From 467fc528155ee9ad34b87ef89b0ae7b7bdbc59d6 Mon Sep 17 00:00:00 2001 From: Calvin Combs <66279577+comcalvi@users.noreply.github.com> Date: Thu, 29 Jun 2023 01:13:11 -0700 Subject: [PATCH] fix(batch): Allow ECS JobDefinition Containers to pass Secrets as Environment Variables & Enable Kubernetes Secret Volumes (#26126) Changes the type of `secrets` from `ISecret[]` to `{ [key: string]: ISecret }`. The `key` is the name of the environment variable to expose to the container. Also enables the specification of EKS Kubernetes volumes, which our README documented but wasn't actually supported because of a CFN issue that has since been fixed. Closes #25559. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/@aws-cdk/aws-batch-alpha/README.md | 23 ++++ .../lib/ecs-container-definition.ts | 18 +-- .../lib/eks-container-definition.ts | 6 +- .../aws-batch-alpha/lib/eks-job-definition.ts | 3 +- .../test/ecs-container-definition.test.ts | 60 +-------- .../test/eks-container-definition.test.ts | 126 +++++++++++++++--- ...efaultTestDeployAssertE5BAAC9B.assets.json | 2 +- .../cdk.out | 2 +- .../integ.json | 2 +- .../manifest.json | 10 +- .../stack.assets.json | 6 +- .../stack.template.json | 16 +++ .../tree.json | 90 +++++++++---- .../test/integ.ecs-job-definition.ts | 4 + ...efaultTestDeployAssertE5BAAC9B.assets.json | 2 +- .../cdk.out | 2 +- .../integ.json | 2 +- .../manifest.json | 4 +- .../stack.assets.json | 6 +- .../stack.template.json | 22 +++ .../tree.json | 52 +++++--- .../test/integ.eks-job-definition.ts | 14 +- .../test/job-definition-base.test.ts | 12 -- 23 files changed, 317 insertions(+), 167 deletions(-) diff --git a/packages/@aws-cdk/aws-batch-alpha/README.md b/packages/@aws-cdk/aws-batch-alpha/README.md index 8ee8f6fb6c50c..434d108e303ae 100644 --- a/packages/@aws-cdk/aws-batch-alpha/README.md +++ b/packages/@aws-cdk/aws-batch-alpha/README.md 
@@ -495,6 +495,29 @@ jobDefn.container.addVolume(batch.EcsVolume.efs({ })); ``` +### Secrets + +You can expose SecretsManager Secret ARNs to your container as environment variables. +The following example defines the `MY_SECRET_ENV_VAR` environment variable that contains the +ARN of the Secret defined by `mySecret`: + +```ts +import * as cdk from 'aws-cdk-lib'; + +declare const mySecret: secretsmanager.ISecret; + +const jobDefn = new batch.EcsJobDefinition(this, 'JobDefn', { + container: new batch.EcsEc2ContainerDefinition(this, 'containerDefn', { + image: ecs.ContainerImage.fromRegistry('public.ecr.aws/amazonlinux/amazonlinux:latest'), + memory: cdk.Size.mebibytes(2048), + cpu: 256, + secrets: { + MY_SECRET_ENV_VAR: mySecret, + } + }), +}); +``` + ### Running Kubernetes Workflows Batch also supports running workflows on EKS. The following example creates a `JobDefinition` that runs on EKS: diff --git a/packages/@aws-cdk/aws-batch-alpha/lib/ecs-container-definition.ts b/packages/@aws-cdk/aws-batch-alpha/lib/ecs-container-definition.ts index 323798cd66cdf..c4b13e6829253 100644 --- a/packages/@aws-cdk/aws-batch-alpha/lib/ecs-container-definition.ts +++ b/packages/@aws-cdk/aws-batch-alpha/lib/ecs-container-definition.ts @@ -342,13 +342,14 @@ export interface IEcsContainerDefinition extends IConstruct { readonly readonlyRootFilesystem?: boolean; /** - * The secrets for the container. Can be referenced in your job definition. + * A map from environment variable names to the secrets for the container. Allows your job definitions + * to reference the secret by the environment variable name defined in this property. * * @see https://docs.aws.amazon.com/batch/latest/userguide/specifying-sensitive-data.html * * @default - no secrets */ - readonly secrets?: secretsmanager.ISecret[]; + readonly secrets?: { [envVarName: string]: secretsmanager.ISecret }; /** * The user name to use inside the container 
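Review bot: The new TSDoc on `IEcsContainerDefinition.secrets` does not say what the container actually receives in the environment variable. As I understand the Batch `secrets`/`valueFrom` contract, the variable holds the resolved secret value at job start, whereas the README example added in this patch says it "contains the ARN"; the two should agree. I would add a line such as `The container sees the secret's value in this environment variable; the execution role must be allowed to read the secret.` The same comment is repeated on `EcsContainerDefinitionProps.secrets` in the next hunk and needs the same addition.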
@@ -458,13 +459,14 @@ export interface EcsContainerDefinitionProps { readonly readonlyRootFilesystem?: boolean; /** - * The secrets for the container. Can be referenced in your job definition. + * A map from environment variable names to the secrets for the container. Allows your job definitions + * to reference the secret by the environment variable name defined in this property. * * @see https://docs.aws.amazon.com/batch/latest/userguide/specifying-sensitive-data.html * * @default - no secrets */ - readonly secrets?: secretsmanager.ISecret[]; + readonly secrets?: { [envVarName: string]: secretsmanager.ISecret }; /** * The user name to use inside the container @@ -495,7 +497,7 @@ abstract class EcsContainerDefinitionBase extends Construct implements IEcsConta public readonly linuxParameters?: LinuxParameters; public readonly logDriverConfig?: ecs.LogDriverConfig; public readonly readonlyRootFilesystem?: boolean; - public readonly secrets?: secretsmanager.ISecret[]; + public readonly secrets?: { [envVarName: string]: secretsmanager.ISecret }; public readonly user?: string; public readonly volumes: EcsVolume[]; @@ -553,12 +555,12 @@ abstract class EcsContainerDefinitionBase extends Construct implements IEcsConta logConfiguration: this.logDriverConfig, readonlyRootFilesystem: this.readonlyRootFilesystem, resourceRequirements: this._renderResourceRequirements(), - secrets: this.secrets?.map((secret) => { + secrets: this.secrets ? Object.entries(this.secrets).map(([name, secret]) => { return { - name: secret.secretName, + name, valueFrom: secret.secretArn, }; - }), + }) : undefined, mountPoints: Lazy.any({ produce: () => { if (this.volumes.length === 0) { diff --git a/packages/@aws-cdk/aws-batch-alpha/lib/eks-container-definition.ts b/packages/@aws-cdk/aws-batch-alpha/lib/eks-container-definition.ts index 446e85d416f3f..63b47a97b1951 100644 --- a/packages/@aws-cdk/aws-batch-alpha/lib/eks-container-definition.ts 
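Review bot: Nothing visible in this patch lets the execution role read the secrets that the rendered `secrets` array now references through `valueFrom: secret.secretArn`. The integ snapshot's template diff adds the `AWS::SecretsManager::Secret` and the `Secrets` entry but no policy statement. Unless the constructor (outside this hunk) already handles it, a job would presumably fail when Batch cannot resolve the secret, and users may work around that with an overly broad policy. Calling `secret.grantRead(this.executionRole);` for each map value where the props are stored keeps access scoped to exactly the secrets listed. The map keys are also passed through as environment variable names unchecked, so rejecting an empty name would be a cheap guard.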
+++ b/packages/@aws-cdk/aws-batch-alpha/lib/eks-container-definition.ts @@ -647,9 +647,9 @@ export interface EksVolumeOptions { readonly name: string; /** - * The path on the container where the container is mounted. + * The path on the container where the volume is mounted. * - * @default - the container is not mounted + * @default - the volume is not mounted */ readonly mountPath?: string; @@ -902,7 +902,7 @@ export class SecretPathVolume extends EksVolume { constructor(options: SecretPathVolumeOptions) { super(options); this.secretName = options.secretName; - this.optional = options.optional; + this.optional = options.optional ?? true; } } diff --git a/packages/@aws-cdk/aws-batch-alpha/lib/eks-job-definition.ts b/packages/@aws-cdk/aws-batch-alpha/lib/eks-job-definition.ts index f5a58b482bf9c..3d84252dd52e0 100644 --- a/packages/@aws-cdk/aws-batch-alpha/lib/eks-job-definition.ts +++ b/packages/@aws-cdk/aws-batch-alpha/lib/eks-job-definition.ts @@ -192,14 +192,13 @@ export class EksJobDefinition extends JobDefinitionBase implements IEksJobDefini }; } if (SecretPathVolume.isSecretPathVolume(volume)) { - /*return { + return { name: volume.name, secret: { optional: volume.optional, secretName: volume.secretName, }, }; - */ } throw new Error('unknown volume type'); diff --git a/packages/@aws-cdk/aws-batch-alpha/test/ecs-container-definition.test.ts b/packages/@aws-cdk/aws-batch-alpha/test/ecs-container-definition.test.ts index c2eaa8705225a..9665a124136bf 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/ecs-container-definition.test.ts +++ b/packages/@aws-cdk/aws-batch-alpha/test/ecs-container-definition.test.ts @@ -255,9 +255,9 @@ describe.each([EcsEc2ContainerDefinition, EcsFargateContainerDefinition])('%p', new EcsJobDefinition(stack, 'ECSJobDefn', { container: new ContainerDefinition(stack, 'EcsContainer', { ...defaultContainerProps, - secrets: [ - new Secret(stack, 'testSecret'), - ], + secrets: { + envName: new Secret(stack, 'testSecret'), + }, }), }); 
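Review bot: `this.optional = options.optional ?? true;` in the `SecretPathVolume` constructor makes a missing Kubernetes secret non-fatal unless the caller opts out, which is a fail-open default for a credential mount. Kubernetes itself treats a secret volume as required when `optional` is unset, so users coming from pod specs may not expect the pod to start without the secret. If `true` is the intended default, the `@default` tag on `SecretPathVolumeOptions.optional` (outside this hunk) should state it and explain that the workload must handle an absent mount; otherwise consider `options.optional ?? false`. Only part of the constructor is visible here.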
@@ -268,59 +268,7 @@ describe.each([EcsEc2ContainerDefinition, EcsFargateContainerDefinition])('%p', ...pascalCaseExpectedProps.ContainerProperties, Secrets: [ { - Name: { - 'Fn::Join': [ - '-', - [ - { - 'Fn::Select': [ - 0, - { - 'Fn::Split': [ - '-', - { - 'Fn::Select': [ - 6, - { - 'Fn::Split': [ - ':', - { - Ref: 'testSecretB96AD12C', - }, - ], - }, - ], - }, - ], - }, - ], - }, - { - 'Fn::Select': [ - 1, - { - 'Fn::Split': [ - '-', - { - 'Fn::Select': [ - 6, - { - 'Fn::Split': [ - ':', - { - Ref: 'testSecretB96AD12C', - }, - ], - }, - ], - }, - ], - }, - ], - }, - ], - ], - }, + Name: 'envName', ValueFrom: { Ref: 'testSecretB96AD12C' }, }, ], diff --git a/packages/@aws-cdk/aws-batch-alpha/test/eks-container-definition.test.ts b/packages/@aws-cdk/aws-batch-alpha/test/eks-container-definition.test.ts index aad8c169664ad..6cb61084a0966 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/eks-container-definition.test.ts +++ b/packages/@aws-cdk/aws-batch-alpha/test/eks-container-definition.test.ts @@ -33,7 +33,7 @@ describe('eks container', () => { test('eks container defaults', () => { // WHEN - new EksJobDefinition(stack, 'ECSJobDefn', { + new EksJobDefinition(stack, 'EksJobDefn', { container: new EksContainerDefinition(stack, 'EcsEc2Container', { ...defaultContainerProps, }), @@ -47,7 +47,7 @@ describe('eks container', () => { test('respects args', () => { // WHEN - new EksJobDefinition(stack, 'ECSJobDefn', { + new EksJobDefinition(stack, 'EksJobDefn', { container: new EksContainerDefinition(stack, 'EcsEc2Container', { ...defaultContainerProps, args: ['arg1', 'arg2'], @@ -71,7 +71,7 @@ describe('eks container', () => { test('respects command', () => { // WHEN - new EksJobDefinition(stack, 'ECSJobDefn', { + new EksJobDefinition(stack, 'EksJobDefn', { container: new EksContainerDefinition(stack, 'EcsEc2Container', { ...defaultContainerProps, command: ['echo', 'bar'], 
@@ -95,7 +95,7 @@ describe('eks container', () => { test('respects cpuLimit', () => { // WHEN - new EksJobDefinition(stack, 'ECSJobDefn', { + new EksJobDefinition(stack, 'EksJobDefn', { container: new EksContainerDefinition(stack, 'EcsEc2Container', { ...defaultContainerProps, cpuLimit: 256, @@ -123,7 +123,7 @@ describe('eks container', () => { test('respects cpuReservation', () => { // WHEN - new EksJobDefinition(stack, 'ECSJobDefn', { + new EksJobDefinition(stack, 'EksJobDefn', { container: new EksContainerDefinition(stack, 'EcsEc2Container', { ...defaultContainerProps, cpuReservation: 256, @@ -151,7 +151,7 @@ describe('eks container', () => { test('respects memoryLimitMiB', () => { // WHEN - new EksJobDefinition(stack, 'ECSJobDefn', { + new EksJobDefinition(stack, 'EksJobDefn', { container: new EksContainerDefinition(stack, 'EcsEc2Container', { ...defaultContainerProps, memoryLimit: Size.mebibytes(2048), @@ -179,7 +179,7 @@ describe('eks container', () => { test('respects memoryReservation', () => { // WHEN - new EksJobDefinition(stack, 'ECSJobDefn', { + new EksJobDefinition(stack, 'EksJobDefn', { container: new EksContainerDefinition(stack, 'EcsEc2Container', { ...defaultContainerProps, memoryReservation: Size.mebibytes(2048), @@ -207,7 +207,7 @@ describe('eks container', () => { test('respects gpuLimit', () => { // WHEN - new EksJobDefinition(stack, 'ECSJobDefn', { + new EksJobDefinition(stack, 'EksJobDefn', { container: new EksContainerDefinition(stack, 'EcsEc2Container', { ...defaultContainerProps, gpuLimit: 20, @@ -235,7 +235,7 @@ describe('eks container', () => { test('respects gpuReservation', () => { // WHEN - new EksJobDefinition(stack, 'ECSJobDefn', { + new EksJobDefinition(stack, 'EksJobDefn', { container: new EksContainerDefinition(stack, 'EcsEc2Container', { ...defaultContainerProps, gpuReservation: 20, 
@@ -263,7 +263,7 @@ describe('eks container', () => { test('respects resource requests and limits', () => { // WHEN - new EksJobDefinition(stack, 'ECSJobDefn', { + new EksJobDefinition(stack, 'EksJobDefn', { container: new EksContainerDefinition(stack, 'EcsEc2Container', { ...defaultContainerProps, cpuLimit: 256, @@ -303,7 +303,7 @@ describe('eks container', () => { test('respects env', () => { // WHEN - new EksJobDefinition(stack, 'ECSJobDefn', { + new EksJobDefinition(stack, 'EksJobDefn', { container: new EksContainerDefinition(stack, 'EcsEc2Container', { ...defaultContainerProps, env: { @@ -339,7 +339,7 @@ describe('eks container', () => { test('respects imagePullPolicy', () => { // WHEN - new EksJobDefinition(stack, 'ECSJobDefn', { + new EksJobDefinition(stack, 'EksJobDefn', { container: new EksContainerDefinition(stack, 'EcsEc2Container', { ...defaultContainerProps, imagePullPolicy: ImagePullPolicy.NEVER, @@ -363,7 +363,7 @@ describe('eks container', () => { test('respects name', () => { // WHEN - new EksJobDefinition(stack, 'ECSJobDefn', { + new EksJobDefinition(stack, 'EksJobDefn', { container: new EksContainerDefinition(stack, 'EcsEc2Container', { ...defaultContainerProps, name: 'myContainerName', @@ -387,7 +387,7 @@ describe('eks container', () => { test('respects privileged', () => { // WHEN - new EksJobDefinition(stack, 'ECSJobDefn', { + new EksJobDefinition(stack, 'EksJobDefn', { container: new EksContainerDefinition(stack, 'EcsEc2Container', { ...defaultContainerProps, privileged: true, @@ -413,7 +413,7 @@ describe('eks container', () => { test('respects readonlyFileSystem', () => { // WHEN - new EksJobDefinition(stack, 'ECSJobDefn', { + new EksJobDefinition(stack, 'EksJobDefn', { container: new EksContainerDefinition(stack, 'EcsEc2Container', { ...defaultContainerProps, readonlyRootFilesystem: true, 
@@ -439,7 +439,7 @@ describe('eks container', () => { test('respects runAsGroup', () => { // WHEN - new EksJobDefinition(stack, 'ECSJobDefn', { + new EksJobDefinition(stack, 'EksJobDefn', { container: new EksContainerDefinition(stack, 'EcsEc2Container', { ...defaultContainerProps, runAsGroup: 1, @@ -465,7 +465,7 @@ describe('eks container', () => { test('respects runAsRoot', () => { // WHEN - new EksJobDefinition(stack, 'ECSJobDefn', { + new EksJobDefinition(stack, 'EksJobDefEksJobDefn', { container: new EksContainerDefinition(stack, 'EcsEc2Container', { ...defaultContainerProps, runAsRoot: true, @@ -491,7 +491,7 @@ describe('eks container', () => { test('respects runAsUser', () => { // WHEN - new EksJobDefinition(stack, 'ECSJobDefn', { + new EksJobDefinition(stack, 'EksJobDefn', { container: new EksContainerDefinition(stack, 'EcsEc2Container', { ...defaultContainerProps, runAsUser: 90, @@ -517,7 +517,7 @@ describe('eks container', () => { test('respects emptyDir volumes', () => { // WHEN - new EksJobDefinition(stack, 'ECSJobDefn', { + new EksJobDefinition(stack, 'EksJobDefn', { container: new EksContainerDefinition(stack, 'EcsEc2Container', { ...defaultContainerProps, volumes: [ @@ -560,7 +560,7 @@ describe('eks container', () => { test('respects hostPath volumes', () => { // WHEN - new EksJobDefinition(stack, 'ECSJobDefn', { + new EksJobDefinition(stack, 'EksJobDefn', { container: new EksContainerDefinition(stack, 'EcsEc2Container', { ...defaultContainerProps, volumes: [EksVolume.hostPath({ 
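Review bot: The construct id in the `respects runAsRoot` test became `'EksJobDefEksJobDefn'`, which looks like a search-and-replace slip; the other renamed tests in this file use `'EksJobDefn'`. It does not affect the assertion, but the line should read `new EksJobDefinition(stack, 'EksJobDefn', {`. The `addVolume()` secret-volume test added later in this file uses `'EKSJobDefn'`, so the casing could be aligned there as well.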
@@ -597,9 +597,48 @@ describe('eks container', () => { }); }); + test('respects secret volumes, and ensures optional defaults to true', () => { + // WHEN + new EksJobDefinition(stack, 'EksJobDefn', { + container: new EksContainerDefinition(stack, 'EcsEc2Container', { + ...defaultContainerProps, + volumes: [EksVolume.secret({ + name: 'secretVolumeName', + secretName: 'myKubeSecret', + mountPath: '/mount/path', + readonly: true, + })], + }), + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::Batch::JobDefinition', { + ...pascalCaseExpectedProps, + EksProperties: { + PodProperties: { + ...pascalCaseExpectedProps.EksProperties.PodProperties, + Containers: [{ + ...pascalCaseExpectedProps.EksProperties.PodProperties.Containers[0], + VolumeMounts: [{ + MountPath: '/mount/path', + ReadOnly: true, + }], + }], + Volumes: [{ + Name: 'secretVolumeName', + Secret: { + SecretName: 'myKubeSecret', + Optional: true, + }, + }], + }, + }, + }); + }); + test('respects addVolume() with emptyDir volume', () => { // GIVEN - const jobDefn = new EksJobDefinition(stack, 'ECSJobDefn', { + const jobDefn = new EksJobDefinition(stack, 'EksJobDefn', { container: new EksContainerDefinition(stack, 'EcsEc2Container', { ...defaultContainerProps, }), @@ -642,7 +681,7 @@ describe('eks container', () => { test('respects addVolume() with hostPath volume', () => { // GIVEN - const jobDefn = new EksJobDefinition(stack, 'ECSJobDefn', { + const jobDefn = new EksJobDefinition(stack, 'EksJobDefn', { container: new EksContainerDefinition(stack, 'EcsEc2Container', { ...defaultContainerProps, }), 
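Review bot: The expected `VolumeMounts` entry in the new `respects secret volumes, and ensures optional defaults to true` test omits `Name: 'secretVolumeName'`, so the test does not verify that the mount is bound to the secret volume it declares. It presumably still passes because `hasResourceProperties` matches objects partially; the sibling `addVolume()` secret test added later in this file does assert the name. Adding `Name: 'secretVolumeName',` next to `MountPath: '/mount/path',` would pin the binding.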
@@ -680,4 +719,47 @@ describe('eks container', () => { }, }); }); + + test('respects addVolume() with secret volume (optional: false)', () => { + // GIVEN + const jobDefn = new EksJobDefinition(stack, 'EKSJobDefn', { + container: new EksContainerDefinition(stack, 'EcsEc2Container', { + ...defaultContainerProps, + }), + }); + + // WHEN + jobDefn.container.addVolume(EksVolume.secret({ + name: 'secretVolumeName', + secretName: 'secretName', + optional: false, + mountPath: '/mount/path', + readonly: true, + })); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::Batch::JobDefinition', { + ...pascalCaseExpectedProps, + EksProperties: { + PodProperties: { + ...pascalCaseExpectedProps.EksProperties.PodProperties, + Containers: [{ + ...pascalCaseExpectedProps.EksProperties.PodProperties.Containers[0], + VolumeMounts: [{ + MountPath: '/mount/path', + Name: 'secretVolumeName', + ReadOnly: true, + }], + }], + Volumes: [{ + Name: 'secretVolumeName', + Secret: { + SecretName: 'secretName', + Optional: false, + }, + }], + }, + }, + }); + }); }); diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/BatchEcsJobDefinitionTestDefaultTestDeployAssertE5BAAC9B.assets.json b/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/BatchEcsJobDefinitionTestDefaultTestDeployAssertE5BAAC9B.assets.json index 337b93a040095..e4db2badc242c 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/BatchEcsJobDefinitionTestDefaultTestDeployAssertE5BAAC9B.assets.json +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/BatchEcsJobDefinitionTestDefaultTestDeployAssertE5BAAC9B.assets.json @@ -1,5 +1,5 @@ { - "version": "31.0.0", + "version": "32.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { 
diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/cdk.out b/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/cdk.out index 7925065efbcc4..f0b901e7c06e5 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/cdk.out +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"31.0.0"} \ No newline at end of file +{"version":"32.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/integ.json b/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/integ.json index 65cdb342d321b..6039a8d046450 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/integ.json +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "31.0.0", + "version": "32.0.0", "testCases": { "BatchEcsJobDefinitionTest/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/manifest.json b/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/manifest.json index 7647ac0d6cf43..765c5357a348f 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "31.0.0", + "version": "32.0.0", "artifacts": { "stack.assets": { "type": "cdk:asset-manifest", 
@@ -17,7 +17,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/7eabaa659955f076359ed72f88d929cfe7651a904b6038ae0f3b3215ab36ac6c.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/dbfcc646c8225dd32d69798b87a8a94086dd89a2b3137bdf4e0ec96d79cdd4cb.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -195,6 +195,12 @@ "data": "myFileSystemEfsMountTarget2E187D733" } ], + "/stack/mySecret/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "mySecretE4D0A59C" + } + ], "/stack/myContainer/ExecutionRole/Resource": [ { "type": "aws:cdk:logicalId", diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/stack.assets.json b/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/stack.assets.json index a7e4620dbd902..d33d36502bf5f 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/stack.assets.json +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/stack.assets.json @@ -1,7 +1,7 @@ { - "version": "31.0.0", + "version": "32.0.0", "files": { - "7eabaa659955f076359ed72f88d929cfe7651a904b6038ae0f3b3215ab36ac6c": { + "dbfcc646c8225dd32d69798b87a8a94086dd89a2b3137bdf4e0ec96d79cdd4cb": { "source": { "path": "stack.template.json", "packaging": "file" 
@@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "7eabaa659955f076359ed72f88d929cfe7651a904b6038ae0f3b3215ab36ac6c.json", + "objectKey": "dbfcc646c8225dd32d69798b87a8a94086dd89a2b3137bdf4e0ec96d79cdd4cb.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/stack.template.json b/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/stack.template.json index 5bff5ac49c8a5..00e64916fd22c 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/stack.template.json +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/stack.template.json @@ -465,6 +465,14 @@ } } }, + "mySecretE4D0A59C": { + "Type": "AWS::SecretsManager::Secret", + "Properties": { + "GenerateSecretString": {} + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, "myContainerExecutionRoleEBACF86C": { "Type": "AWS::IAM::Role", "Properties": { @@ -525,6 +533,14 @@ "Value": "12" } ], + "Secrets": [ + { + "Name": "MY_SECRET_ENV_VAR", + "ValueFrom": { + "Ref": "mySecretE4D0A59C" + } + } + ], "Ulimits": [ { "HardLimit": 50, diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/tree.json b/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/tree.json index e536fd05d3c4a..041b6d0faa434 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/tree.json +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.js.snapshot/tree.json 
@@ -775,6 +775,30 @@ "version": "0.0.0" } }, + "mySecret": { + "id": "mySecret", + "path": "stack/mySecret", + "children": { + "Resource": { + "id": "Resource", + "path": "stack/mySecret/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::SecretsManager::Secret", + "aws:cdk:cloudformation:props": { + "generateSecretString": {} + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_secretsmanager.CfnSecret", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_secretsmanager.Secret", + "version": "0.0.0" + } + }, "myContainer": { "id": "myContainer", "path": "stack/myContainer", @@ -824,8 +848,8 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch-alpha.EcsEc2ContainerDefinition", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.52" } }, "ECSJobDefn": { @@ -868,6 +892,14 @@ "value": "12" } ], + "secrets": [ + { + "name": "MY_SECRET_ENV_VAR", + "valueFrom": { + "Ref": "mySecretE4D0A59C" + } + } + ], "mountPoints": [ { "containerPath": "ahhh", @@ -916,7 +948,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch-alpha.EcsJobDefinition", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -969,8 +1001,8 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch-alpha.EcsFargateContainerDefinition", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.52" } }, "ECSFargateJobDefn": { @@ -1054,7 +1086,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch-alpha.EcsJobDefinition", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, 
@@ -1066,22 +1098,22 @@ "id": "Staging", "path": "stack/dockerImageAsset/Staging", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.AssetStaging", + "version": "0.0.0" } }, "Repository": { "id": "Repository", "path": "stack/dockerImageAsset/Repository", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ecr.RepositoryBase", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_ecr_assets.DockerImageAsset", + "version": "0.0.0" } }, "EcsDockerContainer": { @@ -1096,8 +1128,8 @@ "id": "ImportExecutionRole", "path": "stack/EcsDockerContainer/ExecutionRole/ImportExecutionRole", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "Resource": { @@ -1121,8 +1153,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" } }, "DefaultPolicy": { @@ -1185,26 +1217,26 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_iam.Policy", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" } } }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.270" + "version": "10.2.52" } }, "ECSDockerJobDefn": { 
@@ -1249,14 +1281,14 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.aws_batch.CfnJobDefinition", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "BootstrapVersion": { @@ -1294,7 +1326,7 @@ "path": "BatchEcsJobDefinitionTest/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.2.9" + "version": "10.2.52" } }, "DeployAssert": { @@ -1340,7 +1372,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.2.9" + "version": "10.2.52" } } }, diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.ts b/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.ts index 2c18122d740af..7dcf064a36cf8 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.ts +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.ecs-job-definition.ts @@ -7,6 +7,7 @@ import * as integ from '@aws-cdk/integ-tests-alpha'; import * as batch from '../lib'; import { DockerImageAsset } from 'aws-cdk-lib/aws-ecr-assets'; import * as path from 'path'; +import { Secret } from 'aws-cdk-lib/aws-secretsmanager'; const app = new App(); const stack = new Stack(app, 'stack'); @@ -40,6 +41,9 @@ new batch.EcsJobDefinition(stack, 'ECSJobDefn', { name: batch.UlimitName.CORE, softLimit: 10, }], + secrets: { + MY_SECRET_ENV_VAR: new Secret(stack, 'mySecret'), + }, }), }); diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.js.snapshot/BatchEcsJobDefinitionTestDefaultTestDeployAssertE5BAAC9B.assets.json b/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.js.snapshot/BatchEcsJobDefinitionTestDefaultTestDeployAssertE5BAAC9B.assets.json index 0f5545b944f8a..e4db2badc242c 100644 
--- a/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.js.snapshot/BatchEcsJobDefinitionTestDefaultTestDeployAssertE5BAAC9B.assets.json +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.js.snapshot/BatchEcsJobDefinitionTestDefaultTestDeployAssertE5BAAC9B.assets.json @@ -1,5 +1,5 @@ { - "version": "30.1.0", + "version": "32.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.js.snapshot/cdk.out b/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.js.snapshot/cdk.out index b72fef144f05c..f0b901e7c06e5 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.js.snapshot/cdk.out +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"30.1.0"} \ No newline at end of file +{"version":"32.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.js.snapshot/integ.json b/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.js.snapshot/integ.json index 38e1bef264143..6039a8d046450 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.js.snapshot/integ.json +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "30.1.0", + "version": "32.0.0", "testCases": { "BatchEcsJobDefinitionTest/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.js.snapshot/manifest.json b/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.js.snapshot/manifest.json index 68dbc42b8fe7b..3d1e44bd73cdf 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.js.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.js.snapshot/manifest.json 
@@ -1,5 +1,5 @@ { - "version": "30.1.0", + "version": "32.0.0", "artifacts": { "stack.assets": { "type": "cdk:asset-manifest", @@ -17,7 +17,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/213e7ea5ab99caf36ccb103cecea697bd723a4413a42b71cd94069791d3f146d.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/a8db080420a6ed60209e00bb93fe2579b81f60509f47e3a9723b2ba4b0c50b01.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.js.snapshot/stack.assets.json b/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.js.snapshot/stack.assets.json index 886ca8843dae2..1776ee6cd6e00 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.js.snapshot/stack.assets.json +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.js.snapshot/stack.assets.json @@ -1,7 +1,7 @@ { - "version": "30.1.0", + "version": "32.0.0", "files": { - "213e7ea5ab99caf36ccb103cecea697bd723a4413a42b71cd94069791d3f146d": { + "a8db080420a6ed60209e00bb93fe2579b81f60509f47e3a9723b2ba4b0c50b01": { "source": { "path": "stack.template.json", "packaging": "file" 
@@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "213e7ea5ab99caf36ccb103cecea697bd723a4413a42b71cd94069791d3f146d.json", + "objectKey": "a8db080420a6ed60209e00bb93fe2579b81f60509f47e3a9723b2ba4b0c50b01.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.js.snapshot/stack.template.json b/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.js.snapshot/stack.template.json index 1259f7bb6fb04..a5d5eca078cfd 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.js.snapshot/stack.template.json +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.js.snapshot/stack.template.json @@ -48,6 +48,14 @@ "Name": "woah", "ReadOnly": true }, + { + "MountPath": "/secret/path", + "Name": "secretVolumeName" + }, + { + "MountPath": "/secret/path2", + "Name": "defaultOptionalSettingSecretVolume" + }, { "MountPath": "/fooasdfadfs", "Name": "hostPath" @@ -63,6 +71,20 @@ }, "Name": "woah" }, + { + "Name": "secretVolumeName", + "Secret": { + "Optional": false, + "SecretName": "secretName" + } + }, + { + "Name": "defaultOptionalSettingSecretVolume", + "Secret": { + "Optional": true, + "SecretName": "NewSecretName" + } + }, { "HostPath": { "Path": "/foo/bar" diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.js.snapshot/tree.json b/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.js.snapshot/tree.json index e0399e670f2fe..fb73eb4052198 100644 --- a/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.js.snapshot/tree.json +++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.js.snapshot/tree.json 
@@ -12,8 +12,8 @@ "id": "EksContainer", "path": "stack/EksContainer", "constructInfo": { - "fqn": "@aws-cdk/aws-batch.EksContainerDefinition", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.52" } }, "EksJobDefn": { @@ -71,6 +71,14 @@ "mountPath": "/mount/path", "readOnly": true }, + { + "name": "secretVolumeName", + "mountPath": "/secret/path" + }, + { + "name": "defaultOptionalSettingSecretVolume", + "mountPath": "/secret/path2" + }, { "name": "hostPath", "mountPath": "/fooasdfadfs" @@ -86,6 +94,20 @@ "sizeLimit": "2048Mi" } }, + { + "name": "secretVolumeName", + "secret": { + "optional": false, + "secretName": "secretName" + } + }, + { + "name": "defaultOptionalSettingSecretVolume", + "secret": { + "optional": true, + "secretName": "NewSecretName" + } + }, { "name": "hostPath", "hostPath": { @@ -100,13 +122,13 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch.CfnJobDefinition", + "fqn": "aws-cdk-lib.aws_batch.CfnJobDefinition", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-batch.EksJobDefinition", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -114,7 +136,7 @@ "id": "BootstrapVersion", "path": "stack/BootstrapVersion", "constructInfo": { - "fqn": "@aws-cdk/core.CfnParameter", + "fqn": "aws-cdk-lib.CfnParameter", "version": "0.0.0" } }, @@ -122,13 +144,13 @@ "id": "CheckBootstrapVersion", "path": "stack/CheckBootstrapVersion", "constructInfo": { - "fqn": "@aws-cdk/core.CfnRule", + "fqn": "aws-cdk-lib.CfnRule", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/core.Stack", + "fqn": "aws-cdk-lib.Stack", "version": "0.0.0" } }, @@ -145,7 +167,7 @@ "path": "BatchEcsJobDefinitionTest/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.264" + "version": "10.2.52" } }, "DeployAssert": { 
@@ -156,7 +178,7 @@ "id": "BootstrapVersion", "path": "BatchEcsJobDefinitionTest/DefaultTest/DeployAssert/BootstrapVersion", "constructInfo": { - "fqn": "@aws-cdk/core.CfnParameter", + "fqn": "aws-cdk-lib.CfnParameter", "version": "0.0.0" } }, @@ -164,25 +186,25 @@ "id": "CheckBootstrapVersion", "path": "BatchEcsJobDefinitionTest/DefaultTest/DeployAssert/CheckBootstrapVersion", "constructInfo": { - "fqn": "@aws-cdk/core.CfnRule", + "fqn": "aws-cdk-lib.CfnRule", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/core.Stack", + "fqn": "aws-cdk-lib.Stack", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/integ-tests.IntegTestCase", + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/integ-tests.IntegTest", + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", "version": "0.0.0" } }, @@ -191,12 +213,12 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.264" + "version": "10.2.52" } } }, "constructInfo": { - "fqn": "@aws-cdk/core.App", + "fqn": "aws-cdk-lib.App", "version": "0.0.0" } }
diff --git a/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.ts b/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.ts
index 4c585b7d1e656..5b1138acce8e3 100644
--- a/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.ts
+++ b/packages/@aws-cdk/aws-batch-alpha/test/integ.eks-job-definition.ts
@@ -33,11 +33,17 @@ new batch.EksJobDefinition(stack, 'EksJobDefn', {
 readonly: true,
 sizeLimit: Size.mebibytes(2048),
 }),
- /*batch.EksVolume.secret({
- name: 'foofoo',
- secretName: 'foo',
+ batch.EksVolume.secret({
+ name: 'secretVolumeName',
+ secretName: 'secretName',
+ mountPath: '/secret/path',
+ optional: false,
+ }),
+ batch.EksVolume.secret({
+ name: 'defaultOptionalSettingSecretVolume',
+ secretName: 'NewSecretName',
+ mountPath: '/secret/path2',
 }),
- */
 batch.EksVolume.hostPath({
 name: 'hostPath',
 hostPath: '/foo/bar',
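Review bot: The second `batch.EksVolume.secret({...})` entry leaves `optional` unset, and the regenerated `stack.template.json` records `"Optional": true` for `defaultOptionalSettingSecretVolume`, so this test pins a default under which the mount apparently does not require the Kubernetes Secret to be defined. The hunk gives no hint that the omission is deliberate; a one-line comment above that entry, e.g. `// optional omitted on purpose: covers the default, which synthesizes Optional: true`, would keep a later edit from "fixing" it and would make the fail-open default visible to anyone copying the example. For workloads that must not start without their credentials, the first entry's explicit `optional: false` is the form to copy. The enclosing `new batch.EksJobDefinition(...)` call starts and ends outside the hunk.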
diff --git a/packages/@aws-cdk/aws-batch-alpha/test/job-definition-base.test.ts b/packages/@aws-cdk/aws-batch-alpha/test/job-definition-base.test.ts
index 0662f8d5ab6ed..43334f08926f4 100644
--- a/packages/@aws-cdk/aws-batch-alpha/test/job-definition-base.test.ts
+++ b/packages/@aws-cdk/aws-batch-alpha/test/job-definition-base.test.ts
@@ -223,16 +223,4 @@ describe.each([batch.EcsJobDefinition, batch.EksJobDefinition, batch.MultiNodeJo
 },
 });
 });
-
- /*
- test('can be imported from name', () => {
- // WHEN
- const importedJob = JobDefinition.fromJobDefinitionName(stack, 'job-def-clone', 'job-def-name');
-
- // THEN
- expect(importedJob.jobDefinitionName).toEqual('job-def-name');
- expect(importedJob.jobDefinitionArn)
- .toEqual(`arn:${Aws.PARTITION}:batch:${Aws.REGION}:${Aws.ACCOUNT_ID}:job-definition/job-def-name`);
- });
- */
 });