From 341f7a82ed35081f9bc7a072e90cf80441c8898a Mon Sep 17 00:00:00 2001 From: AWS CDK Automation <43080478+aws-cdk-automation@users.noreply.github.com> Date: Wed, 12 Jul 2023 05:28:00 -0400 Subject: [PATCH 1/5] docs(cfnspec): update CloudFormation documentation (#26334) --- .../spec-source/cfn-docs/cfn-docs.json | 42 +++++++++---------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json b/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json index 2d736ae24df83..aa2a37e3403c5 100644 --- a/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json +++ b/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json @@ -57434,14 +57434,14 @@ "AWS::RolesAnywhere::CRL": { "attributes": { "CrlId": "The unique primary identifier of the Crl", - "Ref": "The name of the CRL." + "Ref": "`Ref` returns `CrlId` ." }, - "description": "Creates a Crl.", + "description": "Imports the certificate revocation list (CRL). A CRL is a list of certificates that have been revoked by the issuing certificate Authority (CA). IAM Roles Anywhere validates against the CRL before issuing credentials.\n\n*Required permissions:* `rolesanywhere:ImportCrl` .", "properties": { - "CrlData": "x509 v3 Certificate Revocation List to revoke auth for corresponding certificates presented in CreateSession operations", - "Enabled": "The enabled status of the resource.", - "Name": "The customer specified name of the resource.", - "Tags": "A list of Tags.", + "CrlData": "The x509 v3 specified certificate revocation list (CRL).", + "Enabled": "Specifies whether the certificate revocation list (CRL) is enabled.", + "Name": "The name of the certificate revocation list (CRL).", + "Tags": "A list of tags to attach to the certificate revocation list (CRL).", "TrustAnchorArn": "The ARN of the TrustAnchor the certificate revocation list (CRL) will provide revocation for." } }, 
@@ -57449,18 +57449,18 @@ "attributes": { "ProfileArn": "The ARN of the profile.", "ProfileId": "The unique primary identifier of the Profile", - "Ref": "The name of the Profile" + "Ref": "`Ref` returns `ProfileId` ." }, - "description": "Creates a Profile.", + "description": "Creates a *profile* , a list of the roles that Roles Anywhere service is trusted to assume. You use profiles to intersect permissions with IAM managed policies.\n\n*Required permissions:* `rolesanywhere:CreateProfile` .", "properties": { - "DurationSeconds": "The number of seconds vended session credentials will be valid for", - "Enabled": "The enabled status of the resource.", - "ManagedPolicyArns": "A list of managed policy ARNs. Managed policies identified by this list will be applied to the vended session credentials.", - "Name": "The customer specified name of the resource.", - "RequireInstanceProperties": "Specifies whether instance properties are required in CreateSession requests with this profile.", - "RoleArns": "A list of IAM role ARNs that can be assumed when this profile is specified in a CreateSession request.", - "SessionPolicy": "A session policy that will applied to the trust boundary of the vended session credentials.", - "Tags": "A list of Tags." + "DurationSeconds": "Sets the maximum number of seconds that vended temporary credentials through [CreateSession](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-create-session.html) will be valid for, between 900 and 3600.", + "Enabled": "Indicates whether the profile is enabled.", + "ManagedPolicyArns": "A list of managed policy ARNs that apply to the vended session credentials.", + "Name": "The name of the profile.", + "RequireInstanceProperties": "Specifies whether instance properties are required in temporary credential requests with this profile.", + "RoleArns": "A list of IAM role ARNs. 
During `CreateSession` , if a matching role ARN is provided, the properties in this profile will be applied to the intersection session policy.", + "SessionPolicy": "A session policy that applies to the trust boundary of the vended session credentials.", + "Tags": "The tags to attach to the profile." } }, "AWS::RolesAnywhere::TrustAnchor": { @@ -57469,7 +57469,7 @@ "TrustAnchorArn": "The ARN of the trust anchor.", "TrustAnchorId": "The unique identifier of the trust anchor." }, - "description": "Creates a TrustAnchor.", + "description": "Creates a trust anchor to establish trust between IAM Roles Anywhere and your certificate authority (CA). You can define a trust anchor as a reference to an AWS Private Certificate Authority ( AWS Private CA ) or by uploading a CA certificate. Your AWS workloads can authenticate with the trust anchor using certificates issued by the CA in exchange for temporary AWS credentials.\n\n*Required permissions:* `rolesanywhere:CreateTrustAnchor` .", "properties": { "Enabled": "Indicates whether the trust anchor is enabled.", "Name": "The name of the trust anchor.", 
@@ -57479,15 +57479,15 @@ }, "AWS::RolesAnywhere::TrustAnchor.Source": { "attributes": {}, - "description": "Object representing the TrustAnchor type and its related certificate data.", + "description": "The trust anchor type and its related certificate data.", "properties": { - "SourceData": "A union object representing the data field of the TrustAnchor depending on its type", - "SourceType": "The type of the TrustAnchor." + "SourceData": "The data field of the trust anchor depending on its type.", + "SourceType": "The type of the TrustAnchor.\n\n> `AWS_ACM_PCA` is not an allowed value in your region." } }, "AWS::RolesAnywhere::TrustAnchor.SourceData": { "attributes": {}, - "description": "A union object representing the data field of the TrustAnchor depending on its type", + "description": "The data field of the trust anchor depending on its type.", "properties": { "AcmPcaArn": "The root certificate of the AWS Private Certificate Authority specified by this ARN is used in trust validation for temporary credential requests. Included for trust anchors of type `AWS_ACM_PCA` .\n\n> This field is not supported in your region.", "X509CertificateData": "The PEM-encoded data for the certificate anchor. Included for trust anchors of type `CERTIFICATE_BUNDLE` ." From b799c82526b755d3f6005fd022467d7dcb220bb3 Mon Sep 17 00:00:00 2001 
From: Tatsuya Mori Date: Wed, 12 Jul 2023 20:13:29 +0900 Subject: [PATCH 2/5] fix(ecs): DeploymentAlarms property is specified for ECS service with CODE_DEPLOY and EXTERNAL deployment controller (#26317) From #25840, ECS L2 construct sets the default configuration for the `CfnService.deploymentConfiguration.alarms` property to: ``` alarmNames: [], rollback: false, enable: false, ``` However, alarm based rollback feature is only supported for ECS services that use the rolling update (ECS) deployment controller. https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-alarm-failure.html Due to this limitation, when deploymentController is set to CODE_DEPLOY or EXTERNAL, creation for the service will fail by conflict with `deploymentConfiguration.alarms` property. This PR solves the issue by skipping to set default configuration for the `CfnService.deploymentConfiguration.alarms` property for CODE_DEPLOY and EXTERNAL deployment controller. Closes #26307 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../aws-cdk-codedeploy-ecs-dg.assets.json | 4 +- .../aws-cdk-codedeploy-ecs-dg.template.json | 5 - .../manifest.json | 2 +- .../tree.json | 383 +++++++++--------- .../aws-ecs/lib/base/base-service.ts | 4 +- .../aws-ecs/test/base-service.test.ts | 125 ++++++ 6 files changed, 320 insertions(+), 203 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codedeploy/test/ecs/integ.deployment-group.js.snapshot/aws-cdk-codedeploy-ecs-dg.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codedeploy/test/ecs/integ.deployment-group.js.snapshot/aws-cdk-codedeploy-ecs-dg.assets.json index dcf68b157c2b9..a0b1b02ba7950 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codedeploy/test/ecs/integ.deployment-group.js.snapshot/aws-cdk-codedeploy-ecs-dg.assets.json 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codedeploy/test/ecs/integ.deployment-group.js.snapshot/aws-cdk-codedeploy-ecs-dg.assets.json @@ -1,7 +1,7 @@ { "version": "32.0.0", "files": { - "146a3a0178544a80f025b470e820a77ec783a43b2a5ae0a2590037423ed16a6b": { + "54ea34edd18b9383781f88fd1ab5487b7d2a4ca076f0a365fa77e3b3a4b109d9": { "source": { "path": "aws-cdk-codedeploy-ecs-dg.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "146a3a0178544a80f025b470e820a77ec783a43b2a5ae0a2590037423ed16a6b.json", + "objectKey": "54ea34edd18b9383781f88fd1ab5487b7d2a4ca076f0a365fa77e3b3a4b109d9.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codedeploy/test/ecs/integ.deployment-group.js.snapshot/aws-cdk-codedeploy-ecs-dg.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codedeploy/test/ecs/integ.deployment-group.js.snapshot/aws-cdk-codedeploy-ecs-dg.template.json index db8c35d037078..64f48e53ec831 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codedeploy/test/ecs/integ.deployment-group.js.snapshot/aws-cdk-codedeploy-ecs-dg.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codedeploy/test/ecs/integ.deployment-group.js.snapshot/aws-cdk-codedeploy-ecs-dg.template.json @@ -449,11 +449,6 @@ "Ref": "EcsCluster97242B84" }, "DeploymentConfiguration": { - "Alarms": { - "AlarmNames": [], - "Enable": false, - "Rollback": false - }, "MaximumPercent": 200, "MinimumHealthyPercent": 50 }, 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codedeploy/test/ecs/integ.deployment-group.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codedeploy/test/ecs/integ.deployment-group.js.snapshot/manifest.json index a5ae2431ff982..2ac61ce54d5a8 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codedeploy/test/ecs/integ.deployment-group.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codedeploy/test/ecs/integ.deployment-group.js.snapshot/manifest.json @@ -17,7 +17,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/146a3a0178544a80f025b470e820a77ec783a43b2a5ae0a2590037423ed16a6b.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/54ea34edd18b9383781f88fd1ab5487b7d2a4ca076f0a365fa77e3b3a4b109d9.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codedeploy/test/ecs/integ.deployment-group.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codedeploy/test/ecs/integ.deployment-group.js.snapshot/tree.json index c374cae635fe2..b5cdc1e7eed0e 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codedeploy/test/ecs/integ.deployment-group.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codedeploy/test/ecs/integ.deployment-group.js.snapshot/tree.json 
@@ -31,8 +31,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnVPC", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "PublicSubnet1": { @@ -75,16 +75,16 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "Acl": { "id": "Acl", "path": "aws-cdk-codedeploy-ecs-dg/VPC/PublicSubnet1/Acl", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "RouteTable": { @@ -105,8 +105,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "RouteTableAssociation": { @@ -124,8 +124,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "DefaultRoute": { @@ -144,8 +144,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "EIP": { @@ -164,8 +164,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnEIP", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "NATGateway": { @@ -192,14 +192,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.PublicSubnet", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "PublicSubnet2": { 
@@ -242,16 +242,16 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "Acl": { "id": "Acl", "path": "aws-cdk-codedeploy-ecs-dg/VPC/PublicSubnet2/Acl", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "RouteTable": { @@ -272,8 +272,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "RouteTableAssociation": { @@ -291,8 +291,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "DefaultRoute": { @@ -311,8 +311,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "EIP": { @@ -331,8 +331,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnEIP", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "NATGateway": { @@ -359,14 +359,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.PublicSubnet", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "PrivateSubnet1": { @@ -409,16 +409,16 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "Acl": { "id": "Acl", "path": "aws-cdk-codedeploy-ecs-dg/VPC/PrivateSubnet1/Acl", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "RouteTable": { 
@@ -439,8 +439,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "RouteTableAssociation": { @@ -458,8 +458,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "DefaultRoute": { @@ -478,14 +478,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "PrivateSubnet2": { @@ -528,16 +528,16 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "Acl": { "id": "Acl", "path": "aws-cdk-codedeploy-ecs-dg/VPC/PrivateSubnet2/Acl", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "RouteTable": { @@ -558,8 +558,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "RouteTableAssociation": { @@ -577,8 +577,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "DefaultRoute": { @@ -597,14 +597,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "IGW": { 
@@ -622,8 +622,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnInternetGateway", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "VPCGW": { @@ -641,14 +641,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnVPCGatewayAttachment", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.Vpc", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "EcsCluster": { @@ -663,14 +663,14 @@ "aws:cdk:cloudformation:props": {} }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ecs.CfnCluster", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ecs.Cluster", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "TaskDef": { @@ -685,8 +685,8 @@ "id": "ImportTaskRole", "path": "aws-cdk-codedeploy-ecs-dg/TaskDef/TaskRole/ImportTaskRole", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "Resource": { @@ -710,14 +710,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "Resource": { 
@@ -755,22 +755,22 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ecs.CfnTaskDefinition", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "Container": { "id": "Container", "path": "aws-cdk-codedeploy-ecs-dg/TaskDef/Container", "constructInfo": { - "fqn": "aws-cdk-lib.aws_ecs.ContainerDefinition", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ecs.FargateTaskDefinition", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "FargateService": { @@ -788,12 +788,7 @@ }, "deploymentConfiguration": { "maximumPercent": 200, - "minimumHealthyPercent": 50, - "alarms": { - "alarmNames": [], - "enable": false, - "rollback": false - } + "minimumHealthyPercent": 50 }, "deploymentController": { "type": "CODE_DEPLOY" @@ -835,8 +830,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ecs.CfnService", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "SecurityGroup": { @@ -863,8 +858,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSecurityGroup", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "from awscdkcodedeployecsdgServiceLBSecurityGroupEC967688:80": { @@ -892,20 +887,20 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSecurityGroupIngress", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.SecurityGroup", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ecs.FargateService", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "TaskDef2": { 
@@ -920,8 +915,8 @@ "id": "ImportTaskRole", "path": "aws-cdk-codedeploy-ecs-dg/TaskDef2/TaskRole/ImportTaskRole", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "Resource": { @@ -945,14 +940,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "Resource": { @@ -990,22 +985,22 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ecs.CfnTaskDefinition", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "Container": { "id": "Container", "path": "aws-cdk-codedeploy-ecs-dg/TaskDef2/Container", "constructInfo": { - "fqn": "aws-cdk-lib.aws_ecs.ContainerDefinition", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ecs.FargateTaskDefinition", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "ServiceLB": { @@ -1045,8 +1040,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.CfnLoadBalancer", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "SecurityGroup": { @@ -1082,8 +1077,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSecurityGroup", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "to awscdkcodedeployecsdgFargateServiceSecurityGroup64C2B62E:80": { @@ -1111,14 +1106,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSecurityGroupEgress", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.SecurityGroup", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "ProdListener": { 
@@ -1147,8 +1142,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.CfnListener", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "BlueTGGroup": { @@ -1187,20 +1182,20 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.CfnTargetGroup", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationTargetGroup", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationListener", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "TestListener": { @@ -1229,20 +1224,20 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.CfnListener", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationListener", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationLoadBalancer", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "GreenTG": { @@ -1281,14 +1276,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.CfnTargetGroup", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationTargetGroup", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "BlueUnhealthyHosts": { 
@@ -1374,14 +1369,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_cloudwatch.CfnAlarm", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_cloudwatch.Alarm", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "Blue5xx": { @@ -1467,14 +1462,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_cloudwatch.CfnAlarm", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_cloudwatch.Alarm", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "GreenUnhealthyHosts": { @@ -1560,14 +1555,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_cloudwatch.CfnAlarm", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_cloudwatch.Alarm", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "Green5xx": { @@ -1653,14 +1648,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_cloudwatch.CfnAlarm", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_cloudwatch.Alarm", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "CanaryConfig": { @@ -1684,14 +1679,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_codedeploy.CfnDeploymentConfig", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_codedeploy.EcsDeploymentConfig", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "BlueGreenDG": { 
@@ -1706,8 +1701,8 @@ "id": "ImportServiceRole", "path": "aws-cdk-codedeploy-ecs-dg/BlueGreenDG/ServiceRole/ImportServiceRole", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "Resource": { @@ -1745,14 +1740,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "Application": { @@ -1769,14 +1764,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_codedeploy.CfnApplication", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_codedeploy.EcsApplication", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "Resource": { 
@@ -1898,84 +1893,84 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_codedeploy.CfnDeploymentGroup", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_codedeploy.EcsDeploymentGroup", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "NewTaskDefinition": { "id": "NewTaskDefinition", "path": "aws-cdk-codedeploy-ecs-dg/NewTaskDefinition", "constructInfo": { - "fqn": "aws-cdk-lib.CfnOutput", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "Subnet1Id": { "id": "Subnet1Id", "path": "aws-cdk-codedeploy-ecs-dg/Subnet1Id", "constructInfo": { - "fqn": "aws-cdk-lib.CfnOutput", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "Subnet2Id": { "id": "Subnet2Id", "path": "aws-cdk-codedeploy-ecs-dg/Subnet2Id", "constructInfo": { - "fqn": "aws-cdk-lib.CfnOutput", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "SecurityGroupId": { "id": "SecurityGroupId", "path": "aws-cdk-codedeploy-ecs-dg/SecurityGroupId", "constructInfo": { - "fqn": "aws-cdk-lib.CfnOutput", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "CodeDeployApplicationName": { "id": "CodeDeployApplicationName", "path": "aws-cdk-codedeploy-ecs-dg/CodeDeployApplicationName", "constructInfo": { - "fqn": "aws-cdk-lib.CfnOutput", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "CodeDeployDeploymentGroupName": { "id": "CodeDeployDeploymentGroupName", "path": "aws-cdk-codedeploy-ecs-dg/CodeDeployDeploymentGroupName", "constructInfo": { - "fqn": "aws-cdk-lib.CfnOutput", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "BootstrapVersion": { "id": "BootstrapVersion", "path": "aws-cdk-codedeploy-ecs-dg/BootstrapVersion", "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" + "fqn": 
"constructs.Construct", + "version": "10.2.55" } }, "CheckBootstrapVersion": { "id": "CheckBootstrapVersion", "path": "aws-cdk-codedeploy-ecs-dg/CheckBootstrapVersion", "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "EcsDeploymentGroupTest": { @@ -2002,22 +1997,22 @@ "id": "BootstrapVersion", "path": "EcsDeploymentGroupTest/DefaultTest/DeployAssert/BootstrapVersion", "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "CheckBootstrapVersion": { "id": "CheckBootstrapVersion", "path": "EcsDeploymentGroupTest/DefaultTest/DeployAssert/CheckBootstrapVersion", "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } }, @@ -2042,8 +2037,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.App", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } } } \ No newline at end of file diff --git a/packages/aws-cdk-lib/aws-ecs/lib/base/base-service.ts b/packages/aws-cdk-lib/aws-ecs/lib/base/base-service.ts index 1631c019e24b1..05a0054491554 100644 --- a/packages/aws-cdk-lib/aws-ecs/lib/base/base-service.ts +++ b/packages/aws-cdk-lib/aws-ecs/lib/base/base-service.ts 
@@ -682,7 +682,9 @@ export abstract class BaseService extends Resource
 enable: true,
 rollback: props.deploymentAlarms.behavior !== AlarmBehavior.FAIL_ON_ALARM,
 };
- } else if (this.deploymentAlarmsAvailableInRegion()) {
+ // CloudWatch alarms is only supported for Amazon ECS services that use the rolling update (ECS) deployment controller.
+ } else if ((!props.deploymentController ||
+ props.deploymentController?.type === DeploymentControllerType.ECS) && this.deploymentAlarmsAvailableInRegion()) {
 this.deploymentAlarms = {
 alarmNames: [],
 enable: false,
diff --git a/packages/aws-cdk-lib/aws-ecs/test/base-service.test.ts b/packages/aws-cdk-lib/aws-ecs/test/base-service.test.ts
index b9a52a0b646b8..b1cda7643a844 100644
--- a/packages/aws-cdk-lib/aws-ecs/test/base-service.test.ts
+++ b/packages/aws-cdk-lib/aws-ecs/test/base-service.test.ts
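Review bot: The new `else if` condition treats a `deploymentController` object whose `type` is omitted as a non-ECS controller, so `deploymentController: {}` would skip the default alarms block; if `type` is optional and defaults to the rolling-update controller (its declaration is not visible in this hunk), that service would lose the default configuration without any signal. Collapsing the check to `(props.deploymentController?.type ?? DeploymentControllerType.ECS) === DeploymentControllerType.ECS` covers both the missing object and the missing field, and removes the `?.` that is redundant after the `!props.deploymentController` test. The explanatory comment sits between `}` and `else`, where it reads as part of the preceding branch; placing it on the first line inside the new branch would be clearer. The enclosing block starts and ends outside the hunk.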
@@ -75,6 +75,131 @@ describe('When import an ECS Service', () => { }); }); +describe('For alarm-based rollbacks', () => { + let stack: cdk.Stack; + + beforeEach(() => { + stack = new cdk.Stack(); + }); + + test('deploymentAlarms is set by default for ECS deployment controller', () => { + // GIVEN + const vpc = new ec2.Vpc(stack, 'Vpc'); + const cluster = new ecs.Cluster(stack, 'EcsCluster', { vpc }); + const taskDefinition = new ecs.FargateTaskDefinition(stack, 'FargateTaskDef'); + taskDefinition.addContainer('web', { + image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'), + }); + + // WHEN + new ecs.FargateService(stack, 'FargateService', { + cluster, + taskDefinition, + deploymentController: { + type: ecs.DeploymentControllerType.ECS, + }, + minHealthyPercent: 100, + maxHealthyPercent: 200, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::ECS::Service', { + DeploymentConfiguration: { + Alarms: { + AlarmNames: [], + Enable: false, + Rollback: false, + }, + }, + }); + }); + + test('deploymentAlarms is set by default when deployment controller is not specified', () => { + // GIVEN + const vpc = new ec2.Vpc(stack, 'Vpc'); + const cluster = new ecs.Cluster(stack, 'EcsCluster', { vpc }); + const taskDefinition = new ecs.FargateTaskDefinition(stack, 'FargateTaskDef'); + taskDefinition.addContainer('web', { + image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'), + }); + + // WHEN + new ecs.FargateService(stack, 'FargateService', { + cluster, + taskDefinition, + minHealthyPercent: 100, + maxHealthyPercent: 200, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::ECS::Service', { + DeploymentConfiguration: { + Alarms: { + AlarmNames: [], + Enable: false, + Rollback: false, + }, + }, + }); + }); + + test('should omit deploymentAlarms for CodeDeploy deployment controller', () => { + // GIVEN + const vpc = new ec2.Vpc(stack, 'Vpc'); + const cluster = new ecs.Cluster(stack, 'EcsCluster', { vpc }); + 
const taskDefinition = new ecs.FargateTaskDefinition(stack, 'FargateTaskDef'); + taskDefinition.addContainer('web', { + image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'), + }); + + // WHEN + new ecs.FargateService(stack, 'FargateService', { + cluster, + taskDefinition, + deploymentController: { + type: ecs.DeploymentControllerType.CODE_DEPLOY, + }, + minHealthyPercent: 100, + maxHealthyPercent: 200, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::ECS::Service', { + DeploymentConfiguration: { + Alarms: Match.absent(), + }, + }); + }); + + test('should omit deploymentAlarms for External deployment controller', () => { + // GIVEN + const vpc = new ec2.Vpc(stack, 'Vpc'); + const cluster = new ecs.Cluster(stack, 'EcsCluster', { vpc }); + const taskDefinition = new ecs.FargateTaskDefinition(stack, 'FargateTaskDef'); + taskDefinition.addContainer('web', { + image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'), + }); + + // WHEN + new ecs.FargateService(stack, 'FargateService', { + cluster, + taskDefinition, + deploymentController: { + type: ecs.DeploymentControllerType.EXTERNAL, + }, + minHealthyPercent: 100, + maxHealthyPercent: 200, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::ECS::Service', { + DeploymentConfiguration: { + Alarms: Match.absent(), + }, + }); + }); +}); + test.each([ /* breaker, flag => controller in template */ /* Flag off => value present if circuitbreaker */ From c755f50f7d2240345c3e9ee1c262a3b194db1618 Mon Sep 17 00:00:00 2001 
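Review bot: The four added tests repeat the same VPC, cluster and task-definition setup, and none of them covers a `deploymentController` passed without a `type`, or an explicit `deploymentAlarms` combined with a non-ECS controller. Moving the shared setup into the `beforeEach` that already creates `stack`, and driving the two omit cases from one table, keeps the block short and makes those extra cases cheap to add: `test.each([ecs.DeploymentControllerType.CODE_DEPLOY, ecs.DeploymentControllerType.EXTERNAL])('omits deploymentAlarms for %s deployment controller', (type) => { … })`. The two default cases also depend on `deploymentAlarmsAvailableInRegion()` for an environment-agnostic stack, which deserves a one-line comment such as `// env-agnostic stack: alarms are assumed available`, if that is indeed how the helper behaves.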
From: Calvin Combs <66279577+comcalvi@users.noreply.github.com> Date: Wed, 12 Jul 2023 04:39:24 -0700 Subject: [PATCH 3/5] fix(batch): grant execution role logs:CreateLogStream by default (#26288) Grant `CreateLogStream` to the job definition's execution role by default. Without this permission, jobs will fail if they produce any output, unless `logging` is specified. Closes #25675. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../batch-events.assets.json | 6 +- .../batch-events.template.json | 43 +++ .../cdk.out | 2 +- .../integ.json | 2 +- .../manifest.json | 19 +- .../tree.json | 81 ++++- .../aws-stepfunctions-integ.assets.json | 6 +- .../aws-stepfunctions-integ.template.json | 27 ++ .../integ.run-batch-job.js.snapshot/cdk.out | 2 +- .../integ.json | 2 +- .../manifest.json | 13 +- .../integ.run-batch-job.js.snapshot/tree.json | 47 ++- .../aws-stepfunctions-integ.assets.json | 6 +- .../aws-stepfunctions-integ.template.json | 27 ++ .../integ.submit-job.js.snapshot/cdk.out | 2 +- .../integ.submit-job.js.snapshot/integ.json | 2 +- .../manifest.json | 13 +- .../integ.submit-job.js.snapshot/tree.json | 47 ++- .../lib/ecs-container-definition.ts | 14 +- .../test/ecs-container-definition.test.ts | 97 +++++- ...efaultTestDeployAssertA3886AB9.assets.json | 2 +- .../cdk.out | 2 +- .../integ.json | 2 +- .../manifest.json | 19 +- .../stack.assets.json | 6 +- .../stack.template.json | 43 +++ .../tree.json | 83 ++++- .../manifest.json | 14 +- .../stack.assets.json | 4 +- .../stack.template.json | 113 +++++++ .../tree.json | 183 ++++++++++- ...efaultTestDeployAssertDB834B9D.assets.json | 2 +- .../cdk.out | 2 +- .../integ.json | 2 +- .../manifest.json | 22 +- .../stack.assets.json | 6 +- .../stack.template.json | 129 ++++++++ .../tree.json | 287 +++++++++++++++--- 38 files changed, 1220 insertions(+), 159 deletions(-) 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/batch/integ.job-definition-events.js.snapshot/batch-events.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/batch/integ.job-definition-events.js.snapshot/batch-events.assets.json index eee3e664f6039..05978415b977f 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/batch/integ.job-definition-events.js.snapshot/batch-events.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/batch/integ.job-definition-events.js.snapshot/batch-events.assets.json @@ -1,7 +1,7 @@ { - "version": "31.0.0", + "version": "32.0.0", "files": { - "d7dcc67b92ba98cf8898af8fd31d31f46001867bc6458f3c816a77850e10a990": { + "9ad3e49b4b05bbbb8d2ad91c2718d29b90ebcb493570a3f1c3e42005681045f4": { "source": { "path": "batch-events.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "d7dcc67b92ba98cf8898af8fd31d31f46001867bc6458f3c816a77850e10a990.json", + "objectKey": "9ad3e49b4b05bbbb8d2ad91c2718d29b90ebcb493570a3f1c3e42005681045f4.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/batch/integ.job-definition-events.js.snapshot/batch-events.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/batch/integ.job-definition-events.js.snapshot/batch-events.template.json index 64a5e706ba3d3..a948360bbf810 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/batch/integ.job-definition-events.js.snapshot/batch-events.template.json 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/batch/integ.job-definition-events.js.snapshot/batch-events.template.json @@ -79,6 +79,49 @@ } } }, + "containerExecutionRoleDefaultPolicyF00DA4D6": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/batch/job:*" + ] + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "containerExecutionRoleDefaultPolicyF00DA4D6", + "Roles": [ + { + "Ref": "containerExecutionRoleFD602179" + } + ] + } + }, "MyJob8719E923": { "Type": "AWS::Batch::JobDefinition", "Properties": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/batch/integ.job-definition-events.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/batch/integ.job-definition-events.js.snapshot/cdk.out index 7925065efbcc4..f0b901e7c06e5 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/batch/integ.job-definition-events.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/batch/integ.job-definition-events.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"31.0.0"} \ No newline at end of file +{"version":"32.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/batch/integ.job-definition-events.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/batch/integ.job-definition-events.js.snapshot/integ.json index 6641b55a0ddc5..7afd725483c8b 100644 
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/batch/integ.job-definition-events.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/batch/integ.job-definition-events.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "31.0.0", + "version": "32.0.0", "testCases": { "integ.job-definition-events": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/batch/integ.job-definition-events.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/batch/integ.job-definition-events.js.snapshot/manifest.json index af8e10dc7201c..409e5d61f1daa 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/batch/integ.job-definition-events.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/batch/integ.job-definition-events.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "31.0.0", + "version": "32.0.0", "artifacts": { "batch-events.assets": { "type": "cdk:asset-manifest", @@ -17,7 +17,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/d7dcc67b92ba98cf8898af8fd31d31f46001867bc6458f3c816a77850e10a990.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/9ad3e49b4b05bbbb8d2ad91c2718d29b90ebcb493570a3f1c3e42005681045f4.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ 
@@ -57,6 +57,12 @@ "data": "containerExecutionRoleFD602179" } ], + "/batch-events/container/ExecutionRole/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "containerExecutionRoleDefaultPolicyF00DA4D6" + } + ], "/batch-events/MyJob/Resource": [ { "type": "aws:cdk:logicalId", @@ -110,15 +116,6 @@ "type": "aws:cdk:logicalId", "data": "CheckBootstrapVersion" } - ], - "MyQueue4F9177CF": [ - { - "type": "aws:cdk:logicalId", - "data": "MyQueue4F9177CF", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" - ] - } ] }, "displayName": "batch-events" diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/batch/integ.job-definition-events.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/batch/integ.job-definition-events.js.snapshot/tree.json index 8ef25135c82c4..31fd4028219cd 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/batch/integ.job-definition-events.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/batch/integ.job-definition-events.js.snapshot/tree.json @@ -92,7 +92,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch-alpha.UnmanagedComputeEnvironment", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -128,7 +128,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch-alpha.JobQueue", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, 
@@ -172,17 +172,86 @@ "fqn": "aws-cdk-lib.aws_iam.CfnRole", "version": "0.0.0" } + }, + "DefaultPolicy": { + "id": "DefaultPolicy", + "path": "batch-events/container/ExecutionRole/DefaultPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "batch-events/container/ExecutionRole/DefaultPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Policy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/batch/job:*" + ] + ] + } + } + ], + "Version": "2012-10-17" + }, + "policyName": "containerExecutionRoleDefaultPolicyF00DA4D6", + "roles": [ + { + "Ref": "containerExecutionRoleFD602179" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Policy", + "version": "0.0.0" + } } }, "constructInfo": { "fqn": "aws-cdk-lib.aws_iam.Role", "version": "0.0.0" } + }, + "batchDefaultLogGroup": { + "id": "batchDefaultLogGroup", + "path": "batch-events/container/batchDefaultLogGroup", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch-alpha.EcsEc2ContainerDefinition", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "MyJob": { @@ -323,7 +392,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch-alpha.EcsJobDefinition", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -541,7 +610,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.270" + "version": "10.2.55" } } }, 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.run-batch-job.js.snapshot/aws-stepfunctions-integ.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.run-batch-job.js.snapshot/aws-stepfunctions-integ.assets.json index 87318898131e0..05dec2d6c9d8d 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.run-batch-job.js.snapshot/aws-stepfunctions-integ.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.run-batch-job.js.snapshot/aws-stepfunctions-integ.assets.json @@ -1,7 +1,7 @@ { - "version": "31.0.0", + "version": "32.0.0", "files": { - "02f57d4a4fe6e856437076797ed3037dbed370ebb26574bc4a5d570ab0b0b478": { + "d52c690255570b27d7cc2b49792058ef0c678d1fd7345f8dda5ef9e9a5d9dc05": { "source": { "path": "aws-stepfunctions-integ.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "02f57d4a4fe6e856437076797ed3037dbed370ebb26574bc4a5d570ab0b0b478.json", + "objectKey": "d52c690255570b27d7cc2b49792058ef0c678d1fd7345f8dda5ef9e9a5d9dc05.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.run-batch-job.js.snapshot/aws-stepfunctions-integ.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.run-batch-job.js.snapshot/aws-stepfunctions-integ.template.json index 5cb07cc3988d2..15d2930ca7bd3 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.run-batch-job.js.snapshot/aws-stepfunctions-integ.template.json 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.run-batch-job.js.snapshot/aws-stepfunctions-integ.template.json @@ -529,6 +529,33 @@ "Properties": { "PolicyDocument": { "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/batch/job:*" + ] + ] + } + }, { "Action": [ "ecr:BatchCheckLayerAvailability", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.run-batch-job.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.run-batch-job.js.snapshot/cdk.out index 7925065efbcc4..f0b901e7c06e5 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.run-batch-job.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.run-batch-job.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"31.0.0"} \ No newline at end of file +{"version":"32.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.run-batch-job.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.run-batch-job.js.snapshot/integ.json index c47e59ad459a8..6f4587658e3bc 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.run-batch-job.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.run-batch-job.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "31.0.0", + "version": "32.0.0", "testCases": { "integ.run-batch-job": { "stacks": [ 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.run-batch-job.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.run-batch-job.js.snapshot/manifest.json index db09a3d1ea42b..8808d28aaea48 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.run-batch-job.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.run-batch-job.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "31.0.0", + "version": "32.0.0", "artifacts": { "aws-stepfunctions-integ.assets": { "type": "cdk:asset-manifest", @@ -17,7 +17,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/02f57d4a4fe6e856437076797ed3037dbed370ebb26574bc4a5d570ab0b0b478.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/d52c690255570b27d7cc2b49792058ef0c678d1fd7345f8dda5ef9e9a5d9dc05.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -260,15 +260,6 @@ "type": "aws:cdk:logicalId", "data": "CheckBootstrapVersion" } - ], - "JobQueueC5644E0D": [ - { - "type": "aws:cdk:logicalId", - "data": "JobQueueC5644E0D", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" - ] - } ] }, "displayName": "aws-stepfunctions-integ" 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.run-batch-job.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.run-batch-job.js.snapshot/tree.json index ee7601231ded0..be6423c4434dd 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.run-batch-job.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.run-batch-job.js.snapshot/tree.json @@ -815,7 +815,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch-alpha.ManagedEc2EcsComputeEnvironment", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -851,7 +851,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch-alpha.JobQueue", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -908,6 +908,33 @@ "aws:cdk:cloudformation:props": { "policyDocument": { "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/batch/job:*" + ] + ] + } + }, { "Action": [ "ecr:BatchCheckLayerAvailability", @@ -972,6 +999,14 @@ "version": "0.0.0" } }, + "batchDefaultLogGroup": { + "id": "batchDefaultLogGroup", + "path": "aws-stepfunctions-integ/Container/batchDefaultLogGroup", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, "AssetImage": { "id": "AssetImage", "path": "aws-stepfunctions-integ/Container/AssetImage", @@ -1000,8 +1035,8 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch-alpha.EcsEc2ContainerDefinition", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "JobDefinition": { 
@@ -1052,7 +1087,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch-alpha.EcsJobDefinition", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -1304,7 +1339,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.270" + "version": "10.2.55" } } }, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.submit-job.js.snapshot/aws-stepfunctions-integ.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.submit-job.js.snapshot/aws-stepfunctions-integ.assets.json index 11136685a8eb4..f7396886702c3 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.submit-job.js.snapshot/aws-stepfunctions-integ.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.submit-job.js.snapshot/aws-stepfunctions-integ.assets.json @@ -1,7 +1,7 @@ { - "version": "31.0.0", + "version": "32.0.0", "files": { - "40eeb6dc0a7fbe38cdca73b998f41d71b047bf499a3554164309a332a0d0e539": { + "d920f520c73c8097151218b117e2201193abcd86b42fc5241e56c8dd98ae6ef1": { "source": { "path": "aws-stepfunctions-integ.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "40eeb6dc0a7fbe38cdca73b998f41d71b047bf499a3554164309a332a0d0e539.json", + "objectKey": "d920f520c73c8097151218b117e2201193abcd86b42fc5241e56c8dd98ae6ef1.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.submit-job.js.snapshot/aws-stepfunctions-integ.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.submit-job.js.snapshot/aws-stepfunctions-integ.template.json index 5ed0ed2b30ed9..5e87685375f07 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.submit-job.js.snapshot/aws-stepfunctions-integ.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.submit-job.js.snapshot/aws-stepfunctions-integ.template.json @@ -529,6 +529,33 @@ "Properties": { "PolicyDocument": { "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/batch/job:*" + ] + ] + } + }, { "Action": [ "ecr:BatchCheckLayerAvailability", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.submit-job.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.submit-job.js.snapshot/cdk.out index 7925065efbcc4..f0b901e7c06e5 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.submit-job.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.submit-job.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"31.0.0"} \ No newline at end of file +{"version":"32.0.0"} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.submit-job.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.submit-job.js.snapshot/integ.json index f46207a13f9c9..6e1575ee62d3c 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.submit-job.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.submit-job.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "31.0.0", + "version": "32.0.0", "testCases": { "integ.submit-job": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.submit-job.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.submit-job.js.snapshot/manifest.json index 74acb5cb16ce3..73dccdde1d557 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.submit-job.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.submit-job.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "31.0.0", + "version": "32.0.0", "artifacts": { "aws-stepfunctions-integ.assets": { "type": "cdk:asset-manifest", 
@@ -17,7 +17,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/40eeb6dc0a7fbe38cdca73b998f41d71b047bf499a3554164309a332a0d0e539.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/d920f520c73c8097151218b117e2201193abcd86b42fc5241e56c8dd98ae6ef1.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -260,15 +260,6 @@ "type": "aws:cdk:logicalId", "data": "CheckBootstrapVersion" } - ], - "JobQueueC5644E0D": [ - { - "type": "aws:cdk:logicalId", - "data": "JobQueueC5644E0D", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" - ] - } ] }, "displayName": "aws-stepfunctions-integ" diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.submit-job.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.submit-job.js.snapshot/tree.json index f97d2dbf74247..fce41457c9e6b 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.submit-job.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/batch/integ.submit-job.js.snapshot/tree.json @@ -815,7 +815,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch-alpha.ManagedEc2EcsComputeEnvironment", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -851,7 +851,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch-alpha.JobQueue", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, 
@@ -908,6 +908,33 @@ "aws:cdk:cloudformation:props": { "policyDocument": { "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/batch/job:*" + ] + ] + } + }, { "Action": [ "ecr:BatchCheckLayerAvailability", @@ -972,6 +999,14 @@ "version": "0.0.0" } }, + "batchDefaultLogGroup": { + "id": "batchDefaultLogGroup", + "path": "aws-stepfunctions-integ/Container/batchDefaultLogGroup", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, "AssetImage": { "id": "AssetImage", "path": "aws-stepfunctions-integ/Container/AssetImage", @@ -1000,8 +1035,8 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch-alpha.EcsEc2ContainerDefinition", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "JobDefinition": { @@ -1052,7 +1087,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch-alpha.EcsJobDefinition", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -1304,7 +1339,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.270" + "version": "10.2.55" } } }, diff --git a/packages/@aws-cdk/aws-batch-alpha/lib/ecs-container-definition.ts b/packages/@aws-cdk/aws-batch-alpha/lib/ecs-container-definition.ts index c4b13e6829253..34a95037a33e3 100644 --- a/packages/@aws-cdk/aws-batch-alpha/lib/ecs-container-definition.ts +++ b/packages/@aws-cdk/aws-batch-alpha/lib/ecs-container-definition.ts 
@@ -6,6 +6,7 @@ import { Lazy, PhysicalName, Size } from 'aws-cdk-lib/core'; import { Construct, IConstruct } from 'constructs'; import { CfnJobDefinition } from 'aws-cdk-lib/aws-batch'; import { LinuxParameters } from './linux-parameters'; +import { LogGroup } from 'aws-cdk-lib/aws-logs'; const EFS_VOLUME_SYMBOL = Symbol.for('aws-cdk-lib/aws-batch/lib/container-definition.EfsVolume'); const HOST_VOLUME_SYMBOL = Symbol.for('aws-cdk-lib/aws-batch/lib/container-definition.HostVolume'); @@ -510,7 +511,7 @@ abstract class EcsContainerDefinitionBase extends Construct implements IEcsConta this.cpu = props.cpu; this.command = props.command; this.environment = props.environment; - this.executionRole = props.executionRole ?? createExecutionRole(this, 'ExecutionRole'); + this.executionRole = props.executionRole ?? createExecutionRole(this, 'ExecutionRole', props.logging ? true : false); this.jobRole = props.jobRole; this.linuxParameters = props.linuxParameters; this.memory = props.memory; @@ -964,10 +965,17 @@ export class EcsFargateContainerDefinition extends EcsContainerDefinitionBase im }; } -function createExecutionRole(scope: Construct, id: string): iam.IRole { - return new iam.Role(scope, id, { +function createExecutionRole(scope: Construct, id: string, logging: boolean): iam.IRole { + const execRole = new iam.Role(scope, id, { assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'), // needed for cross-account access with TagParameterContainerImage roleName: PhysicalName.GENERATE_IF_NEEDED, }); + + if (!logging) { + // all jobs will fail without this if they produce any output at all when no logging is specified + LogGroup.fromLogGroupName(scope, 'batchDefaultLogGroup', '/aws/batch/job').grantWrite(execRole); + } + + return execRole; } diff --git a/packages/@aws-cdk/aws-batch-alpha/test/ecs-container-definition.test.ts b/packages/@aws-cdk/aws-batch-alpha/test/ecs-container-definition.test.ts index 9665a124136bf..378c4a08e58b4 100644 
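Review bot: The default log permission is only added on the `createExecutionRole` path in the constructor hunk, so a caller who passes their own `executionRole` and no `logging` still ends up with a role that lacks `logs:CreateLogStream`, which is the failure this commit sets out to prevent. Either state that requirement on the `executionRole` prop, for example `// when supplied without logging, this role must allow logs:CreateLogStream and logs:PutLogEvents on /aws/batch/job`, or apply the grant to the resolved role instead of only to the generated one. `props.logging ? true : false` is also more direct as `props.logging !== undefined`. The constructor body starts and ends outside the hunk.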
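Review bot: The grant added in `createExecutionRole` covers every stream in the shared `/aws/batch/job` log group (the snapshots show the resource as `:log-group:/aws/batch/job:*`), so each auto-created execution role can write to streams that belong to other jobs in the same account and region. That may be unavoidable with the default log configuration, but it should be recorded next to the grant so that whoever reviews the synthesized policy knows it is intentional and what the narrower option is: `// the default log group is shared by all Batch jobs; pass logging with a dedicated log group to scope write access per job`. The boolean parameter would also be clearer under a name that says what it means, such as `hasCustomLogging`, since the grant happens when it is false.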
--- a/packages/@aws-cdk/aws-batch-alpha/test/ecs-container-definition.test.ts +++ b/packages/@aws-cdk/aws-batch-alpha/test/ecs-container-definition.test.ts @@ -1,4 +1,3 @@ - import { Template } from 'aws-cdk-lib/assertions'; import * as path from 'path'; import { Vpc } from 'aws-cdk-lib/aws-ec2'; @@ -46,7 +45,15 @@ describe.each([EcsEc2ContainerDefinition, EcsFargateContainerDefinition])('%p', // GIVEN beforeEach(() => { stack = new Stack(); - pascalCaseExpectedProps = capitalizePropertyNames(stack, defaultExpectedProps); + pascalCaseExpectedProps = capitalizePropertyNames(stack, { + ...defaultExpectedProps, + containerProperties: { + ...defaultExpectedProps.containerProperties, + executionRoleArn: { + 'Fn::GetAtt': ['EcsContainerExecutionRole3B199293', 'Arn'], + } as any, + }, + }); }); test('ecs container defaults', () => { 
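Review bot: The `as any` cast on the expected `executionRoleArn` in this `beforeEach` (and again in the `beforeEach` hunks for 'EC2 containers' and 'Fargate containers' further down) switches off type checking for exactly the value the assertions rely on, and the generated logical ID `EcsContainerExecutionRole3B199293` is repeated as a bare literal. If the cast cannot be avoided, say why on the line itself, for example `// executionRoleArn is typed as a string, but the template holds an unresolved Fn::GetAtt`, assuming that is the reason. Holding the expected reference in one constant, such as `const expectedExecutionRoleArn = { 'Fn::GetAtt': ['EcsContainerExecutionRole3B199293', 'Arn'] };`, would keep the describe blocks from drifting apart.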
@@ -60,6 +67,58 @@ describe.each([EcsEc2ContainerDefinition, EcsFargateContainerDefinition])('%p', // THEN Template.fromStack(stack).hasResourceProperties('AWS::Batch::JobDefinition', { ...pascalCaseExpectedProps, + ContainerProperties: { + ExecutionRoleArn: { + 'Fn::GetAtt': ['EcsContainerExecutionRole3B199293', 'Arn'], + }, + ...pascalCaseExpectedProps.ContainerProperties, + }, + }); + + Template.fromStack(stack).hasResourceProperties('AWS::IAM::Role', { + AssumeRolePolicyDocument: { + Statement: [ + { + Action: 'sts:AssumeRole', + Effect: 'Allow', + Principal: { Service: 'ecs-tasks.amazonaws.com' }, + }, + ], + Version: '2012-10-17', + }, + }); + + Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ + { + Action: [ + 'logs:CreateLogStream', + 'logs:PutLogEvents', + ], + Effect: 'Allow', + Resource: { + 'Fn::Join': [ + '', + [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':logs:', + { Ref: 'AWS::Region' }, + ':', + { Ref: 'AWS::AccountId' }, + ':log-group:/aws/batch/job:*', + ], + ], + }, + }, + ], + Version: '2012-10-17', + }, + PolicyName: 'EcsContainerExecutionRoleDefaultPolicy6F59CD37', + Roles: [{ + Ref: 'EcsContainerExecutionRole3B199293', + }], }); }); @@ -185,7 +244,7 @@ describe.each([EcsEc2ContainerDefinition, EcsFargateContainerDefinition])('%p', }); }); - test('respects logging and creates an execution role for EC2 and Fargate containers', () => { + test('respects logging', () => { // WHEN new EcsJobDefinition(stack, 'ECSJobDefn', { container: new ContainerDefinition(stack, 'EcsContainer', { 
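Review bot: Nothing in the visible test hunks asserts the other side of the new branch: that the default `/aws/batch/job` grant is absent when `logging` is specified, or what the role looks like when the caller supplies `executionRole`. The renamed 'respects logging' test is the natural home for the first, as a sibling case named along the lines of `test('does not grant the default log group when logging is specified', …)` that checks no statement in the execution role policy references `:log-group:/aws/batch/job:*`. The defaults test also sets `ExecutionRoleArn` by hand even though the `beforeEach` now injects it, so that override can be dropped. Most of the 'respects logging' test body lies outside these hunks.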
@@ -221,11 +280,13 @@ describe.each([EcsEc2ContainerDefinition, EcsFargateContainerDefinition])('%p', Template.fromStack(stack).hasResourceProperties('AWS::IAM::Role', { AssumeRolePolicyDocument: { - Statement: [{ - Action: 'sts:AssumeRole', - Effect: 'Allow', - Principal: { Service: 'ecs-tasks.amazonaws.com' }, - }], + Statement: [ + { + Action: 'sts:AssumeRole', + Effect: 'Allow', + Principal: { Service: 'ecs-tasks.amazonaws.com' }, + }, + ], Version: '2012-10-17', }, }); @@ -564,7 +625,15 @@ describe('EC2 containers', () => { // GIVEN beforeEach(() => { stack = new Stack(); - pascalCaseExpectedProps = capitalizePropertyNames(stack, defaultExpectedProps); + pascalCaseExpectedProps = capitalizePropertyNames(stack, { + ...defaultExpectedProps, + containerProperties: { + ...defaultExpectedProps.containerProperties, + executionRoleArn: { + 'Fn::GetAtt': ['EcsEc2ContainerExecutionRole90E18680', 'Arn'], + } as any, + }, + }); }); test('respects addUlimit()', () => { @@ -708,7 +777,15 @@ describe('Fargate containers', () => { // GIVEN beforeEach(() => { stack = new Stack(); - pascalCaseExpectedProps = capitalizePropertyNames(stack, defaultExpectedProps); + pascalCaseExpectedProps = capitalizePropertyNames(stack, { + ...defaultExpectedProps, + containerProperties: { + ...defaultExpectedProps.containerProperties, + executionRoleArn: { + 'Fn::GetAtt': ['EcsContainerExecutionRole3B199293', 'Arn'], + } as any, + }, + }); }); test('create executionRole by default', () => { diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.batch-unique-name.js.snapshot/BatchUniqueNameTestDefaultTestDeployAssertA3886AB9.assets.json b/packages/@aws-cdk/aws-batch-alpha/test/integ.batch-unique-name.js.snapshot/BatchUniqueNameTestDefaultTestDeployAssertA3886AB9.assets.json index 88a57b8a212ac..3f096020141c2 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.batch-unique-name.js.snapshot/BatchUniqueNameTestDefaultTestDeployAssertA3886AB9.assets.json 
+++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.batch-unique-name.js.snapshot/BatchUniqueNameTestDefaultTestDeployAssertA3886AB9.assets.json @@ -1,5 +1,5 @@ { - "version": "31.0.0", + "version": "32.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.batch-unique-name.js.snapshot/cdk.out b/packages/@aws-cdk/aws-batch-alpha/test/integ.batch-unique-name.js.snapshot/cdk.out index 7925065efbcc4..f0b901e7c06e5 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.batch-unique-name.js.snapshot/cdk.out +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.batch-unique-name.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"31.0.0"} \ No newline at end of file +{"version":"32.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.batch-unique-name.js.snapshot/integ.json b/packages/@aws-cdk/aws-batch-alpha/test/integ.batch-unique-name.js.snapshot/integ.json index 97b9e03789c80..c87c6567f2c0c 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.batch-unique-name.js.snapshot/integ.json +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.batch-unique-name.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "31.0.0", + "version": "32.0.0", "testCases": { "BatchUniqueNameTest/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.batch-unique-name.js.snapshot/manifest.json b/packages/@aws-cdk/aws-batch-alpha/test/integ.batch-unique-name.js.snapshot/manifest.json index 8e8e764599acf..4ae80081afe11 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.batch-unique-name.js.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.batch-unique-name.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "31.0.0", + "version": "32.0.0", "artifacts": { "stack.assets": { "type": "cdk:asset-manifest", 
@@ -17,7 +17,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/b7ced7357affd7e042169b0e624c985927080c1c2782ecab4a60b7b323cf14c4.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/dcf58b3d7fe509c8815682983476ddf759ae76a3c8a96611f347f5d93c687a68.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -57,6 +57,12 @@ "data": "containerExecutionRoleFD602179" } ], + "/stack/container/ExecutionRole/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "containerExecutionRoleDefaultPolicyF00DA4D6" + } + ], "/stack/MyJob/Resource": [ { "type": "aws:cdk:logicalId", @@ -92,15 +98,6 @@ "type": "aws:cdk:logicalId", "data": "CheckBootstrapVersion" } - ], - "MyQueue4F9177CF": [ - { - "type": "aws:cdk:logicalId", - "data": "MyQueue4F9177CF", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" - ] - } ] }, "displayName": "stack" diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.batch-unique-name.js.snapshot/stack.assets.json b/packages/@aws-cdk/aws-batch-alpha/test/integ.batch-unique-name.js.snapshot/stack.assets.json index b3fe00f78a845..8359b52766a39 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.batch-unique-name.js.snapshot/stack.assets.json +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.batch-unique-name.js.snapshot/stack.assets.json 
@@ -1,7 +1,7 @@ { - "version": "31.0.0", + "version": "32.0.0", "files": { - "b7ced7357affd7e042169b0e624c985927080c1c2782ecab4a60b7b323cf14c4": { + "dcf58b3d7fe509c8815682983476ddf759ae76a3c8a96611f347f5d93c687a68": { "source": { "path": "stack.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "b7ced7357affd7e042169b0e624c985927080c1c2782ecab4a60b7b323cf14c4.json", + "objectKey": "dcf58b3d7fe509c8815682983476ddf759ae76a3c8a96611f347f5d93c687a68.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.batch-unique-name.js.snapshot/stack.template.json b/packages/@aws-cdk/aws-batch-alpha/test/integ.batch-unique-name.js.snapshot/stack.template.json index 4fe3817737ebf..4947e491e1ecd 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.batch-unique-name.js.snapshot/stack.template.json +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.batch-unique-name.js.snapshot/stack.template.json @@ -79,6 +79,49 @@ } } }, + "containerExecutionRoleDefaultPolicyF00DA4D6": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/batch/job:*" + ] + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "containerExecutionRoleDefaultPolicyF00DA4D6", + "Roles": [ + { + "Ref": "containerExecutionRoleFD602179" + } + ] + } + }, "MyJob8719E923": { "Type": "AWS::Batch::JobDefinition", "Properties": { 
diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.batch-unique-name.js.snapshot/tree.json b/packages/@aws-cdk/aws-batch-alpha/test/integ.batch-unique-name.js.snapshot/tree.json index 66c1a3a44874a..68642fa7859d7 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.batch-unique-name.js.snapshot/tree.json +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.batch-unique-name.js.snapshot/tree.json @@ -92,7 +92,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch-alpha.UnmanagedComputeEnvironment", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -128,7 +128,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch-alpha.JobQueue", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, 
@@ -172,17 +172,86 @@ "fqn": "aws-cdk-lib.aws_iam.CfnRole", "version": "0.0.0" } + }, + "DefaultPolicy": { + "id": "DefaultPolicy", + "path": "stack/container/ExecutionRole/DefaultPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "stack/container/ExecutionRole/DefaultPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Policy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/batch/job:*" + ] + ] + } + } + ], + "Version": "2012-10-17" + }, + "policyName": "containerExecutionRoleDefaultPolicyF00DA4D6", + "roles": [ + { + "Ref": "containerExecutionRoleFD602179" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Policy", + "version": "0.0.0" + } } }, "constructInfo": { "fqn": "aws-cdk-lib.aws_iam.Role", "version": "0.0.0" } + }, + "batchDefaultLogGroup": { + "id": "batchDefaultLogGroup", + "path": "stack/container/batchDefaultLogGroup", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch-alpha.EcsEc2ContainerDefinition", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "MyJob": { @@ -323,7 +392,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch-alpha.EcsJobDefinition", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -410,7 +479,7 @@ "path": "BatchUniqueNameTest/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.270" + "version": "10.2.55" } }, "DeployAssert": { 
@@ -456,7 +525,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.270" + "version": "10.2.55" } } }, diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/manifest.json b/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/manifest.json index 765c5357a348f..930242adf5963 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/manifest.json @@ -17,7 +17,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/dbfcc646c8225dd32d69798b87a8a94086dd89a2b3137bdf4e0ec96d79cdd4cb.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/c8dd0c72ae74118e7b13f5ad3ad3bd3daaa9115456be74990c685759252458a6.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -207,6 +207,12 @@ "data": "myContainerExecutionRoleEBACF86C" } ], + "/stack/myContainer/ExecutionRole/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "myContainerExecutionRoleDefaultPolicy42DA929E" + } + ], "/stack/ECSJobDefn/Resource": [ { "type": "aws:cdk:logicalId", @@ -219,6 +225,12 @@ "data": "myFargateContainerExecutionRoleB9EB79EA" } ], + "/stack/myFargateContainer/ExecutionRole/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "myFargateContainerExecutionRoleDefaultPolicy4FF431BF" + } + ], "/stack/ECSFargateJobDefn/Resource": [ { "type": "aws:cdk:logicalId", 
diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/stack.assets.json b/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/stack.assets.json index d33d36502bf5f..2ca8cbd4fec95 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/stack.assets.json +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/stack.assets.json @@ -1,7 +1,7 @@ { "version": "32.0.0", "files": { - "dbfcc646c8225dd32d69798b87a8a94086dd89a2b3137bdf4e0ec96d79cdd4cb": { + "c8dd0c72ae74118e7b13f5ad3ad3bd3daaa9115456be74990c685759252458a6": { "source": { "path": "stack.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "dbfcc646c8225dd32d69798b87a8a94086dd89a2b3137bdf4e0ec96d79cdd4cb.json", + "objectKey": "c8dd0c72ae74118e7b13f5ad3ad3bd3daaa9115456be74990c685759252458a6.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/stack.template.json b/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/stack.template.json index 00e64916fd22c..072500c6c0127 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/stack.template.json +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/stack.template.json 
@@ -490,6 +490,49 @@ } } }, + "myContainerExecutionRoleDefaultPolicy42DA929E": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/batch/job:*" + ] + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "myContainerExecutionRoleDefaultPolicy42DA929E", + "Roles": [ + { + "Ref": "myContainerExecutionRoleEBACF86C" + } + ] + } + }, "ECSJobDefn48425E25": { "Type": "AWS::Batch::JobDefinition", "Properties": { @@ -589,6 +632,49 @@ } } }, + "myFargateContainerExecutionRoleDefaultPolicy4FF431BF": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/batch/job:*" + ] + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "myFargateContainerExecutionRoleDefaultPolicy4FF431BF", + "Roles": [ + { + "Ref": "myFargateContainerExecutionRoleB9EB79EA" + } + ] + } + }, "ECSFargateJobDefn327BE725": { "Type": "AWS::Batch::JobDefinition", "Properties": { @@ -678,6 +764,33 @@ "Properties": { "PolicyDocument": { "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/batch/job:*" + ] + ] + } + }, { "Action": [ "ecr:BatchCheckLayerAvailability", 
diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/tree.json b/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/tree.json index 041b6d0faa434..45e4ea126882c 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/tree.json +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/tree.json @@ -839,17 +839,86 @@ "fqn": "aws-cdk-lib.aws_iam.CfnRole", "version": "0.0.0" } + }, + "DefaultPolicy": { + "id": "DefaultPolicy", + "path": "stack/myContainer/ExecutionRole/DefaultPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "stack/myContainer/ExecutionRole/DefaultPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Policy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/batch/job:*" + ] + ] + } + } + ], + "Version": "2012-10-17" + }, + "policyName": "myContainerExecutionRoleDefaultPolicy42DA929E", + "roles": [ + { + "Ref": "myContainerExecutionRoleEBACF86C" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Policy", + "version": "0.0.0" + } } }, "constructInfo": { "fqn": "aws-cdk-lib.aws_iam.Role", "version": "0.0.0" } + }, + "batchDefaultLogGroup": { + "id": "batchDefaultLogGroup", + "path": "stack/myContainer/batchDefaultLogGroup", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } } }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.2.52" + "version": "10.2.55" } }, "ECSJobDefn": { 
@@ -992,17 +1061,86 @@ "fqn": "aws-cdk-lib.aws_iam.CfnRole", "version": "0.0.0" } + }, + "DefaultPolicy": { + "id": "DefaultPolicy", + "path": "stack/myFargateContainer/ExecutionRole/DefaultPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "stack/myFargateContainer/ExecutionRole/DefaultPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Policy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/batch/job:*" + ] + ] + } + } + ], + "Version": "2012-10-17" + }, + "policyName": "myFargateContainerExecutionRoleDefaultPolicy4FF431BF", + "roles": [ + { + "Ref": "myFargateContainerExecutionRoleB9EB79EA" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Policy", + "version": "0.0.0" + } } }, "constructInfo": { "fqn": "aws-cdk-lib.aws_iam.Role", "version": "0.0.0" } + }, + "batchDefaultLogGroup": { + "id": "batchDefaultLogGroup", + "path": "stack/myFargateContainer/batchDefaultLogGroup", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } } }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.2.52" + "version": "10.2.55" } }, "ECSFargateJobDefn": { 
@@ -1169,6 +1307,33 @@ "aws:cdk:cloudformation:props": { "policyDocument": { "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/batch/job:*" + ] + ] + } + }, { "Action": [ "ecr:BatchCheckLayerAvailability", @@ -1232,11 +1397,19 @@ "fqn": "aws-cdk-lib.aws_iam.Role", "version": "0.0.0" } + }, + "batchDefaultLogGroup": { + "id": "batchDefaultLogGroup", + "path": "stack/EcsDockerContainer/batchDefaultLogGroup", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } } }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.2.52" + "version": "10.2.55" } }, "ECSDockerJobDefn": { @@ -1326,7 +1499,7 @@ "path": "BatchEcsJobDefinitionTest/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.2.52" + "version": "10.2.55" } }, "DeployAssert": { @@ -1372,7 +1545,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.2.52" + "version": "10.2.55" } } }, diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.multinode-job-definition.js.snapshot/BatchMultiNodeJobDefinitionTestDefaultTestDeployAssertDB834B9D.assets.json b/packages/@aws-cdk/aws-batch-alpha/test/integ.multinode-job-definition.js.snapshot/BatchMultiNodeJobDefinitionTestDefaultTestDeployAssertDB834B9D.assets.json index 3f494b7c45c2e..17b5f9b65eb52 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.multinode-job-definition.js.snapshot/BatchMultiNodeJobDefinitionTestDefaultTestDeployAssertDB834B9D.assets.json +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.multinode-job-definition.js.snapshot/BatchMultiNodeJobDefinitionTestDefaultTestDeployAssertDB834B9D.assets.json 
@@ -1,5 +1,5 @@ { - "version": "31.0.0", + "version": "32.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.multinode-job-definition.js.snapshot/cdk.out b/packages/@aws-cdk/aws-batch-alpha/test/integ.multinode-job-definition.js.snapshot/cdk.out index 7925065efbcc4..f0b901e7c06e5 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.multinode-job-definition.js.snapshot/cdk.out +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.multinode-job-definition.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"31.0.0"} \ No newline at end of file +{"version":"32.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.multinode-job-definition.js.snapshot/integ.json b/packages/@aws-cdk/aws-batch-alpha/test/integ.multinode-job-definition.js.snapshot/integ.json index 8e804b6114cab..260082c7a2ab6 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.multinode-job-definition.js.snapshot/integ.json +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.multinode-job-definition.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "31.0.0", + "version": "32.0.0", "testCases": { "BatchMultiNodeJobDefinitionTest/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.multinode-job-definition.js.snapshot/manifest.json b/packages/@aws-cdk/aws-batch-alpha/test/integ.multinode-job-definition.js.snapshot/manifest.json index c74907da62cc2..743551c487d8c 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.multinode-job-definition.js.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.multinode-job-definition.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "31.0.0", + "version": "32.0.0", "artifacts": { "stack.assets": { "type": "cdk:asset-manifest", 
@@ -17,7 +17,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/2ad190c3f65538c3f31f945af85e9694bb6677d6b0dbf3f724c89003d6e903b5.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/79bf9bc31318f31367fd9137a6bb59249d5afff9035d0d7dbd73aa96088735f2.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -39,6 +39,12 @@ "data": "myContainerExecutionRoleEBACF86C" } ], + "/stack/myContainer/ExecutionRole/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "myContainerExecutionRoleDefaultPolicy42DA929E" + } + ], "/stack/SingleContainerMultiNodeJob/Resource": [ { "type": "aws:cdk:logicalId", @@ -51,6 +57,12 @@ "data": "multinodecontainerExecutionRoleAB7AA30A" } ], + "/stack/multinodecontainer/ExecutionRole/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "multinodecontainerExecutionRoleDefaultPolicy2AAB071A" + } + ], "/stack/MultiContainerMultiNodeJob/Resource": [ { "type": "aws:cdk:logicalId", @@ -63,6 +75,12 @@ "data": "multiContainerExecutionRole317DED72" } ], + "/stack/multiContainer/ExecutionRole/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "multiContainerExecutionRoleDefaultPolicyE3E7D32C" + } + ], "/stack/BootstrapVersion": [ { "type": "aws:cdk:logicalId", diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.multinode-job-definition.js.snapshot/stack.assets.json b/packages/@aws-cdk/aws-batch-alpha/test/integ.multinode-job-definition.js.snapshot/stack.assets.json index 574b7c73ccab1..eb96840e2c534 100644 
--- a/packages/@aws-cdk/aws-batch-alpha/test/integ.multinode-job-definition.js.snapshot/stack.assets.json +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.multinode-job-definition.js.snapshot/stack.assets.json @@ -1,7 +1,7 @@ { - "version": "31.0.0", + "version": "32.0.0", "files": { - "2ad190c3f65538c3f31f945af85e9694bb6677d6b0dbf3f724c89003d6e903b5": { + "79bf9bc31318f31367fd9137a6bb59249d5afff9035d0d7dbd73aa96088735f2": { "source": { "path": "stack.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "2ad190c3f65538c3f31f945af85e9694bb6677d6b0dbf3f724c89003d6e903b5.json", + "objectKey": "79bf9bc31318f31367fd9137a6bb59249d5afff9035d0d7dbd73aa96088735f2.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.multinode-job-definition.js.snapshot/stack.template.json b/packages/@aws-cdk/aws-batch-alpha/test/integ.multinode-job-definition.js.snapshot/stack.template.json index ccf13f3c895f8..548695e4384f8 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.multinode-job-definition.js.snapshot/stack.template.json +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.multinode-job-definition.js.snapshot/stack.template.json 
@@ -17,6 +17,49 @@ } } }, + "myContainerExecutionRoleDefaultPolicy42DA929E": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/batch/job:*" + ] + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "myContainerExecutionRoleDefaultPolicy42DA929E", + "Roles": [ + { + "Ref": "myContainerExecutionRoleEBACF86C" + } + ] + } + }, "SingleContainerMultiNodeJob1118AC82": { "Type": "AWS::Batch::JobDefinition", "Properties": { @@ -77,6 +120,49 @@ } } }, + "multinodecontainerExecutionRoleDefaultPolicy2AAB071A": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/batch/job:*" + ] + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "multinodecontainerExecutionRoleDefaultPolicy2AAB071A", + "Roles": [ + { + "Ref": "multinodecontainerExecutionRoleAB7AA30A" + } + ] + } + }, "MultiContainerMultiNodeJobBA8ED368": { "Type": "AWS::Batch::JobDefinition", "Properties": { 
@@ -160,6 +246,49 @@ "Version": "2012-10-17" } } + }, + "multiContainerExecutionRoleDefaultPolicyE3E7D32C": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/batch/job:*" + ] + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "multiContainerExecutionRoleDefaultPolicyE3E7D32C", + "Roles": [ + { + "Ref": "multiContainerExecutionRole317DED72" + } + ] + } } }, "Parameters": { diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.multinode-job-definition.js.snapshot/tree.json b/packages/@aws-cdk/aws-batch-alpha/test/integ.multinode-job-definition.js.snapshot/tree.json index b72641f15378e..1b8ed884bff95 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.multinode-job-definition.js.snapshot/tree.json +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.multinode-job-definition.js.snapshot/tree.json @@ -20,8 +20,8 @@ "id": "ImportExecutionRole", "path": "stack/myContainer/ExecutionRole/ImportExecutionRole", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "Resource": { 
@@ -45,20 +45,89 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.CfnRole", + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + }, + "DefaultPolicy": { + "id": "DefaultPolicy", + "path": "stack/myContainer/ExecutionRole/DefaultPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "stack/myContainer/ExecutionRole/DefaultPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Policy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/batch/job:*" + ] + ] + } + } + ], + "Version": "2012-10-17" + }, + "policyName": "myContainerExecutionRoleDefaultPolicy42DA929E", + "roles": [ + { + "Ref": "myContainerExecutionRoleEBACF86C" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Policy", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.Role", + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "batchDefaultLogGroup": { + "id": "batchDefaultLogGroup", + "path": "stack/myContainer/batchDefaultLogGroup", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch.EcsEc2ContainerDefinition", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "SingleContainerMultiNodeJob": { 
@@ -112,13 +181,13 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch.CfnJobDefinition", + "fqn": "aws-cdk-lib.aws_batch.CfnJobDefinition", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch.MultiNodeJobDefinition", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -134,8 +203,8 @@ "id": "ImportExecutionRole", "path": "stack/multinodecontainer/ExecutionRole/ImportExecutionRole", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "Resource": { 
@@ -159,20 +228,89 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.CfnRole", + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + }, + "DefaultPolicy": { + "id": "DefaultPolicy", + "path": "stack/multinodecontainer/ExecutionRole/DefaultPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "stack/multinodecontainer/ExecutionRole/DefaultPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Policy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/batch/job:*" + ] + ] + } + } + ], + "Version": "2012-10-17" + }, + "policyName": "multinodecontainerExecutionRoleDefaultPolicy2AAB071A", + "roles": [ + { + "Ref": "multinodecontainerExecutionRoleAB7AA30A" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Policy", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.Role", + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "batchDefaultLogGroup": { + "id": "batchDefaultLogGroup", + "path": "stack/multinodecontainer/batchDefaultLogGroup", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch.EcsEc2ContainerDefinition", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "MultiContainerMultiNodeJob": { 
@@ -250,13 +388,13 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch.CfnJobDefinition", + "fqn": "aws-cdk-lib.aws_batch.CfnJobDefinition", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch.MultiNodeJobDefinition", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -272,8 +410,8 @@ "id": "ImportExecutionRole", "path": "stack/multiContainer/ExecutionRole/ImportExecutionRole", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "Resource": { 
@@ -297,42 +435,111 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.CfnRole", + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + }, + "DefaultPolicy": { + "id": "DefaultPolicy", + "path": "stack/multiContainer/ExecutionRole/DefaultPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "stack/multiContainer/ExecutionRole/DefaultPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Policy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/batch/job:*" + ] + ] + } + } + ], + "Version": "2012-10-17" + }, + "policyName": "multiContainerExecutionRoleDefaultPolicyE3E7D32C", + "roles": [ + { + "Ref": "multiContainerExecutionRole317DED72" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Policy", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.Role", + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "batchDefaultLogGroup": { + "id": "batchDefaultLogGroup", + "path": "stack/multiContainer/batchDefaultLogGroup", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch.EcsEc2ContainerDefinition", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.55" } }, "BootstrapVersion": { "id": "BootstrapVersion", "path": "stack/BootstrapVersion", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" } }, "CheckBootstrapVersion": { "id": "CheckBootstrapVersion", "path": 
"stack/CheckBootstrapVersion", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" } }, "BatchMultiNodeJobDefinitionTest": { @@ -348,7 +555,7 @@ "path": "BatchMultiNodeJobDefinitionTest/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.270" + "version": "10.2.55" } }, "DeployAssert": { @@ -359,33 +566,33 @@ "id": "BootstrapVersion", "path": "BatchMultiNodeJobDefinitionTest/DefaultTest/DeployAssert/BootstrapVersion", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" } }, "CheckBootstrapVersion": { "id": "CheckBootstrapVersion", "path": "BatchMultiNodeJobDefinitionTest/DefaultTest/DeployAssert/CheckBootstrapVersion", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/integ-tests.IntegTestCase", + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/integ-tests.IntegTest", + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", "version": "0.0.0" } }, @@ -394,13 +601,13 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.270" + "version": "10.2.55" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" } } } \ No newline at end of file From 1a8f5ade8ea0bc26bee0cefd73085aaf788434c8 Mon Sep 17 00:00:00 2001 
From: Rico Hermans Date: Wed, 12 Jul 2023 14:04:36 +0200 Subject: [PATCH 4/5] fix(cli): credential plugin exceptions stop the entire CLI (#26244) Credential provider plugins may sometimes misbehave. Catch any exceptions they may throw and continue. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../lib/api/aws-auth/credential-plugins.ts | 24 ++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts b/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts index 95b8ad2eb9c16..640e8cf4b462f 100644 --- a/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts +++ b/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts @@ -1,5 +1,6 @@ import { debug } from './_env'; import { Mode } from './credentials'; +import { warning } from '../../logging'; import { CredentialProviderSource, PluginHost } from '../plugin'; /** 
@@ -33,12 +34,29 @@ export class CredentialPlugins { const triedSources: CredentialProviderSource[] = []; // Otherwise, inspect the various credential sources we have for (const source of PluginHost.instance.credentialProviderSources) { - if (!(await source.isAvailable())) { + let available: boolean; + try { + available = await source.isAvailable(); + } catch (e: any) { + // This shouldn't happen, but let's guard against it anyway + warning(`Uncaught exception in ${source.name}: ${e.message}`); + available = false; + } + + if (!available) { debug('Credentials source %s is not available, ignoring it.', source.name); continue; } triedSources.push(source); - if (!(await source.canProvideCredentials(awsAccountId))) { continue; } + let canProvide: boolean; + try { + canProvide = await source.canProvideCredentials(awsAccountId); + } catch (e: any) { + // This shouldn't happen, but let's guard against it anyway + warning(`Uncaught exception in ${source.name}: ${e.message}`); + canProvide = false; + } + if (!canProvide) { continue; } debug(`Using ${source.name} credentials for account ${awsAccountId}`); const providerOrCreds = await source.getProvider(awsAccountId, mode); @@ -55,4 +73,4 @@ export class CredentialPlugins { export interface PluginCredentials { readonly credentials: AWS.Credentials; readonly pluginName: string; -} \ No newline at end of file +} From 546456a80a9204d9294831b759f04d3d4e3da72a Mon Sep 17 00:00:00 2001 
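Review bot: Both new catch blocks read `e.message` on a value typed `any`, so a plugin that throws `undefined` or `null` raises a TypeError inside the handler and still stops the CLI, and one that throws a plain string logs `undefined`. Declaring the binding as `catch (e: unknown)` and building the text with `const msg = e instanceof Error ? e.message : String(e);` keeps the guard working for any thrown value. The context line `await source.getProvider(awsAccountId, mode)` at the end of the hunk is still outside any try/catch, so a plugin that fails there aborts the lookup as before; the loop body continues outside the hunk, so confirm whether that is intended. The two warnings are identical, so naming the failing call (`isAvailable` or `canProvideCredentials`) in the message would show an operator at which step a credential source was skipped.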
From: Luca Pizzini Date: Wed, 12 Jul 2023 14:31:02 +0200 Subject: [PATCH 5/5] feat(custom-resources): add custom environmentEncryption for Provider lambda functions (#26236) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The `providerFunctionEnvEncryption` property on the `Provider` class allows users to specify a custom KMS key that will be used to encrypt the environment variables of the generated lambda functions. Closes #26197. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../aws-cdk-lib/custom-resources/README.md | 21 +++++++++++++ .../lib/provider-framework/provider.ts | 11 +++++++ .../test/provider-framework/provider.test.ts | 31 +++++++++++++++++++ 3 files changed, 63 insertions(+) diff --git a/packages/aws-cdk-lib/custom-resources/README.md b/packages/aws-cdk-lib/custom-resources/README.md index 940e6303e0e83..b36075ac9199c 100644 --- a/packages/aws-cdk-lib/custom-resources/README.md +++ b/packages/aws-cdk-lib/custom-resources/README.md @@ -387,6 +387,27 @@ const myProvider = new cr.Provider(this, 'MyProvider', { ``` +### Customizing Provider Function environment encryption key + +Sometimes it may be useful to manually set a AWS KMS key for the Provider Function Lambda and therefore +be able to view, manage and audit the key usage. + +```ts +declare const onEvent: lambda.Function; +declare const isComplete: lambda.Function; +declare const myRole: iam.Role; + +const key = new kms.Key(this, 'MyKey'); +const myProvider = new cr.Provider(this, 'MyProvider', { + onEventHandler: onEvent, + isCompleteHandler: isComplete, + logRetention: logs.RetentionDays.ONE_DAY, + role: myRole, + providerFunctionEnvEncryption: key, // Optional +}); + +``` + ## Custom Resources for AWS APIs Sometimes a single API call can fill the gap in the CloudFormation coverage. In 
diff --git a/packages/aws-cdk-lib/custom-resources/lib/provider-framework/provider.ts b/packages/aws-cdk-lib/custom-resources/lib/provider-framework/provider.ts index d9e28da32dcaa..a0690b3d5055e 100644 --- a/packages/aws-cdk-lib/custom-resources/lib/provider-framework/provider.ts +++ b/packages/aws-cdk-lib/custom-resources/lib/provider-framework/provider.ts @@ -6,6 +6,7 @@ import { WaiterStateMachine } from './waiter-state-machine'; import { CustomResourceProviderConfig, ICustomResourceProvider } from '../../../aws-cloudformation'; import * as ec2 from '../../../aws-ec2'; import * as iam from '../../../aws-iam'; +import * as kms from '../../../aws-kms'; import * as lambda from '../../../aws-lambda'; import * as logs from '../../../aws-logs'; import { Duration } from '../../../core'; @@ -118,6 +119,13 @@ export interface ProviderProps { * @default - CloudFormation default name from unique physical ID */ readonly providerFunctionName?: string; + + /** + * AWS KMS key used to encrypt provider lambda's environment variables. + * + * @default - AWS Lambda creates and uses an AWS managed customer master key (CMK) + */ + readonly providerFunctionEnvEncryption?: kms.IKey; } /** @@ -149,6 +157,7 @@ export class Provider extends Construct implements ICustomResourceProvider { private readonly vpcSubnets?: ec2.SubnetSelection; private readonly securityGroups?: ec2.ISecurityGroup[]; private readonly role?: iam.IRole; + private readonly providerFunctionEnvEncryption?: kms.IKey; constructor(scope: Construct, id: string, props: ProviderProps) { super(scope, id); @@ -167,6 +176,7 @@ export class Provider extends Construct implements ICustomResourceProvider { this.securityGroups = props.securityGroups; this.role = props.role; + this.providerFunctionEnvEncryption = props.providerFunctionEnvEncryption; const onEventFunction = this.createFunction(consts.FRAMEWORK_ON_EVENT_HANDLER_NAME, props.providerFunctionName); 
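Review bot: The doc comment added for `providerFunctionEnvEncryption` in `ProviderProps` says "provider lambda's environment variables" without saying which functions receive the key or who must be able to use it. The later hunk passes the key as `environmentEncryption` inside `createFunction`, so it covers the framework-generated functions and not the user's `onEventHandler`/`isCompleteHandler`; the comment could say `AWS KMS key used to encrypt the environment variables of the framework's provider functions (not the user-supplied handlers).` When a caller also passes `role`, that role needs permission to decrypt with this key; whether the Lambda construct grants that automatically is not visible in this diff, so it is worth confirming and documenting. The constructor and `createFunction` both continue outside these hunks.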
@@ -216,6 +226,7 @@ export class Provider extends Construct implements ICustomResourceProvider { securityGroups: this.securityGroups, role: this.role, functionName: name, + environmentEncryption: this.providerFunctionEnvEncryption, }); fn.addEnvironment(consts.USER_ON_EVENT_FUNCTION_ARN_ENV, this.onEventHandler.functionArn); diff --git a/packages/aws-cdk-lib/custom-resources/test/provider-framework/provider.test.ts b/packages/aws-cdk-lib/custom-resources/test/provider-framework/provider.test.ts index 0a69d13b1f0ce..aa164cb5fa1d0 100644 --- a/packages/aws-cdk-lib/custom-resources/test/provider-framework/provider.test.ts +++ b/packages/aws-cdk-lib/custom-resources/test/provider-framework/provider.test.ts @@ -2,6 +2,7 @@ import * as path from 'path'; import { Template } from '../../../assertions'; import * as ec2 from '../../../aws-ec2'; import * as iam from '../../../aws-iam'; +import * as kms from '../../../aws-kms'; import * as lambda from '../../../aws-lambda'; import * as logs from '../../../aws-logs'; import { Duration, Stack } from '../../../core'; @@ -419,3 +420,33 @@ describe('name', () => { }); }); }); + +describe('environment encryption', () => { + it('uses custom KMS key for environment encryption when present', () => { + // GIVEN + const stack = new Stack(); + const key: kms.IKey = new kms.Key(stack, 'EnvVarEncryptKey', { + description: 'sample key', + }); + + // WHEN + new cr.Provider(stack, 'MyProvider', { + onEventHandler: new lambda.Function(stack, 'MyHandler', { + code: lambda.Code.fromAsset(path.join(__dirname, './integration-test-fixtures/s3-file-handler')), + handler: 'index.onEvent', + runtime: lambda.Runtime.NODEJS_14_X, + }), + providerFunctionEnvEncryption: key, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Function', { + KmsKeyArn: { + 'Fn::GetAtt': [ + 'EnvVarEncryptKey1A7CABDB', + 'Arn', + ], + }, + }); + }); +});
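Review bot: The new test's `hasResourceProperties('AWS::Lambda::Function', { KmsKeyArn: … })` passes as soon as any one function in the template carries the key, so it does not pin how many functions the key actually reaches. The provider is built without `isCompleteHandler`, so presumably any framework functions created only for the completion path are never synthesized or checked. A second case that passes `isCompleteHandler` and asserts with `resourcePropertiesCountIs('AWS::Lambda::Function', { KmsKeyArn: … }, <expected count>)` would catch a framework function created without the key. A case that omits `providerFunctionEnvEncryption` and asserts that `KmsKeyArn` is absent would lock in the default as well.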