├── .eslintrc.json ├── .gitattributes ├── .github ├── pull_request_template.md └── workflows │ ├── build.yml │ ├── pull-request-lint.yml │ ├── release.yml │ └── upgrade-main.yml ├── .gitignore ├── .mergify.yml ├── .npmignore ├── .projen ├── deps.json ├── files.json └── tasks.json ├── .projenrc.js ├── API.md ├── CHANGELOG.md ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── README.md ├── assets └── image-builder-update-lambda │ └── image-builder-lambda-update-ssm.py ├── package.json ├── src └── index.ts ├── test ├── imagepipeline.test.ts ├── test_component_example.yml └── test_component_example_2.yml ├── tsconfig.dev.json └── yarn.lock /.eslintrc.json: -------------------------------------------------------------------------------- 1 | // ~~ Generated by projen. To modify, edit .projenrc.js and run "npx projen". 2 | { 3 | "env": { 4 | "jest": true, 5 | "node": true 6 | }, 7 | "root": true, 8 | "plugins": [ 9 | "@typescript-eslint", 10 | "import", 11 | "@stylistic" 12 | ], 13 | "parser": "@typescript-eslint/parser", 14 | "parserOptions": { 15 | "ecmaVersion": 2018, 16 | "sourceType": "module", 17 | "project": "./tsconfig.dev.json" 18 | }, 19 | "extends": [ 20 | "plugin:import/typescript" 21 | ], 22 | "settings": { 23 | "import/parsers": { 24 | "@typescript-eslint/parser": [ 25 | ".ts", 26 | ".tsx" 27 | ] 28 | }, 29 | "import/resolver": { 30 | "node": {}, 31 | "typescript": { 32 | "project": "./tsconfig.dev.json", 33 | "alwaysTryTypes": true 34 | } 35 | } 36 | }, 37 | "ignorePatterns": [ 38 | "*.js", 39 | "*.d.ts", 40 | "node_modules/", 41 | "*.generated.ts", 42 | "coverage", 43 | "!.projenrc.js" 44 | ], 45 | "rules": { 46 | "@stylistic/indent": [ 47 | "error", 48 | 2 49 | ], 50 | "@stylistic/quotes": [ 51 | "error", 52 | "single", 53 | { 54 | "avoidEscape": true 55 | } 56 | ], 57 | "@stylistic/comma-dangle": [ 58 | "error", 59 | "always-multiline" 60 | ], 61 | "@stylistic/comma-spacing": [ 62 | "error", 63 | { 64 | "before": false, 65 | "after": true 66 | } 67 | ], 68 | "@stylistic/no-multi-spaces": [ 69 | "error", 70 | { 71 | "ignoreEOLComments": false 72 | } 73 | ], 74 | "@stylistic/array-bracket-spacing": [ 75 | "error", 76 | "never" 77 | ], 78 | "@stylistic/array-bracket-newline": [ 79 | "error", 80 | "consistent" 81 | ], 82 | "@stylistic/object-curly-spacing": [ 83 | "error", 84 | "always" 85 | ], 86 | "@stylistic/object-curly-newline": [ 87 | "error", 88 | { 89 | "multiline": true, 90 | "consistent": true 91 | } 92 | ], 93 | "@stylistic/object-property-newline": [ 94 | "error", 95 | { 96 | "allowAllPropertiesOnSameLine": true 97 | } 98 | ], 99 | "@stylistic/keyword-spacing": [ 100 | "error" 101 | ], 102 | "@stylistic/brace-style": [ 103 | "error", 104 | "1tbs", 105 | { 106 | "allowSingleLine": true 107 | } 108 | ], 109 | "@stylistic/space-before-blocks": [ 110 | "error" 111 | ], 112 | "@stylistic/member-delimiter-style": [ 113 | "error" 114 | ], 115 | "@stylistic/semi": [ 116 | "error", 117 | "always" 118 | ], 119 | "@stylistic/max-len": [ 120 | "error", 121 | { 122 | "code": 150, 123 | "ignoreUrls": true, 124 | "ignoreStrings": true, 125 | "ignoreTemplateLiterals": true, 126 | "ignoreComments": true, 127 | "ignoreRegExpLiterals": true 128 | } 129 | ], 130 | "@stylistic/quote-props": [ 131 | "error", 132 | "consistent-as-needed" 133 | ], 134 | "@stylistic/key-spacing": [ 135 | "error" 136 | ], 137 | "@stylistic/no-multiple-empty-lines": [ 138 | "error" 139 | ], 140 | "@stylistic/no-trailing-spaces": [ 141 | "error" 142 | ], 143 | "curly": [ 144 | "error", 145 | "multi-line", 146 | "consistent" 147 | ], 148 | "@typescript-eslint/no-require-imports": "error", 149 | "import/no-extraneous-dependencies": [ 150 | "error", 151 | { 152 | "devDependencies": [ 153 | "**/test/**", 154 | "**/build-tools/**" 155 | ], 156 | "optionalDependencies": false, 157 | "peerDependencies": true 158 | } 159 | ], 160 | "import/no-unresolved": [ 161 | "error" 162 | ], 163 | "import/order": [ 164 | "warn", 165 | { 166 | "groups": [ 167 | "builtin", 168 | "external" 169 | ], 170 | "alphabetize": { 171 | "order": "asc", 172 | "caseInsensitive": true 173 | } 174 | } 175 | ], 176 | "import/no-duplicates": [ 177 | "error" 178 | ], 179 | "no-shadow": [ 180 | "off" 181 | ], 182 | "@typescript-eslint/no-shadow": "error", 183 | "@typescript-eslint/no-floating-promises": "error", 184 | "no-return-await": [ 185 | "off" 186 | ], 187 | "@typescript-eslint/return-await": "error", 188 | "dot-notation": [ 189 | "error" 190 | ], 191 | "no-bitwise": [ 192 | "error" 193 | ], 194 | "@typescript-eslint/member-ordering": [ 195 | "error", 196 | { 197 | "default": [ 198 | "public-static-field", 199 | "public-static-method", 200 | "protected-static-field", 201 | "protected-static-method", 202 | "private-static-field", 203 | "private-static-method", 204 | "field", 205 | "constructor", 206 | "method" 207 | ] 208 | } 209 | ] 210 | }, 211 | "overrides": [ 212 | { 213 | "files": [ 214 | ".projenrc.js" 215 | ], 216 | "rules": { 217 | "@typescript-eslint/no-require-imports": "off", 218 | "import/no-extraneous-dependencies": "off" 219 | } 220 | } 221 | ] 222 | } 223 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | # ~~ Generated by projen. To modify, edit .projenrc.js and run "npx projen". 2 | 3 | * text=auto eol=lf 4 | *.snap linguist-generated 5 | /.eslintrc.json linguist-generated 6 | /.gitattributes linguist-generated 7 | /.github/pull_request_template.md linguist-generated 8 | /.github/workflows/build.yml linguist-generated 9 | /.github/workflows/pull-request-lint.yml linguist-generated 10 | /.github/workflows/release.yml linguist-generated 11 | /.github/workflows/upgrade-main.yml linguist-generated 12 | /.gitignore linguist-generated 13 | /.mergify.yml linguist-generated 14 | /.npmignore linguist-generated 15 | /.projen/** linguist-generated 16 | /.projen/deps.json linguist-generated 17 | /.projen/files.json linguist-generated 18 | /.projen/tasks.json linguist-generated 19 | /API.md linguist-generated 20 | /LICENSE linguist-generated 21 | /package.json linguist-generated 22 | /tsconfig.dev.json linguist-generated 23 | /yarn.lock linguist-generated -------------------------------------------------------------------------------- /.github/pull_request_template.md: -------------------------------------------------------------------------------- 1 | # Fixes 2 | 3 | 4 | By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice. -------------------------------------------------------------------------------- /.github/workflows/build.yml: -------------------------------------------------------------------------------- 1 | # ~~ Generated by projen. To modify, edit .projenrc.js and run "npx projen". 2 | 3 | name: build 4 | on: 5 | pull_request: {} 6 | workflow_dispatch: {} 7 | jobs: 8 | build: 9 | runs-on: ubuntu-latest 10 | permissions: 11 | contents: write 12 | outputs: 13 | self_mutation_happened: ${{ steps.self_mutation.outputs.self_mutation_happened }} 14 | env: 15 | CI: "true" 16 | steps: 17 | - name: Checkout 18 | uses: actions/checkout@v4 19 | with: 20 | ref: ${{ github.event.pull_request.head.ref }} 21 | repository: ${{ github.event.pull_request.head.repo.full_name }} 22 | - name: Setup Node.js 23 | uses: actions/setup-node@v4 24 | with: 25 | node-version: lts/* 26 | - name: Install dependencies 27 | run: yarn install --check-files 28 | - name: build 29 | run: npx projen build 30 | - name: Find mutations 31 | id: self_mutation 32 | run: |- 33 | git add . 34 | git diff --staged --patch --exit-code > repo.patch || echo "self_mutation_happened=true" >> $GITHUB_OUTPUT 35 | working-directory: ./ 36 | - name: Upload patch 37 | if: steps.self_mutation.outputs.self_mutation_happened 38 | uses: actions/upload-artifact@v4.4.0 39 | with: 40 | name: repo.patch 41 | path: repo.patch 42 | overwrite: true 43 | - name: Fail build on mutation 44 | if: steps.self_mutation.outputs.self_mutation_happened 45 | run: |- 46 | echo "::error::Files were changed during build (see build log). If this was triggered from a fork, you will need to update your branch." 47 | cat repo.patch 48 | exit 1 49 | - name: Backup artifact permissions 50 | run: cd dist && getfacl -R . > permissions-backup.acl 51 | continue-on-error: true 52 | - name: Upload artifact 53 | uses: actions/upload-artifact@v4.4.0 54 | with: 55 | name: build-artifact 56 | path: dist 57 | overwrite: true 58 | self-mutation: 59 | needs: build 60 | runs-on: ubuntu-latest 61 | permissions: 62 | contents: write 63 | if: always() && needs.build.outputs.self_mutation_happened && !(github.event.pull_request.head.repo.full_name != github.repository) 64 | steps: 65 | - name: Checkout 66 | uses: actions/checkout@v4 67 | with: 68 | token: ${{ secrets.PROJEN_GITHUB_TOKEN }} 69 | ref: ${{ github.event.pull_request.head.ref }} 70 | repository: ${{ github.event.pull_request.head.repo.full_name }} 71 | - name: Download patch 72 | uses: actions/download-artifact@v4 73 | with: 74 | name: repo.patch 75 | path: ${{ runner.temp }} 76 | - name: Apply patch 77 | run: '[ -s ${{ runner.temp }}/repo.patch ] && git apply ${{ runner.temp }}/repo.patch || echo "Empty patch. Skipping."' 78 | - name: Set git identity 79 | run: |- 80 | git config user.name "github-actions" 81 | git config user.email "github-actions@github.com" 82 | - name: Push changes 83 | env: 84 | PULL_REQUEST_REF: ${{ github.event.pull_request.head.ref }} 85 | run: |- 86 | git add . 87 | git commit -s -m "chore: self mutation" 88 | git push origin HEAD:$PULL_REQUEST_REF 89 | package-js: 90 | needs: build 91 | runs-on: ubuntu-latest 92 | permissions: 93 | contents: read 94 | if: ${{ !needs.build.outputs.self_mutation_happened }} 95 | steps: 96 | - uses: actions/setup-node@v4 97 | with: 98 | node-version: lts/* 99 | - name: Download build artifacts 100 | uses: actions/download-artifact@v4 101 | with: 102 | name: build-artifact 103 | path: dist 104 | - name: Restore build artifact permissions 105 | run: cd dist && setfacl --restore=permissions-backup.acl 106 | continue-on-error: true 107 | - name: Checkout 108 | uses: actions/checkout@v4 109 | with: 110 | ref: ${{ github.event.pull_request.head.ref }} 111 | repository: ${{ github.event.pull_request.head.repo.full_name }} 112 | path: .repo 113 | - name: Install Dependencies 114 | run: cd .repo && yarn install --check-files --frozen-lockfile 115 | - name: Extract build artifact 116 | run: tar --strip-components=1 -xzvf dist/js/*.tgz -C .repo 117 | - name: Move build artifact out of the way 118 | run: mv dist dist.old 119 | - name: Create js artifact 120 | run: cd .repo && npx projen package:js 121 | - name: Collect js artifact 122 | run: mv .repo/dist dist 123 | package-python: 124 | needs: build 125 | runs-on: ubuntu-latest 126 | permissions: 127 | contents: read 128 | if: ${{ !needs.build.outputs.self_mutation_happened }} 129 | steps: 130 | - uses: actions/setup-node@v4 131 | with: 132 | node-version: lts/* 133 | - uses: actions/setup-python@v5 134 | with: 135 | python-version: 3.x 136 | - name: Download build artifacts 137 | uses: actions/download-artifact@v4 138 | with: 139 | name: build-artifact 140 | path: dist 141 | - name: Restore build artifact permissions 142 | run: cd dist && setfacl --restore=permissions-backup.acl 143 | continue-on-error: true 144 | - name: Checkout 145 | uses: actions/checkout@v4 146 | with: 147 | ref: ${{ github.event.pull_request.head.ref }} 148 | repository: ${{ github.event.pull_request.head.repo.full_name }} 149 | path: .repo 150 | - name: Install Dependencies 151 | run: cd .repo && yarn install --check-files --frozen-lockfile 152 | - name: Extract build artifact 153 | run: tar --strip-components=1 -xzvf dist/js/*.tgz -C .repo 154 | - name: Move build artifact out of the way 155 | run: mv dist dist.old 156 | - name: Create python artifact 157 | run: cd .repo && npx projen package:python 158 | - name: Collect python artifact 159 | run: mv .repo/dist dist 160 | -------------------------------------------------------------------------------- /.github/workflows/pull-request-lint.yml: -------------------------------------------------------------------------------- 1 | # ~~ Generated by projen. To modify, edit .projenrc.js and run "npx projen". 2 | 3 | name: pull-request-lint 4 | on: 5 | pull_request_target: 6 | types: 7 | - labeled 8 | - opened 9 | - synchronize 10 | - reopened 11 | - ready_for_review 12 | - edited 13 | merge_group: {} 14 | jobs: 15 | validate: 16 | name: Validate PR title 17 | runs-on: ubuntu-latest 18 | permissions: 19 | pull-requests: write 20 | if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') 21 | steps: 22 | - uses: amannn/action-semantic-pull-request@v5.4.0 23 | env: 24 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 25 | with: 26 | types: |- 27 | feat 28 | fix 29 | chore 30 | requireScope: false 31 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | # ~~ Generated by projen. To modify, edit .projenrc.js and run "npx projen". 2 | 3 | name: release 4 | on: 5 | push: 6 | branches: 7 | - main 8 | workflow_dispatch: {} 9 | concurrency: 10 | group: ${{ github.workflow }} 11 | cancel-in-progress: false 12 | jobs: 13 | release: 14 | runs-on: ubuntu-latest 15 | permissions: 16 | contents: write 17 | outputs: 18 | latest_commit: ${{ steps.git_remote.outputs.latest_commit }} 19 | tag_exists: ${{ steps.check_tag_exists.outputs.exists }} 20 | env: 21 | CI: "true" 22 | steps: 23 | - name: Checkout 24 | uses: actions/checkout@v4 25 | with: 26 | fetch-depth: 0 27 | - name: Set git identity 28 | run: |- 29 | git config user.name "github-actions" 30 | git config user.email "github-actions@github.com" 31 | - name: Setup Node.js 32 | uses: actions/setup-node@v4 33 | with: 34 | node-version: lts/* 35 | - name: Install dependencies 36 | run: yarn install --check-files --frozen-lockfile 37 | - name: release 38 | run: npx projen release 39 | - name: Check if version has already been tagged 40 | id: check_tag_exists 41 | run: |- 42 | TAG=$(cat dist/releasetag.txt) 43 | ([ ! -z "$TAG" ] && git ls-remote -q --exit-code --tags origin $TAG && (echo "exists=true" >> $GITHUB_OUTPUT)) || (echo "exists=false" >> $GITHUB_OUTPUT) 44 | cat $GITHUB_OUTPUT 45 | - name: Check for new commits 46 | id: git_remote 47 | run: |- 48 | echo "latest_commit=$(git ls-remote origin -h ${{ github.ref }} | cut -f1)" >> $GITHUB_OUTPUT 49 | cat $GITHUB_OUTPUT 50 | - name: Backup artifact permissions 51 | if: ${{ steps.git_remote.outputs.latest_commit == github.sha }} 52 | run: cd dist && getfacl -R . > permissions-backup.acl 53 | continue-on-error: true 54 | - name: Upload artifact 55 | if: ${{ steps.git_remote.outputs.latest_commit == github.sha }} 56 | uses: actions/upload-artifact@v4.4.0 57 | with: 58 | name: build-artifact 59 | path: dist 60 | overwrite: true 61 | release_github: 62 | name: Publish to GitHub Releases 63 | needs: 64 | - release 65 | - release_npm 66 | - release_pypi 67 | runs-on: ubuntu-latest 68 | permissions: 69 | contents: write 70 | if: needs.release.outputs.tag_exists != 'true' && needs.release.outputs.latest_commit == github.sha 71 | steps: 72 | - uses: actions/setup-node@v4 73 | with: 74 | node-version: lts/* 75 | - name: Download build artifacts 76 | uses: actions/download-artifact@v4 77 | with: 78 | name: build-artifact 79 | path: dist 80 | - name: Restore build artifact permissions 81 | run: cd dist && setfacl --restore=permissions-backup.acl 82 | continue-on-error: true 83 | - name: Release 84 | env: 85 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 86 | run: errout=$(mktemp); gh release create $(cat dist/releasetag.txt) -R $GITHUB_REPOSITORY -F dist/changelog.md -t $(cat dist/releasetag.txt) --target $GITHUB_SHA 2> $errout && true; exitcode=$?; if [ $exitcode -ne 0 ] && ! grep -q "Release.tag_name already exists" $errout; then cat $errout; exit $exitcode; fi 87 | release_npm: 88 | name: Publish to npm 89 | needs: release 90 | runs-on: ubuntu-latest 91 | permissions: 92 | id-token: write 93 | contents: read 94 | if: needs.release.outputs.tag_exists != 'true' && needs.release.outputs.latest_commit == github.sha 95 | steps: 96 | - uses: actions/setup-node@v4 97 | with: 98 | node-version: lts/* 99 | - name: Download build artifacts 100 | uses: actions/download-artifact@v4 101 | with: 102 | name: build-artifact 103 | path: dist 104 | - name: Restore build artifact permissions 105 | run: cd dist && setfacl --restore=permissions-backup.acl 106 | continue-on-error: true 107 | - name: Checkout 108 | uses: actions/checkout@v4 109 | with: 110 | path: .repo 111 | - name: Install Dependencies 112 | run: cd .repo && yarn install --check-files --frozen-lockfile 113 | - name: Extract build artifact 114 | run: tar --strip-components=1 -xzvf dist/js/*.tgz -C .repo 115 | - name: Move build artifact out of the way 116 | run: mv dist dist.old 117 | - name: Create js artifact 118 | run: cd .repo && npx projen package:js 119 | - name: Collect js artifact 120 | run: mv .repo/dist dist 121 | - name: Release 122 | env: 123 | NPM_DIST_TAG: latest 124 | NPM_REGISTRY: registry.npmjs.org 125 | NPM_CONFIG_PROVENANCE: "true" 126 | NPM_TOKEN: ${{ secrets.NPM_TOKEN }} 127 | run: npx -p publib@latest publib-npm 128 | release_pypi: 129 | name: Publish to PyPI 130 | needs: release 131 | runs-on: ubuntu-latest 132 | permissions: 133 | contents: read 134 | if: needs.release.outputs.tag_exists != 'true' && needs.release.outputs.latest_commit == github.sha 135 | steps: 136 | - uses: actions/setup-node@v4 137 | with: 138 | node-version: lts/* 139 | - uses: actions/setup-python@v5 140 | with: 141 | python-version: 3.x 142 | - name: Download build artifacts 143 | uses: actions/download-artifact@v4 144 | with: 145 | name: build-artifact 146 | path: dist 147 | - name: Restore build artifact permissions 148 | run: cd dist && setfacl --restore=permissions-backup.acl 149 | continue-on-error: true 150 | - name: Checkout 151 | uses: actions/checkout@v4 152 | with: 153 | path: .repo 154 | - name: Install Dependencies 155 | run: cd .repo && yarn install --check-files --frozen-lockfile 156 | - name: Extract build artifact 157 | run: tar --strip-components=1 -xzvf dist/js/*.tgz -C .repo 158 | - name: Move build artifact out of the way 159 | run: mv dist dist.old 160 | - name: Create python artifact 161 | run: cd .repo && npx projen package:python 162 | - name: Collect python artifact 163 | run: mv .repo/dist dist 164 | - name: Release 165 | env: 166 | TWINE_USERNAME: ${{ secrets.TWINE_USERNAME }} 167 | TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }} 168 | run: npx -p publib@latest publib-pypi 169 | -------------------------------------------------------------------------------- /.github/workflows/upgrade-main.yml: -------------------------------------------------------------------------------- 1 | # ~~ Generated by projen. To modify, edit .projenrc.js and run "npx projen". 2 | 3 | name: upgrade-main 4 | on: 5 | workflow_dispatch: {} 6 | schedule: 7 | - cron: 0 0 * * * 8 | jobs: 9 | upgrade: 10 | name: Upgrade 11 | runs-on: ubuntu-latest 12 | permissions: 13 | contents: read 14 | outputs: 15 | patch_created: ${{ steps.create_patch.outputs.patch_created }} 16 | steps: 17 | - name: Checkout 18 | uses: actions/checkout@v4 19 | with: 20 | ref: main 21 | - name: Setup Node.js 22 | uses: actions/setup-node@v4 23 | with: 24 | node-version: lts/* 25 | - name: Install dependencies 26 | run: yarn install --check-files --frozen-lockfile 27 | - name: Upgrade dependencies 28 | run: npx projen upgrade 29 | - name: Find mutations 30 | id: create_patch 31 | run: |- 32 | git add . 33 | git diff --staged --patch --exit-code > repo.patch || echo "patch_created=true" >> $GITHUB_OUTPUT 34 | working-directory: ./ 35 | - name: Upload patch 36 | if: steps.create_patch.outputs.patch_created 37 | uses: actions/upload-artifact@v4.4.0 38 | with: 39 | name: repo.patch 40 | path: repo.patch 41 | overwrite: true 42 | pr: 43 | name: Create Pull Request 44 | needs: upgrade 45 | runs-on: ubuntu-latest 46 | permissions: 47 | contents: read 48 | if: ${{ needs.upgrade.outputs.patch_created }} 49 | steps: 50 | - name: Checkout 51 | uses: actions/checkout@v4 52 | with: 53 | ref: main 54 | - name: Download patch 55 | uses: actions/download-artifact@v4 56 | with: 57 | name: repo.patch 58 | path: ${{ runner.temp }} 59 | - name: Apply patch 60 | run: '[ -s ${{ runner.temp }}/repo.patch ] && git apply ${{ runner.temp }}/repo.patch || echo "Empty patch. Skipping."' 61 | - name: Set git identity 62 | run: |- 63 | git config user.name "github-actions" 64 | git config user.email "github-actions@github.com" 65 | - name: Create Pull Request 66 | id: create-pr 67 | uses: peter-evans/create-pull-request@v6 68 | with: 69 | token: ${{ secrets.PROJEN_GITHUB_TOKEN }} 70 | commit-message: |- 71 | chore(deps): upgrade dependencies 72 | 73 | Upgrades project dependencies. See details in [workflow run]. 74 | 75 | [Workflow Run]: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} 76 | 77 | ------ 78 | 79 | *Automatically created by projen via the "upgrade-main" workflow* 80 | branch: github-actions/upgrade-main 81 | title: "chore(deps): upgrade dependencies" 82 | body: |- 83 | Upgrades project dependencies. See details in [workflow run]. 84 | 85 | [Workflow Run]: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} 86 | 87 | ------ 88 | 89 | *Automatically created by projen via the "upgrade-main" workflow* 90 | author: github-actions 91 | committer: github-actions 92 | signoff: true 93 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # ~~ Generated by projen. To modify, edit .projenrc.js and run "npx projen". 2 | !/.gitattributes 3 | !/.projen/tasks.json 4 | !/.projen/deps.json 5 | !/.projen/files.json 6 | !/.github/workflows/pull-request-lint.yml 7 | !/package.json 8 | !/LICENSE 9 | !/.npmignore 10 | logs 11 | *.log 12 | npm-debug.log* 13 | yarn-debug.log* 14 | yarn-error.log* 15 | lerna-debug.log* 16 | report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json 17 | pids 18 | *.pid 19 | *.seed 20 | *.pid.lock 21 | lib-cov 22 | coverage 23 | *.lcov 24 | .nyc_output 25 | build/Release 26 | node_modules/ 27 | jspm_packages/ 28 | *.tsbuildinfo 29 | .eslintcache 30 | *.tgz 31 | .yarn-integrity 32 | .cache 33 | /test-reports/ 34 | junit.xml 35 | /coverage/ 36 | !/.github/workflows/build.yml 37 | /dist/changelog.md 38 | /dist/version.txt 39 | !/.github/workflows/release.yml 40 | !/.mergify.yml 41 | !/.github/workflows/upgrade-main.yml 42 | !/.github/pull_request_template.md 43 | !/test/ 44 | !/tsconfig.dev.json 45 | !/src/ 46 | /lib 47 | /dist/ 48 | !/.eslintrc.json 49 | .jsii 50 | tsconfig.json 51 | !/API.md 52 | !/.projenrc.js 53 | -------------------------------------------------------------------------------- /.mergify.yml: -------------------------------------------------------------------------------- 1 | # ~~ Generated by projen. To modify, edit .projenrc.js and run "npx projen". 2 | 3 | queue_rules: 4 | - name: default 5 | update_method: merge 6 | conditions: 7 | - "#approved-reviews-by>=1" 8 | - -label~=(do-not-merge) 9 | - status-success=build 10 | - status-success=package-js 11 | - status-success=package-python 12 | merge_method: squash 13 | commit_message_template: |- 14 | {{ title }} (#{{ number }}) 15 | 16 | {{ body }} 17 | pull_request_rules: 18 | - name: Automatic merge on approval and successful build 19 | actions: 20 | delete_head_branch: {} 21 | queue: 22 | name: default 23 | conditions: 24 | - "#approved-reviews-by>=1" 25 | - -label~=(do-not-merge) 26 | - status-success=build 27 | - status-success=package-js 28 | - status-success=package-python 29 | -------------------------------------------------------------------------------- /.npmignore: -------------------------------------------------------------------------------- 1 | # ~~ Generated by projen. To modify, edit .projenrc.js and run "npx projen". 2 | /.projen/ 3 | /test-reports/ 4 | junit.xml 5 | /coverage/ 6 | permissions-backup.acl 7 | /dist/changelog.md 8 | /dist/version.txt 9 | /.mergify.yml 10 | /test/ 11 | /tsconfig.dev.json 12 | /src/ 13 | !/lib/ 14 | !/lib/**/*.js 15 | !/lib/**/*.d.ts 16 | dist 17 | /tsconfig.json 18 | /.github/ 19 | /.vscode/ 20 | /.idea/ 21 | /.projenrc.js 22 | tsconfig.tsbuildinfo 23 | /.eslintrc.json 24 | !.jsii 25 | /.gitattributes 26 | -------------------------------------------------------------------------------- /.projen/deps.json: -------------------------------------------------------------------------------- 1 | { 2 | "dependencies": [ 3 | { 4 | "name": "@stylistic/eslint-plugin", 5 | "version": "^2", 6 | "type": "build" 7 | }, 8 | { 9 | "name": "@types/jest", 10 | "type": "build" 11 | }, 12 | { 13 | "name": "@types/node", 14 | "type": "build" 15 | }, 16 | { 17 | "name": "@types/prettier", 18 | "version": "^3.0.0", 19 | "type": "build" 20 | }, 21 | { 22 | "name": "@typescript-eslint/eslint-plugin", 23 | "version": "^8", 24 | "type": "build" 25 | }, 26 | { 27 | "name": "@typescript-eslint/parser", 28 | "version": "^8", 29 | "type": "build" 30 | }, 31 | { 32 | "name": "aws-cdk-lib", 33 | "version": "^2.189.1", 34 | "type": "build" 35 | }, 36 | { 37 | "name": "commit-and-tag-version", 38 | "version": "^12", 39 | "type": "build" 40 | }, 41 | { 42 | "name": "eslint-import-resolver-typescript", 43 | "type": "build" 44 | }, 45 | { 46 | "name": "eslint-plugin-import", 47 | "type": "build" 48 | }, 49 | { 50 | "name": "eslint", 51 | "version": "^9", 52 | "type": "build" 53 | }, 54 | { 55 | "name": "jest", 56 | "type": "build" 57 | }, 58 | { 59 | "name": "jest-junit", 60 | "version": "^16", 61 | "type": "build" 62 | }, 63 | { 64 | "name": "jsii-diff", 65 | "type": "build" 66 | }, 67 | { 68 | "name": "jsii-docgen", 69 | "version": "^10.5.0", 70 | "type": "build" 71 | }, 72 | { 73 | "name": "jsii-pacmak", 74 | "type": "build" 75 | }, 76 | { 77 | "name": "jsii-rosetta", 78 | "version": "~5.6.0", 79 | "type": "build" 80 | }, 81 | { 82 | "name": "jsii", 83 | "version": "~5.6.0", 84 | "type": "build" 85 | }, 86 | { 87 | "name": "projen", 88 | "version": "^0.91.18", 89 | "type": "build" 90 | }, 91 | { 92 | "name": "ts-jest", 93 | "type": "build" 94 | }, 95 | { 96 | "name": "typescript", 97 | "type": "build" 98 | }, 99 | { 100 | "name": "aws-cdk-lib", 101 | "version": "^2.189.1", 102 | "type": "peer" 103 | }, 104 | { 105 | "name": "constructs", 106 | "version": "^10.4.2", 107 | "type": "peer" 108 | } 109 | ], 110 | "//": "~~ Generated by projen. To modify, edit .projenrc.js and run \"npx projen\"." 111 | } 112 | -------------------------------------------------------------------------------- /.projen/files.json: -------------------------------------------------------------------------------- 1 | { 2 | "files": [ 3 | ".eslintrc.json", 4 | ".gitattributes", 5 | ".github/pull_request_template.md", 6 | ".github/workflows/build.yml", 7 | ".github/workflows/pull-request-lint.yml", 8 | ".github/workflows/release.yml", 9 | ".github/workflows/upgrade-main.yml", 10 | ".gitignore", 11 | ".mergify.yml", 12 | ".projen/deps.json", 13 | ".projen/files.json", 14 | ".projen/tasks.json", 15 | "LICENSE", 16 | "tsconfig.dev.json" 17 | ], 18 | "//": "~~ Generated by projen. To modify, edit .projenrc.js and run \"npx projen\"." 19 | } 20 | -------------------------------------------------------------------------------- /.projen/tasks.json: -------------------------------------------------------------------------------- 1 | { 2 | "tasks": { 3 | "build": { 4 | "name": "build", 5 | "description": "Full release build", 6 | "steps": [ 7 | { 8 | "spawn": "default" 9 | }, 10 | { 11 | "spawn": "pre-compile" 12 | }, 13 | { 14 | "spawn": "compile" 15 | }, 16 | { 17 | "spawn": "post-compile" 18 | }, 19 | { 20 | "spawn": "test" 21 | }, 22 | { 23 | "spawn": "package" 24 | } 25 | ] 26 | }, 27 | "bump": { 28 | "name": "bump", 29 | "description": "Bumps version based on latest git tag and generates a changelog entry", 30 | "env": { 31 | "OUTFILE": "package.json", 32 | "CHANGELOG": "dist/changelog.md", 33 | "BUMPFILE": "dist/version.txt", 34 | "RELEASETAG": "dist/releasetag.txt", 35 | "RELEASE_TAG_PREFIX": "", 36 | "BUMP_PACKAGE": "commit-and-tag-version@^12" 37 | }, 38 | "steps": [ 39 | { 40 | "builtin": "release/bump-version" 41 | } 42 | ], 43 | "condition": "git log --oneline -1 | grep -qv \"chore(release):\"" 44 | }, 45 | "clobber": { 46 | "name": "clobber", 47 | "description": "hard resets to HEAD of origin and cleans the local repo", 48 | "env": { 49 | "BRANCH": "$(git branch --show-current)" 50 | }, 51 | "steps": [ 52 | { 53 | "exec": "git checkout -b scratch", 54 | "name": "save current HEAD in \"scratch\" branch" 55 | }, 56 | { 57 | "exec": "git checkout $BRANCH" 58 | }, 59 | { 60 | "exec": "git fetch origin", 61 | "name": "fetch latest changes from origin" 62 | }, 63 | { 64 | "exec": "git reset --hard origin/$BRANCH", 65 | "name": "hard reset to origin commit" 66 | }, 67 | { 68 | "exec": "git clean -fdx", 69 | "name": "clean all untracked files" 70 | }, 71 | { 72 | "say": "ready to rock! (unpushed commits are under the \"scratch\" branch)" 73 | } 74 | ], 75 | "condition": "git diff --exit-code > /dev/null" 76 | }, 77 | "compat": { 78 | "name": "compat", 79 | "description": "Perform API compatibility check against latest version", 80 | "steps": [ 81 | { 82 | "exec": "jsii-diff npm:$(node -p \"require('./package.json').name\") -k --ignore-file .compatignore || (echo \"\nUNEXPECTED BREAKING CHANGES: add keys such as 'removed:constructs.Node.of' to .compatignore to skip.\n\" && exit 1)" 83 | } 84 | ] 85 | }, 86 | "compile": { 87 | "name": "compile", 88 | "description": "Only compile", 89 | "steps": [ 90 | { 91 | "exec": "jsii --silence-warnings=reserved-word" 92 | } 93 | ] 94 | }, 95 | "default": { 96 | "name": "default", 97 | "description": "Synthesize project files", 98 | "steps": [ 99 | { 100 | "exec": "node .projenrc.js" 101 | } 102 | ] 103 | }, 104 | "docgen": { 105 | "name": "docgen", 106 | "description": "Generate API.md from .jsii manifest", 107 | "steps": [ 108 | { 109 | "exec": "jsii-docgen -o API.md" 110 | } 111 | ] 112 | }, 113 | "eject": { 114 | "name": "eject", 115 | "description": "Remove projen from the project", 116 | "env": { 117 | "PROJEN_EJECTING": "true" 118 | }, 119 | "steps": [ 120 | { 121 | "spawn": "default" 122 | } 123 | ] 124 | }, 125 | "eslint": { 126 | "name": "eslint", 127 | "description": "Runs eslint against the codebase", 128 | "env": { 129 | "ESLINT_USE_FLAT_CONFIG": "false" 130 | }, 131 | "steps": [ 132 | { 133 | "exec": "eslint --ext .ts,.tsx --fix --no-error-on-unmatched-pattern $@ src test build-tools .projenrc.js", 134 | "receiveArgs": true 135 | } 136 | ] 137 | }, 138 | "install": { 139 | "name": "install", 140 | "description": "Install project dependencies and update lockfile (non-frozen)", 141 | "steps": [ 142 | { 143 | "exec": "yarn install --check-files" 144 | } 145 | ] 146 | }, 147 | "install:ci": { 148 | "name": "install:ci", 149 | "description": "Install project dependencies using frozen lockfile", 150 | "steps": [ 151 | { 152 | "exec": "yarn install --check-files --frozen-lockfile" 153 | } 154 | ] 155 | }, 156 | "package": { 157 | "name": "package", 158 | "description": "Creates the distribution package", 159 | "steps": [ 160 | { 161 | "spawn": "package:js", 162 | "condition": "node -e \"if (!process.env.CI) process.exit(1)\"" 163 | }, 164 | { 165 | "spawn": "package-all", 166 | "condition": "node -e \"if (process.env.CI) process.exit(1)\"" 167 | } 168 | ] 169 | }, 170 | "package-all": { 171 | "name": "package-all", 172 | "description": "Packages artifacts for all target languages", 173 | "steps": [ 174 | { 175 | "spawn": "package:js" 176 | }, 177 | { 178 | "spawn": "package:python" 179 | } 180 | ] 181 | }, 182 | "package:js": { 183 | "name": "package:js", 184 | "description": "Create js language bindings", 185 | "steps": [ 186 | { 187 | "exec": "jsii-pacmak -v --target js" 188 | } 189 | ] 190 | }, 191 | "package:python": { 192 | "name": "package:python", 193 | "description": "Create python language bindings", 194 | "steps": [ 195 | { 196 | "exec": "jsii-pacmak -v --target python" 197 | } 198 | ] 199 | }, 200 | "post-compile": { 201 | "name": "post-compile", 202 | "description": "Runs after successful compilation", 203 | "steps": [ 204 | { 205 | "spawn": "docgen" 206 | } 207 | ] 208 | }, 209 | "post-upgrade": { 210 | "name": "post-upgrade", 211 | "description": "Runs after upgrading dependencies" 212 | }, 213 | "pre-compile": { 214 | "name": "pre-compile", 215 | "description": "Prepare the project for compilation" 216 | }, 217 | "release": { 218 | "name": "release", 219 | "description": "Prepare a release from \"main\" branch", 220 | "env": { 221 | "RELEASE": "true" 222 | }, 223 | "steps": [ 224 | { 225 | "exec": "rm -fr dist" 226 | }, 227 | { 228 | "spawn": "bump" 229 | }, 230 | { 231 | "spawn": "build" 232 | }, 233 | { 234 | "spawn": "unbump" 235 | }, 236 | { 237 | "exec": "git diff --ignore-space-at-eol --exit-code" 238 | } 239 | ] 240 | }, 241 | "test": { 242 | "name": "test", 243 | "description": "Run tests", 244 | "steps": [ 245 | { 246 | "exec": "jest --passWithNoTests --updateSnapshot", 247 | "receiveArgs": true 248 | }, 249 | { 250 | "spawn": "eslint" 251 | } 252 | ] 253 | }, 254 | "test:watch": { 255 | "name": "test:watch", 256 | "description": "Run jest in watch mode", 257 | "steps": [ 258 | { 259 | "exec": "jest --watch" 260 | } 261 | ] 262 | }, 263 | "unbump": { 264 | "name": "unbump", 265 | "description": "Restores version to 0.0.0", 266 | "env": { 267 | "OUTFILE": "package.json", 268 | "CHANGELOG": "dist/changelog.md", 269 | "BUMPFILE": "dist/version.txt", 270 | "RELEASETAG": "dist/releasetag.txt", 271 | "RELEASE_TAG_PREFIX": "", 272 | "BUMP_PACKAGE": "commit-and-tag-version@^12" 273 | }, 274 | "steps": [ 275 | { 276 | "builtin": "release/reset-version" 277 | } 278 | ] 279 | }, 280 | "upgrade": { 281 | "name": "upgrade", 282 | "description": "upgrade dependencies", 283 | "env": { 284 | "CI": "0" 285 | }, 286 | "steps": [ 287 | { 288 | "exec": "npx npm-check-updates@16 --upgrade --target=minor --peer --no-deprecated --dep=dev,peer,prod,optional --filter=@types/jest,@types/node,eslint-import-resolver-typescript,eslint-plugin-import,jest,jsii-diff,jsii-pacmak,ts-jest,typescript" 289 | }, 290 | { 291 | "exec": "yarn install --check-files" 292 | }, 293 | { 294 | "exec": "yarn upgrade @stylistic/eslint-plugin @types/jest @types/node @types/prettier @typescript-eslint/eslint-plugin @typescript-eslint/parser aws-cdk-lib commit-and-tag-version eslint-import-resolver-typescript eslint-plugin-import eslint jest jest-junit jsii-diff jsii-docgen jsii-pacmak jsii-rosetta jsii projen ts-jest typescript constructs" 295 | }, 296 | { 297 | "exec": "npx projen" 298 | }, 299 | { 300 | "spawn": "post-upgrade" 301 | } 302 | ] 303 | }, 304 | "watch": { 305 | "name": "watch", 306 | "description": "Watch & compile in the background", 307 | "steps": [ 308 | { 309 | "exec": "jsii -w --silence-warnings=reserved-word" 310 | } 311 | ] 312 | } 313 | }, 314 | "env": { 315 | "PATH": "$(npx -c \"node --print process.env.PATH\")" 316 | }, 317 | "//": "~~ Generated by projen. To modify, edit .projenrc.js and run \"npx projen\"." 318 | } 319 | -------------------------------------------------------------------------------- /.projenrc.js: -------------------------------------------------------------------------------- 1 | const { awscdk } = require('projen'); 2 | const project = new awscdk.AwsCdkConstructLibrary({ 3 | author: 'Cameron Magee', 4 | authorAddress: 'magcamer@amazon.com', 5 | copyrightOwner: 'Amazon.com, Inc. or its affiliates. All Rights Reserved.', 6 | cdkVersion: '2.189.1', 7 | constructsVersion: '10.4.2', 8 | defaultReleaseBranch: 'main', 9 | name: 'cdk-image-pipeline', 10 | repositoryUrl: 'https://github.com/aws-samples/cdk-image-pipeline.git', 11 | description: 'Quickly deploy a complete EC2 Image Builder Image Pipeline using CDK', 12 | packageName: 'cdk-image-pipeline', 13 | publishToPypi: { 14 | distName: 'cdk-image-pipeline', 15 | module: 'cdk_image_pipeline', 16 | }, 17 | license: 'Apache-2.0', 18 | pullRequestTemplateContents: ['# Fixes', ' ', ' ', 'By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.'], 19 | releaseToNpm: true, 20 | devDeps: ['@types/prettier@^3.0.0'], 21 | }); 22 | 23 | project.addPeerDeps('aws-cdk-lib@^2.189.1'); 24 | project.addDevDeps('aws-cdk-lib@^2.189.1'); 25 | project.addDevDeps('projen@^0.91.18'); 26 | 27 | project.synth(); -------------------------------------------------------------------------------- /API.md: -------------------------------------------------------------------------------- 1 | # API Reference 2 | 3 | ## Constructs 4 | 5 | ### ImagePipeline 6 | 7 | #### Initializers 8 | 9 | ```typescript 10 | import { ImagePipeline } from 'cdk-image-pipeline' 11 | 12 | new ImagePipeline(scope: Construct, id: string, props: ImagePipelineProps) 13 | ``` 14 | 15 | | **Name** | **Type** | **Description** | 16 | | --- | --- | --- | 17 | | scope | constructs.Construct | *No description.* | 18 | | id | string | *No description.* | 19 | | props | ImagePipelineProps | *No description.* | 20 | 21 | --- 22 | 23 | ##### `scope`Required 24 | 25 | - *Type:* constructs.Construct 26 | 27 | --- 28 | 29 | ##### `id`Required 30 | 31 | - *Type:* string 32 | 33 | --- 34 | 35 | ##### `props`Required 36 | 37 | - *Type:* ImagePipelineProps 38 | 39 | --- 40 | 41 | #### Methods 42 | 43 | | **Name** | **Description** | 44 | | --- | --- | 45 | | toString | Returns a string representation of this construct. | 46 | 47 | --- 48 | 49 | ##### `toString` 50 | 51 | ```typescript 52 | public toString(): string 53 | ``` 54 | 55 | Returns a string representation of this construct. 56 | 57 | #### Static Functions 58 | 59 | | **Name** | **Description** | 60 | | --- | --- | 61 | | isConstruct | Checks if `x` is a construct. | 62 | 63 | --- 64 | 65 | ##### `isConstruct` 66 | 67 | ```typescript 68 | import { ImagePipeline } from 'cdk-image-pipeline' 69 | 70 | ImagePipeline.isConstruct(x: any) 71 | ``` 72 | 73 | Checks if `x` is a construct. 74 | 75 | Use this method instead of `instanceof` to properly detect `Construct` 76 | instances, even when the construct library is symlinked. 77 | 78 | Explanation: in JavaScript, multiple copies of the `constructs` library on 79 | disk are seen as independent, completely different libraries. As a 80 | consequence, the class `Construct` in each copy of the `constructs` library 81 | is seen as a different class, and an instance of one class will not test as 82 | `instanceof` the other class. `npm install` will not create installations 83 | like this, but users may manually symlink construct libraries together or 84 | use a monorepo tool: in those cases, multiple copies of the `constructs` 85 | library can be accidentally installed, and `instanceof` will behave 86 | unpredictably. It is safest to avoid using `instanceof`, and using 87 | this type-testing method instead. 88 | 89 | ###### `x`Required 90 | 91 | - *Type:* any 92 | 93 | Any object. 94 | 95 | --- 96 | 97 | #### Properties 98 | 99 | | **Name** | **Type** | **Description** | 100 | | --- | --- | --- | 101 | | node | constructs.Node | The tree node. | 102 | | builderSnsTopic | aws-cdk-lib.aws_sns.Topic | SNS Topic where the internal ImageBuilder will notify about new builds. | 103 | | pipeline | aws-cdk-lib.aws_imagebuilder.CfnImagePipeline | The internal image pipeline created by this construct. | 104 | | imageRecipeComponents | aws-cdk-lib.aws_imagebuilder.CfnImageRecipe.ComponentConfigurationProperty[] | *No description.* | 105 | 106 | --- 107 | 108 | ##### `node`Required 109 | 110 | ```typescript 111 | public readonly node: Node; 112 | ``` 113 | 114 | - *Type:* constructs.Node 115 | 116 | The tree node. 117 | 118 | --- 119 | 120 | ##### `builderSnsTopic`Required 121 | 122 | ```typescript 123 | public readonly builderSnsTopic: Topic; 124 | ``` 125 | 126 | - *Type:* aws-cdk-lib.aws_sns.Topic 127 | 128 | SNS Topic where the internal ImageBuilder will notify about new builds. 129 | 130 | --- 131 | 132 | ##### `pipeline`Required 133 | 134 | ```typescript 135 | public readonly pipeline: CfnImagePipeline; 136 | ``` 137 | 138 | - *Type:* aws-cdk-lib.aws_imagebuilder.CfnImagePipeline 139 | 140 | The internal image pipeline created by this construct. 141 | 142 | --- 143 | 144 | ##### `imageRecipeComponents`Required 145 | 146 | ```typescript 147 | public readonly imageRecipeComponents: ComponentConfigurationProperty[]; 148 | ``` 149 | 150 | - *Type:* aws-cdk-lib.aws_imagebuilder.CfnImageRecipe.ComponentConfigurationProperty[] 151 | 152 | --- 153 | 154 | 155 | ## Structs 156 | 157 | ### ComponentProps 158 | 159 | #### Initializer 160 | 161 | ```typescript 162 | import { ComponentProps } from 'cdk-image-pipeline' 163 | 164 | const componentProps: ComponentProps = { ... } 165 | ``` 166 | 167 | #### Properties 168 | 169 | | **Name** | **Type** | **Description** | 170 | | --- | --- | --- | 171 | | document | string | Relative path to Image Builder component document. | 172 | | name | string | Name of the Component Document. | 173 | | version | string | Version for each component document. | 174 | 175 | --- 176 | 177 | ##### `document`Required 178 | 179 | ```typescript 180 | public readonly document: string; 181 | ``` 182 | 183 | - *Type:* string 184 | 185 | Relative path to Image Builder component document. 186 | 187 | --- 188 | 189 | ##### `name`Required 190 | 191 | ```typescript 192 | public readonly name: string; 193 | ``` 194 | 195 | - *Type:* string 196 | 197 | Name of the Component Document. 198 | 199 | --- 200 | 201 | ##### `version`Required 202 | 203 | ```typescript 204 | public readonly version: string; 205 | ``` 206 | 207 | - *Type:* string 208 | 209 | Version for each component document. 210 | 211 | --- 212 | 213 | ### ImagePipelineProps 214 | 215 | #### Initializer 216 | 217 | ```typescript 218 | import { ImagePipelineProps } from 'cdk-image-pipeline' 219 | 220 | const imagePipelineProps: ImagePipelineProps = { ... } 221 | ``` 222 | 223 | #### Properties 224 | 225 | | **Name** | **Type** | **Description** | 226 | | --- | --- | --- | 227 | | components | string \| ComponentProps[] | List of component props. | 228 | | parentImage | string | The source (parent) image that the image recipe uses as its base environment. | 229 | | additionalPolicies | aws-cdk-lib.aws_iam.ManagedPolicy[] | Additional policies to add to the instance profile associated with the Instance Configurations. | 230 | | amiIdSsmAccountId | string | Account ID for Parameter Store path above. | 231 | | amiIdSsmPath | string | Parameter Store path to store latest AMI ID under. | 232 | | amiIdSsmRegion | string | Region for Parameter Store path above. | 233 | | distributionAccountIDs | string[] | List of accounts to copy this AMI to, if the option to do so is enabled. | 234 | | distributionRegions | string[] | List of regions to copy this AMI to, if the option to do so is enabled. | 235 | | ebsVolumeConfigurations | VolumeProps[] | Configuration for the AMI's EBS volumes. | 236 | | email | string | Email used to receive Image Builder Pipeline Notifications via SNS. | 237 | | enableCrossAccountDistribution | boolean | Set to true if you want to copy this AMI to other accounts using a Distribution Configuration. | 238 | | enableVulnScans | boolean | Set to true if you want to enable continuous vulnerability scans through AWS Inpector. | 239 | | imageRecipeVersion | string | Image recipe version (Default: 0.0.1). | 240 | | instanceTypes | string[] | List of instance types used in the Instance Configuration (Default: [ 't3.medium', 'm5.large', 'm5.xlarge' ]). | 241 | | kmsKey | aws-cdk-lib.aws_kms.IKey | KMS Key used to encrypt the SNS topic. | 242 | | name | string | Name of the Image Pipeline. | 243 | | platform | string | Platform type Linux or Windows (Default: Linux). | 244 | | resourceTags | {[ key: string ]: string} | The tags attached to the resource created by Image Builder. | 245 | | schedule | ImagePipelineSchedule | Schedule configuration for the image pipeline. | 246 | | securityGroups | string[] | List of security group IDs for the Infrastructure Configuration. | 247 | | subnetId | string | Subnet ID for the Infrastructure Configuration. | 248 | | userDataScript | string | UserData script that will override default one (if specified). | 249 | | vulnScansRepoName | string | Store vulnerability scans through AWS Inpsector in ECR using this repo name (if option is enabled). | 250 | | vulnScansRepoTags | string[] | Store vulnerability scans through AWS Inpsector in ECR using these image tags (if option is enabled). | 251 | 252 | --- 253 | 254 | ##### `components`Required 255 | 256 | ```typescript 257 | public readonly components: string | ComponentProps[]; 258 | ``` 259 | 260 | - *Type:* string | ComponentProps[] 261 | 262 | List of component props. 263 | 264 | --- 265 | 266 | ##### `parentImage`Required 267 | 268 | ```typescript 269 | public readonly parentImage: string; 270 | ``` 271 | 272 | - *Type:* string 273 | 274 | The source (parent) image that the image recipe uses as its base environment. 275 | 276 | The value can be the parent image ARN or an Image Builder AMI ID 277 | 278 | --- 279 | 280 | ##### `additionalPolicies`Optional 281 | 282 | ```typescript 283 | public readonly additionalPolicies: ManagedPolicy[]; 284 | ``` 285 | 286 | - *Type:* aws-cdk-lib.aws_iam.ManagedPolicy[] 287 | 288 | Additional policies to add to the instance profile associated with the Instance Configurations. 289 | 290 | --- 291 | 292 | ##### `amiIdSsmAccountId`Optional 293 | 294 | ```typescript 295 | public readonly amiIdSsmAccountId: string; 296 | ``` 297 | 298 | - *Type:* string 299 | 300 | Account ID for Parameter Store path above. 301 | 302 | --- 303 | 304 | ##### `amiIdSsmPath`Optional 305 | 306 | ```typescript 307 | public readonly amiIdSsmPath: string; 308 | ``` 309 | 310 | - *Type:* string 311 | 312 | Parameter Store path to store latest AMI ID under. 313 | 314 | --- 315 | 316 | ##### `amiIdSsmRegion`Optional 317 | 318 | ```typescript 319 | public readonly amiIdSsmRegion: string; 320 | ``` 321 | 322 | - *Type:* string 323 | 324 | Region for Parameter Store path above. 325 | 326 | --- 327 | 328 | ##### `distributionAccountIDs`Optional 329 | 330 | ```typescript 331 | public readonly distributionAccountIDs: string[]; 332 | ``` 333 | 334 | - *Type:* string[] 335 | 336 | List of accounts to copy this AMI to, if the option to do so is enabled. 337 | 338 | --- 339 | 340 | ##### `distributionRegions`Optional 341 | 342 | ```typescript 343 | public readonly distributionRegions: string[]; 344 | ``` 345 | 346 | - *Type:* string[] 347 | 348 | List of regions to copy this AMI to, if the option to do so is enabled. 349 | 350 | --- 351 | 352 | ##### `ebsVolumeConfigurations`Optional 353 | 354 | ```typescript 355 | public readonly ebsVolumeConfigurations: VolumeProps[]; 356 | ``` 357 | 358 | - *Type:* VolumeProps[] 359 | 360 | Configuration for the AMI's EBS volumes. 361 | 362 | --- 363 | 364 | ##### `email`Optional 365 | 366 | ```typescript 367 | public readonly email: string; 368 | ``` 369 | 370 | - *Type:* string 371 | 372 | Email used to receive Image Builder Pipeline Notifications via SNS. 373 | 374 | --- 375 | 376 | ##### `enableCrossAccountDistribution`Optional 377 | 378 | ```typescript 379 | public readonly enableCrossAccountDistribution: boolean; 380 | ``` 381 | 382 | - *Type:* boolean 383 | 384 | Set to true if you want to copy this AMI to other accounts using a Distribution Configuration. 385 | 386 | --- 387 | 388 | ##### `enableVulnScans`Optional 389 | 390 | ```typescript 391 | public readonly enableVulnScans: boolean; 392 | ``` 393 | 394 | - *Type:* boolean 395 | 396 | Set to true if you want to enable continuous vulnerability scans through AWS Inpector. 397 | 398 | --- 399 | 400 | ##### `imageRecipeVersion`Optional 401 | 402 | ```typescript 403 | public readonly imageRecipeVersion: string; 404 | ``` 405 | 406 | - *Type:* string 407 | 408 | Image recipe version (Default: 0.0.1). 409 | 410 | --- 411 | 412 | ##### `instanceTypes`Optional 413 | 414 | ```typescript 415 | public readonly instanceTypes: string[]; 416 | ``` 417 | 418 | - *Type:* string[] 419 | 420 | List of instance types used in the Instance Configuration (Default: [ 't3.medium', 'm5.large', 'm5.xlarge' ]). 421 | 422 | --- 423 | 424 | ##### `kmsKey`Optional 425 | 426 | ```typescript 427 | public readonly kmsKey: IKey; 428 | ``` 429 | 430 | - *Type:* aws-cdk-lib.aws_kms.IKey 431 | 432 | KMS Key used to encrypt the SNS topic. 433 | 434 | --- 435 | 436 | ##### `name`Optional 437 | 438 | ```typescript 439 | public readonly name: string; 440 | ``` 441 | 442 | - *Type:* string 443 | 444 | Name of the Image Pipeline. 445 | 446 | --- 447 | 448 | ##### `platform`Optional 449 | 450 | ```typescript 451 | public readonly platform: string; 452 | ``` 453 | 454 | - *Type:* string 455 | 456 | Platform type Linux or Windows (Default: Linux). 457 | 458 | --- 459 | 460 | ##### `resourceTags`Optional 461 | 462 | ```typescript 463 | public readonly resourceTags: {[ key: string ]: string}; 464 | ``` 465 | 466 | - *Type:* {[ key: string ]: string} 467 | 468 | The tags attached to the resource created by Image Builder. 469 | 470 | --- 471 | 472 | ##### `schedule`Optional 473 | 474 | ```typescript 475 | public readonly schedule: ImagePipelineSchedule; 476 | ``` 477 | 478 | - *Type:* ImagePipelineSchedule 479 | 480 | Schedule configuration for the image pipeline. 481 | 482 | --- 483 | 484 | ##### `securityGroups`Optional 485 | 486 | ```typescript 487 | public readonly securityGroups: string[]; 488 | ``` 489 | 490 | - *Type:* string[] 491 | 492 | List of security group IDs for the Infrastructure Configuration. 493 | 494 | --- 495 | 496 | ##### `subnetId`Optional 497 | 498 | ```typescript 499 | public readonly subnetId: string; 500 | ``` 501 | 502 | - *Type:* string 503 | 504 | Subnet ID for the Infrastructure Configuration. 505 | 506 | --- 507 | 508 | ##### `userDataScript`Optional 509 | 510 | ```typescript 511 | public readonly userDataScript: string; 512 | ``` 513 | 514 | - *Type:* string 515 | - *Default:* none 516 | 517 | UserData script that will override default one (if specified). 518 | 519 | --- 520 | 521 | ##### `vulnScansRepoName`Optional 522 | 523 | ```typescript 524 | public readonly vulnScansRepoName: string; 525 | ``` 526 | 527 | - *Type:* string 528 | 529 | Store vulnerability scans through AWS Inpsector in ECR using this repo name (if option is enabled). 530 | 531 | --- 532 | 533 | ##### `vulnScansRepoTags`Optional 534 | 535 | ```typescript 536 | public readonly vulnScansRepoTags: string[]; 537 | ``` 538 | 539 | - *Type:* string[] 540 | 541 | Store vulnerability scans through AWS Inpsector in ECR using these image tags (if option is enabled). 542 | 543 | --- 544 | 545 | ### ImagePipelineSchedule 546 | 547 | #### Initializer 548 | 549 | ```typescript 550 | import { ImagePipelineSchedule } from 'cdk-image-pipeline' 551 | 552 | const imagePipelineSchedule: ImagePipelineSchedule = { ... } 553 | ``` 554 | 555 | #### Properties 556 | 557 | | **Name** | **Type** | **Description** | 558 | | --- | --- | --- | 559 | | scheduleExpression | string | The cron expression for the schedule. | 560 | | pipelineExecutionStartCondition | string | Optional pipeline execution start condition. | 561 | 562 | --- 563 | 564 | ##### `scheduleExpression`Required 565 | 566 | ```typescript 567 | public readonly scheduleExpression: string; 568 | ``` 569 | 570 | - *Type:* string 571 | 572 | The cron expression for the schedule. 573 | 574 | --- 575 | 576 | ##### `pipelineExecutionStartCondition`Optional 577 | 578 | ```typescript 579 | public readonly pipelineExecutionStartCondition: string; 580 | ``` 581 | 582 | - *Type:* string 583 | 584 | Optional pipeline execution start condition. 585 | 586 | --- 587 | 588 | ### VolumeProps 589 | 590 | #### Initializer 591 | 592 | ```typescript 593 | import { VolumeProps } from 'cdk-image-pipeline' 594 | 595 | const volumeProps: VolumeProps = { ... } 596 | ``` 597 | 598 | #### Properties 599 | 600 | | **Name** | **Type** | **Description** | 601 | | --- | --- | --- | 602 | | deviceName | string | Name of the volume. | 603 | | ebs | aws-cdk-lib.aws_imagebuilder.CfnImageRecipe.EbsInstanceBlockDeviceSpecificationProperty | EBS Block Store Parameters. | 604 | 605 | --- 606 | 607 | ##### `deviceName`Required 608 | 609 | ```typescript 610 | public readonly deviceName: string; 611 | ``` 612 | 613 | - *Type:* string 614 | 615 | Name of the volume. 616 | 617 | --- 618 | 619 | ##### `ebs`Required 620 | 621 | ```typescript 622 | public readonly ebs: EbsInstanceBlockDeviceSpecificationProperty; 623 | ``` 624 | 625 | - *Type:* aws-cdk-lib.aws_imagebuilder.CfnImageRecipe.EbsInstanceBlockDeviceSpecificationProperty 626 | 627 | EBS Block Store Parameters. 628 | 629 | --- 630 | 631 | 632 | 633 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | 3 | All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. 4 | 5 | ## [0.1.0](https://github.com/aws-samples/cdk-image-pipeline/compare/v0.0.1...v0.1.0) (2022-03-24) 6 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | ## Code of Conduct 2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 4 | opensource-codeofconduct@amazon.com with any additional questions or comments. 5 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing Guidelines 2 | 3 | Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional 4 | documentation, we greatly value feedback and contributions from our community. 5 | 6 | Please read through this document before submitting any issues or pull requests to ensure we have all the necessary 7 | information to effectively respond to your bug report or contribution. 8 | 9 | 10 | ## Reporting Bugs/Feature Requests 11 | 12 | We welcome you to use the GitHub issue tracker to report bugs or suggest features. 13 | 14 | When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already 15 | reported the issue. Please try to include as much information as you can. Details like these are incredibly useful: 16 | 17 | * A reproducible test case or series of steps 18 | * The version of our code being used 19 | * Any modifications you've made relevant to the bug 20 | * Anything unusual about your environment or deployment 21 | 22 | 23 | ## Contributing via Pull Requests 24 | Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that: 25 | 26 | 1. You are working against the latest source on the *main* branch. 27 | 2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already. 28 | 3. You open an issue to discuss any significant work - we would hate for your time to be wasted. 29 | 30 | To send us a pull request, please: 31 | 32 | 1. Fork the repository. 33 | 2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change. 34 | 3. Ensure local tests pass. 35 | 4. Commit to your fork using clear commit messages. 36 | 5. Send us a pull request, answering any default questions in the pull request interface. 37 | 6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation. 38 | 39 | GitHub provides additional document on [forking a repository](https://help.github.com/articles/fork-a-repo/) and 40 | [creating a pull request](https://help.github.com/articles/creating-a-pull-request/). 41 | 42 | 43 | ## Finding contributions to work on 44 | Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start. 45 | 46 | 47 | ## Code of Conduct 48 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 49 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 50 | opensource-codeofconduct@amazon.com with any additional questions or comments. 51 | 52 | 53 | ## Security issue notifications 54 | If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue. 55 | 56 | 57 | ## Licensing 58 | 59 | See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution. 60 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright [yyyy] [name of copyright owner] 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | [![npm version](https://badge.fury.io/js/cdk-image-pipeline.svg)](https://badge.fury.io/js/cdk-image-pipeline) 2 | [![PyPI version](https://badge.fury.io/py/cdk-image-pipeline.svg)](https://badge.fury.io/py/cdk-image-pipeline) 3 | [![GitHub version](https://badge.fury.io/gh/aws-samples%2Fcdk-image-pipeline.svg)](https://badge.fury.io/gh/aws-samples%2Fcdk-image-pipeline) 4 | 5 | # CDK Image Pipeline 6 | 7 | --- 8 | 9 | L3 construct that can be used to quickly deploy a complete EC2 Image Builder Image Pipeline. 10 | 11 | This construct creates the required infrastructure for an Image Pipeline: 12 | 13 | - Infrastructure configuration which specifies the infrastructure within which to build and test your EC2 Image Builder image. 14 | 15 | - An instance profile associated with the infrastructure configuration 16 | 17 | - An EC2 Image Builder recipe defines the base image to use as your starting point to create a new image, along with the set of components that you add to customize your image and verify that everything is working as expected. 18 | 19 | - Image Builder uses the AWS Task Orchestrator and Executor (AWSTOE) component management application to orchestrate complex workflows. AWSTOE components are based on YAML documents that define the scripts to customize or test your image. Support for multiple components. 20 | 21 | - Image Builder image pipelines provide an automation framework for creating and maintaining custom AMIs and container images. 22 | 23 | ## Install 24 | 25 | --- 26 | 27 | NPM install: 28 | 29 | ```sh 30 | npm install cdk-image-pipeline 31 | ```` 32 | 33 | PyPi install: 34 | 35 | ```sh 36 | pip install cdk-image-pipeline 37 | ``` 38 | 39 | ## Usage 40 | 41 | --- 42 | 43 | ```typescript 44 | import { ImagePipeline } from 'cdk-image-pipeline' 45 | import { Construct } from 'constructs'; 46 | 47 | // ... 48 | // Create a new image pipeline with the required properties 49 | new ImagePipeline(this, "MyImagePipeline", { 50 | components: [ 51 | { 52 | document: 'component_example.yml', 53 | name: 'Component', 54 | version: '0.0.1', 55 | }, 56 | { 57 | document: 'component_example_2.yml', 58 | name: 'Component2', 59 | version: '0.1.0', 60 | }, 61 | ], 62 | parentImage: 'ami-0e1d30f2c40c4c701', 63 | ebsVolumeConfigurations: [ 64 | { 65 | deviceName: '/dev/xvda', 66 | ebs: { 67 | encrypted: true, 68 | iops: 200, 69 | kmsKeyId: 'alias/app1/key', 70 | volumeSize: 20, 71 | volumeType: 'gp3', 72 | throughput: 1000, 73 | }, 74 | }, 75 | ], 76 | }) 77 | // ... 78 | ``` 79 | 80 | By default, the infrastructure configuration will deploy EC2 instances for the build/test phases into a default VPC using the default security group. If you want to control where the instances are launched, you can specify an existing VPC `SubnetID` and a list of `SecurityGroupIds`. In the example below, a new VPC is created and referenced in the `ImagePipeline` construct object. 81 | 82 | ```typescript 83 | import { ImagePipeline } from 'cdk-image-pipeline' 84 | import * as ec2 from 'aws-cdk-lib/aws-ec2'; 85 | import { Construct } from 'constructs'; 86 | 87 | // ... 88 | // create a new VPC 89 | const vpc = new ec2.Vpc(this, "Vpc", { 90 | cidr: "10.0.0.0/16", 91 | maxAzs: 2, 92 | subnetConfiguration: [ 93 | { 94 | cidrMask: 24, 95 | name: 'ingress', 96 | subnetType: ec2.SubnetType.PUBLIC, 97 | }, 98 | { 99 | cidrMask: 24, 100 | name: 'imagebuilder', 101 | subnetType: ec2.SubnetType.PRIVATE_WITH_NAT, 102 | }, 103 | ] 104 | }); 105 | 106 | // create a new security group within the VPC 107 | const sg = new ec2.SecurityGroup(this, "SecurityGroup", { 108 | vpc:vpc, 109 | }); 110 | 111 | // get the private subnet from the vpc 112 | const private_subnet = vpc.privateSubnets; 113 | 114 | 115 | new ImagePipeline(this, "MyImagePipeline", { 116 | components: [ 117 | { 118 | document: 'component_example.yml', 119 | name: 'Component', 120 | version: '0.0.1', 121 | }, 122 | { 123 | document: 'component_example_2.yml', 124 | name: 'Component2', 125 | version: '0.1.0', 126 | }, 127 | ], 128 | parentImage: 'ami-0e1d30f2c40c4c701', 129 | securityGroups: [sg.securityGroupId], 130 | subnetId: private_subnet[0].subnetId, 131 | }) 132 | // ... 133 | ``` 134 | 135 | Python usage: 136 | 137 | ```python 138 | from cdk_image_pipeline import ImagePipeline 139 | from constructs import Construct 140 | 141 | # ... 142 | image_pipeline = ImagePipeline( 143 | self, 144 | "LatestImagePipeline", 145 | components=[ 146 | { 147 | document: 'component_example.yml', 148 | name: 'Component', 149 | version: '0.0.1', 150 | }, 151 | { 152 | document: 'component_example_2.yml', 153 | name: 'Component2', 154 | version: '0.1.0', 155 | }, 156 | ], 157 | parent_image="ami-0e1d30f2c40c4c701", 158 | ) 159 | # ... 160 | ``` 161 | 162 | ```python 163 | from aws_cdk import ( 164 | # Duration, 165 | Stack, 166 | aws_ec2 as ec2, 167 | ) 168 | from constructs import Construct 169 | from cdk_image_pipeline import ImagePipeline 170 | 171 | # ... 172 | # create a new VPC 173 | vpc = ec2.Vpc( 174 | self, 175 | "MyVpcForImageBuilder", 176 | cidr="10.0.0.0/16", 177 | max_azs=2, 178 | subnet_configuration=[ 179 | ec2.SubnetConfiguration( 180 | name="Ingress", 181 | subnet_type=ec2.SubnetType.PUBLIC, 182 | cidr_mask=24, 183 | ), 184 | ec2.SubnetConfiguration( 185 | name="ImageBuilder", subnet_type=ec2.SubnetType.PRIVATE_WITH_NAT, cidr_mask=24 186 | ), 187 | ], 188 | ) 189 | 190 | # create a new security group within the VPC 191 | sg = ec2.SecurityGroup(self, "SG", vpc=vpc) 192 | 193 | # get the private subnet from the vpc 194 | priv_subnets = vpc.private_subnets 195 | 196 | 197 | image_pipeline = ImagePipeline( 198 | self, 199 | "LatestImagePipeline", 200 | components=[ 201 | { 202 | document: 'component_example.yml', 203 | name: 'Component', 204 | version: '0.0.1', 205 | }, 206 | { 207 | document: 'component_example_2.yml', 208 | name: 'Component2', 209 | version: '0.1.0', 210 | }, 211 | ], 212 | parent_image="ami-0e1d30f2c40c4c701", 213 | security_groups=[sg.security_group_id], 214 | subnet_id=priv_subnets[0].subnet_id 215 | ) 216 | # ... 217 | ``` 218 | 219 | 220 | ### Component Documents 221 | 222 | --- 223 | 224 | Image Builder uses the AWS Task Orchestrator and Executor (AWSTOE) component management application to orchestrate complex workflows. AWSTOE components are based on YAML documents that define the scripts to customize or test your image. 225 | 226 | You must provide a [component document](https://docs.aws.amazon.com/imagebuilder/latest/userguide/manage-components.html) in YAML to the `ImagePipeline` construct. See the example document below: 227 | 228 | ```yaml 229 | name: MyComponentDocument 230 | description: This is an example component document 231 | schemaVersion: 1.0 232 | 233 | phases: 234 | - name: build 235 | steps: 236 | - name: InstallUpdates 237 | action: UpdateOS 238 | - name: validate 239 | steps: 240 | - name: HelloWorldStep 241 | action: ExecuteBash 242 | inputs: 243 | commands: 244 | - echo "Hello World! Validate." 245 | - name: test 246 | steps: 247 | - name: HelloWorldStep 248 | action: ExecuteBash 249 | inputs: 250 | commands: 251 | - echo "Hello World! Test. 252 | ``` 253 | 254 | ### Multiple Components 255 | 256 | To specify multiple components, add additional component documents to the `componentDoucments` property. You can also add the names and versions of these components via the `componentNames` and `componentVersions` properties (_See usage examples above_). The components will be associated to the Image Recipe that gets created as part of the construct. 257 | 258 | Be sure to update the `imageRecipeVersion` property when making updates to your components after your initial deployment. 259 | 260 | ### SNS Encryption using KMS 261 | 262 | --- 263 | 264 | Specify a KMS Key via the `kmsKey` property which will be used to encrypt the SNS topic. 265 | 266 | ### Infrastructure Configuration Instance Types 267 | 268 | --- 269 | 270 | [Infrastructure configuration](https://docs.aws.amazon.com/imagebuilder/latest/userguide/manage-infra-config.html) contain settings for building and testing your EC2 Image Builder image. This construct allows you to specify a list of instance types you wish to use via the `instanceTypes` property. The default is: `['t3.medium', 'm5.large', 'm5.xlarge']`. 271 | 272 | ## Additional API notes 273 | 274 | --- 275 | 276 | [API Reference](API.md) 277 | -------------------------------------------------------------------------------- /assets/image-builder-update-lambda/image-builder-lambda-update-ssm.py: -------------------------------------------------------------------------------- 1 | import json 2 | import boto3 3 | import logging 4 | import os 5 | 6 | logger = logging.getLogger() 7 | logger.setLevel(logging.INFO) 8 | 9 | session = boto3.session.Session() 10 | 11 | 12 | def lambda_handler(event, context): 13 | logger.info('Printing event: {}'.format(event)) 14 | process_sns_event(event) 15 | return None 16 | 17 | 18 | def process_sns_event(event): 19 | for record in event['Records']: 20 | event_message = record['Sns']['Message'] 21 | 22 | ssm_parameter_name = os.getenv('SSM_PATH') 23 | 24 | # convert the event message to json 25 | message_json = json.loads(event_message) 26 | 27 | # obtain the image state 28 | image_state = message_json['state']['status'] 29 | 30 | # update the SSM parameter if the image state is available 31 | if image_state == 'AVAILABLE': 32 | logger.info('Image is available') 33 | 34 | recipe_name = message_json['name'] 35 | 36 | for ami in message_json['outputResources']['amis']: 37 | # obtain ami id 38 | logger.info('AMI ID: {}'.format(ami['image'])) 39 | 40 | # update SSM parameter 41 | ssm_client = session.client( 42 | service_name='ssm', 43 | region_name=ami['region'], 44 | ) 45 | response = ssm_client.put_parameter( 46 | Name=ssm_parameter_name, 47 | Description='Latest AMI ID', 48 | Value=ami['image'], 49 | Type='String', 50 | Overwrite=True, 51 | Tier='Standard', 52 | ) 53 | logger.info('SSM Updated: {}'.format(response)) 54 | 55 | # add tags to the SSM parameter 56 | ssm_client.add_tags_to_resource( 57 | ResourceType='Parameter', 58 | ResourceId=ssm_parameter_name, 59 | Tags=[ 60 | {'Key': 'Source', 'Value': 'EC2 Image Builder'}, 61 | {'Key': 'AMI_REGION', 'Value': ami['region']}, 62 | {'Key': 'AMI_ID', 'Value': ami['image']}, 63 | {'Key': 'AMI_NAME', 'Value': ami['name']}, 64 | {'Key': 'RECIPE_NAME', 'Value': recipe_name}, 65 | { 66 | 'Key': 'SOURCE_PIPELINE_ARN', 67 | 'Value': message_json['sourcePipelineArn'], 68 | }, 69 | ], 70 | ) 71 | 72 | # end of Lambda function 73 | return None -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "cdk-image-pipeline", 3 | "description": "Quickly deploy a complete EC2 Image Builder Image Pipeline using CDK", 4 | "repository": { 5 | "type": "git", 6 | "url": "https://github.com/aws-samples/cdk-image-pipeline.git" 7 | }, 8 | "scripts": { 9 | "build": "npx projen build", 10 | "bump": "npx projen bump", 11 | "clobber": "npx projen clobber", 12 | "compat": "npx projen compat", 13 | "compile": "npx projen compile", 14 | "default": "npx projen default", 15 | "docgen": "npx projen docgen", 16 | "eject": "npx projen eject", 17 | "eslint": "npx projen eslint", 18 | "package": "npx projen package", 19 | "package-all": "npx projen package-all", 20 | "package:js": "npx projen package:js", 21 | "package:python": "npx projen package:python", 22 | "post-compile": "npx projen post-compile", 23 | "post-upgrade": "npx projen post-upgrade", 24 | "pre-compile": "npx projen pre-compile", 25 | "release": "npx projen release", 26 | "test": "npx projen test", 27 | "test:watch": "npx projen test:watch", 28 | "unbump": "npx projen unbump", 29 | "upgrade": "npx projen upgrade", 30 | "watch": "npx projen watch", 31 | "projen": "npx projen" 32 | }, 33 | "author": { 34 | "name": "Cameron Magee", 35 | "email": "magcamer@amazon.com", 36 | "organization": false 37 | }, 38 | "devDependencies": { 39 | "@stylistic/eslint-plugin": "^2", 40 | "@types/jest": "^27", 41 | "@types/node": "^16 <= 16.18.78", 42 | "@types/prettier": "^3.0.0", 43 | "@typescript-eslint/eslint-plugin": "^8", 44 | "@typescript-eslint/parser": "^8", 45 | "aws-cdk-lib": "2.189.1", 46 | "commit-and-tag-version": "^12", 47 | "constructs": "10.4.2", 48 | "eslint": "^9", 49 | "eslint-import-resolver-typescript": "^2.7.1", 50 | "eslint-plugin-import": "^2.31.0", 51 | "jest": "^27", 52 | "jest-junit": "^16", 53 | "jsii": "~5.6.0", 54 | "jsii-diff": "^1.112.0", 55 | "jsii-docgen": "^10.5.0", 56 | "jsii-pacmak": "^1.112.0", 57 | "jsii-rosetta": "~5.6.0", 58 | "projen": "^0.91.18", 59 | "ts-jest": "^27", 60 | "typescript": "^4.9.5" 61 | }, 62 | "peerDependencies": { 63 | "aws-cdk-lib": "^2.189.1", 64 | "constructs": "^10.4.2" 65 | }, 66 | "keywords": [ 67 | "cdk" 68 | ], 69 | "main": "lib/index.js", 70 | "license": "Apache-2.0", 71 | "publishConfig": { 72 | "access": "public" 73 | }, 74 | "version": "0.0.0", 75 | "jest": { 76 | "coverageProvider": "v8", 77 | "testMatch": [ 78 | "/@(src|test)/**/*(*.)@(spec|test).ts?(x)", 79 | "/@(src|test)/**/__tests__/**/*.ts?(x)" 80 | ], 81 | "clearMocks": true, 82 | "collectCoverage": true, 83 | "coverageReporters": [ 84 | "json", 85 | "lcov", 86 | "clover", 87 | "cobertura", 88 | "text" 89 | ], 90 | "coverageDirectory": "coverage", 91 | "coveragePathIgnorePatterns": [ 92 | "/node_modules/" 93 | ], 94 | "testPathIgnorePatterns": [ 95 | "/node_modules/" 96 | ], 97 | "watchPathIgnorePatterns": [ 98 | "/node_modules/" 99 | ], 100 | "reporters": [ 101 | "default", 102 | [ 103 | "jest-junit", 104 | { 105 | "outputDirectory": "test-reports" 106 | } 107 | ] 108 | ], 109 | "preset": "ts-jest", 110 | "globals": { 111 | "ts-jest": { 112 | "tsconfig": "tsconfig.dev.json" 113 | } 114 | } 115 | }, 116 | "types": "lib/index.d.ts", 117 | "stability": "stable", 118 | "jsii": { 119 | "outdir": "dist", 120 | "targets": { 121 | "python": { 122 | "distName": "cdk-image-pipeline", 123 | "module": "cdk_image_pipeline" 124 | } 125 | }, 126 | "tsc": { 127 | "outDir": "lib", 128 | "rootDir": "src" 129 | } 130 | }, 131 | "//": "~~ Generated by projen. To modify, edit .projenrc.js and run \"npx projen\"." 132 | } 133 | -------------------------------------------------------------------------------- /src/index.ts: -------------------------------------------------------------------------------- 1 | import { createHash } from 'crypto'; 2 | import { readFileSync } from 'fs'; 3 | import * as path from 'path'; 4 | import { 5 | aws_iam as iam, 6 | aws_imagebuilder as imagebuilder, 7 | aws_kms as kms, 8 | aws_sns as sns, 9 | aws_sns_subscriptions as subscriptions, 10 | aws_lambda as lambda, 11 | Names, 12 | } from 'aws-cdk-lib'; 13 | import { SnsEventSource } from 'aws-cdk-lib/aws-lambda-event-sources'; 14 | import { Construct } from 'constructs'; 15 | 16 | export interface ComponentProps { 17 | /** 18 | * Relative path to Image Builder component document 19 | */ 20 | readonly document: string; 21 | /** 22 | * Name of the Component Document 23 | */ 24 | readonly name: string; 25 | /** 26 | * Version for each component document 27 | */ 28 | readonly version: string; 29 | } 30 | export interface VolumeProps { 31 | /** 32 | * Name of the volume 33 | */ 34 | readonly deviceName: string; 35 | /** 36 | * EBS Block Store Parameters 37 | */ 38 | readonly ebs: imagebuilder.CfnImageRecipe.EbsInstanceBlockDeviceSpecificationProperty; 39 | } 40 | 41 | export interface ImagePipelineSchedule { 42 | /** 43 | * The cron expression for the schedule. 44 | */ 45 | readonly scheduleExpression: string; 46 | 47 | /** 48 | * Optional pipeline execution start condition. 49 | */ 50 | readonly pipelineExecutionStartCondition?: 'EXPRESSION_MATCH_ONLY' | 'EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE'; 51 | } 52 | 53 | 54 | export interface ImagePipelineProps { 55 | /** 56 | * Name of the Image Pipeline 57 | */ 58 | readonly name?: string; 59 | /** 60 | * List of component props 61 | */ 62 | readonly components: (ComponentProps | string)[]; 63 | /** 64 | * Additional policies to add to the instance profile associated with the Instance Configurations 65 | */ 66 | readonly additionalPolicies?: iam.ManagedPolicy[]; 67 | /** 68 | * UserData script that will override default one (if specified) 69 | * 70 | * @default - none 71 | */ 72 | readonly userDataScript?: string; 73 | /** 74 | * Image recipe version (Default: 0.0.1) 75 | */ 76 | readonly imageRecipeVersion?: string; 77 | /** 78 | * The source (parent) image that the image recipe uses as its base environment. The value can be the parent image ARN or an Image Builder AMI ID 79 | */ 80 | readonly parentImage: string; 81 | /** 82 | * KMS Key used to encrypt the SNS topic. 83 | */ 84 | readonly kmsKey?: kms.IKey; 85 | /** 86 | * List of instance types used in the Instance Configuration (Default: [ 't3.medium', 'm5.large', 'm5.xlarge' ]) 87 | */ 88 | readonly instanceTypes?: string[]; 89 | /** 90 | * Platform type Linux or Windows (Default: Linux) 91 | */ 92 | readonly platform?: string; 93 | /** 94 | * Email used to receive Image Builder Pipeline Notifications via SNS 95 | */ 96 | readonly email?: string; 97 | /** 98 | * List of security group IDs for the Infrastructure Configuration 99 | */ 100 | readonly securityGroups?: string[]; 101 | /** 102 | * Subnet ID for the Infrastructure Configuration 103 | */ 104 | readonly subnetId?: string; 105 | /** 106 | * Configuration for the AMI's EBS volumes 107 | */ 108 | readonly ebsVolumeConfigurations?: VolumeProps[]; 109 | /** 110 | * Set to true if you want to enable continuous vulnerability scans through AWS Inpector 111 | */ 112 | readonly enableVulnScans?: boolean; 113 | /** 114 | * Store vulnerability scans through AWS Inpsector in ECR using this repo name (if option is enabled) 115 | */ 116 | readonly vulnScansRepoName?: string; 117 | /** 118 | * Store vulnerability scans through AWS Inpsector in ECR using these image tags (if option is enabled) 119 | */ 120 | readonly vulnScansRepoTags?: string[]; 121 | /** 122 | * Set to true if you want to copy this AMI to other accounts using a Distribution Configuration 123 | */ 124 | readonly enableCrossAccountDistribution?: boolean; 125 | /** 126 | * List of accounts to copy this AMI to, if the option to do so is enabled 127 | */ 128 | readonly distributionAccountIDs?: string[]; 129 | /** 130 | * List of regions to copy this AMI to, if the option to do so is enabled 131 | */ 132 | readonly distributionRegions?: string[]; 133 | /** 134 | * Parameter Store path to store latest AMI ID under 135 | */ 136 | readonly amiIdSsmPath?: string; 137 | /** 138 | * Account ID for Parameter Store path above 139 | */ 140 | readonly amiIdSsmAccountId?: string; 141 | /** 142 | * Region for Parameter Store path above 143 | */ 144 | readonly amiIdSsmRegion?: string; 145 | /** 146 | * The tags attached to the resource created by Image Builder 147 | */ 148 | readonly resourceTags?: { [key: string]: string }; 149 | /** 150 | * Schedule configuration for the image pipeline. 151 | */ 152 | readonly schedule?: ImagePipelineSchedule; 153 | } 154 | 155 | export class ImagePipeline extends Construct { 156 | imageRecipeComponents: imagebuilder.CfnImageRecipe.ComponentConfigurationProperty[]; 157 | /** 158 | * The internal image pipeline created by this construct. 159 | */ 160 | readonly pipeline: imagebuilder.CfnImagePipeline; 161 | /** 162 | * SNS Topic where the internal ImageBuilder will notify about new builds. 163 | */ 164 | readonly builderSnsTopic: sns.Topic; 165 | 166 | constructor(scope: Construct, id: string, props: ImagePipelineProps) { 167 | super(scope, id); 168 | let infrastructureConfig: imagebuilder.CfnInfrastructureConfiguration; 169 | let imageRecipe: imagebuilder.CfnImageRecipe; 170 | this.imageRecipeComponents = []; 171 | 172 | const uid = Names.uniqueId(this); 173 | 174 | // Construct code below 175 | this.builderSnsTopic = new sns.Topic(this, 'ImageBuilderTopic', { 176 | displayName: 'Image Builder Notify', 177 | masterKey: props.kmsKey, 178 | }); 179 | 180 | if (props.email != null) { 181 | this.builderSnsTopic.addSubscription(new subscriptions.EmailSubscription(props.email)); 182 | } 183 | 184 | const role = new iam.Role(this, 'Role', { 185 | assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'), 186 | description: 'IAM role used as part of an Image Builder pipeline', 187 | }); 188 | 189 | role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('EC2InstanceProfileForImageBuilder')); 190 | role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('EC2InstanceProfileForImageBuilderECRContainerBuilds')); 191 | role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonSSMManagedInstanceCore')); 192 | if (typeof props.additionalPolicies !== 'undefined' && props.additionalPolicies.length >= 1) { 193 | for (const policy of props.additionalPolicies) { 194 | role.addManagedPolicy(policy); 195 | } 196 | } 197 | 198 | const profile = new iam.CfnInstanceProfile(this, 'InstanceProfile', { 199 | roles: [role.roleName], 200 | }); 201 | 202 | if (props.securityGroups == null || props.subnetId == null) { 203 | infrastructureConfig = new imagebuilder.CfnInfrastructureConfiguration(this, 'InfrastructureConfiguration', { 204 | instanceProfileName: profile.ref, 205 | name: `${uid}InfraConfig`, 206 | description: 'Example Infrastructure Configuration for Image Builder', 207 | resourceTags: props.resourceTags, 208 | instanceTypes: props.instanceTypes ?? ['t3.medium', 'm5.large', 'm5.xlarge'], 209 | snsTopicArn: this.builderSnsTopic.topicArn, 210 | }); 211 | } else { 212 | infrastructureConfig = new imagebuilder.CfnInfrastructureConfiguration(this, 'InfrastructureConfiguration', { 213 | instanceProfileName: profile.ref, 214 | name: `${uid}InfraConfig`, 215 | description: 'Example Infrastructure Configuration for Image Builder', 216 | resourceTags: props.resourceTags, 217 | instanceTypes: props.instanceTypes ?? ['t3.medium', 'm5.large', 'm5.xlarge'], 218 | snsTopicArn: this.builderSnsTopic.topicArn, 219 | securityGroupIds: props.securityGroups, 220 | subnetId: props.subnetId, 221 | }); 222 | } 223 | 224 | infrastructureConfig.addDependency(profile); 225 | 226 | /** 227 | * Image recipe configuration 228 | */ 229 | let imageRecipeProps: imagebuilder.CfnImageRecipeProps; 230 | imageRecipeProps = { 231 | components: [], 232 | name: 'Placeholder', 233 | parentImage: props.parentImage, 234 | version: props.imageRecipeVersion ?? '0.0.1', 235 | }; 236 | if (props.userDataScript) { 237 | imageRecipeProps = { 238 | ...imageRecipeProps, 239 | additionalInstanceConfiguration: { 240 | userDataOverride: props.userDataScript, 241 | }, 242 | }; 243 | }; 244 | if (props.ebsVolumeConfigurations) { 245 | imageRecipeProps = { 246 | ...imageRecipeProps, 247 | blockDeviceMappings: props.ebsVolumeConfigurations, 248 | }; 249 | } 250 | imageRecipe = new imagebuilder.CfnImageRecipe(this, 'ImageRecipe', imageRecipeProps); 251 | 252 | props.components.forEach((component) => { 253 | if (typeof component === 'string') { 254 | this.imageRecipeComponents.push({ componentArn: component }); 255 | } else { 256 | let newComponent = new imagebuilder.CfnComponent(this, component.name, { 257 | name: `${uid}${component.name}`, 258 | platform: props.platform ? props.platform : 'Linux', 259 | version: component.version, 260 | data: readFileSync(component.document).toString(), 261 | }); 262 | 263 | // add the component to the Image Recipe 264 | this.imageRecipeComponents.push({ componentArn: newComponent.attrArn }); 265 | } 266 | 267 | imageRecipe.components = this.imageRecipeComponents; 268 | }); 269 | 270 | const hashId = this.hash(props.components); 271 | imageRecipe.name = `${uid}${hashId}`; 272 | 273 | let imagePipelineProps: imagebuilder.CfnImagePipelineProps; 274 | imagePipelineProps = { 275 | infrastructureConfigurationArn: infrastructureConfig.attrArn, 276 | name: props.name ? props.name : `${uid}ImagePipeline`, 277 | description: 'A sample image pipeline', 278 | imageRecipeArn: imageRecipe.attrArn, 279 | }; 280 | 281 | if (props.schedule) { 282 | imagePipelineProps = { 283 | ...imagePipelineProps, 284 | schedule: { 285 | scheduleExpression: props.schedule.scheduleExpression, 286 | pipelineExecutionStartCondition: props.schedule.pipelineExecutionStartCondition || 'EXPRESSION_MATCH_ONLY', 287 | }, 288 | }; 289 | } 290 | 291 | if (props.enableVulnScans) { 292 | imagePipelineProps = { 293 | ...imagePipelineProps, 294 | imageScanningConfiguration: { 295 | imageScanningEnabled: props.enableVulnScans, 296 | ecrConfiguration: { 297 | repositoryName: props.vulnScansRepoName, 298 | containerTags: props.vulnScansRepoTags, 299 | }, 300 | }, 301 | }; 302 | } 303 | if (props.enableCrossAccountDistribution) { 304 | const distributionsList: imagebuilder.CfnDistributionConfiguration.DistributionProperty[] = []; 305 | props.distributionRegions?.forEach(distributionRegion => { 306 | const distributionConfig: any = { 307 | region: distributionRegion, 308 | amiDistributionConfiguration: { 309 | //Capital case here because it's an object of type any, but capital case is what is expected in CloudFormation 310 | //https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-imagebuilder-distributionconfiguration-amidistributionconfiguration.html 311 | Name: `${uid}-${distributionRegion}-{{imagebuilder:buildDate}}`, 312 | Description: `copy AMI to ${distributionRegion}`, 313 | TargetAccountIds: props.distributionAccountIDs, 314 | LaunchPermissionConfiguration: { 315 | UserIds: props.distributionAccountIDs, 316 | }, 317 | KmsKeyId: props.ebsVolumeConfigurations ? props.ebsVolumeConfigurations[0].ebs.kmsKeyId : 'aws/ebs', //use default AWS-managed key if one isn't given 318 | }, 319 | }; 320 | distributionsList.push(distributionConfig); 321 | }); 322 | const amiDistributionConfiguration = new imagebuilder.CfnDistributionConfiguration(this, 'amiDistributionConfiguration', { 323 | name: `${uid}DistributionConfig`, 324 | description: `Cross account distribution settings for ${uid}`, 325 | distributions: distributionsList, 326 | }); 327 | imagePipelineProps = { 328 | ...imagePipelineProps, 329 | distributionConfigurationArn: amiDistributionConfiguration.attrArn, 330 | }; 331 | } 332 | 333 | /** 334 | * Create Lambda to add latest built image's ID to Parameter Store 335 | * (only if a Parameter Store path is provided) 336 | */ 337 | if (props.amiIdSsmPath) { 338 | const amiIdSsmPath = props.amiIdSsmPath.replace(/^\/+/, '/'); 339 | const amiSsmUpdateLambdaPolicy = new iam.PolicyDocument({ 340 | statements: [ 341 | new iam.PolicyStatement({ 342 | resources: [`arn:aws:ssm:${props.amiIdSsmRegion}:${props.amiIdSsmAccountId}:parameter${amiIdSsmPath}`], 343 | actions: [ 344 | 'ssm:PutParameter', 345 | 'ssm:GetParameterHistory', 346 | 'ssm:GetParameter', 347 | 'ssm:GetParameters', 348 | 'ssm:AddTagsToResource', 349 | ], 350 | }), 351 | ], 352 | }); 353 | const amiSsmUpdateLambdaRole = new iam.Role(this, 'UpdateLambdaRole', { 354 | assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'), 355 | managedPolicies: [ 356 | iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaBasicExecutionRole'), 357 | ], 358 | inlinePolicies: { 359 | AmiSsmUpdateLambdaPolicy: amiSsmUpdateLambdaPolicy, 360 | }, 361 | }); 362 | const amiSsmUpdateLambda = new lambda.Function(this, 'UpdateLambda', { 363 | runtime: lambda.Runtime.PYTHON_3_10, 364 | code: lambda.Code.fromAsset(path.join(__dirname, '../assets/image-builder-update-lambda')), 365 | handler: 'image-builder-lambda-update-ssm.lambda_handler', 366 | role: amiSsmUpdateLambdaRole, 367 | environment: { 368 | SSM_PATH: amiIdSsmPath, 369 | }, 370 | memorySize: 256, 371 | }); 372 | amiSsmUpdateLambda.addEventSource(new SnsEventSource(this.builderSnsTopic, {})); 373 | } 374 | this.pipeline = new imagebuilder.CfnImagePipeline(this, 'ImagePipeline', imagePipelineProps); 375 | } 376 | 377 | /** 378 | * Helper function to hash an object to create unique resource names 379 | * 380 | * @param o an object to hash 381 | * @returns 6 character hash string 382 | */ 383 | private hash(o: object): string { 384 | // Remove any token references that would cause the result to be 385 | // non-deterministic. 386 | const cleanString = JSON.stringify(o).replace(/\${[^{]*}/g, ''); 387 | 388 | return createHash('sha256') 389 | .update(cleanString) 390 | .digest('hex') 391 | .toUpperCase() 392 | .slice(0, 6); 393 | } 394 | } 395 | -------------------------------------------------------------------------------- /test/imagepipeline.test.ts: -------------------------------------------------------------------------------- 1 | import * as cdk from 'aws-cdk-lib'; 2 | import { Match, Template } from 'aws-cdk-lib/assertions'; 3 | import { ImagePipeline, ImagePipelineProps } from '../src'; 4 | 5 | let template: Template; 6 | 7 | const props: ImagePipelineProps = { 8 | components: [ 9 | { 10 | document: 'test/test_component_example.yml', 11 | name: 'TestComponent', 12 | version: '1.0.0', 13 | }, 14 | { 15 | document: 'test/test_component_example_2.yml', 16 | name: 'TestComponent2', 17 | version: '1.0.0', 18 | }, 19 | ], 20 | parentImage: 'ami-04505e74c0741db8d', // Ubuntu Server 20.04 LTS 21 | email: 'unit@test.com', 22 | enableVulnScans: true, 23 | vulnScansRepoName: 'image-builder-vuln-scans', 24 | vulnScansRepoTags: ['al2-x86-base'], 25 | amiIdSsmPath: '/ec2-image-builder/al2-x86', 26 | amiIdSsmAccountId: '11223344556', 27 | amiIdSsmRegion: 'us-east-1', 28 | name: 'TestImagePipeline', 29 | }; 30 | 31 | const propsWithNetworking: ImagePipelineProps = { 32 | components: [ 33 | { 34 | document: 'test/test_component_example.yml', 35 | name: 'TestComponent', 36 | version: '1.0.0', 37 | }, 38 | ], 39 | parentImage: 'ami-04505e74c0741db8d', // Ubuntu Server 20.04 LTS 40 | securityGroups: ['sg-12345678'], 41 | subnetId: 'subnet-12345678', 42 | }; 43 | 44 | const propsWithVolumeConfig: ImagePipelineProps = { 45 | components: [ 46 | { 47 | document: 'test/test_component_example.yml', 48 | name: 'TestComponent', 49 | version: '1.0.0', 50 | }, 51 | ], 52 | parentImage: 'ami-04505e74c0741db8d', // Ubuntu Server 20.04 LTS 53 | securityGroups: ['sg-12345678'], 54 | subnetId: 'subnet-12345678', 55 | ebsVolumeConfigurations: [ 56 | { 57 | deviceName: '/dev/xvda', 58 | ebs: { 59 | encrypted: true, 60 | iops: 200, 61 | kmsKeyId: 'alias/app1/key', 62 | volumeSize: 20, 63 | volumeType: 'gp3', 64 | throughput: 1000, 65 | }, 66 | }, 67 | ], 68 | enableCrossAccountDistribution: true, 69 | distributionAccountIDs: ['111222333444'], 70 | distributionRegions: ['us-east-1'], 71 | }; 72 | 73 | const propsWithSchedule: ImagePipelineProps = { 74 | ...props, 75 | schedule: { 76 | scheduleExpression: 'cron(0 0 * * ? *)', 77 | pipelineExecutionStartCondition: 'EXPRESSION_MATCH_ONLY', 78 | }, 79 | }; 80 | 81 | const propsWithDefaultSchedule: ImagePipelineProps = { 82 | ...props, 83 | schedule: { 84 | scheduleExpression: 'cron(0 12 * * ? *)', 85 | }, 86 | }; 87 | 88 | beforeAll(() => { 89 | process.env.CDK_DEFAULT_ACCOUNT = '123456789012'; 90 | process.env.CDK_DEFAULT_REGION = 'us-east-1'; 91 | const app = new cdk.App(); 92 | const testStack = new cdk.Stack(app, 'testStack', { 93 | env: { 94 | account: process.env.CDK_DEFAULT_ACCOUNT, 95 | region: process.env.CDK_DEFAULT_REGION, 96 | }, 97 | }); 98 | new ImagePipeline(testStack, 'ImagePipelineStack', props); 99 | template = Template.fromStack(testStack); 100 | }); 101 | 102 | test('Image Pipeline is created with custom name', () => { 103 | template.hasResourceProperties('AWS::ImageBuilder::ImagePipeline', { 104 | Name: 'TestImagePipeline', 105 | }); 106 | }); 107 | 108 | test('Infrastructure Configuration SNS topic is created', () => { 109 | template.resourceCountIs('AWS::SNS::Topic', 1); 110 | }); 111 | 112 | test('Infrastructure Configuration creates Lambda function for adding AMI ID to SSM', () => { 113 | template.resourceCountIs('AWS::Lambda::Function', 1); 114 | }); 115 | 116 | test('Given an email address, an SNS Subscription should be created', () => { 117 | template.resourceCountIs('AWS::SNS::Subscription', 2); //2 because of the SSM update Lambda 118 | template.hasResourceProperties('AWS::SNS::Subscription', { 119 | Protocol: 'email', 120 | Endpoint: 'unit@test.com', 121 | }); 122 | }); 123 | 124 | test('Infrastructure Configuration is created', () => { 125 | template.resourceCountIs('AWS::ImageBuilder::InfrastructureConfiguration', 1); 126 | }); 127 | 128 | test('Infrastructure Configuration IAM Role and Instance Profile are created', () => { 129 | template.resourceCountIs('AWS::IAM::Role', 2); //2 because of the SSM update Lambda 130 | template.resourceCountIs('AWS::IAM::InstanceProfile', 1); 131 | }); 132 | 133 | test('IAM Role contains necessary permission set', () => { 134 | template.hasResourceProperties('AWS::IAM::Role', { 135 | Policies: [ 136 | { 137 | PolicyName: 'AmiSsmUpdateLambdaPolicy', 138 | PolicyDocument: { 139 | Statement: [ 140 | { 141 | Effect: 'Allow', 142 | Action: [ 143 | 'ssm:PutParameter', 144 | 'ssm:GetParameterHistory', 145 | 'ssm:GetParameter', 146 | 'ssm:GetParameters', 147 | 'ssm:AddTagsToResource', 148 | ], 149 | Resource: 'arn:aws:ssm:us-east-1:11223344556:parameter/ec2-image-builder/al2-x86', 150 | }, 151 | ], 152 | }, 153 | }, 154 | ], 155 | }); 156 | 157 | }); 158 | 159 | test('Infrastructure Configuration has the default instance types', () => { 160 | template.hasResourceProperties('AWS::ImageBuilder::InfrastructureConfiguration', { 161 | InstanceTypes: ['t3.medium', 'm5.large', 'm5.xlarge'], 162 | }); 163 | }); 164 | 165 | 166 | test('Infrastructure Configuration is built with provided Networking properties', () => { 167 | const app = new cdk.App(); 168 | const testStack = new cdk.Stack(app, 'testStack', { 169 | env: { 170 | account: process.env.CDK_DEFAULT_ACCOUNT, 171 | region: process.env.CDK_DEFAULT_REGION, 172 | }, 173 | }); 174 | new ImagePipeline(testStack, 'ImagePipelineStack', propsWithNetworking); 175 | const templateWithNetworking = Template.fromStack(testStack); 176 | 177 | templateWithNetworking.hasResourceProperties('AWS::ImageBuilder::InfrastructureConfiguration', { 178 | SnsTopicArn: Match.anyValue(), 179 | SecurityGroupIds: ['sg-12345678'], 180 | SubnetId: 'subnet-12345678', 181 | }); 182 | }); 183 | 184 | test('Infrastructure Configuration is built with provided EBS volume properties', () => { 185 | const app = new cdk.App(); 186 | const testStack = new cdk.Stack(app, 'testStack', { 187 | env: { 188 | account: process.env.CDK_DEFAULT_ACCOUNT, 189 | region: process.env.CDK_DEFAULT_REGION, 190 | }, 191 | }); 192 | new ImagePipeline(testStack, 'ImagePipelineStack', propsWithVolumeConfig); 193 | const templateWithVolume = Template.fromStack(testStack); 194 | 195 | templateWithVolume.hasResourceProperties('AWS::ImageBuilder::ImageRecipe', { 196 | BlockDeviceMappings: [ 197 | { 198 | DeviceName: '/dev/xvda', 199 | Ebs: { 200 | Encrypted: true, 201 | Iops: 200, 202 | KmsKeyId: 'alias/app1/key', 203 | VolumeSize: 20, 204 | VolumeType: 'gp3', 205 | Throughput: 1000, 206 | }, 207 | }, 208 | ], 209 | }); 210 | templateWithVolume.hasResourceProperties('AWS::ImageBuilder::InfrastructureConfiguration', { 211 | SnsTopicArn: Match.anyValue(), 212 | SecurityGroupIds: ['sg-12345678'], 213 | SubnetId: 'subnet-12345678', 214 | }); 215 | templateWithVolume.hasResourceProperties('AWS::ImageBuilder::DistributionConfiguration', { 216 | Distributions: [{ 217 | Region: 'us-east-1', 218 | AmiDistributionConfiguration: { 219 | TargetAccountIds: ['111222333444'], 220 | LaunchPermissionConfiguration: { 221 | UserIds: ['111222333444'], 222 | }, 223 | KmsKeyId: 'alias/app1/key', 224 | }, 225 | }], 226 | }); 227 | }); 228 | 229 | 230 | test('Infrastructure Configuration contains required properties', () => { 231 | template.hasResourceProperties('AWS::ImageBuilder::InfrastructureConfiguration', { 232 | SnsTopicArn: Match.anyValue(), 233 | }); 234 | }); 235 | 236 | test.skip('Infrastructure Configuration DependsOn Instance Profile', () => { 237 | // TODO 238 | }); 239 | 240 | test('Image Builder Component is created', () => { 241 | template.resourceCountIs('AWS::ImageBuilder::Component', props.components.length); 242 | }); 243 | 244 | test('Image Recipe is created', () => { 245 | template.resourceCountIs('AWS::ImageBuilder::ImageRecipe', 1); 246 | }); 247 | 248 | test('Image Pipeline has Inspector vulnerability scans configured', () => { 249 | template.resourceCountIs('AWS::ImageBuilder::ImagePipeline', 1); 250 | template.hasResourceProperties('AWS::ImageBuilder::ImagePipeline', { 251 | ImageScanningConfiguration: { 252 | ImageScanningEnabled: true, 253 | EcrConfiguration: { 254 | RepositoryName: 'image-builder-vuln-scans', 255 | ContainerTags: [ 256 | 'al2-x86-base', 257 | ], 258 | }, 259 | }, 260 | }); 261 | }); 262 | 263 | test('Image Pipeline supports schedule configuration', () => { 264 | const app1 = new cdk.App(); 265 | const testStack1 = new cdk.Stack(app1, 'testStackWithSchedule', { 266 | env: { 267 | account: process.env.CDK_DEFAULT_ACCOUNT, 268 | region: process.env.CDK_DEFAULT_REGION, 269 | }, 270 | }); 271 | 272 | new ImagePipeline(testStack1, 'ImagePipelineWithSchedule', propsWithSchedule); 273 | const templateWithSchedule = Template.fromStack(testStack1); 274 | 275 | templateWithSchedule.hasResourceProperties('AWS::ImageBuilder::ImagePipeline', { 276 | Schedule: { 277 | ScheduleExpression: 'cron(0 0 * * ? *)', 278 | PipelineExecutionStartCondition: 'EXPRESSION_MATCH_ONLY', 279 | }, 280 | }); 281 | 282 | // Test with default execution condition 283 | const app2 = new cdk.App(); 284 | const testStack2 = new cdk.Stack(app2, 'testStackWithDefaultSchedule', { 285 | env: { 286 | account: process.env.CDK_DEFAULT_ACCOUNT, 287 | region: process.env.CDK_DEFAULT_REGION, 288 | }, 289 | }); 290 | 291 | new ImagePipeline(testStack2, 'ImagePipelineWithDefaultSchedule', propsWithDefaultSchedule); 292 | const templateWithDefaultSchedule = Template.fromStack(testStack2); 293 | 294 | templateWithDefaultSchedule.hasResourceProperties('AWS::ImageBuilder::ImagePipeline', { 295 | Schedule: { 296 | ScheduleExpression: 'cron(0 12 * * ? *)', 297 | }, 298 | }); 299 | }); 300 | 301 | test('ImagePipeline exposes components as properties', () => { 302 | const app = new cdk.App(); 303 | const testStack = new cdk.Stack(app, 'testStack', { 304 | env: { 305 | account: process.env.CDK_DEFAULT_ACCOUNT, 306 | region: process.env.CDK_DEFAULT_REGION, 307 | }, 308 | }); 309 | const sut = new ImagePipeline(testStack, 'ImagePipelineStack', props); 310 | expect(sut.pipeline).toBeDefined(); 311 | expect(sut.builderSnsTopic).toBeDefined(); 312 | }); 313 | -------------------------------------------------------------------------------- /test/test_component_example.yml: -------------------------------------------------------------------------------- 1 | name: ComponentExample 2 | description: This is an example component document 3 | schemaVersion: 1.0 4 | 5 | phases: 6 | - name: build 7 | steps: 8 | - name: InstallUpdates 9 | action: UpdateOS 10 | - name: validate 11 | steps: 12 | - name: HelloWorldStep 13 | action: ExecuteBash 14 | inputs: 15 | commands: 16 | - echo "Hello World! Validate." 17 | - name: test 18 | steps: 19 | - name: HelloWorldStep 20 | action: ExecuteBash 21 | inputs: 22 | commands: 23 | - echo "Hello World! Test. -------------------------------------------------------------------------------- /test/test_component_example_2.yml: -------------------------------------------------------------------------------- 1 | name: ComponentExample 2 | description: This is an example component document 3 | schemaVersion: 1.0 4 | 5 | phases: 6 | - name: build 7 | steps: 8 | - name: InstallUpdates 9 | action: UpdateOS 10 | - name: DownloadSomeShellScriptFromS3 11 | action: S3Download 12 | inputs: 13 | - source: 's3://some-bucket/some_shell_script.sh' 14 | destination: '/tmp/some_shell_script.sh' 15 | - name: validate 16 | steps: 17 | - name: HelloWorldStep 18 | action: ExecuteBash 19 | inputs: 20 | commands: 21 | - echo "Hello World! Validate." 22 | - name: test 23 | steps: 24 | - name: HelloWorldStep 25 | action: ExecuteBash 26 | inputs: 27 | commands: 28 | - echo "Hello World! Test. -------------------------------------------------------------------------------- /tsconfig.dev.json: -------------------------------------------------------------------------------- 1 | // ~~ Generated by projen. To modify, edit .projenrc.js and run "npx projen". 2 | { 3 | "compilerOptions": { 4 | "alwaysStrict": true, 5 | "declaration": true, 6 | "esModuleInterop": true, 7 | "experimentalDecorators": true, 8 | "inlineSourceMap": true, 9 | "inlineSources": true, 10 | "lib": [ 11 | "es2020" 12 | ], 13 | "module": "CommonJS", 14 | "noEmitOnError": false, 15 | "noFallthroughCasesInSwitch": true, 16 | "noImplicitAny": true, 17 | "noImplicitReturns": true, 18 | "noImplicitThis": true, 19 | "noUnusedLocals": true, 20 | "noUnusedParameters": true, 21 | "resolveJsonModule": true, 22 | "strict": true, 23 | "strictNullChecks": true, 24 | "strictPropertyInitialization": true, 25 | "stripInternal": true, 26 | "target": "ES2020" 27 | }, 28 | "include": [ 29 | "src/**/*.ts", 30 | "test/**/*.ts", 31 | ".projenrc.js" 32 | ], 33 | "exclude": [ 34 | "node_modules" 35 | ] 36 | } 37 | --------------------------------------------------------------------------------