] + } + ] + }, + { + "Action": "ec2:RunInstances", + "Condition": { + "StringEquals": { + "aws:RequestTag/CreatedBy": [ + "EC2 Image Builder", + "EC2 Fast Launch" + ] + } + }, + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*:*:instance/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*:*:volume/*" + ] + ] + } + ] + }, + { + "Action": "iam:PassRole", + "Condition": { + "StringEquals": { + "iam:PassedToService": [ + "ec2.amazonaws.com", + "ec2.amazonaws.com.cn", + "vmie.amazonaws.com" + ] + } + }, + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:StartInstances", + "ec2:StopInstances", + "ec2:TerminateInstances" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/CreatedBy": "EC2 Image Builder" + } + }, + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:CopyImage", + "ec2:CreateImage", + "ec2:CreateLaunchTemplate", + "ec2:DeregisterImage", + "ec2:DescribeExportImageTasks", + "ec2:DescribeHosts", + "ec2:DescribeImages", + "ec2:DescribeImportImageTasks", + "ec2:DescribeInstanceAttribute", + "ec2:DescribeInstanceStatus", + "ec2:DescribeInstanceTypeOfferings", + "ec2:DescribeInstanceTypes", + "ec2:DescribeInstances", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeLaunchTemplates", + "ec2:DescribeSnapshots", + "ec2:DescribeSubnets", + "ec2:DescribeTags", + "ec2:ModifyImageAttribute", + "inspector2:ListCoverage", + "inspector2:ListFindings", + "ssm:AddTagsToResource", + "ssm:DescribeAssociationExecutions", + "ssm:DescribeInstanceAssociationsStatus", + "ssm:DescribeInstanceInformation", + "ssm:GetCommandInvocation", + "ssm:ListCommandInvocations", + "ssm:ListCommands", + "ssm:ListInventoryEntries" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "RunInstances", + "CreateImage" + ], + "aws:RequestTag/CreatedBy": [ + "EC2 Image Builder", + "EC2 Fast Launch" + ] + } + }, + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": "ec2:CreateTags", + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*:*:export-image-task/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*::image/*" + ] + ] + } + ] + }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "aws:RequestTag/CreatedBy": [ + "EC2 Image Builder", + "EC2 Fast Launch" + ] + } + }, + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*:*:launch-template/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*::snapshot/*" + ] + ] + } + ] + }, + { + "Action": "sns:Publish", + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":sns:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":*" + ] + ] + } + }, + { + "Action": "ssm:SendCommand", + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ssm:*:*:document/AWS-RunPowerShellScript" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ssm:*:*:document/AWS-RunShellScript" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ssm:*:*:document/AWSEC2-RunSysprep" + ] + ] + } + ] + }, + { + "Action": "ssm:SendCommand", + "Condition": { + "StringEquals": { + "ssm:resourceTag/CreatedBy": [ + "EC2 Image Builder" + ] + } + }, + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*:*:instance/*" + ] + ] + } + }, + { + "Action": [ + "ssm:CreateAssociation", + "ssm:DeleteAssociation" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*:*:instance/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ssm:*:*:association/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ssm:*:*:document/AWS-GatherSoftwareInventory" + ] + ] + } + ] + }, + { + "Action": [ + "kms:Decrypt", + "kms:Encrypt", + "kms:GenerateDataKeyWithoutPlaintext", + "kms:ReEncryptFrom", + "kms:ReEncryptTo" + ], + "Condition": { + "ForAllValues:StringEquals": { + "kms:EncryptionContextKeys": [ + "aws:ebs:id" + ] + }, + "StringLike": { + "kms:ViaService": [ + "ec2.*.amazonaws.com" + ] + } + }, + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": "kms:DescribeKey", + "Condition": { + "StringLike": { + "kms:ViaService": [ + "ec2.*.amazonaws.com" + ] + } + }, + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": "kms:CreateGrant", + "Condition": { + "Bool": { + "kms:GrantIsForAWSResource": true + }, + "StringLike": { + "kms:ViaService": [ + "ec2.*.amazonaws.com" + ] + } + }, + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:*:*:log-group:/aws/imagebuilder/*" + ] + ] + } + }, + { + "Action": "iam:CreateServiceLinkedRole", + "Condition": { + "StringEquals": { + "iam:AWSServiceName": [ + "ssm.amazonaws.com" + ] + } + }, + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "events:DeleteRule", + "events:DescribeRule", + "events:PutRule", + "events:PutTargets", + "events:RemoveTargets" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":events:*:*:rule/ImageBuilder-*" + ] + ] + } + }, + { + "Action": [ + "ssm:GetParameter", + "ssm:PutParameter" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ssm:*:*:parameter/imagebuilder/*" + ] + ] + } + }, + { + "Action": "ssm:GetParameter", + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ssm:*::parameter/aws/service/*" + ] + ] + } + }, + { + "Action": "license-manager:UpdateLicenseSpecificationsForResource", + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":license-manager:*:", + { + "Ref": "AWS::AccountId" + }, + ":license-configuration:*" + ] + ] + } + }, + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::*:role/EC2ImageBuilderDistributionCrossAccountRole" + ] + ] + } + }, + { + "Action": [ + "ec2:CreateLaunchTemplateVersion", + "ec2:ModifyLaunchTemplate" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":launch-template/*" + ] + ] + } + }, + { + "Action": "ec2:ExportImage", + "Condition": { + "StringEquals": { + "ec2:ResourceTag/CreatedBy": "EC2 Image Builder" + } + }, + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*::image/*" + ] + ] + } + }, + { + "Action": "ec2:ExportImage", + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*:*:export-image-task/*" + ] + ] + } + }, + { + "Action": "ec2:CancelExportTask", + "Condition": { + "StringEquals": { + "ec2:ResourceTag/CreatedBy": "EC2 Image Builder" + } + }, + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*:*:export-image-task/*" + ] + ] + } + }, + { + "Action": "iam:CreateServiceLinkedRole", + "Condition": { + "StringEquals": { + "iam:AWSServiceName": [ + "ec2fastlaunch.amazonaws.com" + ] + } + }, + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "ExecutionRoleDefaultPolicyA5B92313", + "Roles": [ + { + "Ref": "ExecutionRole605A040B" + } + ] + } + }, + "ExecutionRoleOverflowPolicy19707E3D1": { + "Type": "AWS::IAM::ManagedPolicy", + "Properties": { + "Description": "Part of the policies for aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ExecutionRole", + "Path": "/", + "PolicyDocument": { + "Statement": [ + { + "Action": "ec2:EnableFastLaunch", + "Condition": { + "StringEquals": { + "ec2:ResourceTag/CreatedBy": "EC2 Image Builder" + } + }, + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*:*:launch-template/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*::image/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + }, + "Roles": [ + { + "Ref": "ExecutionRole605A040B" + } + ] + } + }, + "ImageLogGroupD34F5836": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "RetentionInDays": 731 + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "ImagePipelineLogGroup7E475C9B": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "RetentionInDays": 731 + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "InfrastructureConfigurationInstanceProfileRole3AFA1533": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "ec2.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AmazonSSMManagedInstanceCore" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/EC2InstanceProfileForImageBuilder" + ] + ] + } + ] + } + }, + "InfrastructureConfigurationInstanceProfile8FD9235B": { + "Type": "AWS::IAM::InstanceProfile", + "Properties": { + "Roles": [ + { + "Ref": "InfrastructureConfigurationInstanceProfileRole3AFA1533" + } + ] + } + }, + "InfrastructureConfiguration86C7777D": { + "Type": "AWS::ImageBuilder::InfrastructureConfiguration", + "Properties": { + "InstanceMetadataOptions": { + "HttpPutResponseHopLimit": 2, + "HttpTokens": "required" + }, + "InstanceProfileName": { + "Ref": "InfrastructureConfigurationInstanceProfile8FD9235B" + }, + "Name": "aws-cdk-imagebuilder-image-pipeline-ami-all-parameters-infrastructureconfiguration-82cabe27" + } + }, + "ImageRecipe8C789631": { + "Type": "AWS::ImageBuilder::ImageRecipe", + "Properties": { + "Name": "aws-cdk-imagebuilder-image-pipeline-ami-all-parameters-imagerecipe-e6bfe19c", + "ParentImage": "ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-default-x86_64", + "Version": "1.0.x" + } + }, + "AMIDistributionConfigurationA286FE05": { + "Type": "AWS::ImageBuilder::DistributionConfiguration", + "Properties": { + "Distributions": [ + { + "AmiDistributionConfiguration": { + "Name": "imagebuidler-{{ imagebuilder:buildDate }}" + }, + "Region": { + "Ref": "AWS::Region" + } + } + ], + "Name": "aws-cdk-imagebuilder-image-pipeline-ami-all-parameters-amidistributionconfiguration-12cb7eed" + } + }, + "ImagePipelineAMI7635ECE0": { + "Type": "AWS::ImageBuilder::ImagePipeline", + "Properties": { + "Description": "this is an image pipeline description.", + "DistributionConfigurationArn": { + "Fn::GetAtt": [ + "AMIDistributionConfigurationA286FE05", + "Arn" + ] + }, + "EnhancedImageMetadataEnabled": true, + "ExecutionRole": { + "Fn::GetAtt": [ + "ExecutionRole605A040B", + "Arn" + ] + }, + "ImageRecipeArn": { + "Fn::GetAtt": [ + "ImageRecipe8C789631", + "Arn" + ] + }, + "ImageScanningConfiguration": { + "ImageScanningEnabled": true + }, + "ImageTestsConfiguration": { + "ImageTestsEnabled": true + }, + "InfrastructureConfigurationArn": { + "Fn::GetAtt": [ + "InfrastructureConfiguration86C7777D", + "Arn" + ] + }, + "LoggingConfiguration": { + "ImageLogGroupName": { + "Ref": "ImageLogGroupD34F5836" + }, + "PipelineLogGroupName": { + "Ref": "ImagePipelineLogGroup7E475C9B" + } + }, + "Name": "test-image-pipeline", + "Schedule": { + "AutoDisablePolicy": { + "FailureCount": 5 + }, + "PipelineExecutionStartCondition": "EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE", + "ScheduleExpression": "cron(0 7 ? * mon *)" + }, + "Status": "ENABLED", + "Workflows": [ + { + "WorkflowArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":imagebuilder:", + { + "Ref": "AWS::Region" + }, + ":aws:workflow/build/build-image/x.x.x" + ] + ] + } + } + ] + } + }, + "ImagePipelineAMIImageBuildSuccessTriggerRuleA11584AD": { + "Type": "AWS::Events::Rule", + "Properties": { + "EventPattern": { + "source": [ + "aws.imagebuilder" + ] + }, + "State": "ENABLED" + } + }, + "ImagePipelineAMIImageBuildCVEDetectedTriggerRule84FC4210": { + "Type": "AWS::Events::Rule", + "Properties": { + "EventPattern": { + "detail-type": [ + "EC2 Image Builder CVE Detected" + ], + "resources": [ + { + "Fn::GetAtt": [ + "ImagePipelineAMI7635ECE0", + "Arn" + ] + } + ], + "source": [ + "aws.imagebuilder" + ] + }, + "State": "ENABLED" + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.js.snapshot/cdk.out b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.js.snapshot/cdk.out new file mode 100644 index 0000000000000..523a9aac37cbf --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"48.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.js.snapshot/integ.json b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.js.snapshot/integ.json new file mode 100644 index 0000000000000..3fffac63ff2b9 --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.js.snapshot/integ.json @@ -0,0 +1,13 @@ +{ + "version": "48.0.0", + "testCases": { + "ImagePipelineTest-AMI-AllParameters/DefaultTest": { + "stacks": [ + "aws-cdk-imagebuilder-image-pipeline-ami-all-parameters" + ], + "assertionStack": "ImagePipelineTest-AMI-AllParameters/DefaultTest/DeployAssert", + "assertionStackName": "ImagePipelineTestAMIAllParametersDefaultTestDeployAssertE01BE77E" + } + }, + "minimumCliVersion": "2.1027.0" +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.js.snapshot/manifest.json b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.js.snapshot/manifest.json new file mode 100644 index 0000000000000..2f5c24f3f70b1 --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.js.snapshot/manifest.json @@ -0,0 +1,1460 @@ +{ + "version": "48.0.0", + "artifacts": { + "aws-cdk-imagebuilder-image-pipeline-ami-all-parameters.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "aws-cdk-imagebuilder-image-pipeline-ami-all-parameters.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "aws-cdk-imagebuilder-image-pipeline-ami-all-parameters": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "aws-cdk-imagebuilder-image-pipeline-ami-all-parameters.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/93718d4fe6ed18ae76f3e0deb0941adc935c78da7a05c506b63ef3375d28b67e.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "aws-cdk-imagebuilder-image-pipeline-ami-all-parameters.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "aws-cdk-imagebuilder-image-pipeline-ami-all-parameters.assets" + ], + "metadata": { + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ExecutionRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + } + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ExecutionRole/ImportExecutionRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ExecutionRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ExecutionRole605A040B" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ExecutionRole/DefaultPolicy": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ExecutionRole/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ExecutionRoleDefaultPolicyA5B92313" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ExecutionRole/OverflowPolicy1": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "description": "*", + "document": "*", + "roles": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ExecutionRole/OverflowPolicy1/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ExecutionRoleOverflowPolicy19707E3D1" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ImageLogGroup": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "removalPolicy": "destroy" + } + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ImageLogGroup/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ImageLogGroupD34F5836" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ImagePipelineLogGroup": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "removalPolicy": "destroy" + } + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ImagePipelineLogGroup/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ImagePipelineLogGroup7E475C9B" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/InfrastructureConfiguration": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/InfrastructureConfiguration/InstanceProfileRole": [ + { + "type": "aws:cdk:warning", + "data": "Failed to add construct metadata for node [InstanceProfileRole]. Reason: ValidationError: The result of fromAwsManagedPolicyName can not be used in this API [ack: @aws-cdk/core:addConstructMetadataFailed]" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/InfrastructureConfiguration/InstanceProfileRole/ImportInstanceProfileRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/InfrastructureConfiguration/InstanceProfileRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "InfrastructureConfigurationInstanceProfileRole3AFA1533" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/InfrastructureConfiguration/InstanceProfile": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "role": "*" + } + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/InfrastructureConfiguration/InstanceProfile/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "InfrastructureConfigurationInstanceProfile8FD9235B" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/InfrastructureConfiguration/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "InfrastructureConfiguration86C7777D" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ImageRecipe": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ImageRecipe/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ImageRecipe8C789631" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/AMIDistributionConfiguration": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/AMIDistributionConfiguration/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "AMIDistributionConfigurationA286FE05" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ImagePipeline-AMI/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ImagePipelineAMI7635ECE0" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ImagePipeline-AMI/ImageBuildSuccessTriggerRule": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addEventPattern": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addTarget": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addEventPattern": [ + { + "source": "*" + } + ] + } + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ImagePipeline-AMI/ImageBuildSuccessTriggerRule/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ImagePipelineAMIImageBuildSuccessTriggerRuleA11584AD" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ImagePipeline-AMI/ImageBuildCVEDetectedTriggerRule": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "eventPattern": { + "detailType": "*", + "resources": "*" + } + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addEventPattern": [ + { + "detailType": "*", + "resources": "*" + } + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addTarget": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addEventPattern": [ + { + "source": "*", + "resources": "*", + "detailType": "*" + } + ] + } + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ImagePipeline-AMI/ImageBuildCVEDetectedTriggerRule/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ImagePipelineAMIImageBuildCVEDetectedTriggerRule84FC4210" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "aws-cdk-imagebuilder-image-pipeline-ami-all-parameters" + }, + "ImagePipelineTestAMIAllParametersDefaultTestDeployAssertE01BE77E.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "ImagePipelineTestAMIAllParametersDefaultTestDeployAssertE01BE77E.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "ImagePipelineTestAMIAllParametersDefaultTestDeployAssertE01BE77E": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "ImagePipelineTestAMIAllParametersDefaultTestDeployAssertE01BE77E.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "ImagePipelineTestAMIAllParametersDefaultTestDeployAssertE01BE77E.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "ImagePipelineTestAMIAllParametersDefaultTestDeployAssertE01BE77E.assets" + ], + "metadata": { + "/ImagePipelineTest-AMI-AllParameters/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/ImagePipelineTest-AMI-AllParameters/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "ImagePipelineTest-AMI-AllParameters/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + }, + "aws-cdk-lib/feature-flag-report": { + "type": "cdk:feature-flag-report", + "properties": { + "module": "aws-cdk-lib", + "flags": { + "@aws-cdk/aws-signer:signingProfileNamePassedToCfn": { + "userValue": true, + "recommendedValue": true, + "explanation": "Pass signingProfileName to CfnSigningProfile" + }, + "@aws-cdk/core:newStyleStackSynthesis": { + "recommendedValue": true, + "explanation": "Switch to new stack synthesis method which enables CI/CD", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:stackRelativeExports": { + "recommendedValue": true, + "explanation": "Name exports based on the construct paths relative to the stack, rather than the global construct path", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener": { + "userValue": true, + "recommendedValue": true, + "explanation": "Disable implicit openListener when custom security groups are provided" + }, + "@aws-cdk/aws-rds:lowercaseDbIdentifier": { + "recommendedValue": true, + "explanation": "Force lowercasing of RDS Cluster names in CDK", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": { + "recommendedValue": true, + "explanation": "Allow adding/removing multiple UsagePlanKeys independently", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeVersionProps": { + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeLayerVersion": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`." + }, + "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": { + "recommendedValue": true, + "explanation": "Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:checkSecretUsage": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this flag to make it impossible to accidentally use SecretValues in unsafe locations" + }, + "@aws-cdk/core:target-partitions": { + "recommendedValue": [ + "aws", + "aws-cn" + ], + "explanation": "What regions to include in lookup tables of environment agnostic stacks" + }, + "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": { + "userValue": true, + "recommendedValue": true, + "explanation": "ECS extensions will automatically add an `awslogs` driver if no logging is specified" + }, + "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to have Launch Templates generated by the `InstanceRequireImdsv2Aspect` use unique names." + }, + "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": { + "userValue": true, + "recommendedValue": true, + "explanation": "ARN format used by ECS. In the new ARN format, the cluster name is part of the resource ID." + }, + "@aws-cdk/aws-iam:minimizePolicies": { + "userValue": true, + "recommendedValue": true, + "explanation": "Minimize IAM policies by combining Statements" + }, + "@aws-cdk/core:validateSnapshotRemovalPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Error on snapshot removal policies on resources that do not support it." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate key aliases that include the stack name" + }, + "@aws-cdk/aws-s3:createDefaultLoggingPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to create an S3 bucket policy by default in cases where an AWS service would automatically create the Policy if one does not exist." + }, + "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict KMS key policy for encrypted Queues a bit more" + }, + "@aws-cdk/aws-apigateway:disableCloudWatchRole": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make default CloudWatch Role behavior safe for multiple API Gateways in one environment" + }, + "@aws-cdk/core:enablePartitionLiterals": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make ARNs concrete if AWS partition is known" + }, + "@aws-cdk/aws-events:eventsTargetQueueSameAccount": { + "userValue": true, + "recommendedValue": true, + "explanation": "Event Rules may only push to encrypted SQS queues in the same account" + }, + "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": { + "userValue": true, + "recommendedValue": true, + "explanation": "Avoid setting the \"ECS\" deployment controller when adding a circuit breaker" + }, + "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature to create default policy names for imported roles that depend on the stack the role is in." + }, + "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use S3 Bucket Policy instead of ACLs for Server Access Logging" + }, + "@aws-cdk/aws-route53-patters:useCertificate": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use the official `Certificate` resource instead of `DnsValidatedCertificate`" + }, + "@aws-cdk/customresources:installLatestAwsSdkDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "Whether to install the latest SDK by default in AwsCustomResource" + }, + "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use unique resource name for Database Proxy" + }, + "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Remove CloudWatch alarms from deployment group" + }, + "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include authorizer configuration in the calculation of the API deployment logical ID." + }, + "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": { + "userValue": true, + "recommendedValue": true, + "explanation": "Define user data for a launch template by default when a machine image is provided." + }, + "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": { + "userValue": true, + "recommendedValue": true, + "explanation": "SecretTargetAttachments uses the ResourcePolicy of the attached Secret." + }, + "@aws-cdk/aws-redshift:columnId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Whether to use an ID to track Redshift column changes" + }, + "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable AmazonEMRServicePolicy_v2 managed policies" + }, + "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict access to the VPC default security group" + }, + "@aws-cdk/aws-apigateway:requestValidatorUniqueId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a unique id for each RequestValidator added to a method" + }, + "@aws-cdk/aws-kms:aliasNameRef": { + "userValue": true, + "recommendedValue": true, + "explanation": "KMS Alias name and keyArn will have implicit reference to KMS Key" + }, + "@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable grant methods on Aliases imported by name to use kms:ResourceAliases condition" + }, + "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a launch template when creating an AutoScalingGroup" + }, + "@aws-cdk/core:includePrefixInUniqueNameGeneration": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include the stack prefix in the stack name generation process" + }, + "@aws-cdk/aws-efs:denyAnonymousAccess": { + "userValue": true, + "recommendedValue": true, + "explanation": "EFS denies anonymous clients accesses" + }, + "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables support for Multi-AZ with Standby deployment for opensearch domains" + }, + "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables aws-lambda-nodejs.Function to use the latest available NodeJs runtime as the default" + }, + "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, mount targets will have a stable logicalId that is linked to the associated subnet." + }, + "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a scope of InstanceParameterGroup for AuroraClusterInstance with each parameters will change." + }, + "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, will always use the arn for identifiers for CfnSourceApiAssociation in the GraphqlApi construct rather than id." + }, + "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials." + }, + "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the CodeCommit source action is using the default branch name 'main'." + }, + "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default value for crossAccountKeys to false." + }, + "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default pipeline type to V2." + }, + "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only." + }, + "@aws-cdk/pipelines:reduceAssetRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from PipelineAssetsFileRole trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-eks:nodegroupNameAttribute": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix." + }, + "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default volume type of the EBS volume will be GP3" + }, + "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, remove default deployment alarm settings" + }, + "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default" + }, + "@aws-cdk/aws-s3:keepNotificationInImportedBucket": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, Adding notifications to a bucket in the current stack will not remove notification from imported stack." + }, + "@aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask": { + "recommendedValue": true, + "explanation": "When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:explicitStackTags": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, stack tags need to be assigned explicitly on a Stack." + }, + "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": { + "userValue": false, + "recommendedValue": false, + "explanation": "When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)**" + }, + "@aws-cdk/aws-ecs:disableEcsImdsBlocking": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)**" + }, + "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, we will only grant the necessary permissions when users specify cloudwatch log group through logConfiguration" + }, + "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas" + }, + "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, initOptions.timeout and resourceSignalTimeout values will be summed together." + }, + "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a Lambda authorizer Permission created when using GraphqlApi will be properly scoped with a SourceArn." + }, + "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn`" + }, + "@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CFN templates added with `cfn-include` will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values." + }, + "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, both `@aws-sdk` and `@smithy` packages will be excluded from the Lambda Node.js 18.x runtime to prevent version mismatches in bundled applications." + }, + "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN." + }, + "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2." + }, + "@aws-cdk/core:aspectStabilization": { + "recommendedValue": true, + "explanation": "When enabled, a stabilization loop will be run when invoking Aspects during synthesis.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource." + }, + "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere" + }, + "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default behaviour of OIDC provider will reject unauthorized connections" + }, + "@aws-cdk/core:enableAdditionalMetadataCollection": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues." + }, + "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": { + "userValue": false, + "recommendedValue": false, + "explanation": "[Deprecated] When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement" + }, + "@aws-cdk/aws-s3:setUniqueReplicationRoleName": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will automatically generate a unique role name that is used for s3 object replication." + }, + "@aws-cdk/pipelines:reduceStageRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from Stage addActions trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-events:requireEventBusPolicySid": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, grantPutEventsTo() will use resource policies with Statement IDs for service principals." + }, + "@aws-cdk/core:aspectPrioritiesMutating": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, Aspects added by the construct library on your behalf will be given a priority of MUTATING." + }, + "@aws-cdk/aws-dynamodb:retainTableReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, table replica will be default to the removal policy of source table unless specified otherwise." + }, + "@aws-cdk/cognito:logUserPoolClientSecretValue": { + "recommendedValue": false, + "explanation": "When disabled, the value of the user pool client secret will not be logged in the custom resource lambda function logs." + }, + "@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope": { + "recommendedValue": true, + "explanation": "When enabled, scopes down the trust policy for the cross-account action role", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resultWriterV2 property of DistributedMap will be used insted of resultWriter" + }, + "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": { + "userValue": true, + "recommendedValue": true, + "explanation": "Add an S3 trust policy to a KMS key resource policy for SNS subscriptions." + }, + "@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the EgressOnlyGateway resource is only created if private subnets are defined in the dual-stack VPC." + }, + "@aws-cdk/aws-ec2-alpha:useResourceIdForVpcV2Migration": { + "recommendedValue": false, + "explanation": "When enabled, use resource IDs for VPC V2 migration" + }, + "@aws-cdk/aws-s3:publicAccessBlockedByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, setting any combination of options for BlockPublicAccess will automatically set true for any options not defined." + }, + "@aws-cdk/aws-lambda:useCdkManagedLogGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK creates and manages loggroup for the lambda function" + }, + "@aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault": { + "recommendedValue": true, + "explanation": "When enabled, Network Load Balancer will be created with a security group by default." + }, + "@aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint": { + "recommendedValue": true, + "explanation": "When enabled, allows using a dynamic apiEndpoint with JSONPath format in HttpInvoke tasks.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId": { + "recommendedValue": true, + "explanation": "When enabled, ECS patterns will generate unique target group IDs to prevent conflicts during load balancer replacement" + } + } + } + } + }, + "minimumCliVersion": "2.1031.2" +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.js.snapshot/tree.json b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.js.snapshot/tree.json new file mode 100644 index 0000000000000..2d1e93deb6969 --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.js.snapshot/tree.json @@ -0,0 +1 @@ +{"version":"tree-0.1","tree":{"id":"App","path":"","constructInfo":{"fqn":"aws-cdk-lib.App","version":"0.0.0"},"children":{"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters":{"id":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"ExecutionRole":{"id":"ExecutionRole","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ExecutionRole","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[{"assumedBy":{"principalAccount":"*","assumeRoleAction":"*"}},{"addToPrincipalPolicy":[{}]},{"attachInlinePolicy":["*"]},{"attachInlinePolicy":["*"]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]}]},"children":{"ImportExecutionRole":{"id":"ImportExecutionRole","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ExecutionRole/ImportExecutionRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ExecutionRole/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"imagebuilder.amazonaws.com"}}],"Version":"2012-10-17"}}}},"DefaultPolicy":{"id":"DefaultPolicy","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ExecutionRole/DefaultPolicy","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":["*",{"attachToRole":["*"]},{"attachToRole":["*"]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ExecutionRole/DefaultPolicy/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":"ec2:RegisterImage","Condition":{"StringEquals":{"aws:RequestTag/CreatedBy":"EC2 Image Builder"}},"Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*::image/*"]]}},{"Action":["ec2:ModifySnapshotAttribute","ec2:RegisterImage"],"Condition":{"StringEquals":{"ec2:ResourceTag/CreatedBy":"EC2 Image Builder"}},"Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*::snapshot/*"]]}},{"Action":"ec2:RunInstances","Effect":"Allow","Resource":[{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*:*:key-pair/*"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*:*:launch-template/*"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*:*:network-interface/*"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*:*:security-group/*"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*:*:subnet/*"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*::image/*"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*::snapshot/*"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":license-manager:*:*:license-configuration:*"]]}]},{"Action":"ec2:RunInstances","Condition":{"StringEquals":{"aws:RequestTag/CreatedBy":["EC2 Image Builder","EC2 Fast Launch"]}},"Effect":"Allow","Resource":[{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*:*:instance/*"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*:*:volume/*"]]}]},{"Action":"iam:PassRole","Condition":{"StringEquals":{"iam:PassedToService":["ec2.amazonaws.com","ec2.amazonaws.com.cn","vmie.amazonaws.com"]}},"Effect":"Allow","Resource":"*"},{"Action":["ec2:StartInstances","ec2:StopInstances","ec2:TerminateInstances"],"Condition":{"StringEquals":{"ec2:ResourceTag/CreatedBy":"EC2 Image Builder"}},"Effect":"Allow","Resource":"*"},{"Action":["ec2:CopyImage","ec2:CreateImage","ec2:CreateLaunchTemplate","ec2:DeregisterImage","ec2:DescribeExportImageTasks","ec2:DescribeHosts","ec2:DescribeImages","ec2:DescribeImportImageTasks","ec2:DescribeInstanceAttribute","ec2:DescribeInstanceStatus","ec2:DescribeInstanceTypeOfferings","ec2:DescribeInstanceTypes","ec2:DescribeInstances","ec2:DescribeLaunchTemplateVersions","ec2:DescribeLaunchTemplates","ec2:DescribeSnapshots","ec2:DescribeSubnets","ec2:DescribeTags","ec2:ModifyImageAttribute","inspector2:ListCoverage","inspector2:ListFindings","ssm:AddTagsToResource","ssm:DescribeAssociationExecutions","ssm:DescribeInstanceAssociationsStatus","ssm:DescribeInstanceInformation","ssm:GetCommandInvocation","ssm:ListCommandInvocations","ssm:ListCommands","ssm:ListInventoryEntries"],"Effect":"Allow","Resource":"*"},{"Action":"ec2:CreateTags","Condition":{"StringEquals":{"ec2:CreateAction":["RunInstances","CreateImage"],"aws:RequestTag/CreatedBy":["EC2 Image Builder","EC2 Fast Launch"]}},"Effect":"Allow","Resource":"*"},{"Action":"ec2:CreateTags","Effect":"Allow","Resource":[{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*:*:export-image-task/*"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*::image/*"]]}]},{"Action":"ec2:CreateTags","Condition":{"StringEquals":{"aws:RequestTag/CreatedBy":["EC2 Image Builder","EC2 Fast Launch"]}},"Effect":"Allow","Resource":[{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*:*:launch-template/*"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*::snapshot/*"]]}]},{"Action":"sns:Publish","Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":sns:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":*"]]}},{"Action":"ssm:SendCommand","Effect":"Allow","Resource":[{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":s3:::*"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ssm:*:*:document/AWS-RunPowerShellScript"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ssm:*:*:document/AWS-RunShellScript"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ssm:*:*:document/AWSEC2-RunSysprep"]]}]},{"Action":"ssm:SendCommand","Condition":{"StringEquals":{"ssm:resourceTag/CreatedBy":["EC2 Image Builder"]}},"Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*:*:instance/*"]]}},{"Action":["ssm:CreateAssociation","ssm:DeleteAssociation"],"Effect":"Allow","Resource":[{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*:*:instance/*"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ssm:*:*:association/*"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ssm:*:*:document/AWS-GatherSoftwareInventory"]]}]},{"Action":["kms:Decrypt","kms:Encrypt","kms:GenerateDataKeyWithoutPlaintext","kms:ReEncryptFrom","kms:ReEncryptTo"],"Condition":{"ForAllValues:StringEquals":{"kms:EncryptionContextKeys":["aws:ebs:id"]},"StringLike":{"kms:ViaService":["ec2.*.amazonaws.com"]}},"Effect":"Allow","Resource":"*"},{"Action":"kms:DescribeKey","Condition":{"StringLike":{"kms:ViaService":["ec2.*.amazonaws.com"]}},"Effect":"Allow","Resource":"*"},{"Action":"kms:CreateGrant","Condition":{"Bool":{"kms:GrantIsForAWSResource":true},"StringLike":{"kms:ViaService":["ec2.*.amazonaws.com"]}},"Effect":"Allow","Resource":"*"},{"Action":["logs:CreateLogGroup","logs:CreateLogStream","logs:PutLogEvents"],"Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":logs:*:*:log-group:/aws/imagebuilder/*"]]}},{"Action":"iam:CreateServiceLinkedRole","Condition":{"StringEquals":{"iam:AWSServiceName":["ssm.amazonaws.com"]}},"Effect":"Allow","Resource":"*"},{"Action":["events:DeleteRule","events:DescribeRule","events:PutRule","events:PutTargets","events:RemoveTargets"],"Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":events:*:*:rule/ImageBuilder-*"]]}},{"Action":["ssm:GetParameter","ssm:PutParameter"],"Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ssm:*:*:parameter/imagebuilder/*"]]}},{"Action":"ssm:GetParameter","Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ssm:*::parameter/aws/service/*"]]}},{"Action":"license-manager:UpdateLicenseSpecificationsForResource","Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":license-manager:*:",{"Ref":"AWS::AccountId"},":license-configuration:*"]]}},{"Action":"sts:AssumeRole","Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":iam::*:role/EC2ImageBuilderDistributionCrossAccountRole"]]}},{"Action":["ec2:CreateLaunchTemplateVersion","ec2:ModifyLaunchTemplate"],"Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":launch-template/*"]]}},{"Action":"ec2:ExportImage","Condition":{"StringEquals":{"ec2:ResourceTag/CreatedBy":"EC2 Image Builder"}},"Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*::image/*"]]}},{"Action":"ec2:ExportImage","Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*:*:export-image-task/*"]]}},{"Action":"ec2:CancelExportTask","Condition":{"StringEquals":{"ec2:ResourceTag/CreatedBy":"EC2 Image Builder"}},"Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*:*:export-image-task/*"]]}},{"Action":"iam:CreateServiceLinkedRole","Condition":{"StringEquals":{"iam:AWSServiceName":["ec2fastlaunch.amazonaws.com"]}},"Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"},"policyName":"ExecutionRoleDefaultPolicyA5B92313","roles":[{"Ref":"ExecutionRole605A040B"}]}}}}},"OverflowPolicy1":{"id":"OverflowPolicy1","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ExecutionRole/OverflowPolicy1","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.ManagedPolicy","version":"0.0.0","metadata":[{"description":"*","document":"*","roles":["*"]},{"attachToRole":["*"]}]},"children":{"ImportedOverflowPolicy1":{"id":"ImportedOverflowPolicy1","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ExecutionRole/OverflowPolicy1/ImportedOverflowPolicy1","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":[]}},"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ExecutionRole/OverflowPolicy1/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnManagedPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::ManagedPolicy","aws:cdk:cloudformation:props":{"description":"Part of the policies for aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ExecutionRole","path":"/","policyDocument":{"Statement":[{"Action":"ec2:EnableFastLaunch","Condition":{"StringEquals":{"ec2:ResourceTag/CreatedBy":"EC2 Image Builder"}},"Effect":"Allow","Resource":[{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*:*:launch-template/*"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*::image/*"]]}]}],"Version":"2012-10-17"},"roles":[{"Ref":"ExecutionRole605A040B"}]}}}}}}},"ImageLogGroup":{"id":"ImageLogGroup","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ImageLogGroup","constructInfo":{"fqn":"aws-cdk-lib.aws_logs.LogGroup","version":"0.0.0","metadata":[{"removalPolicy":"destroy"}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ImageLogGroup/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_logs.CfnLogGroup","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Logs::LogGroup","aws:cdk:cloudformation:props":{"retentionInDays":731}}}}},"ImagePipelineLogGroup":{"id":"ImagePipelineLogGroup","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ImagePipelineLogGroup","constructInfo":{"fqn":"aws-cdk-lib.aws_logs.LogGroup","version":"0.0.0","metadata":[{"removalPolicy":"destroy"}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ImagePipelineLogGroup/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_logs.CfnLogGroup","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Logs::LogGroup","aws:cdk:cloudformation:props":{"retentionInDays":731}}}}},"InfrastructureConfiguration":{"id":"InfrastructureConfiguration","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/InfrastructureConfiguration","constructInfo":{"fqn":"@aws-cdk/aws-imagebuilder-alpha.InfrastructureConfiguration","version":"0.0.0","metadata":["*"]},"children":{"InstanceProfileRole":{"id":"InstanceProfileRole","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/InfrastructureConfiguration/InstanceProfileRole","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[]},"children":{"ImportInstanceProfileRole":{"id":"ImportInstanceProfileRole","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/InfrastructureConfiguration/InstanceProfileRole/ImportInstanceProfileRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/InfrastructureConfiguration/InstanceProfileRole/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"}}],"Version":"2012-10-17"},"managedPolicyArns":[{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":iam::aws:policy/AmazonSSMManagedInstanceCore"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":iam::aws:policy/EC2InstanceProfileForImageBuilder"]]}]}}}}},"InstanceProfile":{"id":"InstanceProfile","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/InfrastructureConfiguration/InstanceProfile","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.InstanceProfile","version":"0.0.0","metadata":[{"role":"*"}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/InfrastructureConfiguration/InstanceProfile/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnInstanceProfile","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::InstanceProfile","aws:cdk:cloudformation:props":{"roles":[{"Ref":"InfrastructureConfigurationInstanceProfileRole3AFA1533"}]}}}}},"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/InfrastructureConfiguration/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_imagebuilder.CfnInfrastructureConfiguration","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::ImageBuilder::InfrastructureConfiguration","aws:cdk:cloudformation:props":{"instanceMetadataOptions":{"httpTokens":"required","httpPutResponseHopLimit":2},"instanceProfileName":{"Ref":"InfrastructureConfigurationInstanceProfile8FD9235B"},"name":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters-infrastructureconfiguration-82cabe27"}}}}},"ImageRecipe":{"id":"ImageRecipe","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ImageRecipe","constructInfo":{"fqn":"@aws-cdk/aws-imagebuilder-alpha.ImageRecipe","version":"0.0.0","metadata":["*","*"]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ImageRecipe/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_imagebuilder.CfnImageRecipe","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::ImageBuilder::ImageRecipe","aws:cdk:cloudformation:props":{"name":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters-imagerecipe-e6bfe19c","parentImage":"ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-default-x86_64","version":"1.0.x"}}}}},"AMIDistributionConfiguration":{"id":"AMIDistributionConfiguration","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/AMIDistributionConfiguration","constructInfo":{"fqn":"@aws-cdk/aws-imagebuilder-alpha.DistributionConfiguration","version":"0.0.0","metadata":["*","*","*","*"]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/AMIDistributionConfiguration/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_imagebuilder.CfnDistributionConfiguration","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::ImageBuilder::DistributionConfiguration","aws:cdk:cloudformation:props":{"distributions":[{"region":{"Ref":"AWS::Region"},"amiDistributionConfiguration":{"Name":"imagebuidler-{{ imagebuilder:buildDate }}"}}],"name":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters-amidistributionconfiguration-12cb7eed"}}}}},"BuildImage":{"id":"BuildImage","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/BuildImage","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":[]}},"ImagePipeline-AMI":{"id":"ImagePipeline-AMI","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ImagePipeline-AMI","constructInfo":{"fqn":"@aws-cdk/aws-imagebuilder-alpha.ImagePipeline","version":"0.0.0","metadata":[]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ImagePipeline-AMI/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_imagebuilder.CfnImagePipeline","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::ImageBuilder::ImagePipeline","aws:cdk:cloudformation:props":{"description":"this is an image pipeline description.","distributionConfigurationArn":{"Fn::GetAtt":["AMIDistributionConfigurationA286FE05","Arn"]},"enhancedImageMetadataEnabled":true,"executionRole":{"Fn::GetAtt":["ExecutionRole605A040B","Arn"]},"imageRecipeArn":{"Fn::GetAtt":["ImageRecipe8C789631","Arn"]},"imageScanningConfiguration":{"imageScanningEnabled":true},"imageTestsConfiguration":{"imageTestsEnabled":true},"infrastructureConfigurationArn":{"Fn::GetAtt":["InfrastructureConfiguration86C7777D","Arn"]},"loggingConfiguration":{"imageLogGroupName":{"Ref":"ImageLogGroupD34F5836"},"pipelineLogGroupName":{"Ref":"ImagePipelineLogGroup7E475C9B"}},"name":"test-image-pipeline","schedule":{"scheduleExpression":"cron(0 7 ? * mon *)","autoDisablePolicy":{"failureCount":5},"pipelineExecutionStartCondition":"EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE"},"status":"ENABLED","workflows":[{"workflowArn":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":imagebuilder:",{"Ref":"AWS::Region"},":aws:workflow/build/build-image/x.x.x"]]}}]}}},"ImageBuildSuccessTriggerRule":{"id":"ImageBuildSuccessTriggerRule","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ImagePipeline-AMI/ImageBuildSuccessTriggerRule","constructInfo":{"fqn":"aws-cdk-lib.aws_events.Rule","version":"0.0.0","metadata":["*",{"addEventPattern":["*"]},{"addTarget":["*"]},{"addEventPattern":[{"source":"*"}]}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ImagePipeline-AMI/ImageBuildSuccessTriggerRule/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_events.CfnRule","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Events::Rule","aws:cdk:cloudformation:props":{"eventPattern":{"source":["aws.imagebuilder"]},"state":"ENABLED"}}}}},"ImageBuildCVEDetectedTriggerRule":{"id":"ImageBuildCVEDetectedTriggerRule","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ImagePipeline-AMI/ImageBuildCVEDetectedTriggerRule","constructInfo":{"fqn":"aws-cdk-lib.aws_events.Rule","version":"0.0.0","metadata":[{"eventPattern":{"detailType":"*","resources":"*"}},{"addEventPattern":[{"detailType":"*","resources":"*"}]},{"addTarget":["*"]},{"addEventPattern":[{"source":"*","resources":"*","detailType":"*"}]}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/ImagePipeline-AMI/ImageBuildCVEDetectedTriggerRule/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_events.CfnRule","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Events::Rule","aws:cdk:cloudformation:props":{"eventPattern":{"detail-type":["EC2 Image Builder CVE Detected"],"resources":[{"Fn::GetAtt":["ImagePipelineAMI7635ECE0","Arn"]}],"source":["aws.imagebuilder"]},"state":"ENABLED"}}}}}}},"BootstrapVersion":{"id":"BootstrapVersion","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"aws-cdk-imagebuilder-image-pipeline-ami-all-parameters/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}},"ImagePipelineTest-AMI-AllParameters":{"id":"ImagePipelineTest-AMI-AllParameters","path":"ImagePipelineTest-AMI-AllParameters","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTest","version":"0.0.0"},"children":{"DefaultTest":{"id":"DefaultTest","path":"ImagePipelineTest-AMI-AllParameters/DefaultTest","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTestCase","version":"0.0.0"},"children":{"Default":{"id":"Default","path":"ImagePipelineTest-AMI-AllParameters/DefaultTest/Default","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"}},"DeployAssert":{"id":"DeployAssert","path":"ImagePipelineTest-AMI-AllParameters/DefaultTest/DeployAssert","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"BootstrapVersion":{"id":"BootstrapVersion","path":"ImagePipelineTest-AMI-AllParameters/DefaultTest/DeployAssert/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"ImagePipelineTest-AMI-AllParameters/DefaultTest/DeployAssert/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}}}}}},"Tree":{"id":"Tree","path":"Tree","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"}}}}} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.ts b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.ts new file mode 100644 index 0000000000000..da85d8f3671b8 --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.ts @@ -0,0 +1,56 @@ +import * as integ from '@aws-cdk/integ-tests-alpha'; +import * as cdk from 'aws-cdk-lib'; +import * as events from 'aws-cdk-lib/aws-events'; +import * as iam from 'aws-cdk-lib/aws-iam'; +import * as logs from 'aws-cdk-lib/aws-logs'; +import * as imagebuilder from '../lib'; + +const app = new cdk.App(); +const stack = new cdk.Stack(app, 'aws-cdk-imagebuilder-image-pipeline-ami-all-parameters'); + +const executionRole = new iam.Role(stack, 'ExecutionRole', { + assumedBy: new iam.ServicePrincipal('imagebuilder.amazonaws.com'), +}); +const imageLogGroup = new logs.LogGroup(stack, 'ImageLogGroup', { removalPolicy: cdk.RemovalPolicy.DESTROY }); +const imagePipelineLogGroup = new logs.LogGroup(stack, 'ImagePipelineLogGroup', { + removalPolicy: cdk.RemovalPolicy.DESTROY, +}); + +const infrastructureConfiguration = new imagebuilder.InfrastructureConfiguration(stack, 'InfrastructureConfiguration'); +const imageRecipe = new imagebuilder.ImageRecipe(stack, 'ImageRecipe', { + baseImage: imagebuilder.BaseImage.fromSsmParameterName( + '/aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-default-x86_64', + ), +}); + +const amiDistributionConfiguration = new imagebuilder.DistributionConfiguration(stack, 'AMIDistributionConfiguration'); +amiDistributionConfiguration.addAmiDistributions({ amiName: 'imagebuidler-{{ imagebuilder:buildDate }}' }); + +const imagePipeline = new imagebuilder.ImagePipeline(stack, 'ImagePipeline-AMI', { + imagePipelineName: 'test-image-pipeline', + description: 'this is an image pipeline description.', + recipe: imageRecipe, + infrastructureConfiguration, + distributionConfiguration: amiDistributionConfiguration, + status: imagebuilder.ImagePipelineStatus.ENABLED, + executionRole, + schedule: { + expression: events.Schedule.expression('cron(0 7 ? * mon *)'), + startCondition: imagebuilder.ScheduleStartCondition.EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE, + autoDisableFailureCount: 5, + }, + workflows: [{ workflow: imagebuilder.AwsManagedWorkflow.buildImage(stack, 'BuildImage') }], + imageLogGroup, + imagePipelineLogGroup, + enhancedImageMetadataEnabled: true, + imageTestsEnabled: true, + imageScanningEnabled: true, +}); + +imagePipeline.grantDefaultExecutionRolePermissions(executionRole); +imagePipeline.onEvent('ImageBuildSuccessTriggerRule'); +imagePipeline.onCVEDetected('ImageBuildCVEDetectedTriggerRule'); + +new integ.IntegTest(app, 'ImagePipelineTest-AMI-AllParameters', { + testCases: [stack], +}); diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.js.snapshot/ImagePipelineTestContainerAllParametersDefaultTestDeployAssert1B190D7C.assets.json b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.js.snapshot/ImagePipelineTestContainerAllParametersDefaultTestDeployAssert1B190D7C.assets.json new file mode 100644 index 0000000000000..cb30c95e17cfd --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.js.snapshot/ImagePipelineTestContainerAllParametersDefaultTestDeployAssert1B190D7C.assets.json @@ -0,0 +1,20 @@ +{ + "version": "48.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "displayName": "ImagePipelineTestContainerAllParametersDefaultTestDeployAssert1B190D7C Template", + "source": { + "path": "ImagePipelineTestContainerAllParametersDefaultTestDeployAssert1B190D7C.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region-d8d86b35": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.js.snapshot/ImagePipelineTestContainerAllParametersDefaultTestDeployAssert1B190D7C.template.json b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.js.snapshot/ImagePipelineTestContainerAllParametersDefaultTestDeployAssert1B190D7C.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.js.snapshot/ImagePipelineTestContainerAllParametersDefaultTestDeployAssert1B190D7C.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.js.snapshot/aws-cdk-imagebuilder-image-pipeline-container-all-parameters.assets.json b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.js.snapshot/aws-cdk-imagebuilder-image-pipeline-container-all-parameters.assets.json new file mode 100644 index 0000000000000..89691cfff3fb5 --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.js.snapshot/aws-cdk-imagebuilder-image-pipeline-container-all-parameters.assets.json @@ -0,0 +1,20 @@ +{ + "version": "48.0.0", + "files": { + "362dd503d4f2a2cbe795b8f6d500d82162fe73a642e142c7edbb91e89a5e8226": { + "displayName": "aws-cdk-imagebuilder-image-pipeline-container-all-parameters Template", + "source": { + "path": "aws-cdk-imagebuilder-image-pipeline-container-all-parameters.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region-de0aa876": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "362dd503d4f2a2cbe795b8f6d500d82162fe73a642e142c7edbb91e89a5e8226.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.js.snapshot/aws-cdk-imagebuilder-image-pipeline-container-all-parameters.template.json b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.js.snapshot/aws-cdk-imagebuilder-image-pipeline-container-all-parameters.template.json new file mode 100644 index 0000000000000..e00c53de54b39 --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.js.snapshot/aws-cdk-imagebuilder-image-pipeline-container-all-parameters.template.json @@ -0,0 +1,1031 @@ +{ + "Resources": { + "Repository22E53BBD": { + "Type": "AWS::ECR::Repository", + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "ScanningRepositoryB9C9B705": { + "Type": "AWS::ECR::Repository", + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "ExecutionRole605A040B": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "imagebuilder.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "ExecutionRoleDefaultPolicyA5B92313": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "ec2:RegisterImage", + "Condition": { + "StringEquals": { + "aws:RequestTag/CreatedBy": "EC2 Image Builder" + } + }, + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*::image/*" + ] + ] + } + }, + { + "Action": [ + "ec2:ModifySnapshotAttribute", + "ec2:RegisterImage" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/CreatedBy": "EC2 Image Builder" + } + }, + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*::snapshot/*" + ] + ] + } + }, + { + "Action": "ec2:RunInstances", + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*:*:key-pair/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*:*:launch-template/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*:*:network-interface/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*:*:security-group/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*:*:subnet/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*::image/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*::snapshot/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":license-manager:*:*:license-configuration:*" + ] + ] + } + ] + }, + { + "Action": "ec2:RunInstances", + "Condition": { + "StringEquals": { + "aws:RequestTag/CreatedBy": [ + "EC2 Image Builder", + "EC2 Fast Launch" + ] + } + }, + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*:*:instance/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*:*:volume/*" + ] + ] + } + ] + }, + { + "Action": "iam:PassRole", + "Condition": { + "StringEquals": { + "iam:PassedToService": [ + "ec2.amazonaws.com", + "ec2.amazonaws.com.cn", + "vmie.amazonaws.com" + ] + } + }, + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:StartInstances", + "ec2:StopInstances", + "ec2:TerminateInstances" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/CreatedBy": "EC2 Image Builder" + } + }, + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "ec2:CopyImage", + "ec2:CreateImage", + "ec2:CreateLaunchTemplate", + "ec2:DeregisterImage", + "ec2:DescribeHosts", + "ec2:DescribeImages", + "ec2:DescribeImportImageTasks", + "ec2:DescribeInstanceAttribute", + "ec2:DescribeInstanceStatus", + "ec2:DescribeInstanceTypeOfferings", + "ec2:DescribeInstanceTypes", + "ec2:DescribeInstances", + "ec2:DescribeSnapshots", + "ec2:DescribeSubnets", + "ec2:DescribeTags", + "ec2:ModifyImageAttribute", + "inspector2:ListCoverage", + "inspector2:ListFindings", + "ssm:AddTagsToResource", + "ssm:DescribeAssociationExecutions", + "ssm:DescribeInstanceAssociationsStatus", + "ssm:DescribeInstanceInformation", + "ssm:GetCommandInvocation", + "ssm:ListCommandInvocations", + "ssm:ListCommands", + "ssm:ListInventoryEntries" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "RunInstances", + "CreateImage" + ], + "aws:RequestTag/CreatedBy": [ + "EC2 Image Builder", + "EC2 Fast Launch" + ] + } + }, + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": "ec2:CreateTags", + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*:*:export-image-task/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*::image/*" + ] + ] + } + ] + }, + { + "Action": "ec2:CreateTags", + "Condition": { + "StringEquals": { + "aws:RequestTag/CreatedBy": [ + "EC2 Image Builder", + "EC2 Fast Launch" + ] + } + }, + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*:*:launch-template/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*::snapshot/*" + ] + ] + } + ] + }, + { + "Action": "sns:Publish", + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":sns:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":*" + ] + ] + } + }, + { + "Action": "ssm:SendCommand", + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ssm:*:*:document/AWS-RunPowerShellScript" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ssm:*:*:document/AWS-RunShellScript" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ssm:*:*:document/AWSEC2-RunSysprep" + ] + ] + } + ] + }, + { + "Action": "ssm:SendCommand", + "Condition": { + "StringEquals": { + "ssm:resourceTag/CreatedBy": [ + "EC2 Image Builder" + ] + } + }, + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*:*:instance/*" + ] + ] + } + }, + { + "Action": [ + "ssm:CreateAssociation", + "ssm:DeleteAssociation" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:*:*:instance/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ssm:*:*:association/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ssm:*:*:document/AWS-GatherSoftwareInventory" + ] + ] + } + ] + }, + { + "Action": [ + "kms:Decrypt", + "kms:Encrypt", + "kms:GenerateDataKeyWithoutPlaintext", + "kms:ReEncryptFrom", + "kms:ReEncryptTo" + ], + "Condition": { + "ForAllValues:StringEquals": { + "kms:EncryptionContextKeys": [ + "aws:ebs:id" + ] + }, + "StringLike": { + "kms:ViaService": [ + "ec2.*.amazonaws.com" + ] + } + }, + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": "kms:DescribeKey", + "Condition": { + "StringLike": { + "kms:ViaService": [ + "ec2.*.amazonaws.com" + ] + } + }, + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": "kms:CreateGrant", + "Condition": { + "Bool": { + "kms:GrantIsForAWSResource": true + }, + "StringLike": { + "kms:ViaService": [ + "ec2.*.amazonaws.com" + ] + } + }, + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:*:*:log-group:/aws/imagebuilder/*" + ] + ] + } + }, + { + "Action": "iam:CreateServiceLinkedRole", + "Condition": { + "StringEquals": { + "iam:AWSServiceName": [ + "ssm.amazonaws.com" + ] + } + }, + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "events:DeleteRule", + "events:DescribeRule", + "events:PutRule", + "events:PutTargets", + "events:RemoveTargets" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":events:*:*:rule/ImageBuilder-*" + ] + ] + } + }, + { + "Action": [ + "ssm:GetParameter", + "ssm:PutParameter" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ssm:*:*:parameter/imagebuilder/*" + ] + ] + } + }, + { + "Action": "ssm:GetParameter", + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ssm:*::parameter/aws/service/*" + ] + ] + } + }, + { + "Action": "ecr:CreateRepository", + "Condition": { + "StringEquals": { + "aws:RequestTag/CreatedBy": "EC2 Image Builder" + } + }, + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": "ecr:TagResource", + "Condition": { + "StringEquals": { + "aws:RequestTag/CreatedBy": "EC2 Image Builder" + } + }, + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ecr:*:*:repository/image-builder-*" + ] + ] + } + }, + { + "Action": "ecr:BatchDeleteImage", + "Condition": { + "StringEquals": { + "ecr:ResourceTag/CreatedBy": "EC2 Image Builder" + } + }, + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ecr:*:*:repository/image-builder-*" + ] + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "ExecutionRoleDefaultPolicyA5B92313", + "Roles": [ + { + "Ref": "ExecutionRole605A040B" + } + ] + } + }, + "ImageLogGroupD34F5836": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "RetentionInDays": 731 + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "ImagePipelineLogGroup7E475C9B": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "RetentionInDays": 731 + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "InfrastructureConfigurationInstanceProfileRole3AFA1533": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "ec2.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AmazonSSMManagedInstanceCore" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/EC2InstanceProfileForImageBuilder" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/EC2InstanceProfileForImageBuilderECRContainerBuilds" + ] + ] + } + ] + } + }, + "InfrastructureConfigurationInstanceProfile8FD9235B": { + "Type": "AWS::IAM::InstanceProfile", + "Properties": { + "Roles": [ + { + "Ref": "InfrastructureConfigurationInstanceProfileRole3AFA1533" + } + ] + } + }, + "InfrastructureConfiguration86C7777D": { + "Type": "AWS::ImageBuilder::InfrastructureConfiguration", + "Properties": { + "InstanceMetadataOptions": { + "HttpPutResponseHopLimit": 2, + "HttpTokens": "required" + }, + "InstanceProfileName": { + "Ref": "InfrastructureConfigurationInstanceProfile8FD9235B" + }, + "Name": "aws-cdk-imagebuilder-image-pipeline-container-all-parameters-infrastructureconfiguration-25b197bb" + } + }, + "ContainerRecipe8A7CC9ED": { + "Type": "AWS::ImageBuilder::ContainerRecipe", + "Properties": { + "ContainerType": "DOCKER", + "DockerfileTemplateData": "FROM {{{ imagebuilder:parentImage }}}\n{{{ imagebuilder:environments }}}\n{{{ imagebuilder:components }}}", + "ImageOsVersionOverride": "Amazon Linux 2023", + "Name": "aws-cdk-imagebuilder-image-pipeline-container-all-parameters-containerrecipe-703c2596", + "ParentImage": "public.ecr.aws/amazonlinux/amazonlinux:latest", + "PlatformOverride": "Linux", + "TargetRepository": { + "RepositoryName": { + "Ref": "Repository22E53BBD" + }, + "Service": "ECR" + }, + "Version": "1.0.x" + } + }, + "ContainerDistributionConfiguration18609EDB": { + "Type": "AWS::ImageBuilder::DistributionConfiguration", + "Properties": { + "Distributions": [ + { + "ContainerDistributionConfiguration": { + "TargetRepository": { + "RepositoryName": { + "Ref": "Repository22E53BBD" + }, + "Service": "ECR" + } + }, + "Region": { + "Ref": "AWS::Region" + } + } + ], + "Name": "aws-cdk-imagebuilder-image-pipeline-container-all-parameters-containerdistributionconfiguration-4e4b61cf" + } + }, + "ImagePipelineContainer507B5032": { + "Type": "AWS::ImageBuilder::ImagePipeline", + "Properties": { + "ContainerRecipeArn": { + "Fn::GetAtt": [ + "ContainerRecipe8A7CC9ED", + "Arn" + ] + }, + "DistributionConfigurationArn": { + "Fn::GetAtt": [ + "ContainerDistributionConfiguration18609EDB", + "Arn" + ] + }, + "EnhancedImageMetadataEnabled": true, + "ExecutionRole": { + "Fn::GetAtt": [ + "ExecutionRole605A040B", + "Arn" + ] + }, + "ImageScanningConfiguration": { + "EcrConfiguration": { + "ContainerTags": [ + "latest-scan" + ], + "RepositoryName": { + "Ref": "ScanningRepositoryB9C9B705" + } + }, + "ImageScanningEnabled": true + }, + "ImageTestsConfiguration": { + "ImageTestsEnabled": true + }, + "InfrastructureConfigurationArn": { + "Fn::GetAtt": [ + "InfrastructureConfiguration86C7777D", + "Arn" + ] + }, + "LoggingConfiguration": { + "ImageLogGroupName": { + "Ref": "ImageLogGroupD34F5836" + }, + "PipelineLogGroupName": { + "Ref": "ImagePipelineLogGroup7E475C9B" + } + }, + "Name": "test-container-image-pipeline", + "Schedule": { + "AutoDisablePolicy": { + "FailureCount": 5 + }, + "PipelineExecutionStartCondition": "EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE", + "ScheduleExpression": "rate(7 days)" + }, + "Status": "DISABLED", + "Workflows": [ + { + "WorkflowArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":imagebuilder:", + { + "Ref": "AWS::Region" + }, + ":aws:workflow/build/build-container/x.x.x" + ] + ] + } + }, + { + "WorkflowArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":imagebuilder:", + { + "Ref": "AWS::Region" + }, + ":aws:workflow/test/test-container/x.x.x" + ] + ] + } + }, + { + "WorkflowArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":imagebuilder:", + { + "Ref": "AWS::Region" + }, + ":aws:workflow/distribution/distribute-container/x.x.x" + ] + ] + } + } + ] + } + }, + "ImagePipelineContainerImageBuildSuccessTriggerRuleFC549F96": { + "Type": "AWS::Events::Rule", + "Properties": { + "EventPattern": { + "source": [ + "aws.imagebuilder" + ] + }, + "State": "ENABLED" + } + }, + "ImagePipelineContainerImagePipelineAutoDisabledTriggerRule567551D9": { + "Type": "AWS::Events::Rule", + "Properties": { + "EventPattern": { + "detail-type": [ + "EC2 Image Builder Image Pipeline Automatically Disabled" + ], + "resources": [ + { + "Fn::GetAtt": [ + "ImagePipelineContainer507B5032", + "Arn" + ] + } + ], + "source": [ + "aws.imagebuilder" + ] + }, + "State": "ENABLED" + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.js.snapshot/cdk.out b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.js.snapshot/cdk.out new file mode 100644 index 0000000000000..523a9aac37cbf --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"48.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.js.snapshot/integ.json b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.js.snapshot/integ.json new file mode 100644 index 0000000000000..7a69fd31ae20a --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.js.snapshot/integ.json @@ -0,0 +1,13 @@ +{ + "version": "48.0.0", + "testCases": { + "ImagePipelineTest-Container-AllParameters/DefaultTest": { + "stacks": [ + "aws-cdk-imagebuilder-image-pipeline-container-all-parameters" + ], + "assertionStack": "ImagePipelineTest-Container-AllParameters/DefaultTest/DeployAssert", + "assertionStackName": "ImagePipelineTestContainerAllParametersDefaultTestDeployAssert1B190D7C" + } + }, + "minimumCliVersion": "2.1027.0" +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.js.snapshot/manifest.json b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.js.snapshot/manifest.json new file mode 100644 index 0000000000000..b98793a32e5dd --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.js.snapshot/manifest.json @@ -0,0 +1,1354 @@ +{ + "version": "48.0.0", + "artifacts": { + "aws-cdk-imagebuilder-image-pipeline-container-all-parameters.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "aws-cdk-imagebuilder-image-pipeline-container-all-parameters.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "aws-cdk-imagebuilder-image-pipeline-container-all-parameters": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "aws-cdk-imagebuilder-image-pipeline-container-all-parameters.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/362dd503d4f2a2cbe795b8f6d500d82162fe73a642e142c7edbb91e89a5e8226.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "aws-cdk-imagebuilder-image-pipeline-container-all-parameters.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "aws-cdk-imagebuilder-image-pipeline-container-all-parameters.assets" + ], + "metadata": { + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/Repository": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "removalPolicy": "destroy" + } + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/Repository/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "Repository22E53BBD" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ScanningRepository": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "removalPolicy": "destroy" + } + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ScanningRepository/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ScanningRepositoryB9C9B705" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ExecutionRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + } + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ExecutionRole/ImportExecutionRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ExecutionRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ExecutionRole605A040B" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ExecutionRole/DefaultPolicy": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ExecutionRole/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ExecutionRoleDefaultPolicyA5B92313" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ImageLogGroup": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "removalPolicy": "destroy" + } + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ImageLogGroup/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ImageLogGroupD34F5836" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ImagePipelineLogGroup": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "removalPolicy": "destroy" + } + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ImagePipelineLogGroup/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ImagePipelineLogGroup7E475C9B" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/InfrastructureConfiguration": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/InfrastructureConfiguration/InstanceProfileRole": [ + { + "type": "aws:cdk:warning", + "data": "Failed to add construct metadata for node [InstanceProfileRole]. Reason: ValidationError: The result of fromAwsManagedPolicyName can not be used in this API [ack: @aws-cdk/core:addConstructMetadataFailed]" + }, + { + "type": "aws:cdk:warning", + "data": "Failed to add method metadata for node [InstanceProfileRole], method name addManagedPolicy. Reason: ValidationError: The result of fromAwsManagedPolicyName can not be used in this API [ack: @aws-cdk/core:addMethodMetadataFailed]" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/InfrastructureConfiguration/InstanceProfileRole/ImportInstanceProfileRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/InfrastructureConfiguration/InstanceProfileRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "InfrastructureConfigurationInstanceProfileRole3AFA1533" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/InfrastructureConfiguration/InstanceProfile": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "role": "*" + } + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/InfrastructureConfiguration/InstanceProfile/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "InfrastructureConfigurationInstanceProfile8FD9235B" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/InfrastructureConfiguration/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "InfrastructureConfiguration86C7777D" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ContainerRecipe": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ContainerRecipe/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ContainerRecipe8A7CC9ED" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ContainerDistributionConfiguration": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ContainerDistributionConfiguration/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ContainerDistributionConfiguration18609EDB" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ImagePipeline-Container/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ImagePipelineContainer507B5032" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ImagePipeline-Container/ImageBuildSuccessTriggerRule": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addEventPattern": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addTarget": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addEventPattern": [ + { + "source": "*" + } + ] + } + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ImagePipeline-Container/ImageBuildSuccessTriggerRule/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ImagePipelineContainerImageBuildSuccessTriggerRuleFC549F96" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ImagePipeline-Container/ImagePipelineAutoDisabledTriggerRule": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "eventPattern": { + "detailType": "*", + "resources": "*" + } + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addEventPattern": [ + { + "detailType": "*", + "resources": "*" + } + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addTarget": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addEventPattern": [ + { + "source": "*", + "resources": "*", + "detailType": "*" + } + ] + } + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ImagePipeline-Container/ImagePipelineAutoDisabledTriggerRule/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ImagePipelineContainerImagePipelineAutoDisabledTriggerRule567551D9" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-all-parameters/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "aws-cdk-imagebuilder-image-pipeline-container-all-parameters" + }, + "ImagePipelineTestContainerAllParametersDefaultTestDeployAssert1B190D7C.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "ImagePipelineTestContainerAllParametersDefaultTestDeployAssert1B190D7C.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "ImagePipelineTestContainerAllParametersDefaultTestDeployAssert1B190D7C": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "ImagePipelineTestContainerAllParametersDefaultTestDeployAssert1B190D7C.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "ImagePipelineTestContainerAllParametersDefaultTestDeployAssert1B190D7C.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "ImagePipelineTestContainerAllParametersDefaultTestDeployAssert1B190D7C.assets" + ], + "metadata": { + "/ImagePipelineTest-Container-AllParameters/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/ImagePipelineTest-Container-AllParameters/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "ImagePipelineTest-Container-AllParameters/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + }, + "aws-cdk-lib/feature-flag-report": { + "type": "cdk:feature-flag-report", + "properties": { + "module": "aws-cdk-lib", + "flags": { + "@aws-cdk/aws-signer:signingProfileNamePassedToCfn": { + "userValue": true, + "recommendedValue": true, + "explanation": "Pass signingProfileName to CfnSigningProfile" + }, + "@aws-cdk/core:newStyleStackSynthesis": { + "recommendedValue": true, + "explanation": "Switch to new stack synthesis method which enables CI/CD", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:stackRelativeExports": { + "recommendedValue": true, + "explanation": "Name exports based on the construct paths relative to the stack, rather than the global construct path", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener": { + "userValue": true, + "recommendedValue": true, + "explanation": "Disable implicit openListener when custom security groups are provided" + }, + "@aws-cdk/aws-rds:lowercaseDbIdentifier": { + "recommendedValue": true, + "explanation": "Force lowercasing of RDS Cluster names in CDK", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": { + "recommendedValue": true, + "explanation": "Allow adding/removing multiple UsagePlanKeys independently", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeVersionProps": { + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeLayerVersion": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`." + }, + "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": { + "recommendedValue": true, + "explanation": "Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:checkSecretUsage": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this flag to make it impossible to accidentally use SecretValues in unsafe locations" + }, + "@aws-cdk/core:target-partitions": { + "recommendedValue": [ + "aws", + "aws-cn" + ], + "explanation": "What regions to include in lookup tables of environment agnostic stacks" + }, + "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": { + "userValue": true, + "recommendedValue": true, + "explanation": "ECS extensions will automatically add an `awslogs` driver if no logging is specified" + }, + "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to have Launch Templates generated by the `InstanceRequireImdsv2Aspect` use unique names." + }, + "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": { + "userValue": true, + "recommendedValue": true, + "explanation": "ARN format used by ECS. In the new ARN format, the cluster name is part of the resource ID." + }, + "@aws-cdk/aws-iam:minimizePolicies": { + "userValue": true, + "recommendedValue": true, + "explanation": "Minimize IAM policies by combining Statements" + }, + "@aws-cdk/core:validateSnapshotRemovalPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Error on snapshot removal policies on resources that do not support it." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate key aliases that include the stack name" + }, + "@aws-cdk/aws-s3:createDefaultLoggingPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to create an S3 bucket policy by default in cases where an AWS service would automatically create the Policy if one does not exist." + }, + "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict KMS key policy for encrypted Queues a bit more" + }, + "@aws-cdk/aws-apigateway:disableCloudWatchRole": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make default CloudWatch Role behavior safe for multiple API Gateways in one environment" + }, + "@aws-cdk/core:enablePartitionLiterals": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make ARNs concrete if AWS partition is known" + }, + "@aws-cdk/aws-events:eventsTargetQueueSameAccount": { + "userValue": true, + "recommendedValue": true, + "explanation": "Event Rules may only push to encrypted SQS queues in the same account" + }, + "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": { + "userValue": true, + "recommendedValue": true, + "explanation": "Avoid setting the \"ECS\" deployment controller when adding a circuit breaker" + }, + "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature to create default policy names for imported roles that depend on the stack the role is in." + }, + "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use S3 Bucket Policy instead of ACLs for Server Access Logging" + }, + "@aws-cdk/aws-route53-patters:useCertificate": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use the official `Certificate` resource instead of `DnsValidatedCertificate`" + }, + "@aws-cdk/customresources:installLatestAwsSdkDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "Whether to install the latest SDK by default in AwsCustomResource" + }, + "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use unique resource name for Database Proxy" + }, + "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Remove CloudWatch alarms from deployment group" + }, + "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include authorizer configuration in the calculation of the API deployment logical ID." + }, + "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": { + "userValue": true, + "recommendedValue": true, + "explanation": "Define user data for a launch template by default when a machine image is provided." + }, + "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": { + "userValue": true, + "recommendedValue": true, + "explanation": "SecretTargetAttachments uses the ResourcePolicy of the attached Secret." + }, + "@aws-cdk/aws-redshift:columnId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Whether to use an ID to track Redshift column changes" + }, + "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable AmazonEMRServicePolicy_v2 managed policies" + }, + "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict access to the VPC default security group" + }, + "@aws-cdk/aws-apigateway:requestValidatorUniqueId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a unique id for each RequestValidator added to a method" + }, + "@aws-cdk/aws-kms:aliasNameRef": { + "userValue": true, + "recommendedValue": true, + "explanation": "KMS Alias name and keyArn will have implicit reference to KMS Key" + }, + "@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable grant methods on Aliases imported by name to use kms:ResourceAliases condition" + }, + "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a launch template when creating an AutoScalingGroup" + }, + "@aws-cdk/core:includePrefixInUniqueNameGeneration": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include the stack prefix in the stack name generation process" + }, + "@aws-cdk/aws-efs:denyAnonymousAccess": { + "userValue": true, + "recommendedValue": true, + "explanation": "EFS denies anonymous clients accesses" + }, + "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables support for Multi-AZ with Standby deployment for opensearch domains" + }, + "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables aws-lambda-nodejs.Function to use the latest available NodeJs runtime as the default" + }, + "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, mount targets will have a stable logicalId that is linked to the associated subnet." + }, + "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a scope of InstanceParameterGroup for AuroraClusterInstance with each parameters will change." + }, + "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, will always use the arn for identifiers for CfnSourceApiAssociation in the GraphqlApi construct rather than id." + }, + "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials." + }, + "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the CodeCommit source action is using the default branch name 'main'." + }, + "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default value for crossAccountKeys to false." + }, + "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default pipeline type to V2." + }, + "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only." + }, + "@aws-cdk/pipelines:reduceAssetRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from PipelineAssetsFileRole trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-eks:nodegroupNameAttribute": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix." + }, + "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default volume type of the EBS volume will be GP3" + }, + "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, remove default deployment alarm settings" + }, + "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default" + }, + "@aws-cdk/aws-s3:keepNotificationInImportedBucket": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, Adding notifications to a bucket in the current stack will not remove notification from imported stack." + }, + "@aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask": { + "recommendedValue": true, + "explanation": "When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:explicitStackTags": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, stack tags need to be assigned explicitly on a Stack." + }, + "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": { + "userValue": false, + "recommendedValue": false, + "explanation": "When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)**" + }, + "@aws-cdk/aws-ecs:disableEcsImdsBlocking": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)**" + }, + "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, we will only grant the necessary permissions when users specify cloudwatch log group through logConfiguration" + }, + "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas" + }, + "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, initOptions.timeout and resourceSignalTimeout values will be summed together." + }, + "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a Lambda authorizer Permission created when using GraphqlApi will be properly scoped with a SourceArn." + }, + "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn`" + }, + "@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CFN templates added with `cfn-include` will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values." + }, + "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, both `@aws-sdk` and `@smithy` packages will be excluded from the Lambda Node.js 18.x runtime to prevent version mismatches in bundled applications." + }, + "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN." + }, + "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2." + }, + "@aws-cdk/core:aspectStabilization": { + "recommendedValue": true, + "explanation": "When enabled, a stabilization loop will be run when invoking Aspects during synthesis.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource." + }, + "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere" + }, + "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default behaviour of OIDC provider will reject unauthorized connections" + }, + "@aws-cdk/core:enableAdditionalMetadataCollection": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues." + }, + "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": { + "userValue": false, + "recommendedValue": false, + "explanation": "[Deprecated] When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement" + }, + "@aws-cdk/aws-s3:setUniqueReplicationRoleName": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will automatically generate a unique role name that is used for s3 object replication." + }, + "@aws-cdk/pipelines:reduceStageRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from Stage addActions trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-events:requireEventBusPolicySid": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, grantPutEventsTo() will use resource policies with Statement IDs for service principals." + }, + "@aws-cdk/core:aspectPrioritiesMutating": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, Aspects added by the construct library on your behalf will be given a priority of MUTATING." + }, + "@aws-cdk/aws-dynamodb:retainTableReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, table replica will be default to the removal policy of source table unless specified otherwise." + }, + "@aws-cdk/cognito:logUserPoolClientSecretValue": { + "recommendedValue": false, + "explanation": "When disabled, the value of the user pool client secret will not be logged in the custom resource lambda function logs." + }, + "@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope": { + "recommendedValue": true, + "explanation": "When enabled, scopes down the trust policy for the cross-account action role", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resultWriterV2 property of DistributedMap will be used insted of resultWriter" + }, + "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": { + "userValue": true, + "recommendedValue": true, + "explanation": "Add an S3 trust policy to a KMS key resource policy for SNS subscriptions." + }, + "@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the EgressOnlyGateway resource is only created if private subnets are defined in the dual-stack VPC." + }, + "@aws-cdk/aws-ec2-alpha:useResourceIdForVpcV2Migration": { + "recommendedValue": false, + "explanation": "When enabled, use resource IDs for VPC V2 migration" + }, + "@aws-cdk/aws-s3:publicAccessBlockedByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, setting any combination of options for BlockPublicAccess will automatically set true for any options not defined." + }, + "@aws-cdk/aws-lambda:useCdkManagedLogGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK creates and manages loggroup for the lambda function" + }, + "@aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault": { + "recommendedValue": true, + "explanation": "When enabled, Network Load Balancer will be created with a security group by default." + }, + "@aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint": { + "recommendedValue": true, + "explanation": "When enabled, allows using a dynamic apiEndpoint with JSONPath format in HttpInvoke tasks.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId": { + "recommendedValue": true, + "explanation": "When enabled, ECS patterns will generate unique target group IDs to prevent conflicts during load balancer replacement" + } + } + } + } + }, + "minimumCliVersion": "2.1031.2" +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.js.snapshot/tree.json b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.js.snapshot/tree.json new file mode 100644 index 0000000000000..a3229068a8f92 --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.js.snapshot/tree.json @@ -0,0 +1 @@ +{"version":"tree-0.1","tree":{"id":"App","path":"","constructInfo":{"fqn":"aws-cdk-lib.App","version":"0.0.0"},"children":{"aws-cdk-imagebuilder-image-pipeline-container-all-parameters":{"id":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"Repository":{"id":"Repository","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/Repository","constructInfo":{"fqn":"aws-cdk-lib.aws_ecr.Repository","version":"0.0.0","metadata":[{"removalPolicy":"destroy"}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/Repository/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_ecr.CfnRepository","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::ECR::Repository","aws:cdk:cloudformation:props":{}}}}},"ScanningRepository":{"id":"ScanningRepository","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ScanningRepository","constructInfo":{"fqn":"aws-cdk-lib.aws_ecr.Repository","version":"0.0.0","metadata":[{"removalPolicy":"destroy"}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ScanningRepository/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_ecr.CfnRepository","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::ECR::Repository","aws:cdk:cloudformation:props":{}}}}},"ExecutionRole":{"id":"ExecutionRole","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ExecutionRole","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[{"assumedBy":{"principalAccount":"*","assumeRoleAction":"*"}},{"addToPrincipalPolicy":[{}]},{"attachInlinePolicy":["*"]},{"attachInlinePolicy":["*"]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]}]},"children":{"ImportExecutionRole":{"id":"ImportExecutionRole","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ExecutionRole/ImportExecutionRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ExecutionRole/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"imagebuilder.amazonaws.com"}}],"Version":"2012-10-17"}}}},"DefaultPolicy":{"id":"DefaultPolicy","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ExecutionRole/DefaultPolicy","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":["*",{"attachToRole":["*"]},{"attachToRole":["*"]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ExecutionRole/DefaultPolicy/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":"ec2:RegisterImage","Condition":{"StringEquals":{"aws:RequestTag/CreatedBy":"EC2 Image Builder"}},"Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*::image/*"]]}},{"Action":["ec2:ModifySnapshotAttribute","ec2:RegisterImage"],"Condition":{"StringEquals":{"ec2:ResourceTag/CreatedBy":"EC2 Image Builder"}},"Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*::snapshot/*"]]}},{"Action":"ec2:RunInstances","Effect":"Allow","Resource":[{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*:*:key-pair/*"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*:*:launch-template/*"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*:*:network-interface/*"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*:*:security-group/*"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*:*:subnet/*"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*::image/*"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*::snapshot/*"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":license-manager:*:*:license-configuration:*"]]}]},{"Action":"ec2:RunInstances","Condition":{"StringEquals":{"aws:RequestTag/CreatedBy":["EC2 Image Builder","EC2 Fast Launch"]}},"Effect":"Allow","Resource":[{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*:*:instance/*"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*:*:volume/*"]]}]},{"Action":"iam:PassRole","Condition":{"StringEquals":{"iam:PassedToService":["ec2.amazonaws.com","ec2.amazonaws.com.cn","vmie.amazonaws.com"]}},"Effect":"Allow","Resource":"*"},{"Action":["ec2:StartInstances","ec2:StopInstances","ec2:TerminateInstances"],"Condition":{"StringEquals":{"ec2:ResourceTag/CreatedBy":"EC2 Image Builder"}},"Effect":"Allow","Resource":"*"},{"Action":["ec2:CopyImage","ec2:CreateImage","ec2:CreateLaunchTemplate","ec2:DeregisterImage","ec2:DescribeHosts","ec2:DescribeImages","ec2:DescribeImportImageTasks","ec2:DescribeInstanceAttribute","ec2:DescribeInstanceStatus","ec2:DescribeInstanceTypeOfferings","ec2:DescribeInstanceTypes","ec2:DescribeInstances","ec2:DescribeSnapshots","ec2:DescribeSubnets","ec2:DescribeTags","ec2:ModifyImageAttribute","inspector2:ListCoverage","inspector2:ListFindings","ssm:AddTagsToResource","ssm:DescribeAssociationExecutions","ssm:DescribeInstanceAssociationsStatus","ssm:DescribeInstanceInformation","ssm:GetCommandInvocation","ssm:ListCommandInvocations","ssm:ListCommands","ssm:ListInventoryEntries"],"Effect":"Allow","Resource":"*"},{"Action":"ec2:CreateTags","Condition":{"StringEquals":{"ec2:CreateAction":["RunInstances","CreateImage"],"aws:RequestTag/CreatedBy":["EC2 Image Builder","EC2 Fast Launch"]}},"Effect":"Allow","Resource":"*"},{"Action":"ec2:CreateTags","Effect":"Allow","Resource":[{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*:*:export-image-task/*"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*::image/*"]]}]},{"Action":"ec2:CreateTags","Condition":{"StringEquals":{"aws:RequestTag/CreatedBy":["EC2 Image Builder","EC2 Fast Launch"]}},"Effect":"Allow","Resource":[{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*:*:launch-template/*"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*::snapshot/*"]]}]},{"Action":"sns:Publish","Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":sns:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":*"]]}},{"Action":"ssm:SendCommand","Effect":"Allow","Resource":[{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":s3:::*"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ssm:*:*:document/AWS-RunPowerShellScript"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ssm:*:*:document/AWS-RunShellScript"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ssm:*:*:document/AWSEC2-RunSysprep"]]}]},{"Action":"ssm:SendCommand","Condition":{"StringEquals":{"ssm:resourceTag/CreatedBy":["EC2 Image Builder"]}},"Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*:*:instance/*"]]}},{"Action":["ssm:CreateAssociation","ssm:DeleteAssociation"],"Effect":"Allow","Resource":[{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ec2:*:*:instance/*"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ssm:*:*:association/*"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ssm:*:*:document/AWS-GatherSoftwareInventory"]]}]},{"Action":["kms:Decrypt","kms:Encrypt","kms:GenerateDataKeyWithoutPlaintext","kms:ReEncryptFrom","kms:ReEncryptTo"],"Condition":{"ForAllValues:StringEquals":{"kms:EncryptionContextKeys":["aws:ebs:id"]},"StringLike":{"kms:ViaService":["ec2.*.amazonaws.com"]}},"Effect":"Allow","Resource":"*"},{"Action":"kms:DescribeKey","Condition":{"StringLike":{"kms:ViaService":["ec2.*.amazonaws.com"]}},"Effect":"Allow","Resource":"*"},{"Action":"kms:CreateGrant","Condition":{"Bool":{"kms:GrantIsForAWSResource":true},"StringLike":{"kms:ViaService":["ec2.*.amazonaws.com"]}},"Effect":"Allow","Resource":"*"},{"Action":["logs:CreateLogGroup","logs:CreateLogStream","logs:PutLogEvents"],"Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":logs:*:*:log-group:/aws/imagebuilder/*"]]}},{"Action":"iam:CreateServiceLinkedRole","Condition":{"StringEquals":{"iam:AWSServiceName":["ssm.amazonaws.com"]}},"Effect":"Allow","Resource":"*"},{"Action":["events:DeleteRule","events:DescribeRule","events:PutRule","events:PutTargets","events:RemoveTargets"],"Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":events:*:*:rule/ImageBuilder-*"]]}},{"Action":["ssm:GetParameter","ssm:PutParameter"],"Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ssm:*:*:parameter/imagebuilder/*"]]}},{"Action":"ssm:GetParameter","Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ssm:*::parameter/aws/service/*"]]}},{"Action":"ecr:CreateRepository","Condition":{"StringEquals":{"aws:RequestTag/CreatedBy":"EC2 Image Builder"}},"Effect":"Allow","Resource":"*"},{"Action":"ecr:TagResource","Condition":{"StringEquals":{"aws:RequestTag/CreatedBy":"EC2 Image Builder"}},"Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ecr:*:*:repository/image-builder-*"]]}},{"Action":"ecr:BatchDeleteImage","Condition":{"StringEquals":{"ecr:ResourceTag/CreatedBy":"EC2 Image Builder"}},"Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ecr:*:*:repository/image-builder-*"]]}}],"Version":"2012-10-17"},"policyName":"ExecutionRoleDefaultPolicyA5B92313","roles":[{"Ref":"ExecutionRole605A040B"}]}}}}}}},"ImageLogGroup":{"id":"ImageLogGroup","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ImageLogGroup","constructInfo":{"fqn":"aws-cdk-lib.aws_logs.LogGroup","version":"0.0.0","metadata":[{"removalPolicy":"destroy"}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ImageLogGroup/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_logs.CfnLogGroup","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Logs::LogGroup","aws:cdk:cloudformation:props":{"retentionInDays":731}}}}},"ImagePipelineLogGroup":{"id":"ImagePipelineLogGroup","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ImagePipelineLogGroup","constructInfo":{"fqn":"aws-cdk-lib.aws_logs.LogGroup","version":"0.0.0","metadata":[{"removalPolicy":"destroy"}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ImagePipelineLogGroup/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_logs.CfnLogGroup","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Logs::LogGroup","aws:cdk:cloudformation:props":{"retentionInDays":731}}}}},"InfrastructureConfiguration":{"id":"InfrastructureConfiguration","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/InfrastructureConfiguration","constructInfo":{"fqn":"@aws-cdk/aws-imagebuilder-alpha.InfrastructureConfiguration","version":"0.0.0","metadata":["*"]},"children":{"InstanceProfileRole":{"id":"InstanceProfileRole","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/InfrastructureConfiguration/InstanceProfileRole","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[]},"children":{"ImportInstanceProfileRole":{"id":"ImportInstanceProfileRole","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/InfrastructureConfiguration/InstanceProfileRole/ImportInstanceProfileRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/InfrastructureConfiguration/InstanceProfileRole/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"}}],"Version":"2012-10-17"},"managedPolicyArns":[{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":iam::aws:policy/AmazonSSMManagedInstanceCore"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":iam::aws:policy/EC2InstanceProfileForImageBuilder"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":iam::aws:policy/EC2InstanceProfileForImageBuilderECRContainerBuilds"]]}]}}}}},"InstanceProfile":{"id":"InstanceProfile","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/InfrastructureConfiguration/InstanceProfile","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.InstanceProfile","version":"0.0.0","metadata":[{"role":"*"}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/InfrastructureConfiguration/InstanceProfile/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnInstanceProfile","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::InstanceProfile","aws:cdk:cloudformation:props":{"roles":[{"Ref":"InfrastructureConfigurationInstanceProfileRole3AFA1533"}]}}}}},"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/InfrastructureConfiguration/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_imagebuilder.CfnInfrastructureConfiguration","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::ImageBuilder::InfrastructureConfiguration","aws:cdk:cloudformation:props":{"instanceMetadataOptions":{"httpTokens":"required","httpPutResponseHopLimit":2},"instanceProfileName":{"Ref":"InfrastructureConfigurationInstanceProfile8FD9235B"},"name":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters-infrastructureconfiguration-25b197bb"}}}}},"ContainerRecipe":{"id":"ContainerRecipe","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ContainerRecipe","constructInfo":{"fqn":"@aws-cdk/aws-imagebuilder-alpha.ContainerRecipe","version":"0.0.0","metadata":["*","*"]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ContainerRecipe/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_imagebuilder.CfnContainerRecipe","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::ImageBuilder::ContainerRecipe","aws:cdk:cloudformation:props":{"containerType":"DOCKER","dockerfileTemplateData":"FROM {{{ imagebuilder:parentImage }}}\n{{{ imagebuilder:environments }}}\n{{{ imagebuilder:components }}}","imageOsVersionOverride":"Amazon Linux 2023","name":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters-containerrecipe-703c2596","parentImage":"public.ecr.aws/amazonlinux/amazonlinux:latest","platformOverride":"Linux","targetRepository":{"repositoryName":{"Ref":"Repository22E53BBD"},"service":"ECR"},"version":"1.0.x"}}}}},"ContainerDistributionConfiguration":{"id":"ContainerDistributionConfiguration","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ContainerDistributionConfiguration","constructInfo":{"fqn":"@aws-cdk/aws-imagebuilder-alpha.DistributionConfiguration","version":"0.0.0","metadata":["*","*","*","*"]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ContainerDistributionConfiguration/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_imagebuilder.CfnDistributionConfiguration","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::ImageBuilder::DistributionConfiguration","aws:cdk:cloudformation:props":{"distributions":[{"region":{"Ref":"AWS::Region"},"containerDistributionConfiguration":{"TargetRepository":{"RepositoryName":{"Ref":"Repository22E53BBD"},"Service":"ECR"}}}],"name":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters-containerdistributionconfiguration-4e4b61cf"}}}}},"BuildContainer":{"id":"BuildContainer","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/BuildContainer","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":[]}},"TestContainer":{"id":"TestContainer","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/TestContainer","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":[]}},"DistributeContainer":{"id":"DistributeContainer","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/DistributeContainer","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":[]}},"ImagePipeline-Container":{"id":"ImagePipeline-Container","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ImagePipeline-Container","constructInfo":{"fqn":"@aws-cdk/aws-imagebuilder-alpha.ImagePipeline","version":"0.0.0","metadata":[]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ImagePipeline-Container/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_imagebuilder.CfnImagePipeline","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::ImageBuilder::ImagePipeline","aws:cdk:cloudformation:props":{"containerRecipeArn":{"Fn::GetAtt":["ContainerRecipe8A7CC9ED","Arn"]},"distributionConfigurationArn":{"Fn::GetAtt":["ContainerDistributionConfiguration18609EDB","Arn"]},"enhancedImageMetadataEnabled":true,"executionRole":{"Fn::GetAtt":["ExecutionRole605A040B","Arn"]},"imageScanningConfiguration":{"imageScanningEnabled":true,"ecrConfiguration":{"repositoryName":{"Ref":"ScanningRepositoryB9C9B705"},"containerTags":["latest-scan"]}},"imageTestsConfiguration":{"imageTestsEnabled":true},"infrastructureConfigurationArn":{"Fn::GetAtt":["InfrastructureConfiguration86C7777D","Arn"]},"loggingConfiguration":{"imageLogGroupName":{"Ref":"ImageLogGroupD34F5836"},"pipelineLogGroupName":{"Ref":"ImagePipelineLogGroup7E475C9B"}},"name":"test-container-image-pipeline","schedule":{"scheduleExpression":"rate(7 days)","autoDisablePolicy":{"failureCount":5},"pipelineExecutionStartCondition":"EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE"},"status":"DISABLED","workflows":[{"workflowArn":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":imagebuilder:",{"Ref":"AWS::Region"},":aws:workflow/build/build-container/x.x.x"]]}},{"workflowArn":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":imagebuilder:",{"Ref":"AWS::Region"},":aws:workflow/test/test-container/x.x.x"]]}},{"workflowArn":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":imagebuilder:",{"Ref":"AWS::Region"},":aws:workflow/distribution/distribute-container/x.x.x"]]}}]}}},"ImageBuildSuccessTriggerRule":{"id":"ImageBuildSuccessTriggerRule","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ImagePipeline-Container/ImageBuildSuccessTriggerRule","constructInfo":{"fqn":"aws-cdk-lib.aws_events.Rule","version":"0.0.0","metadata":["*",{"addEventPattern":["*"]},{"addTarget":["*"]},{"addEventPattern":[{"source":"*"}]}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ImagePipeline-Container/ImageBuildSuccessTriggerRule/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_events.CfnRule","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Events::Rule","aws:cdk:cloudformation:props":{"eventPattern":{"source":["aws.imagebuilder"]},"state":"ENABLED"}}}}},"ImagePipelineAutoDisabledTriggerRule":{"id":"ImagePipelineAutoDisabledTriggerRule","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ImagePipeline-Container/ImagePipelineAutoDisabledTriggerRule","constructInfo":{"fqn":"aws-cdk-lib.aws_events.Rule","version":"0.0.0","metadata":[{"eventPattern":{"detailType":"*","resources":"*"}},{"addEventPattern":[{"detailType":"*","resources":"*"}]},{"addTarget":["*"]},{"addEventPattern":[{"source":"*","resources":"*","detailType":"*"}]}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/ImagePipeline-Container/ImagePipelineAutoDisabledTriggerRule/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_events.CfnRule","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Events::Rule","aws:cdk:cloudformation:props":{"eventPattern":{"detail-type":["EC2 Image Builder Image Pipeline Automatically Disabled"],"resources":[{"Fn::GetAtt":["ImagePipelineContainer507B5032","Arn"]}],"source":["aws.imagebuilder"]},"state":"ENABLED"}}}}}}},"BootstrapVersion":{"id":"BootstrapVersion","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"aws-cdk-imagebuilder-image-pipeline-container-all-parameters/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}},"ImagePipelineTest-Container-AllParameters":{"id":"ImagePipelineTest-Container-AllParameters","path":"ImagePipelineTest-Container-AllParameters","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTest","version":"0.0.0"},"children":{"DefaultTest":{"id":"DefaultTest","path":"ImagePipelineTest-Container-AllParameters/DefaultTest","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTestCase","version":"0.0.0"},"children":{"Default":{"id":"Default","path":"ImagePipelineTest-Container-AllParameters/DefaultTest/Default","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"}},"DeployAssert":{"id":"DeployAssert","path":"ImagePipelineTest-Container-AllParameters/DefaultTest/DeployAssert","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"BootstrapVersion":{"id":"BootstrapVersion","path":"ImagePipelineTest-Container-AllParameters/DefaultTest/DeployAssert/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"ImagePipelineTest-Container-AllParameters/DefaultTest/DeployAssert/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}}}}}},"Tree":{"id":"Tree","path":"Tree","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"}}}}} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.ts b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.ts new file mode 100644 index 0000000000000..4f95e75d238f9 --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.ts @@ -0,0 +1,70 @@ +import * as integ from '@aws-cdk/integ-tests-alpha'; +import * as cdk from 'aws-cdk-lib'; +import * as ecr from 'aws-cdk-lib/aws-ecr'; +import * as events from 'aws-cdk-lib/aws-events'; +import * as iam from 'aws-cdk-lib/aws-iam'; +import * as logs from 'aws-cdk-lib/aws-logs'; +import * as imagebuilder from '../lib'; + +const app = new cdk.App(); +const stack = new cdk.Stack(app, 'aws-cdk-imagebuilder-image-pipeline-container-all-parameters'); + +const repository = new ecr.Repository(stack, 'Repository', { removalPolicy: cdk.RemovalPolicy.DESTROY }); +const scanningRepository = new ecr.Repository(stack, 'ScanningRepository', { + removalPolicy: cdk.RemovalPolicy.DESTROY, +}); +const executionRole = new iam.Role(stack, 'ExecutionRole', { + assumedBy: new iam.ServicePrincipal('imagebuilder.amazonaws.com'), +}); +const imageLogGroup = new logs.LogGroup(stack, 'ImageLogGroup', { removalPolicy: cdk.RemovalPolicy.DESTROY }); +const imagePipelineLogGroup = new logs.LogGroup(stack, 'ImagePipelineLogGroup', { + removalPolicy: cdk.RemovalPolicy.DESTROY, +}); + +const infrastructureConfiguration = new imagebuilder.InfrastructureConfiguration(stack, 'InfrastructureConfiguration'); +const containerRecipe = new imagebuilder.ContainerRecipe(stack, 'ContainerRecipe', { + baseImage: imagebuilder.BaseContainerImage.fromEcrPublic('amazonlinux', 'amazonlinux', 'latest'), + targetRepository: imagebuilder.Repository.fromEcr(repository), + osVersion: imagebuilder.OSVersion.AMAZON_LINUX_2023, +}); + +const containerDistributionConfiguration = new imagebuilder.DistributionConfiguration( + stack, + 'ContainerDistributionConfiguration', +); +containerDistributionConfiguration.addContainerDistributions({ + containerRepository: imagebuilder.Repository.fromEcr(repository), +}); + +const containerImagePipeline = new imagebuilder.ImagePipeline(stack, 'ImagePipeline-Container', { + imagePipelineName: 'test-container-image-pipeline', + recipe: containerRecipe, + infrastructureConfiguration, + distributionConfiguration: containerDistributionConfiguration, + status: imagebuilder.ImagePipelineStatus.DISABLED, + executionRole, + schedule: { + expression: events.Schedule.rate(cdk.Duration.days(7)), + startCondition: imagebuilder.ScheduleStartCondition.EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE, + autoDisableFailureCount: 5, + }, + workflows: [ + { workflow: imagebuilder.AwsManagedWorkflow.buildContainer(stack, 'BuildContainer') }, + { workflow: imagebuilder.AwsManagedWorkflow.testContainer(stack, 'TestContainer') }, + { workflow: imagebuilder.AwsManagedWorkflow.distributeContainer(stack, 'DistributeContainer') }, + ], + imageLogGroup, + imagePipelineLogGroup, + enhancedImageMetadataEnabled: true, + imageTestsEnabled: true, + imageScanningEnabled: true, + imageScanningEcrRepository: scanningRepository, + imageScanningEcrTags: ['latest-scan'], +}); +containerImagePipeline.grantDefaultExecutionRolePermissions(executionRole); +containerImagePipeline.onEvent('ImageBuildSuccessTriggerRule'); +containerImagePipeline.onImagePipelineAutoDisabled('ImagePipelineAutoDisabledTriggerRule'); + +new integ.IntegTest(app, 'ImagePipelineTest-Container-AllParameters', { + testCases: [stack], +}); diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.ami.js.snapshot/ImagePipelineTestAMIDefaultParametersDefaultTestDeployAssert1F773E9C.assets.json b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.ami.js.snapshot/ImagePipelineTestAMIDefaultParametersDefaultTestDeployAssert1F773E9C.assets.json new file mode 100644 index 0000000000000..c1c7cd27151e9 --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.ami.js.snapshot/ImagePipelineTestAMIDefaultParametersDefaultTestDeployAssert1F773E9C.assets.json @@ -0,0 +1,20 @@ +{ + "version": "48.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "displayName": "ImagePipelineTestAMIDefaultParametersDefaultTestDeployAssert1F773E9C Template", + "source": { + "path": "ImagePipelineTestAMIDefaultParametersDefaultTestDeployAssert1F773E9C.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region-d8d86b35": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.ami.js.snapshot/ImagePipelineTestAMIDefaultParametersDefaultTestDeployAssert1F773E9C.template.json b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.ami.js.snapshot/ImagePipelineTestAMIDefaultParametersDefaultTestDeployAssert1F773E9C.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.ami.js.snapshot/ImagePipelineTestAMIDefaultParametersDefaultTestDeployAssert1F773E9C.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.ami.js.snapshot/aws-cdk-imagebuilder-image-pipeline-ami-required-parameters.assets.json b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.ami.js.snapshot/aws-cdk-imagebuilder-image-pipeline-ami-required-parameters.assets.json new file mode 100644 index 0000000000000..10b018091d3e0 --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.ami.js.snapshot/aws-cdk-imagebuilder-image-pipeline-ami-required-parameters.assets.json @@ -0,0 +1,20 @@ +{ + "version": "48.0.0", + "files": { + "55bf74de51035878fe1917112785d4fa37f9c3d80dc849ee917353a8864e0b17": { + "displayName": "aws-cdk-imagebuilder-image-pipeline-ami-required-parameters Template", + "source": { + "path": "aws-cdk-imagebuilder-image-pipeline-ami-required-parameters.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region-dfefa870": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "55bf74de51035878fe1917112785d4fa37f9c3d80dc849ee917353a8864e0b17.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.ami.js.snapshot/aws-cdk-imagebuilder-image-pipeline-ami-required-parameters.template.json b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.ami.js.snapshot/aws-cdk-imagebuilder-image-pipeline-ami-required-parameters.template.json new file mode 100644 index 0000000000000..fa1511420f834 --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.ami.js.snapshot/aws-cdk-imagebuilder-image-pipeline-ami-required-parameters.template.json @@ -0,0 +1,130 @@ +{ + "Resources": { + "ImageRecipe8C789631": { + "Type": "AWS::ImageBuilder::ImageRecipe", + "Properties": { + "Name": "aws-cdk-imagebuilder-image-pipeline-ami-required-parameters-imagerecipe-8db6c8ef", + "ParentImage": "ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-default-x86_64", + "Version": "1.0.x" + } + }, + "ImagePipelineAMIInfrastructureConfigurationInstanceProfileRole507BD514": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "ec2.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AmazonSSMManagedInstanceCore" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/EC2InstanceProfileForImageBuilder" + ] + ] + } + ] + } + }, + "ImagePipelineAMIInfrastructureConfigurationInstanceProfile43042B10": { + "Type": "AWS::IAM::InstanceProfile", + "Properties": { + "Roles": [ + { + "Ref": "ImagePipelineAMIInfrastructureConfigurationInstanceProfileRole507BD514" + } + ] + } + }, + "ImagePipelineAMIInfrastructureConfiguration8BB437DC": { + "Type": "AWS::ImageBuilder::InfrastructureConfiguration", + "Properties": { + "InstanceMetadataOptions": { + "HttpPutResponseHopLimit": 2, + "HttpTokens": "required" + }, + "InstanceProfileName": { + "Ref": "ImagePipelineAMIInfrastructureConfigurationInstanceProfile43042B10" + }, + "Name": "aws-cdk-imagebuilder-image-pipeline-ami-required-parameters-imagepipeline-ami-infrastructureconfiguration-f4861ab8" + } + }, + "ImagePipelineAMI7635ECE0": { + "Type": "AWS::ImageBuilder::ImagePipeline", + "Properties": { + "ImageRecipeArn": { + "Fn::GetAtt": [ + "ImageRecipe8C789631", + "Arn" + ] + }, + "InfrastructureConfigurationArn": { + "Fn::GetAtt": [ + "ImagePipelineAMIInfrastructureConfiguration8BB437DC", + "Arn" + ] + }, + "Name": "aws-cdk-imagebuilder-image-pipeline-ami-required-parameters-imagepipeline-ami-a91b44cb" + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.ami.js.snapshot/cdk.out b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.ami.js.snapshot/cdk.out new file mode 100644 index 0000000000000..523a9aac37cbf --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.ami.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"48.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.ami.js.snapshot/integ.json b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.ami.js.snapshot/integ.json new file mode 100644 index 0000000000000..fba34644073d2 --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.ami.js.snapshot/integ.json @@ -0,0 +1,13 @@ +{ + "version": "48.0.0", + "testCases": { + "ImagePipelineTest-AMI-DefaultParameters/DefaultTest": { + "stacks": [ + "aws-cdk-imagebuilder-image-pipeline-ami-required-parameters" + ], + "assertionStack": "ImagePipelineTest-AMI-DefaultParameters/DefaultTest/DeployAssert", + "assertionStackName": "ImagePipelineTestAMIDefaultParametersDefaultTestDeployAssert1F773E9C" + } + }, + "minimumCliVersion": "2.1027.0" +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.ami.js.snapshot/manifest.json b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.ami.js.snapshot/manifest.json new file mode 100644 index 0000000000000..471652da8c4ef --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.ami.js.snapshot/manifest.json @@ -0,0 +1,659 @@ +{ + "version": "48.0.0", + "artifacts": { + "aws-cdk-imagebuilder-image-pipeline-ami-required-parameters.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "aws-cdk-imagebuilder-image-pipeline-ami-required-parameters.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "aws-cdk-imagebuilder-image-pipeline-ami-required-parameters": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "aws-cdk-imagebuilder-image-pipeline-ami-required-parameters.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/55bf74de51035878fe1917112785d4fa37f9c3d80dc849ee917353a8864e0b17.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "aws-cdk-imagebuilder-image-pipeline-ami-required-parameters.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "aws-cdk-imagebuilder-image-pipeline-ami-required-parameters.assets" + ], + "metadata": { + "/aws-cdk-imagebuilder-image-pipeline-ami-required-parameters/ImageRecipe/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ImageRecipe8C789631" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-required-parameters/ImagePipeline-AMI/InfrastructureConfiguration": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-required-parameters/ImagePipeline-AMI/InfrastructureConfiguration/InstanceProfileRole": [ + { + "type": "aws:cdk:warning", + "data": "Failed to add construct metadata for node [InstanceProfileRole]. Reason: ValidationError: The result of fromAwsManagedPolicyName can not be used in this API [ack: @aws-cdk/core:addConstructMetadataFailed]" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-required-parameters/ImagePipeline-AMI/InfrastructureConfiguration/InstanceProfileRole/ImportInstanceProfileRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-required-parameters/ImagePipeline-AMI/InfrastructureConfiguration/InstanceProfileRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ImagePipelineAMIInfrastructureConfigurationInstanceProfileRole507BD514" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-required-parameters/ImagePipeline-AMI/InfrastructureConfiguration/InstanceProfile": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "role": "*" + } + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-required-parameters/ImagePipeline-AMI/InfrastructureConfiguration/InstanceProfile/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ImagePipelineAMIInfrastructureConfigurationInstanceProfile43042B10" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-required-parameters/ImagePipeline-AMI/InfrastructureConfiguration/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ImagePipelineAMIInfrastructureConfiguration8BB437DC" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-required-parameters/ImagePipeline-AMI/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ImagePipelineAMI7635ECE0" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-required-parameters/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-ami-required-parameters/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "aws-cdk-imagebuilder-image-pipeline-ami-required-parameters" + }, + "ImagePipelineTestAMIDefaultParametersDefaultTestDeployAssert1F773E9C.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "ImagePipelineTestAMIDefaultParametersDefaultTestDeployAssert1F773E9C.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "ImagePipelineTestAMIDefaultParametersDefaultTestDeployAssert1F773E9C": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "ImagePipelineTestAMIDefaultParametersDefaultTestDeployAssert1F773E9C.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "ImagePipelineTestAMIDefaultParametersDefaultTestDeployAssert1F773E9C.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "ImagePipelineTestAMIDefaultParametersDefaultTestDeployAssert1F773E9C.assets" + ], + "metadata": { + "/ImagePipelineTest-AMI-DefaultParameters/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/ImagePipelineTest-AMI-DefaultParameters/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "ImagePipelineTest-AMI-DefaultParameters/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + }, + "aws-cdk-lib/feature-flag-report": { + "type": "cdk:feature-flag-report", + "properties": { + "module": "aws-cdk-lib", + "flags": { + "@aws-cdk/aws-signer:signingProfileNamePassedToCfn": { + "userValue": true, + "recommendedValue": true, + "explanation": "Pass signingProfileName to CfnSigningProfile" + }, + "@aws-cdk/core:newStyleStackSynthesis": { + "recommendedValue": true, + "explanation": "Switch to new stack synthesis method which enables CI/CD", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:stackRelativeExports": { + "recommendedValue": true, + "explanation": "Name exports based on the construct paths relative to the stack, rather than the global construct path", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener": { + "userValue": true, + "recommendedValue": true, + "explanation": "Disable implicit openListener when custom security groups are provided" + }, + "@aws-cdk/aws-rds:lowercaseDbIdentifier": { + "recommendedValue": true, + "explanation": "Force lowercasing of RDS Cluster names in CDK", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": { + "recommendedValue": true, + "explanation": "Allow adding/removing multiple UsagePlanKeys independently", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeVersionProps": { + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeLayerVersion": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`." + }, + "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": { + "recommendedValue": true, + "explanation": "Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:checkSecretUsage": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this flag to make it impossible to accidentally use SecretValues in unsafe locations" + }, + "@aws-cdk/core:target-partitions": { + "recommendedValue": [ + "aws", + "aws-cn" + ], + "explanation": "What regions to include in lookup tables of environment agnostic stacks" + }, + "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": { + "userValue": true, + "recommendedValue": true, + "explanation": "ECS extensions will automatically add an `awslogs` driver if no logging is specified" + }, + "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to have Launch Templates generated by the `InstanceRequireImdsv2Aspect` use unique names." + }, + "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": { + "userValue": true, + "recommendedValue": true, + "explanation": "ARN format used by ECS. In the new ARN format, the cluster name is part of the resource ID." + }, + "@aws-cdk/aws-iam:minimizePolicies": { + "userValue": true, + "recommendedValue": true, + "explanation": "Minimize IAM policies by combining Statements" + }, + "@aws-cdk/core:validateSnapshotRemovalPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Error on snapshot removal policies on resources that do not support it." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate key aliases that include the stack name" + }, + "@aws-cdk/aws-s3:createDefaultLoggingPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to create an S3 bucket policy by default in cases where an AWS service would automatically create the Policy if one does not exist." + }, + "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict KMS key policy for encrypted Queues a bit more" + }, + "@aws-cdk/aws-apigateway:disableCloudWatchRole": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make default CloudWatch Role behavior safe for multiple API Gateways in one environment" + }, + "@aws-cdk/core:enablePartitionLiterals": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make ARNs concrete if AWS partition is known" + }, + "@aws-cdk/aws-events:eventsTargetQueueSameAccount": { + "userValue": true, + "recommendedValue": true, + "explanation": "Event Rules may only push to encrypted SQS queues in the same account" + }, + "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": { + "userValue": true, + "recommendedValue": true, + "explanation": "Avoid setting the \"ECS\" deployment controller when adding a circuit breaker" + }, + "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature to create default policy names for imported roles that depend on the stack the role is in." + }, + "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use S3 Bucket Policy instead of ACLs for Server Access Logging" + }, + "@aws-cdk/aws-route53-patters:useCertificate": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use the official `Certificate` resource instead of `DnsValidatedCertificate`" + }, + "@aws-cdk/customresources:installLatestAwsSdkDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "Whether to install the latest SDK by default in AwsCustomResource" + }, + "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use unique resource name for Database Proxy" + }, + "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Remove CloudWatch alarms from deployment group" + }, + "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include authorizer configuration in the calculation of the API deployment logical ID." + }, + "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": { + "userValue": true, + "recommendedValue": true, + "explanation": "Define user data for a launch template by default when a machine image is provided." + }, + "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": { + "userValue": true, + "recommendedValue": true, + "explanation": "SecretTargetAttachments uses the ResourcePolicy of the attached Secret." + }, + "@aws-cdk/aws-redshift:columnId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Whether to use an ID to track Redshift column changes" + }, + "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable AmazonEMRServicePolicy_v2 managed policies" + }, + "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict access to the VPC default security group" + }, + "@aws-cdk/aws-apigateway:requestValidatorUniqueId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a unique id for each RequestValidator added to a method" + }, + "@aws-cdk/aws-kms:aliasNameRef": { + "userValue": true, + "recommendedValue": true, + "explanation": "KMS Alias name and keyArn will have implicit reference to KMS Key" + }, + "@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable grant methods on Aliases imported by name to use kms:ResourceAliases condition" + }, + "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a launch template when creating an AutoScalingGroup" + }, + "@aws-cdk/core:includePrefixInUniqueNameGeneration": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include the stack prefix in the stack name generation process" + }, + "@aws-cdk/aws-efs:denyAnonymousAccess": { + "userValue": true, + "recommendedValue": true, + "explanation": "EFS denies anonymous clients accesses" + }, + "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables support for Multi-AZ with Standby deployment for opensearch domains" + }, + "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables aws-lambda-nodejs.Function to use the latest available NodeJs runtime as the default" + }, + "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, mount targets will have a stable logicalId that is linked to the associated subnet." + }, + "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a scope of InstanceParameterGroup for AuroraClusterInstance with each parameters will change." + }, + "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, will always use the arn for identifiers for CfnSourceApiAssociation in the GraphqlApi construct rather than id." + }, + "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials." + }, + "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the CodeCommit source action is using the default branch name 'main'." + }, + "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default value for crossAccountKeys to false." + }, + "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default pipeline type to V2." + }, + "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only." + }, + "@aws-cdk/pipelines:reduceAssetRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from PipelineAssetsFileRole trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-eks:nodegroupNameAttribute": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix." + }, + "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default volume type of the EBS volume will be GP3" + }, + "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, remove default deployment alarm settings" + }, + "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default" + }, + "@aws-cdk/aws-s3:keepNotificationInImportedBucket": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, Adding notifications to a bucket in the current stack will not remove notification from imported stack." + }, + "@aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask": { + "recommendedValue": true, + "explanation": "When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:explicitStackTags": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, stack tags need to be assigned explicitly on a Stack." + }, + "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": { + "userValue": false, + "recommendedValue": false, + "explanation": "When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)**" + }, + "@aws-cdk/aws-ecs:disableEcsImdsBlocking": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)**" + }, + "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, we will only grant the necessary permissions when users specify cloudwatch log group through logConfiguration" + }, + "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas" + }, + "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, initOptions.timeout and resourceSignalTimeout values will be summed together." + }, + "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a Lambda authorizer Permission created when using GraphqlApi will be properly scoped with a SourceArn." + }, + "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn`" + }, + "@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CFN templates added with `cfn-include` will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values." + }, + "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, both `@aws-sdk` and `@smithy` packages will be excluded from the Lambda Node.js 18.x runtime to prevent version mismatches in bundled applications." + }, + "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN." + }, + "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2." + }, + "@aws-cdk/core:aspectStabilization": { + "recommendedValue": true, + "explanation": "When enabled, a stabilization loop will be run when invoking Aspects during synthesis.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource." + }, + "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere" + }, + "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default behaviour of OIDC provider will reject unauthorized connections" + }, + "@aws-cdk/core:enableAdditionalMetadataCollection": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues." + }, + "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": { + "userValue": false, + "recommendedValue": false, + "explanation": "[Deprecated] When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement" + }, + "@aws-cdk/aws-s3:setUniqueReplicationRoleName": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will automatically generate a unique role name that is used for s3 object replication." + }, + "@aws-cdk/pipelines:reduceStageRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from Stage addActions trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-events:requireEventBusPolicySid": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, grantPutEventsTo() will use resource policies with Statement IDs for service principals." + }, + "@aws-cdk/core:aspectPrioritiesMutating": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, Aspects added by the construct library on your behalf will be given a priority of MUTATING." + }, + "@aws-cdk/aws-dynamodb:retainTableReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, table replica will be default to the removal policy of source table unless specified otherwise." + }, + "@aws-cdk/cognito:logUserPoolClientSecretValue": { + "recommendedValue": false, + "explanation": "When disabled, the value of the user pool client secret will not be logged in the custom resource lambda function logs." + }, + "@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope": { + "recommendedValue": true, + "explanation": "When enabled, scopes down the trust policy for the cross-account action role", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resultWriterV2 property of DistributedMap will be used insted of resultWriter" + }, + "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": { + "userValue": true, + "recommendedValue": true, + "explanation": "Add an S3 trust policy to a KMS key resource policy for SNS subscriptions." + }, + "@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the EgressOnlyGateway resource is only created if private subnets are defined in the dual-stack VPC." + }, + "@aws-cdk/aws-ec2-alpha:useResourceIdForVpcV2Migration": { + "recommendedValue": false, + "explanation": "When enabled, use resource IDs for VPC V2 migration" + }, + "@aws-cdk/aws-s3:publicAccessBlockedByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, setting any combination of options for BlockPublicAccess will automatically set true for any options not defined." + }, + "@aws-cdk/aws-lambda:useCdkManagedLogGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK creates and manages loggroup for the lambda function" + }, + "@aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault": { + "recommendedValue": true, + "explanation": "When enabled, Network Load Balancer will be created with a security group by default." + }, + "@aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint": { + "recommendedValue": true, + "explanation": "When enabled, allows using a dynamic apiEndpoint with JSONPath format in HttpInvoke tasks.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId": { + "recommendedValue": true, + "explanation": "When enabled, ECS patterns will generate unique target group IDs to prevent conflicts during load balancer replacement" + } + } + } + } + }, + "minimumCliVersion": "2.1031.2" +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.ami.js.snapshot/tree.json b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.ami.js.snapshot/tree.json new file mode 100644 index 0000000000000..796fab7d500d9 --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.ami.js.snapshot/tree.json @@ -0,0 +1 @@ +{"version":"tree-0.1","tree":{"id":"App","path":"","constructInfo":{"fqn":"aws-cdk-lib.App","version":"0.0.0"},"children":{"aws-cdk-imagebuilder-image-pipeline-ami-required-parameters":{"id":"aws-cdk-imagebuilder-image-pipeline-ami-required-parameters","path":"aws-cdk-imagebuilder-image-pipeline-ami-required-parameters","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"ImageRecipe":{"id":"ImageRecipe","path":"aws-cdk-imagebuilder-image-pipeline-ami-required-parameters/ImageRecipe","constructInfo":{"fqn":"@aws-cdk/aws-imagebuilder-alpha.ImageRecipe","version":"0.0.0","metadata":[]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-ami-required-parameters/ImageRecipe/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_imagebuilder.CfnImageRecipe","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::ImageBuilder::ImageRecipe","aws:cdk:cloudformation:props":{"name":"aws-cdk-imagebuilder-image-pipeline-ami-required-parameters-imagerecipe-8db6c8ef","parentImage":"ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-default-x86_64","version":"1.0.x"}}}}},"ImagePipeline-AMI":{"id":"ImagePipeline-AMI","path":"aws-cdk-imagebuilder-image-pipeline-ami-required-parameters/ImagePipeline-AMI","constructInfo":{"fqn":"@aws-cdk/aws-imagebuilder-alpha.ImagePipeline","version":"0.0.0","metadata":[]},"children":{"InfrastructureConfiguration":{"id":"InfrastructureConfiguration","path":"aws-cdk-imagebuilder-image-pipeline-ami-required-parameters/ImagePipeline-AMI/InfrastructureConfiguration","constructInfo":{"fqn":"@aws-cdk/aws-imagebuilder-alpha.InfrastructureConfiguration","version":"0.0.0","metadata":["*"]},"children":{"InstanceProfileRole":{"id":"InstanceProfileRole","path":"aws-cdk-imagebuilder-image-pipeline-ami-required-parameters/ImagePipeline-AMI/InfrastructureConfiguration/InstanceProfileRole","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[]},"children":{"ImportInstanceProfileRole":{"id":"ImportInstanceProfileRole","path":"aws-cdk-imagebuilder-image-pipeline-ami-required-parameters/ImagePipeline-AMI/InfrastructureConfiguration/InstanceProfileRole/ImportInstanceProfileRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-ami-required-parameters/ImagePipeline-AMI/InfrastructureConfiguration/InstanceProfileRole/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"}}],"Version":"2012-10-17"},"managedPolicyArns":[{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":iam::aws:policy/AmazonSSMManagedInstanceCore"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":iam::aws:policy/EC2InstanceProfileForImageBuilder"]]}]}}}}},"InstanceProfile":{"id":"InstanceProfile","path":"aws-cdk-imagebuilder-image-pipeline-ami-required-parameters/ImagePipeline-AMI/InfrastructureConfiguration/InstanceProfile","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.InstanceProfile","version":"0.0.0","metadata":[{"role":"*"}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-ami-required-parameters/ImagePipeline-AMI/InfrastructureConfiguration/InstanceProfile/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnInstanceProfile","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::InstanceProfile","aws:cdk:cloudformation:props":{"roles":[{"Ref":"ImagePipelineAMIInfrastructureConfigurationInstanceProfileRole507BD514"}]}}}}},"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-ami-required-parameters/ImagePipeline-AMI/InfrastructureConfiguration/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_imagebuilder.CfnInfrastructureConfiguration","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::ImageBuilder::InfrastructureConfiguration","aws:cdk:cloudformation:props":{"instanceMetadataOptions":{"httpTokens":"required","httpPutResponseHopLimit":2},"instanceProfileName":{"Ref":"ImagePipelineAMIInfrastructureConfigurationInstanceProfile43042B10"},"name":"aws-cdk-imagebuilder-image-pipeline-ami-required-parameters-imagepipeline-ami-infrastructureconfiguration-f4861ab8"}}}}},"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-ami-required-parameters/ImagePipeline-AMI/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_imagebuilder.CfnImagePipeline","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::ImageBuilder::ImagePipeline","aws:cdk:cloudformation:props":{"imageRecipeArn":{"Fn::GetAtt":["ImageRecipe8C789631","Arn"]},"infrastructureConfigurationArn":{"Fn::GetAtt":["ImagePipelineAMIInfrastructureConfiguration8BB437DC","Arn"]},"name":"aws-cdk-imagebuilder-image-pipeline-ami-required-parameters-imagepipeline-ami-a91b44cb"}}}}},"BootstrapVersion":{"id":"BootstrapVersion","path":"aws-cdk-imagebuilder-image-pipeline-ami-required-parameters/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"aws-cdk-imagebuilder-image-pipeline-ami-required-parameters/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}},"ImagePipelineTest-AMI-DefaultParameters":{"id":"ImagePipelineTest-AMI-DefaultParameters","path":"ImagePipelineTest-AMI-DefaultParameters","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTest","version":"0.0.0"},"children":{"DefaultTest":{"id":"DefaultTest","path":"ImagePipelineTest-AMI-DefaultParameters/DefaultTest","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTestCase","version":"0.0.0"},"children":{"Default":{"id":"Default","path":"ImagePipelineTest-AMI-DefaultParameters/DefaultTest/Default","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"}},"DeployAssert":{"id":"DeployAssert","path":"ImagePipelineTest-AMI-DefaultParameters/DefaultTest/DeployAssert","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"BootstrapVersion":{"id":"BootstrapVersion","path":"ImagePipelineTest-AMI-DefaultParameters/DefaultTest/DeployAssert/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"ImagePipelineTest-AMI-DefaultParameters/DefaultTest/DeployAssert/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}}}}}},"Tree":{"id":"Tree","path":"Tree","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"}}}}} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.ami.ts b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.ami.ts new file mode 100644 index 0000000000000..d2ecaf8182316 --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.ami.ts @@ -0,0 +1,18 @@ +import * as integ from '@aws-cdk/integ-tests-alpha'; +import * as cdk from 'aws-cdk-lib'; +import * as imagebuilder from '../lib'; + +const app = new cdk.App(); +const stack = new cdk.Stack(app, 'aws-cdk-imagebuilder-image-pipeline-ami-required-parameters'); + +const imageRecipe = new imagebuilder.ImageRecipe(stack, 'ImageRecipe', { + baseImage: imagebuilder.BaseImage.fromSsmParameterName( + '/aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-default-x86_64', + ), +}); + +new imagebuilder.ImagePipeline(stack, 'ImagePipeline-AMI', { recipe: imageRecipe }); + +new integ.IntegTest(app, 'ImagePipelineTest-AMI-DefaultParameters', { + testCases: [stack], +}); diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.container.js.snapshot/ImagePipelineTestContainerDefaultParametersDefaultTestDeployAssertC25E9F2B.assets.json b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.container.js.snapshot/ImagePipelineTestContainerDefaultParametersDefaultTestDeployAssertC25E9F2B.assets.json new file mode 100644 index 0000000000000..f88a284553f0c --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.container.js.snapshot/ImagePipelineTestContainerDefaultParametersDefaultTestDeployAssertC25E9F2B.assets.json @@ -0,0 +1,20 @@ +{ + "version": "48.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "displayName": "ImagePipelineTestContainerDefaultParametersDefaultTestDeployAssertC25E9F2B Template", + "source": { + "path": "ImagePipelineTestContainerDefaultParametersDefaultTestDeployAssertC25E9F2B.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region-d8d86b35": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.container.js.snapshot/ImagePipelineTestContainerDefaultParametersDefaultTestDeployAssertC25E9F2B.template.json b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.container.js.snapshot/ImagePipelineTestContainerDefaultParametersDefaultTestDeployAssertC25E9F2B.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.container.js.snapshot/ImagePipelineTestContainerDefaultParametersDefaultTestDeployAssertC25E9F2B.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.container.js.snapshot/aws-cdk-imagebuilder-image-pipeline-container-required-parameters.assets.json b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.container.js.snapshot/aws-cdk-imagebuilder-image-pipeline-container-required-parameters.assets.json new file mode 100644 index 0000000000000..43b221cc5e345 --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.container.js.snapshot/aws-cdk-imagebuilder-image-pipeline-container-required-parameters.assets.json @@ -0,0 +1,20 @@ +{ + "version": "48.0.0", + "files": { + "c464468e1c8b2552d201895de8d1b282b1d798477ab29aad9136f03d33f55dfd": { + "displayName": "aws-cdk-imagebuilder-image-pipeline-container-required-parameters Template", + "source": { + "path": "aws-cdk-imagebuilder-image-pipeline-container-required-parameters.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region-19e5ea59": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "c464468e1c8b2552d201895de8d1b282b1d798477ab29aad9136f03d33f55dfd.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.container.js.snapshot/aws-cdk-imagebuilder-image-pipeline-container-required-parameters.template.json b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.container.js.snapshot/aws-cdk-imagebuilder-image-pipeline-container-required-parameters.template.json new file mode 100644 index 0000000000000..a289ea5b9f20d --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.container.js.snapshot/aws-cdk-imagebuilder-image-pipeline-container-required-parameters.template.json @@ -0,0 +1,157 @@ +{ + "Resources": { + "Repository22E53BBD": { + "Type": "AWS::ECR::Repository", + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "ContainerRecipe8A7CC9ED": { + "Type": "AWS::ImageBuilder::ContainerRecipe", + "Properties": { + "ContainerType": "DOCKER", + "DockerfileTemplateData": "FROM {{{ imagebuilder:parentImage }}}\n{{{ imagebuilder:environments }}}\n{{{ imagebuilder:components }}}", + "ImageOsVersionOverride": "Amazon Linux 2023", + "Name": "aws-cdk-imagebuilder-image-pipeline-container-required-parameters-containerrecipe-d3a4c120", + "ParentImage": "public.ecr.aws/amazonlinux/amazonlinux:latest", + "PlatformOverride": "Linux", + "TargetRepository": { + "RepositoryName": { + "Ref": "Repository22E53BBD" + }, + "Service": "ECR" + }, + "Version": "1.0.x" + } + }, + "ImagePipelineContainerInfrastructureConfigurationInstanceProfileRole55E1213B": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "ec2.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AmazonSSMManagedInstanceCore" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/EC2InstanceProfileForImageBuilder" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/EC2InstanceProfileForImageBuilderECRContainerBuilds" + ] + ] + } + ] + } + }, + "ImagePipelineContainerInfrastructureConfigurationInstanceProfileCB9700ED": { + "Type": "AWS::IAM::InstanceProfile", + "Properties": { + "Roles": [ + { + "Ref": "ImagePipelineContainerInfrastructureConfigurationInstanceProfileRole55E1213B" + } + ] + } + }, + "ImagePipelineContainerInfrastructureConfigurationCCD4265B": { + "Type": "AWS::ImageBuilder::InfrastructureConfiguration", + "Properties": { + "InstanceMetadataOptions": { + "HttpPutResponseHopLimit": 2, + "HttpTokens": "required" + }, + "InstanceProfileName": { + "Ref": "ImagePipelineContainerInfrastructureConfigurationInstanceProfileCB9700ED" + }, + "Name": "aws-cdk-imagebuilder-image-pipeline-container-required-parameters-imagepipeline-container-infrastructureconfiguration-1c74b770" + } + }, + "ImagePipelineContainer507B5032": { + "Type": "AWS::ImageBuilder::ImagePipeline", + "Properties": { + "ContainerRecipeArn": { + "Fn::GetAtt": [ + "ContainerRecipe8A7CC9ED", + "Arn" + ] + }, + "InfrastructureConfigurationArn": { + "Fn::GetAtt": [ + "ImagePipelineContainerInfrastructureConfigurationCCD4265B", + "Arn" + ] + }, + "Name": "aws-cdk-imagebuilder-image-pipeline-container-required-parameters-imagepipeline-container-c642ca08" + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.container.js.snapshot/cdk.out b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.container.js.snapshot/cdk.out new file mode 100644 index 0000000000000..523a9aac37cbf --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.container.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"48.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.container.js.snapshot/integ.json b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.container.js.snapshot/integ.json new file mode 100644 index 0000000000000..641bcb26f6c00 --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.container.js.snapshot/integ.json @@ -0,0 +1,13 @@ +{ + "version": "48.0.0", + "testCases": { + "ImagePipelineTest-Container-DefaultParameters/DefaultTest": { + "stacks": [ + "aws-cdk-imagebuilder-image-pipeline-container-required-parameters" + ], + "assertionStack": "ImagePipelineTest-Container-DefaultParameters/DefaultTest/DeployAssert", + "assertionStackName": "ImagePipelineTestContainerDefaultParametersDefaultTestDeployAssertC25E9F2B" + } + }, + "minimumCliVersion": "2.1027.0" +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.container.js.snapshot/manifest.json b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.container.js.snapshot/manifest.json new file mode 100644 index 0000000000000..0059743274afa --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.container.js.snapshot/manifest.json @@ -0,0 +1,677 @@ +{ + "version": "48.0.0", + "artifacts": { + "aws-cdk-imagebuilder-image-pipeline-container-required-parameters.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "aws-cdk-imagebuilder-image-pipeline-container-required-parameters.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "aws-cdk-imagebuilder-image-pipeline-container-required-parameters": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "aws-cdk-imagebuilder-image-pipeline-container-required-parameters.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/c464468e1c8b2552d201895de8d1b282b1d798477ab29aad9136f03d33f55dfd.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "aws-cdk-imagebuilder-image-pipeline-container-required-parameters.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "aws-cdk-imagebuilder-image-pipeline-container-required-parameters.assets" + ], + "metadata": { + "/aws-cdk-imagebuilder-image-pipeline-container-required-parameters/Repository": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "removalPolicy": "destroy" + } + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-required-parameters/Repository/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "Repository22E53BBD" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-required-parameters/ContainerRecipe/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ContainerRecipe8A7CC9ED" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-required-parameters/ImagePipeline-Container/InfrastructureConfiguration": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-required-parameters/ImagePipeline-Container/InfrastructureConfiguration/InstanceProfileRole": [ + { + "type": "aws:cdk:warning", + "data": "Failed to add construct metadata for node [InstanceProfileRole]. Reason: ValidationError: The result of fromAwsManagedPolicyName can not be used in this API [ack: @aws-cdk/core:addConstructMetadataFailed]" + }, + { + "type": "aws:cdk:warning", + "data": "Failed to add method metadata for node [InstanceProfileRole], method name addManagedPolicy. Reason: ValidationError: The result of fromAwsManagedPolicyName can not be used in this API [ack: @aws-cdk/core:addMethodMetadataFailed]" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-required-parameters/ImagePipeline-Container/InfrastructureConfiguration/InstanceProfileRole/ImportInstanceProfileRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-required-parameters/ImagePipeline-Container/InfrastructureConfiguration/InstanceProfileRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ImagePipelineContainerInfrastructureConfigurationInstanceProfileRole55E1213B" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-required-parameters/ImagePipeline-Container/InfrastructureConfiguration/InstanceProfile": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "role": "*" + } + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-required-parameters/ImagePipeline-Container/InfrastructureConfiguration/InstanceProfile/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ImagePipelineContainerInfrastructureConfigurationInstanceProfileCB9700ED" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-required-parameters/ImagePipeline-Container/InfrastructureConfiguration/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ImagePipelineContainerInfrastructureConfigurationCCD4265B" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-required-parameters/ImagePipeline-Container/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ImagePipelineContainer507B5032" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-required-parameters/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/aws-cdk-imagebuilder-image-pipeline-container-required-parameters/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "aws-cdk-imagebuilder-image-pipeline-container-required-parameters" + }, + "ImagePipelineTestContainerDefaultParametersDefaultTestDeployAssertC25E9F2B.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "ImagePipelineTestContainerDefaultParametersDefaultTestDeployAssertC25E9F2B.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "ImagePipelineTestContainerDefaultParametersDefaultTestDeployAssertC25E9F2B": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "ImagePipelineTestContainerDefaultParametersDefaultTestDeployAssertC25E9F2B.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "ImagePipelineTestContainerDefaultParametersDefaultTestDeployAssertC25E9F2B.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "ImagePipelineTestContainerDefaultParametersDefaultTestDeployAssertC25E9F2B.assets" + ], + "metadata": { + "/ImagePipelineTest-Container-DefaultParameters/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/ImagePipelineTest-Container-DefaultParameters/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "ImagePipelineTest-Container-DefaultParameters/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + }, + "aws-cdk-lib/feature-flag-report": { + "type": "cdk:feature-flag-report", + "properties": { + "module": "aws-cdk-lib", + "flags": { + "@aws-cdk/aws-signer:signingProfileNamePassedToCfn": { + "userValue": true, + "recommendedValue": true, + "explanation": "Pass signingProfileName to CfnSigningProfile" + }, + "@aws-cdk/core:newStyleStackSynthesis": { + "recommendedValue": true, + "explanation": "Switch to new stack synthesis method which enables CI/CD", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:stackRelativeExports": { + "recommendedValue": true, + "explanation": "Name exports based on the construct paths relative to the stack, rather than the global construct path", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener": { + "userValue": true, + "recommendedValue": true, + "explanation": "Disable implicit openListener when custom security groups are provided" + }, + "@aws-cdk/aws-rds:lowercaseDbIdentifier": { + "recommendedValue": true, + "explanation": "Force lowercasing of RDS Cluster names in CDK", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": { + "recommendedValue": true, + "explanation": "Allow adding/removing multiple UsagePlanKeys independently", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeVersionProps": { + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeLayerVersion": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`." + }, + "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": { + "recommendedValue": true, + "explanation": "Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:checkSecretUsage": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this flag to make it impossible to accidentally use SecretValues in unsafe locations" + }, + "@aws-cdk/core:target-partitions": { + "recommendedValue": [ + "aws", + "aws-cn" + ], + "explanation": "What regions to include in lookup tables of environment agnostic stacks" + }, + "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": { + "userValue": true, + "recommendedValue": true, + "explanation": "ECS extensions will automatically add an `awslogs` driver if no logging is specified" + }, + "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to have Launch Templates generated by the `InstanceRequireImdsv2Aspect` use unique names." + }, + "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": { + "userValue": true, + "recommendedValue": true, + "explanation": "ARN format used by ECS. In the new ARN format, the cluster name is part of the resource ID." + }, + "@aws-cdk/aws-iam:minimizePolicies": { + "userValue": true, + "recommendedValue": true, + "explanation": "Minimize IAM policies by combining Statements" + }, + "@aws-cdk/core:validateSnapshotRemovalPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Error on snapshot removal policies on resources that do not support it." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate key aliases that include the stack name" + }, + "@aws-cdk/aws-s3:createDefaultLoggingPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to create an S3 bucket policy by default in cases where an AWS service would automatically create the Policy if one does not exist." + }, + "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict KMS key policy for encrypted Queues a bit more" + }, + "@aws-cdk/aws-apigateway:disableCloudWatchRole": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make default CloudWatch Role behavior safe for multiple API Gateways in one environment" + }, + "@aws-cdk/core:enablePartitionLiterals": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make ARNs concrete if AWS partition is known" + }, + "@aws-cdk/aws-events:eventsTargetQueueSameAccount": { + "userValue": true, + "recommendedValue": true, + "explanation": "Event Rules may only push to encrypted SQS queues in the same account" + }, + "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": { + "userValue": true, + "recommendedValue": true, + "explanation": "Avoid setting the \"ECS\" deployment controller when adding a circuit breaker" + }, + "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature to create default policy names for imported roles that depend on the stack the role is in." + }, + "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use S3 Bucket Policy instead of ACLs for Server Access Logging" + }, + "@aws-cdk/aws-route53-patters:useCertificate": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use the official `Certificate` resource instead of `DnsValidatedCertificate`" + }, + "@aws-cdk/customresources:installLatestAwsSdkDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "Whether to install the latest SDK by default in AwsCustomResource" + }, + "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use unique resource name for Database Proxy" + }, + "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Remove CloudWatch alarms from deployment group" + }, + "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include authorizer configuration in the calculation of the API deployment logical ID." + }, + "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": { + "userValue": true, + "recommendedValue": true, + "explanation": "Define user data for a launch template by default when a machine image is provided." + }, + "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": { + "userValue": true, + "recommendedValue": true, + "explanation": "SecretTargetAttachments uses the ResourcePolicy of the attached Secret." + }, + "@aws-cdk/aws-redshift:columnId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Whether to use an ID to track Redshift column changes" + }, + "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable AmazonEMRServicePolicy_v2 managed policies" + }, + "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict access to the VPC default security group" + }, + "@aws-cdk/aws-apigateway:requestValidatorUniqueId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a unique id for each RequestValidator added to a method" + }, + "@aws-cdk/aws-kms:aliasNameRef": { + "userValue": true, + "recommendedValue": true, + "explanation": "KMS Alias name and keyArn will have implicit reference to KMS Key" + }, + "@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable grant methods on Aliases imported by name to use kms:ResourceAliases condition" + }, + "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a launch template when creating an AutoScalingGroup" + }, + "@aws-cdk/core:includePrefixInUniqueNameGeneration": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include the stack prefix in the stack name generation process" + }, + "@aws-cdk/aws-efs:denyAnonymousAccess": { + "userValue": true, + "recommendedValue": true, + "explanation": "EFS denies anonymous clients accesses" + }, + "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables support for Multi-AZ with Standby deployment for opensearch domains" + }, + "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables aws-lambda-nodejs.Function to use the latest available NodeJs runtime as the default" + }, + "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, mount targets will have a stable logicalId that is linked to the associated subnet." + }, + "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a scope of InstanceParameterGroup for AuroraClusterInstance with each parameters will change." + }, + "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, will always use the arn for identifiers for CfnSourceApiAssociation in the GraphqlApi construct rather than id." + }, + "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials." + }, + "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the CodeCommit source action is using the default branch name 'main'." + }, + "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default value for crossAccountKeys to false." + }, + "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default pipeline type to V2." + }, + "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only." + }, + "@aws-cdk/pipelines:reduceAssetRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from PipelineAssetsFileRole trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-eks:nodegroupNameAttribute": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix." + }, + "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default volume type of the EBS volume will be GP3" + }, + "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, remove default deployment alarm settings" + }, + "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default" + }, + "@aws-cdk/aws-s3:keepNotificationInImportedBucket": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, Adding notifications to a bucket in the current stack will not remove notification from imported stack." + }, + "@aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask": { + "recommendedValue": true, + "explanation": "When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:explicitStackTags": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, stack tags need to be assigned explicitly on a Stack." + }, + "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": { + "userValue": false, + "recommendedValue": false, + "explanation": "When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)**" + }, + "@aws-cdk/aws-ecs:disableEcsImdsBlocking": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)**" + }, + "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, we will only grant the necessary permissions when users specify cloudwatch log group through logConfiguration" + }, + "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas" + }, + "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, initOptions.timeout and resourceSignalTimeout values will be summed together." + }, + "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a Lambda authorizer Permission created when using GraphqlApi will be properly scoped with a SourceArn." + }, + "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn`" + }, + "@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CFN templates added with `cfn-include` will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values." + }, + "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, both `@aws-sdk` and `@smithy` packages will be excluded from the Lambda Node.js 18.x runtime to prevent version mismatches in bundled applications." + }, + "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN." + }, + "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2." + }, + "@aws-cdk/core:aspectStabilization": { + "recommendedValue": true, + "explanation": "When enabled, a stabilization loop will be run when invoking Aspects during synthesis.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource." + }, + "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere" + }, + "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default behaviour of OIDC provider will reject unauthorized connections" + }, + "@aws-cdk/core:enableAdditionalMetadataCollection": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues." + }, + "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": { + "userValue": false, + "recommendedValue": false, + "explanation": "[Deprecated] When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement" + }, + "@aws-cdk/aws-s3:setUniqueReplicationRoleName": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will automatically generate a unique role name that is used for s3 object replication." + }, + "@aws-cdk/pipelines:reduceStageRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from Stage addActions trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-events:requireEventBusPolicySid": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, grantPutEventsTo() will use resource policies with Statement IDs for service principals." + }, + "@aws-cdk/core:aspectPrioritiesMutating": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, Aspects added by the construct library on your behalf will be given a priority of MUTATING." + }, + "@aws-cdk/aws-dynamodb:retainTableReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, table replica will be default to the removal policy of source table unless specified otherwise." + }, + "@aws-cdk/cognito:logUserPoolClientSecretValue": { + "recommendedValue": false, + "explanation": "When disabled, the value of the user pool client secret will not be logged in the custom resource lambda function logs." + }, + "@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope": { + "recommendedValue": true, + "explanation": "When enabled, scopes down the trust policy for the cross-account action role", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resultWriterV2 property of DistributedMap will be used insted of resultWriter" + }, + "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": { + "userValue": true, + "recommendedValue": true, + "explanation": "Add an S3 trust policy to a KMS key resource policy for SNS subscriptions." + }, + "@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the EgressOnlyGateway resource is only created if private subnets are defined in the dual-stack VPC." + }, + "@aws-cdk/aws-ec2-alpha:useResourceIdForVpcV2Migration": { + "recommendedValue": false, + "explanation": "When enabled, use resource IDs for VPC V2 migration" + }, + "@aws-cdk/aws-s3:publicAccessBlockedByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, setting any combination of options for BlockPublicAccess will automatically set true for any options not defined." + }, + "@aws-cdk/aws-lambda:useCdkManagedLogGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK creates and manages loggroup for the lambda function" + }, + "@aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault": { + "recommendedValue": true, + "explanation": "When enabled, Network Load Balancer will be created with a security group by default." + }, + "@aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint": { + "recommendedValue": true, + "explanation": "When enabled, allows using a dynamic apiEndpoint with JSONPath format in HttpInvoke tasks.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId": { + "recommendedValue": true, + "explanation": "When enabled, ECS patterns will generate unique target group IDs to prevent conflicts during load balancer replacement" + } + } + } + } + }, + "minimumCliVersion": "2.1031.2" +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.container.js.snapshot/tree.json b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.container.js.snapshot/tree.json new file mode 100644 index 0000000000000..f69ae3f4ba57b --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.container.js.snapshot/tree.json @@ -0,0 +1 @@ +{"version":"tree-0.1","tree":{"id":"App","path":"","constructInfo":{"fqn":"aws-cdk-lib.App","version":"0.0.0"},"children":{"aws-cdk-imagebuilder-image-pipeline-container-required-parameters":{"id":"aws-cdk-imagebuilder-image-pipeline-container-required-parameters","path":"aws-cdk-imagebuilder-image-pipeline-container-required-parameters","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"Repository":{"id":"Repository","path":"aws-cdk-imagebuilder-image-pipeline-container-required-parameters/Repository","constructInfo":{"fqn":"aws-cdk-lib.aws_ecr.Repository","version":"0.0.0","metadata":[{"removalPolicy":"destroy"}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-container-required-parameters/Repository/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_ecr.CfnRepository","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::ECR::Repository","aws:cdk:cloudformation:props":{}}}}},"ContainerRecipe":{"id":"ContainerRecipe","path":"aws-cdk-imagebuilder-image-pipeline-container-required-parameters/ContainerRecipe","constructInfo":{"fqn":"@aws-cdk/aws-imagebuilder-alpha.ContainerRecipe","version":"0.0.0","metadata":[]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-container-required-parameters/ContainerRecipe/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_imagebuilder.CfnContainerRecipe","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::ImageBuilder::ContainerRecipe","aws:cdk:cloudformation:props":{"containerType":"DOCKER","dockerfileTemplateData":"FROM {{{ imagebuilder:parentImage }}}\n{{{ imagebuilder:environments }}}\n{{{ imagebuilder:components }}}","imageOsVersionOverride":"Amazon Linux 2023","name":"aws-cdk-imagebuilder-image-pipeline-container-required-parameters-containerrecipe-d3a4c120","parentImage":"public.ecr.aws/amazonlinux/amazonlinux:latest","platformOverride":"Linux","targetRepository":{"repositoryName":{"Ref":"Repository22E53BBD"},"service":"ECR"},"version":"1.0.x"}}}}},"ImagePipeline-Container":{"id":"ImagePipeline-Container","path":"aws-cdk-imagebuilder-image-pipeline-container-required-parameters/ImagePipeline-Container","constructInfo":{"fqn":"@aws-cdk/aws-imagebuilder-alpha.ImagePipeline","version":"0.0.0","metadata":[]},"children":{"InfrastructureConfiguration":{"id":"InfrastructureConfiguration","path":"aws-cdk-imagebuilder-image-pipeline-container-required-parameters/ImagePipeline-Container/InfrastructureConfiguration","constructInfo":{"fqn":"@aws-cdk/aws-imagebuilder-alpha.InfrastructureConfiguration","version":"0.0.0","metadata":["*"]},"children":{"InstanceProfileRole":{"id":"InstanceProfileRole","path":"aws-cdk-imagebuilder-image-pipeline-container-required-parameters/ImagePipeline-Container/InfrastructureConfiguration/InstanceProfileRole","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[]},"children":{"ImportInstanceProfileRole":{"id":"ImportInstanceProfileRole","path":"aws-cdk-imagebuilder-image-pipeline-container-required-parameters/ImagePipeline-Container/InfrastructureConfiguration/InstanceProfileRole/ImportInstanceProfileRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-container-required-parameters/ImagePipeline-Container/InfrastructureConfiguration/InstanceProfileRole/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"}}],"Version":"2012-10-17"},"managedPolicyArns":[{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":iam::aws:policy/AmazonSSMManagedInstanceCore"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":iam::aws:policy/EC2InstanceProfileForImageBuilder"]]},{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":iam::aws:policy/EC2InstanceProfileForImageBuilderECRContainerBuilds"]]}]}}}}},"InstanceProfile":{"id":"InstanceProfile","path":"aws-cdk-imagebuilder-image-pipeline-container-required-parameters/ImagePipeline-Container/InfrastructureConfiguration/InstanceProfile","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.InstanceProfile","version":"0.0.0","metadata":[{"role":"*"}]},"children":{"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-container-required-parameters/ImagePipeline-Container/InfrastructureConfiguration/InstanceProfile/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnInstanceProfile","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::InstanceProfile","aws:cdk:cloudformation:props":{"roles":[{"Ref":"ImagePipelineContainerInfrastructureConfigurationInstanceProfileRole55E1213B"}]}}}}},"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-container-required-parameters/ImagePipeline-Container/InfrastructureConfiguration/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_imagebuilder.CfnInfrastructureConfiguration","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::ImageBuilder::InfrastructureConfiguration","aws:cdk:cloudformation:props":{"instanceMetadataOptions":{"httpTokens":"required","httpPutResponseHopLimit":2},"instanceProfileName":{"Ref":"ImagePipelineContainerInfrastructureConfigurationInstanceProfileCB9700ED"},"name":"aws-cdk-imagebuilder-image-pipeline-container-required-parameters-imagepipeline-container-infrastructureconfiguration-1c74b770"}}}}},"Resource":{"id":"Resource","path":"aws-cdk-imagebuilder-image-pipeline-container-required-parameters/ImagePipeline-Container/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_imagebuilder.CfnImagePipeline","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::ImageBuilder::ImagePipeline","aws:cdk:cloudformation:props":{"containerRecipeArn":{"Fn::GetAtt":["ContainerRecipe8A7CC9ED","Arn"]},"infrastructureConfigurationArn":{"Fn::GetAtt":["ImagePipelineContainerInfrastructureConfigurationCCD4265B","Arn"]},"name":"aws-cdk-imagebuilder-image-pipeline-container-required-parameters-imagepipeline-container-c642ca08"}}}}},"BootstrapVersion":{"id":"BootstrapVersion","path":"aws-cdk-imagebuilder-image-pipeline-container-required-parameters/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"aws-cdk-imagebuilder-image-pipeline-container-required-parameters/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}},"ImagePipelineTest-Container-DefaultParameters":{"id":"ImagePipelineTest-Container-DefaultParameters","path":"ImagePipelineTest-Container-DefaultParameters","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTest","version":"0.0.0"},"children":{"DefaultTest":{"id":"DefaultTest","path":"ImagePipelineTest-Container-DefaultParameters/DefaultTest","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTestCase","version":"0.0.0"},"children":{"Default":{"id":"Default","path":"ImagePipelineTest-Container-DefaultParameters/DefaultTest/Default","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"}},"DeployAssert":{"id":"DeployAssert","path":"ImagePipelineTest-Container-DefaultParameters/DefaultTest/DeployAssert","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"BootstrapVersion":{"id":"BootstrapVersion","path":"ImagePipelineTest-Container-DefaultParameters/DefaultTest/DeployAssert/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"ImagePipelineTest-Container-DefaultParameters/DefaultTest/DeployAssert/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}}}}}},"Tree":{"id":"Tree","path":"Tree","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"}}}}} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.container.ts b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.container.ts new file mode 100644 index 0000000000000..e8759519ff10e --- /dev/null +++ b/packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.default-parameters.image-pipeline.container.ts @@ -0,0 +1,21 @@ +import * as integ from '@aws-cdk/integ-tests-alpha'; +import * as cdk from 'aws-cdk-lib'; +import * as ecr from 'aws-cdk-lib/aws-ecr'; +import * as imagebuilder from '../lib'; + +const app = new cdk.App(); +const stack = new cdk.Stack(app, 'aws-cdk-imagebuilder-image-pipeline-container-required-parameters'); + +const repository = new ecr.Repository(stack, 'Repository', { removalPolicy: cdk.RemovalPolicy.DESTROY }); + +const containerRecipe = new imagebuilder.ContainerRecipe(stack, 'ContainerRecipe', { + baseImage: imagebuilder.BaseContainerImage.fromEcrPublic('amazonlinux', 'amazonlinux', 'latest'), + targetRepository: imagebuilder.Repository.fromEcr(repository), + osVersion: imagebuilder.OSVersion.AMAZON_LINUX_2023, +}); + +new imagebuilder.ImagePipeline(stack, 'ImagePipeline-Container', { recipe: containerRecipe }); + +new integ.IntegTest(app, 'ImagePipelineTest-Container-DefaultParameters', { + testCases: [stack], +});