diff --git a/packages/@aws-cdk/aws-codepipeline/lib/pipeline.ts b/packages/@aws-cdk/aws-codepipeline/lib/pipeline.ts index c1e4df100aa23..65b7e84abbf61 100644 --- a/packages/@aws-cdk/aws-codepipeline/lib/pipeline.ts +++ b/packages/@aws-cdk/aws-codepipeline/lib/pipeline.ts @@ -479,7 +479,7 @@ export class Pipeline extends PipelineBase { } /** @internal */ - public _attachActionToPipeline(stage: Stage, action: IAction, actionScope: CoreConstruct): FullActionDescriptor { + public _attachActionToPipeline(stage: Stage, action: IAction, actionScope: Construct): FullActionDescriptor { const richAction = new RichAction(action, this); // handle cross-region actions here @@ -491,8 +491,8 @@ export class Pipeline extends PipelineBase { // // CodePipeline Variables validateNamespaceName(richAction.actionProperties.variablesNamespace); - // bind the Action - const actionConfig = richAction.bind(actionScope, stage, { + // bind the Action (type h4x) + const actionConfig = richAction.bind(actionScope as CoreConstruct, stage, { role: actionRole ? actionRole : this.role, bucket: crossRegionInfo.artifactBucket, }); diff --git a/packages/@aws-cdk/aws-codepipeline/lib/private/stage.ts b/packages/@aws-cdk/aws-codepipeline/lib/private/stage.ts index e9ed5a6995f02..b5f5aa86dc1c4 100644 --- a/packages/@aws-cdk/aws-codepipeline/lib/private/stage.ts +++ b/packages/@aws-cdk/aws-codepipeline/lib/private/stage.ts @@ -1,5 +1,6 @@ import * as events from '@aws-cdk/aws-events'; import * as cdk from '@aws-cdk/core'; +import { Construct, Node } from 'constructs'; import { IAction, IPipeline, IStage } from '../action'; import { Artifact } from '../artifact'; import { CfnPipeline } from '../codepipeline.generated'; @@ -137,7 +138,15 @@ export class Stage implements IStage { private attachActionToPipeline(action: IAction): FullActionDescriptor { // notify the Pipeline of the new Action - const actionScope = new cdk.Construct(this.scope, action.actionProperties.actionName); + // + // It may be that a construct already exists with the given action name (CDK Pipelines + // may do this to maintain construct tree compatibility between versions). + // + // If so, we simply reuse it. + let actionScope = Node.of(this.scope).tryFindChild(action.actionProperties.actionName) as Construct | undefined; + if (!actionScope) { + actionScope = new cdk.Construct(this.scope, action.actionProperties.actionName); + } return this._pipeline._attachActionToPipeline(this, action, actionScope); } diff --git a/packages/@aws-cdk/pipelines/ORIGINAL_API.md b/packages/@aws-cdk/pipelines/ORIGINAL_API.md new file mode 100644 index 0000000000000..3f1bd5920bcd2 --- /dev/null +++ b/packages/@aws-cdk/pipelines/ORIGINAL_API.md @@ -0,0 +1,498 @@ +# CDK Pipelines, original API + +This document describes the API the CDK Pipelines library originally went into +Developer Preview with. The API has since been reworked, but the original one +left in place because of popular uptake. The original API still works and is +still supported, but the revised one is preferred for future projects. + +## Definining the pipeline + +In the original API, you have to import the `aws-codepipeline` construct +library and create `Artifact` objects for the source and Cloud Assembly +artifacts: + +```ts +import { Construct, Stage, Stack, StackProps, StageProps } from '@aws-cdk/core'; +import { CdkPipeline } from '@aws-cdk/pipelines'; +import * as codepipeline from '@aws-cdk/aws-codepipeline'; + +/** + * Stack to hold the pipeline + */ +class MyPipelineStack extends Stack { + constructor(scope: Construct, id: string, props?: StackProps) { + super(scope, id, props); + + const sourceArtifact = new codepipeline.Artifact(); + const cloudAssemblyArtifact = new codepipeline.Artifact(); + + const pipeline = new CdkPipeline(this, 'Pipeline', { + cloudAssemblyArtifact, + + sourceAction: new codepipeline_actions.GitHubSourceAction({ + actionName: 'GitHub', + output: sourceArtifact, + oauthToken: SecretValue.secretsManager('GITHUB_TOKEN_NAME'), + // Replace these with your actual GitHub project name + owner: 'OWNER', + repo: 'REPO', + branch: 'main', // default: 'master' + }), + + synthAction: SimpleSynthAction.standardNpmSynth({ + sourceArtifact, + cloudAssemblyArtifact, + + // Use this if you need a build step (if you're not using ts-node + // or if you have TypeScript Lambdas that need to be compiled). + buildCommand: 'npm run build', + }), + }); + + // Do this as many times as necessary with any account and region + // Account and region may different from the pipeline's. + pipeline.addApplicationStage(new MyApplication(this, 'Prod', { + env: { + account: '123456789012', + region: 'eu-west-1', + } + })); + } +} +``` + +### A note on cost + +By default, the `CdkPipeline` construct creates an AWS Key Management Service +(AWS KMS) Customer Master Key (CMK) for you to encrypt the artifacts in the +artifact bucket, which incurs a cost of +**$1/month**. This default configuration is necessary to allow cross-account +deployments. + +If you do not intend to perform cross-account deployments, you can disable +the creation of the Customer Master Keys by passing `crossAccountKeys: false` +when defining the Pipeline: + +```ts +const pipeline = new pipelines.CdkPipeline(this, 'Pipeline', { + crossAccountKeys: false, + + // ... +}); +``` + +### Defining the Pipeline (Source and Synth) + +The pipeline is defined by instantiating `CdkPipeline` in a Stack. This defines the +source location for the pipeline as well as the build commands. For example, the following +defines a pipeline whose source is stored in a GitHub repository, and uses NPM +to build. The Pipeline will be provisioned in account `111111111111` and region +`eu-west-1`: + +```ts +class MyPipelineStack extends Stack { + constructor(scope: Construct, id: string, props?: StackProps) { + super(scope, id, props); + + const sourceArtifact = new codepipeline.Artifact(); + const cloudAssemblyArtifact = new codepipeline.Artifact(); + + const pipeline = new CdkPipeline(this, 'Pipeline', { + pipelineName: 'MyAppPipeline', + cloudAssemblyArtifact, + + sourceAction: new codepipeline_actions.GitHubSourceAction({ + actionName: 'GitHub', + output: sourceArtifact, + oauthToken: SecretValue.secretsManager('GITHUB_TOKEN_NAME'), + // Replace these with your actual GitHub project name + owner: 'OWNER', + repo: 'REPO', + branch: 'main', // default: 'master' + }), + + synthAction: SimpleSynthAction.standardNpmSynth({ + sourceArtifact, + cloudAssemblyArtifact, + + // Optionally specify a VPC in which the action runs + vpc: new ec2.Vpc(this, 'NpmSynthVpc'), + + // Use this if you need a build step (if you're not using ts-node + // or if you have TypeScript Lambdas that need to be compiled). + buildCommand: 'npm run build', + }), + }); + } +} + +const app = new App(); +new MyPipelineStack(app, 'PipelineStack', { + env: { + account: '111111111111', + region: 'eu-west-1', + } +}); +``` + +If you prefer more control over the underlying CodePipeline object, you can +create one yourself, including custom Source and Build stages: + +```ts +const codePipeline = new cp.Pipeline(pipelineStack, 'CodePipeline', { + stages: [ + { + stageName: 'CustomSource', + actions: [...], + }, + { + stageName: 'CustomBuild', + actions: [...], + }, + ], +}); + +const app = new App(); +const cdkPipeline = new CdkPipeline(app, 'CdkPipeline', { + codePipeline, + cloudAssemblyArtifact, +}); +``` + +If you use assets for files or Docker images, every asset will get its own upload action during the asset stage. +By setting the value `singlePublisherPerType` to `true`, only one action for files and one action for +Docker images is created that handles all assets of the respective type. + +If you need to run commands to setup proxies, mirrors, etc you can supply them using the `assetPreInstallCommands`. + +#### Sources + +Any of the regular sources from the [`@aws-cdk/aws-codepipeline-actions`](https://docs.aws.amazon.com/cdk/api/latest/docs/aws-codepipeline-actions-readme.html#github) module can be used. + +#### Synths + +You define how to build and synth the project by specifying a `synthAction`. +This can be any CodePipeline action that produces an artifact with a CDK +Cloud Assembly in it (the contents of the `cdk.out` directory created when +`cdk synth` is called). Pass the output artifact of the synth in the +Pipeline's `cloudAssemblyArtifact` property. + +`SimpleSynthAction` is available for synths that can be performed by running a couple +of simple shell commands (install, build, and synth) using AWS CodeBuild. When +using these, the source repository does not need to have a `buildspec.yml`. An example +of using `SimpleSynthAction` to run a Maven build followed by a CDK synth: + +```ts +const pipeline = new CdkPipeline(this, 'Pipeline', { + // ... + synthAction: new SimpleSynthAction({ + sourceArtifact, + cloudAssemblyArtifact, + installCommands: ['npm install -g aws-cdk'], + buildCommands: ['mvn package'], + synthCommand: 'cdk synth', + }) +}); +``` + +Available as factory functions on `SimpleSynthAction` are some common +convention-based synth: + +* `SimpleSynthAction.standardNpmSynth()`: build using NPM conventions. Expects a `package-lock.json`, + a `cdk.json`, and expects the CLI to be a versioned dependency in `package.json`. Does + not perform a build step by default. +* `CdkSynth.standardYarnSynth()`: build using Yarn conventions. Expects a `yarn.lock` + a `cdk.json`, and expects the CLI to be a versioned dependency in `package.json`. Does + not perform a build step by default. + +If you need a custom build/synth step that is not covered by `SimpleSynthAction`, you can +always add a custom CodeBuild project and pass a corresponding `CodeBuildAction` to the +pipeline. + +#### Add Additional permissions to the CodeBuild Project Role for building and synthesizing + +You can customize the role permissions used by the CodeBuild project so it has access to +the needed resources. eg: Adding CodeArtifact repo permissions so we pull npm packages +from the CA repo instead of NPM. + +```ts +class MyPipelineStack extends Stack { + constructor(scope: Construct, id: string, props?: StackProps) { + ... + const pipeline = new CdkPipeline(this, 'Pipeline', { + ... + synthAction: SimpleSynthAction.standardNpmSynth({ + sourceArtifact, + cloudAssemblyArtifact, + + // Use this to customize and a permissions required for the build + // and synth + rolePolicyStatements: [ + new PolicyStatement({ + actions: ['codeartifact:*', 'sts:GetServiceBearerToken'], + resources: ['arn:codeartifact:repo:arn'], + }), + ], + + // Then you can login to codeartifact repository + // and npm will now pull packages from your repository + // Note the codeartifact login command requires more params to work. + buildCommands: [ + 'aws codeartifact login --tool npm', + 'npm run build', + ], + }), + }); + } +} +``` + +### Adding Application Stages + +To define an application that can be added to the pipeline integrally, define a subclass +of `Stage`. The `Stage` can contain one or more stack which make up your application. If +there are dependencies between the stacks, the stacks will automatically be added to the +pipeline in the right order. Stacks that don't depend on each other will be deployed in +parallel. You can add a dependency relationship between stacks by calling +`stack1.addDependency(stack2)`. + +Stages take a default `env` argument which the Stacks inside the Stage will fall back to +if no `env` is defined for them. + +An application is added to the pipeline by calling `addApplicationStage()` with instances +of the Stage. The same class can be instantiated and added to the pipeline multiple times +to define different stages of your DTAP or multi-region application pipeline: + +```ts +// Testing stage +pipeline.addApplicationStage(new MyApplication(this, 'Testing', { + env: { account: '111111111111', region: 'eu-west-1' } +})); + +// Acceptance stage +pipeline.addApplicationStage(new MyApplication(this, 'Acceptance', { + env: { account: '222222222222', region: 'eu-west-1' } +})); + +// Production stage +pipeline.addApplicationStage(new MyApplication(this, 'Production', { + env: { account: '333333333333', region: 'eu-west-1' } +})); +``` + +> Be aware that adding new stages via `addApplicationStage()` will +> automatically add them to the pipeline and deploy the new stacks, but +> *removing* them from the pipeline or deleting the pipeline stack will not +> automatically delete deployed application stacks. You must delete those +> stacks by hand using the AWS CloudFormation console or the AWS CLI. + +### More Control + +Every *Application Stage* added by `addApplicationStage()` will lead to the addition of +an individual *Pipeline Stage*, which is subsequently returned. You can add more +actions to the stage by calling `addAction()` on it. For example: + +```ts +const testingStage = pipeline.addApplicationStage(new MyApplication(this, 'Testing', { + env: { account: '111111111111', region: 'eu-west-1' } +})); + +// Add a action -- in this case, a Manual Approval action +// (for illustration purposes: testingStage.addManualApprovalAction() is a +// convenience shorthand that does the same) +testingStage.addAction(new ManualApprovalAction({ + actionName: 'ManualApproval', + runOrder: testingStage.nextSequentialRunOrder(), +})); +``` + +You can also add more than one *Application Stage* to one *Pipeline Stage*. For example: + +```ts +// Create an empty pipeline stage +const testingStage = pipeline.addStage('Testing'); + +// Add two application stages to the same pipeline stage +testingStage.addApplication(new MyApplication1(this, 'MyApp1', { + env: { account: '111111111111', region: 'eu-west-1' } +})); +testingStage.addApplication(new MyApplication2(this, 'MyApp2', { + env: { account: '111111111111', region: 'eu-west-1' } +})); +``` + +Even more, adding a manual approval action or reserving space for some extra sequential actions +between 'Prepare' and 'Execute' ChangeSet actions is possible. + +```ts + pipeline.addApplicationStage(new MyApplication(this, 'Production'), { + manualApprovals: true, + extraRunOrderSpace: 1, + }); +``` + +### Adding validations to the pipeline + +You can add any type of CodePipeline Action to the pipeline in order to validate +the deployments you are performing. + +The CDK Pipelines construct library comes with a `ShellScriptAction` which uses AWS CodeBuild +to run a set of shell commands (potentially running a test set that comes with your application, +using stack outputs of the deployed stacks). + +In its simplest form, adding validation actions looks like this: + +```ts +const stage = pipeline.addApplicationStage(new MyApplication(/* ... */)); + +stage.addActions(new ShellScriptAction({ + actionName: 'MyValidation', + commands: ['curl -Ssf https://my.webservice.com/'], + // Optionally specify a VPC if, for example, the service is deployed with a private load balancer + vpc, + // Optionally specify SecurityGroups + securityGroups, + // Optionally specify a BuildEnvironment + environment, +})); +``` + +#### Using CloudFormation Stack Outputs in ShellScriptAction + +Because many CloudFormation deployments result in the generation of resources with unpredictable +names, validations have support for reading back CloudFormation Outputs after a deployment. This +makes it possible to pass (for example) the generated URL of a load balancer to the test set. + +To use Stack Outputs, expose the `CfnOutput` object you're interested in, and +call `pipeline.stackOutput()` on it: + +```ts +class MyLbApplication extends Stage { + public readonly loadBalancerAddress: CfnOutput; + + constructor(scope: Construct, id: string, props?: StageProps) { + super(scope, id, props); + + const lbStack = new LoadBalancerStack(this, 'Stack'); + + // Or create this in `LoadBalancerStack` directly + this.loadBalancerAddress = new CfnOutput(lbStack, 'LbAddress', { + value: `https://${lbStack.loadBalancer.loadBalancerDnsName}/` + }); + } +} + +const lbApp = new MyLbApplication(this, 'MyApp', { + env: { /* ... */ } +}); +const stage = pipeline.addApplicationStage(lbApp); +stage.addActions(new ShellScriptAction({ + // ... + useOutputs: { + // When the test is executed, this will make $URL contain the + // load balancer address. + URL: pipeline.stackOutput(lbApp.loadBalancerAddress), + } +}); +``` + +#### Using additional files in Shell Script Actions + +As part of a validation, you probably want to run a test suite that's more +elaborate than what can be expressed in a couple of lines of shell script. +You can bring additional files into the shell script validation by supplying +the `additionalArtifacts` property. + +Here are some typical examples for how you might want to bring in additional +files from several sources: + +* Directory from the source repository +* Additional compiled artifacts from the synth step + +#### Controlling IAM permissions + +IAM permissions can be added to the execution role of a `ShellScriptAction` in +two ways. + +Either pass additional policy statements in the `rolePolicyStatements` property: + +```ts +new ShellScriptAction({ + // ... + rolePolicyStatements: [ + new iam.PolicyStatement({ + actions: ['s3:GetObject'], + resources: ['*'], + }), + ], +})); +``` + +The Action can also be used as a Grantable after having been added to a Pipeline: + +```ts +const action = new ShellScriptAction({ /* ... */ }); +pipeline.addStage('Test').addActions(action); + +bucket.grantRead(action); +``` + +#### Additional files from the source repository + +Bringing in additional files from the source repository is appropriate if the +files in the source repository are directly usable in the test (for example, +if they are executable shell scripts themselves). Pass the `sourceArtifact`: + +```ts +const sourceArtifact = new codepipeline.Artifact(); + +const pipeline = new CdkPipeline(this, 'Pipeline', { + // ... +}); + +const validationAction = new ShellScriptAction({ + actionName: 'TestUsingSourceArtifact', + additionalArtifacts: [sourceArtifact], + + // 'test.sh' comes from the source repository + commands: ['./test.sh'], +}); +``` + +#### Additional files from the synth step + +Getting the additional files from the synth step is appropriate if your +tests need the compilation step that is done as part of synthesis. + +On the synthesis step, specify `additionalArtifacts` to package +additional subdirectories into artifacts, and use the same artifact +in the `ShellScriptAction`'s `additionalArtifacts`: + +```ts +// If you are using additional output artifacts from the synth step, +// they must be named. +const cloudAssemblyArtifact = new codepipeline.Artifact('CloudAsm'); +const integTestsArtifact = new codepipeline.Artifact('IntegTests'); + +const pipeline = new CdkPipeline(this, 'Pipeline', { + synthAction: SimpleSynthAction.standardNpmSynth({ + sourceArtifact, + cloudAssemblyArtifact, + buildCommands: ['npm run build'], + additionalArtifacts: [ + { + directory: 'test', + artifact: integTestsArtifact, + } + ], + }), + // ... +}); + +const validationAction = new ShellScriptAction({ + actionName: 'TestUsingBuildArtifact', + additionalArtifacts: [integTestsArtifact], + // 'test.js' was produced from 'test/test.ts' during the synth step + commands: ['node ./test.js'], +}); +``` \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/README.md b/packages/@aws-cdk/pipelines/README.md index 6e4f73c895b1f..76a8c3a84f8fb 100644 --- a/packages/@aws-cdk/pipelines/README.md +++ b/packages/@aws-cdk/pipelines/README.md @@ -17,19 +17,36 @@ A construct library for painless Continuous Delivery of CDK applications. -![Developer Preview](https://img.shields.io/badge/developer--preview-informational.svg?style=for-the-badge) - -> This module is in **developer preview**. We may make breaking changes to address unforeseen API issues. Therefore, these APIs are not subject to [Semantic Versioning](https://semver.org/), and breaking changes will be announced in release notes. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package. +> This module contains two sets of APIs: an **original** and a **modern** version of +CDK Pipelines. The *modern* API has been updated to be easier to work with and +customize, and will be the preferred API going forward. The *original* version +of the API is still available for backwards compatibility, but we recommend migrating +to the new version if possible. +> +> Compared to the original API, the modern API: has more sensible defaults; is +> more flexible; supports parallel deployments; supports multiple synth inputs; +> allows more control of CodeBuild project generation; supports deployment +> engines other than CodePipeline. +> +> The README for the original API can be found in [our GitHub repository](https://github.com/aws/aws-cdk/blob/master/packages/@aws-cdk/pipelines/ORIGINAL_API.md). ## At a glance -Defining a pipeline for your application is as simple as defining a subclass -of `Stage`, and calling `pipeline.addApplicationStage()` with instances of -that class. Deploying to a different account or region looks exactly the -same, the *CDK Pipelines* library takes care of the details. +Deploying your application continuously starts by defining a +`MyApplicationStage`, a subclass of `Stage` that contains the stacks that make +up a single copy of your application. -(Note that have to *bootstrap* all environments before the following code -will work, see the section **CDK Environment Bootstrapping** below). +You then define a `Pipeline`, instantiate as many instances of +`MyApplicationStage` as you want for your test and production environments, with +different parameters for each, and calling `pipeline.addStage()` for each of +them. You can deploy to the same account and Region, or to a different one, +with the same amount of code. The *CDK Pipelines* library takes care of the +details. + +CDK Pipelines supports multiple *deployment engines* (see below), and comes with +a deployment engine that deployes CDK apps using AWS CodePipeline. To use the +CodePipeline engine, define a `CodePipeline` construct. The following +example creates a CodePipeline that deploys an application from GitHub: ```ts /** The stacks for our app are defined in my-stacks.ts. The internals of these @@ -38,10 +55,42 @@ will work, see the section **CDK Environment Bootstrapping** below). * to this table in its properties. */ import { DatabaseStack, ComputeStack } from '../lib/my-stacks'; - import { Construct, Stage, Stack, StackProps, StageProps } from '@aws-cdk/core'; -import { CdkPipeline } from '@aws-cdk/pipelines'; -import * as codepipeline from '@aws-cdk/aws-codepipeline'; +import { CodePipeline, CodePipelineSource, ShellStep } from '@aws-cdk/pipelines'; + +/** + * Stack to hold the pipeline + */ +class MyPipelineStack extends Stack { + constructor(scope: Construct, id: string, props?: StackProps) { + super(scope, id, props); + + const pipeline = new CodePipeline(this, 'Pipeline', { + synth: new ShellStep('Synth', { + // Use a connection created using the AWS console to authenticate to GitHub + // Other sources are available. + input: CodePipelineSource.connection('my-org/my-app', 'main', { + connectionArn: 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', + }), + commands: [ + 'npm ci', + 'npm run build', + 'npx cdk synth', + ], + }), + }); + + // 'MyApplication' is defined below. Call `addStage` as many times as + // necessary with any account and region (may be different from the + // pipeline's). + pipeline.addStage(new MyApplication(this, 'Prod', { + env: { + account: '123456789012', + region: 'eu-west-1', + } + })); + } +} /** * Your application @@ -62,30 +111,13 @@ class MyApplication extends Stage { } } -/** - * Stack to hold the pipeline - */ -class MyPipelineStack extends Stack { - constructor(scope: Construct, id: string, props?: StackProps) { - super(scope, id, props); - - const sourceArtifact = new codepipeline.Artifact(); - const cloudAssemblyArtifact = new codepipeline.Artifact(); - - const pipeline = new CdkPipeline(this, 'Pipeline', { - // ...source and build information here (see below) - }); - - // Do this as many times as necessary with any account and region - // Account and region may different from the pipeline's. - pipeline.addApplicationStage(new MyApplication(this, 'Prod', { - env: { - account: '123456789012', - region: 'eu-west-1', - } - })); +// In your main file +new MyPipelineStack(app, 'PipelineStack', { + env: { + account: '123456789012', + region: 'eu-west-1', } -} +}); ``` The pipeline is **self-mutating**, which means that if you add new @@ -93,10 +125,13 @@ application stages in the source code, or new stacks to `MyApplication`, the pipeline will automatically reconfigure itself to deploy those new stages and stacks. +(Note that have to *bootstrap* all environments before the above code +will work, see the section **CDK Environment Bootstrapping** below). + ## CDK Versioning -This library uses prerelease features of the CDK framework, which can be enabled by adding the -following to `cdk.json`: +This library uses prerelease features of the CDK framework, which can be enabled +by adding the following to `cdk.json`: ```js { @@ -107,484 +142,538 @@ following to `cdk.json`: } ``` -## A note on cost +## Provisioning the pipeline -By default, the `CdkPipeline` construct creates an AWS Key Management Service -(AWS KMS) Customer Master Key (CMK) for you to encrypt the artifacts in the -artifact bucket, which incurs a cost of -**$1/month**. This default configuration is necessary to allow cross-account -deployments. +To provision the pipeline you have defined, making sure the target environment +has been bootstrapped (see below), and then executing deploying the +`PipelineStack` *once*. Afterwards, the pipeline will keep itself up-to-date. -If you do not intend to perform cross-account deployments, you can disable -the creation of the Customer Master Keys by passing `crossAccountKeys: false` -when defining the Pipeline: +> **Important**: be sure to `git commit` and `git push` before deploying the +> Pipeline stack using `cdk deploy`! +> +> The reason is that the pipeline will start deploying and self-mutating +> right away based on the sources in the repository, so the sources it finds +> in there should be the ones you want it to find. -```ts -const pipeline = new pipelines.CdkPipeline(this, 'Pipeline', { - crossAccountKeys: false, +Run the following commands to get the pipeline going: - // ... -}); +```console +$ git commit -a +$ git push +$ cdk deploy PipelineStack ``` -## Defining the Pipeline (Source and Synth) +Administrative permissions to the account are only necessary up until +this point. We recommend you shed access to these credentials after doing this. + +### Working on the pipeline + +The self-mutation feature of the Pipeline might at times get in the way +of the pipeline development workflow. Each change to the pipeline must be pushed +to git, otherwise, after the pipeline was updated using `cdk deploy`, it will +automatically revert to the state found in git. -The pipeline is defined by instantiating `CdkPipeline` in a Stack. This defines the -source location for the pipeline as well as the build commands. For example, the following -defines a pipeline whose source is stored in a GitHub repository, and uses NPM -to build. The Pipeline will be provisioned in account `111111111111` and region -`eu-west-1`: +To make the development more convenient, the self-mutation feature can be turned +off temporarily, by passing `selfMutation: false` property, example: ```ts -class MyPipelineStack extends Stack { - constructor(scope: Construct, id: string, props?: StackProps) { - super(scope, id, props); +// Modern API +const pipeline = new CodePipeline(this, 'Pipeline', { + selfMutation: false, + ... +}); - const sourceArtifact = new codepipeline.Artifact(); - const cloudAssemblyArtifact = new codepipeline.Artifact(); - - const pipeline = new CdkPipeline(this, 'Pipeline', { - pipelineName: 'MyAppPipeline', - cloudAssemblyArtifact, - - sourceAction: new codepipeline_actions.GitHubSourceAction({ - actionName: 'GitHub', - output: sourceArtifact, - oauthToken: SecretValue.secretsManager('GITHUB_TOKEN_NAME'), - // Replace these with your actual GitHub project name - owner: 'OWNER', - repo: 'REPO', - branch: 'main', // default: 'master' - }), +// Original API +const pipeline = new CdkPipeline(this, 'Pipeline', { + selfMutating: false, + ... +}); +``` - synthAction: SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, +## Definining the pipeline - // Optionally specify a VPC in which the action runs - vpc: new ec2.Vpc(this, 'NpmSynthVpc'), +This section of the documentation describes the AWS CodePipeline engine, which +comes with this library. If you want to use a different deployment engine, read +the section *Using a different deployment engine* below. - // Use this if you need a build step (if you're not using ts-node - // or if you have TypeScript Lambdas that need to be compiled). - buildCommand: 'npm run build', - }), - }); - } -} +### Synth and sources -const app = new App(); -new MyPipelineStack(app, 'PipelineStack', { - env: { - account: '111111111111', - region: 'eu-west-1', - } -}); -``` +To define a pipeline, instantiate a `CodePipeline` construct from the +`@aws-cdk/pipelines` module. It takes one argument, a `synth` step, which is +expected to produce the CDK Cloud Assembly as its single output (the contents of +the `cdk.out` directory after running `cdk synth`). "Steps" are arbitrary +actions in the pipeline, typically used to run scripts or commands. -If you prefer more control over the underlying CodePipeline object, you can -create one yourself, including custom Source and Build stages: +For the synth, use a `ShellStep` and specify the commands necessary to build +your project and run `cdk synth`; the specific commands required will depend on +the programming language you are using. For a typical NPM-based project, the synth +will look like this: ```ts -const codePipeline = new cp.Pipeline(pipelineStack, 'CodePipeline', { - stages: [ - { - stageName: 'CustomSource', - actions: [...], - }, - { - stageName: 'CustomBuild', - actions: [...], - }, - ], +const source = /* the repository source */; + +const pipeline = new CodePipeline(this, 'Pipeline', { + synth: new ShellStep('Synth', { + input: source, + commands: [ + 'npm ci', + 'npm run build', + 'npx cdk synth', + ], + }), }); +``` -const app = new App(); -const cdkPipeline = new CdkPipeline(app, 'CdkPipeline', { - codePipeline, - cloudAssemblyArtifact, +The pipeline assumes that your `ShellStep` will produce a `cdk.out` +directory in the root, containing the CDK cloud assembly. If your +CDK project lives in a subdirectory, be sure to adjust the +`primaryOutputDirectory` to match: + +```ts +const pipeline = new CodePipeline(this, 'Pipeline', { + synth: new ShellStep('Synth', { + input: source, + commands: [ + 'cd mysubdir', + 'npm ci', + 'npm run build', + 'npx cdk synth', + ], + primaryOutputDirectory: 'mysubdir/cdk.out', + }), }); ``` -If you use assets for files or Docker images, every asset will get its own upload action during the asset stage. -By setting the value `singlePublisherPerType` to `true`, only one action for files and one action for -Docker images is created that handles all assets of the respective type. +The underlying `@aws-cdk/aws-codepipeline.Pipeline` construct will be produced +when `app.synth()` is called. You can also force it to be produced +earlier by calling `pipeline.buildPipeline()`. After you've called +that method, you can inspect the constructs that were produced by +accessing the properties of the `pipeline` object. -If you need to run commands to setup proxies, mirrors, etc you can supply them using the `assetPreInstallCommands`. +#### CodePipeline Sources -## Initial pipeline deployment +In CodePipeline, *Sources* define where the source of your application lives. +When a change to the source is detected, the pipeline will start executing. +Source objects can be created by factory methods on the `CodePipelineSource` class: -You provision this pipeline by making sure the target environment has been -bootstrapped (see below), and then executing deploying the `PipelineStack` -*once*. Afterwards, the pipeline will keep itself up-to-date. - -> **Important**: be sure to `git commit` and `git push` before deploying the -> Pipeline stack using `cdk deploy`! -> -> The reason is that the pipeline will start deploying and self-mutating -> right away based on the sources in the repository, so the sources it finds -> in there should be the ones you want it to find. +##### GitHub, GitHub Enterprise, BitBucket using a connection -Run the following commands to get the pipeline going: +The recommended way of connecting to GitHub or BitBucket is by using a *connection*. +You will first use the AWS Console to authenticate to the source control +provider, and then use the connection ARN in your pipeline definition: -```console -$ git commit -a -$ git push -$ cdk deploy PipelineStack +```ts +CodePipelineSource.connection('org/repo', 'branch', { + connectionArn: 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', +}); ``` -Administrative permissions to the account are only necessary up until -this point. We recommend you shed access to these credentials after doing this. +##### GitHub using OAuth -### Sources +You can also authenticate to GitHub using a personal access token. This expects +that you've created a personal access token and stored it in Secrets Manager. +By default, the source object will look for a secret named **github-token**, but +you can change the name. The token should have the **repo** and **admin:repo_hook** +scopes. -Any of the regular sources from the [`@aws-cdk/aws-codepipeline-actions`](https://docs.aws.amazon.com/cdk/api/latest/docs/aws-codepipeline-actions-readme.html#github) module can be used. - -### Synths +```ts +CodePipelineSource.gitHub('org/repo', 'branch', { + // This is optional + authentication: SecretValue.secretsManager('my-token'), +}); +``` -You define how to build and synth the project by specifying a `synthAction`. -This can be any CodePipeline action that produces an artifact with a CDK -Cloud Assembly in it (the contents of the `cdk.out` directory created when -`cdk synth` is called). Pass the output artifact of the synth in the -Pipeline's `cloudAssemblyArtifact` property. +##### CodeCommit -`SimpleSynthAction` is available for synths that can be performed by running a couple -of simple shell commands (install, build, and synth) using AWS CodeBuild. When -using these, the source repository does not need to have a `buildspec.yml`. An example -of using `SimpleSynthAction` to run a Maven build followed by a CDK synth: +You can use a CodeCommit repository as the source. Either create or import +that the CodeCommit repository and then use `CodePipelineSource.codeCommit` +to reference it: ```ts -const pipeline = new CdkPipeline(this, 'Pipeline', { - // ... - synthAction: new SimpleSynthAction({ - sourceArtifact, - cloudAssemblyArtifact, - installCommands: ['npm install -g aws-cdk'], - buildCommands: ['mvn package'], - synthCommand: 'cdk synth', - }) -}); +const repository = codecommit.fromRepositoryName(this, 'Repository', 'my-repository'); +CodePipelineSource.codeCommit(repository); ``` -Available as factory functions on `SimpleSynthAction` are some common -convention-based synth: +##### S3 -* `SimpleSynthAction.standardNpmSynth()`: build using NPM conventions. Expects a `package-lock.json`, - a `cdk.json`, and expects the CLI to be a versioned dependency in `package.json`. Does - not perform a build step by default. -* `CdkSynth.standardYarnSynth()`: build using Yarn conventions. Expects a `yarn.lock` - a `cdk.json`, and expects the CLI to be a versioned dependency in `package.json`. Does - not perform a build step by default. +You can use a zip file in S3 as the source of the pipeline. The pipeline will be +triggered every time the file in S3 is changed: -If you need a custom build/synth step that is not covered by `SimpleSynthAction`, you can -always add a custom CodeBuild project and pass a corresponding `CodeBuildAction` to the -pipeline. +```ts +const bucket = s3.Bucket.fromBucketName(this, 'Bucket', 'my-bucket'); +CodePipelineSource.s3(bucket, 'my/source.zip'); +``` -## Adding Application Stages +#### Additional inputs -To define an application that can be added to the pipeline integrally, define a subclass -of `Stage`. The `Stage` can contain one or more stack which make up your application. If -there are dependencies between the stacks, the stacks will automatically be added to the -pipeline in the right order. Stacks that don't depend on each other will be deployed in -parallel. You can add a dependency relationship between stacks by calling -`stack1.addDependency(stack2)`. +`ShellStep` allows passing in more than one input: additional +inputs will be placed in the directories you specify. Any step that produces an +output file set can be used as an input, such as a `CodePipelineSource`, but +also other `ShellStep`: -Stages take a default `env` argument which the Stacks inside the Stage will fall back to -if no `env` is defined for them. +```ts +const prebuild = new ShellStep('Prebuild', { + input: CodePipelineSource.gitHub('myorg/repo1'), + primaryOutputDirectory: './build', + commands: ['./build.sh'], +}); -An application is added to the pipeline by calling `addApplicationStage()` with instances -of the Stage. The same class can be instantiated and added to the pipeline multiple times -to define different stages of your DTAP or multi-region application pipeline: +const pipeline = new CodePipeline(this, 'Pipeline', { + synth: new ShellStep('Synth', { + input: CodePipelineSource.gitHub('myorg/repo2'), + additionalInputs: { + 'subdir': CodePipelineSource.gitHub('myorg/repo3'), + '../siblingdir': prebuild, + }, -```ts -// Testing stage -pipeline.addApplicationStage(new MyApplication(this, 'Testing', { - env: { account: '111111111111', region: 'eu-west-1' } -})); + commands: ['./build.sh'], + }) +}); +``` -// Acceptance stage -pipeline.addApplicationStage(new MyApplication(this, 'Acceptance', { - env: { account: '222222222222', region: 'eu-west-1' } -})); +### CDK application deployments -// Production stage -pipeline.addApplicationStage(new MyApplication(this, 'Production', { - env: { account: '333333333333', region: 'eu-west-1' } +After you have defined the pipeline and the `synth` step, you can add one or +more CDK `Stages` which will be deployed to their target environments. To do +so, call `pipeline.addStage()` on the Stage object: + +```ts +// Do this as many times as necessary with any account and region +// Account and region may different from the pipeline's. +pipeline.addStage(new MyApplicationStage(this, 'Prod', { + env: { + account: '123456789012', + region: 'eu-west-1', + } })); ``` -> Be aware that adding new stages via `addApplicationStage()` will -> automatically add them to the pipeline and deploy the new stacks, but -> *removing* them from the pipeline or deleting the pipeline stack will not -> automatically delete deployed application stacks. You must delete those -> stacks by hand using the AWS CloudFormation console or the AWS CLI. +CDK Pipelines will automatically discover all `Stacks` in the given `Stage` +object, determine their dependency order, and add appropriate actions to the +pipeline to publish the assets referenced in those stacks and deploy the stacks +in the right order. + +If the `Stacks` are targeted at an environment in a different AWS account or +Region and that environment has been +[bootstrapped](https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html) +, CDK Pipelines will transparently make sure the IAM roles are set up +correctly and any requisite replication Buckets are created. -### More Control +#### Deploying in parallel -Every *Application Stage* added by `addApplicationStage()` will lead to the addition of -an individual *Pipeline Stage*, which is subsequently returned. You can add more -actions to the stage by calling `addAction()` on it. For example: +By default, all applications added to CDK Pipelines by calling `addStage()` will +be deployed in sequence, one after the other. If you have a lot of stages, you can +speed up the pipeline by choosing to deploy some stages in parallel. You do this +by calling `addWave()` instead of `addStage()`: a *wave* is a set of stages that +are all deployed in parallel instead of sequentially. Waves themselves are still +deployed in sequence. For example, the following will deploy two copies of your +application to `eu-west-1` and `eu-central-1` in parallel: ```ts -const testingStage = pipeline.addApplicationStage(new MyApplication(this, 'Testing', { - env: { account: '111111111111', region: 'eu-west-1' } +const europeWave = pipeline.addWave('Europe'); +europeWave.addStage(new MyApplicationStage(this, 'Ireland', { + env: { region: 'eu-west-1' } })); - -// Add a action -- in this case, a Manual Approval action -// (for illustration purposes: testingStage.addManualApprovalAction() is a -// convenience shorthand that does the same) -testingStage.addAction(new ManualApprovalAction({ - actionName: 'ManualApproval', - runOrder: testingStage.nextSequentialRunOrder(), +europeWave.addStage(new MyApplicationStage(this, 'Germany', { + env: { region: 'eu-central-1' } })); ``` -You can also add more than one *Application Stage* to one *Pipeline Stage*. For example: +#### Deploying to other accounts / encrypting the Artifact Bucket -```ts -// Create an empty pipeline stage -const testingStage = pipeline.addStage('Testing'); +CDK Pipelines can transparently deploy to other Regions and other accounts +(provided those target environments have been +[*bootstrapped*](https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html)). +However, deploying to another account requires one additional piece of +configuration: you need to enable `crossAccountKeys: true` when creating the +pipeline. -// Add two application stages to the same pipeline stage -testingStage.addApplication(new MyApplication1(this, 'MyApp1', { - env: { account: '111111111111', region: 'eu-west-1' } -})); -testingStage.addApplication(new MyApplication2(this, 'MyApp2', { - env: { account: '111111111111', region: 'eu-west-1' } -})); -``` +This will encrypt the artifact bucket(s), but incurs a cost for maintaining the +KMS key. -Even more, adding a manual approval action or reserving space for some extra sequential actions -between 'Prepare' and 'Execute' ChangeSet actions is possible. +Example: ```ts - pipeline.addApplicationStage(new MyApplication(this, 'Production'), { - manualApprovals: true, - extraRunOrderSpace: 1, - }); +const pipeline = new CodePipeline(this, 'Pipeline', { + // Encrypt artifacts, required for cross-account deployments + crossAccountKeys: true, +}); ``` -## Adding validations to the pipeline - -You can add any type of CodePipeline Action to the pipeline in order to validate -the deployments you are performing. +### Validation -The CDK Pipelines construct library comes with a `ShellScriptAction` which uses AWS CodeBuild -to run a set of shell commands (potentially running a test set that comes with your application, -using stack outputs of the deployed stacks). +Every `addStage()` and `addWave()` command takes additional options. As part of these options, +you can specify `pre` and `post` steps, which are arbitrary steps that run before or after +the contents of the stage or wave, respectively. You can use these to add validations like +manual or automated gates to your pipeline. -In its simplest form, adding validation actions looks like this: +The following example shows both an automated approval in the form of a `ShellStep`, and +a manual approvel in the form of a `ManualApprovalStep` added to the pipeline. Both must +pass in order to promote from the `PreProd` to the `Prod` environment: ```ts -const stage = pipeline.addApplicationStage(new MyApplication(/* ... */)); - -stage.addActions(new ShellScriptAction({ - actionName: 'MyValidation', - commands: ['curl -Ssf https://my.webservice.com/'], - // Optionally specify a VPC if, for example, the service is deployed with a private load balancer - vpc, - // Optionally specify SecurityGroups - securityGroups, - // Optionally specify a BuildEnvironment - environment, -})); +const preprod = new MyApplicationStage(this, 'PreProd', { ... }); +const prod = new MyApplicationStage(this, 'Prod', { ... }); + +pipeline.addStage(preprod, { + post: [ + new ShellStep('Validate Endpoint', { + commands: ['curl -Ssf https://my.webservice.com/'], + }), + ], +}); +pipeline.addStage(prod, { + pre: [ + new ManualApprovalStep('PromoteToProd'), + ], +}); ``` -### Using CloudFormation Stack Outputs in ShellScriptAction +#### Using CloudFormation Stack Outputs in approvals Because many CloudFormation deployments result in the generation of resources with unpredictable names, validations have support for reading back CloudFormation Outputs after a deployment. This makes it possible to pass (for example) the generated URL of a load balancer to the test set. To use Stack Outputs, expose the `CfnOutput` object you're interested in, and -call `pipeline.stackOutput()` on it: +pass it to `envFromCfnOutputs` of the `ShellStep`: ```ts -class MyLbApplication extends Stage { +class MyApplicationStage extends Stage { public readonly loadBalancerAddress: CfnOutput; - - constructor(scope: Construct, id: string, props?: StageProps) { - super(scope, id, props); - - const lbStack = new LoadBalancerStack(this, 'Stack'); - - // Or create this in `LoadBalancerStack` directly - this.loadBalancerAddress = new CfnOutput(lbStack, 'LbAddress', { - value: `https://${lbStack.loadBalancer.loadBalancerDnsName}/` - }); - } + // ... } -const lbApp = new MyLbApplication(this, 'MyApp', { - env: { /* ... */ } -}); -const stage = pipeline.addApplicationStage(lbApp); -stage.addActions(new ShellScriptAction({ - // ... - useOutputs: { - // When the test is executed, this will make $URL contain the - // load balancer address. - URL: pipeline.stackOutput(lbApp.loadBalancerAddress), - } +const lbApp = new MyApplicationStage(this, 'MyApp', { /* ... */ }); +pipeline.addStage(lbApp, { + post: [ + new ShellStep('HitEndpoint', { + envFromCfnOutputs: { + // Make the load balancer address available as $URL inside the commands + URL: lbApp.loadBalancerAddress, + }, + commands: ['curl -Ssf $URL'], + }); + ], }); ``` -### Using additional files in Shell Script Actions +#### Running scripts compiled during the synth step As part of a validation, you probably want to run a test suite that's more elaborate than what can be expressed in a couple of lines of shell script. You can bring additional files into the shell script validation by supplying -the `additionalArtifacts` property. +the `input` or `additionalInputs` property of `ShellStep`. The input can +be produced by the `Synth` step, or come from a source or any other build +step. -Here are some typical examples for how you might want to bring in additional -files from several sources: +Here's an example that captures an additional output directory in the synth +step and runs tests from there: -* Directory from the source repository -* Additional compiled artifacts from the synth step +```ts +const synth = new ShellStep('Synth', { /* ... */ }); +const pipeline = new CodePipeline(this, 'Pipeline', { synth }); -### Controlling IAM permissions +new ShellStep('Approve', { + // Use the contents of the 'integ' directory from the synth step as the input + input: synth.addOutputDirectory('integ'), + commands: ['cd integ && ./run.sh'], +}); +``` -IAM permissions can be added to the execution role of a `ShellScriptAction` in -two ways. +### Customizing CodeBuild Projects -Either pass additional policy statements in the `rolePolicyStatements` property: +CDK pipelines will generate CodeBuild projects for each `ShellStep` you use, and it +will also generate CodeBuild projects to publish assets and perform the self-mutation +of the pipeline. To control the various aspects of the CodeBuild projects that get +generated, use a `CodeBuildStep` instead of a `ShellStep`. This class has a number +of properties that allow you to customize various aspects of the projects: ```ts -new ShellScriptAction({ - // ... - rolePolicyStatements: [ - new iam.PolicyStatement({ - actions: ['s3:GetObject'], - resources: ['*'], - }), - ], -})); -``` +new CodeBuildStep('Synth', { + // ...standard RunScript props... + commands: [/* ... */], + env: { /* ... */ }, + + // If you are using a CodeBuildStep explicitly, set the 'cdk.out' directory + // to be the synth step's output. + primaryOutputDirectory: 'cdk.out', + + // Control the name of the project + projectName: 'MyProject', + + // Control parts of the BuildSpec other than the regular 'build' and 'install' commands + partialBuildSpec: codebuild.BuildSpec.fromObject({ + version: '0.2', + // ... + }), -The Action can also be used as a Grantable after having been added to a Pipeline: + // Control the build environment + buildEnvironment: { + computeType: codebuild.ComputeType.LARGE, + }, -```ts -const action = new ShellScriptAction({ /* ... */ }); -pipeline.addStage('Test').addActions(action); + // Control Elastic Network Interface creation + vpc: vpc, + subnetSelection: { subnetType: ec2.SubnetType.PRIVATE }, + securityGroups: [mySecurityGroup], -bucket.grantRead(action); + // Additional policy statements for the execution role + rolePolicy: [ + new iam.PolicyStatement({ /* ... */ }), + ], +}); ``` -#### Additional files from the source repository - -Bringing in additional files from the source repository is appropriate if the -files in the source repository are directly usable in the test (for example, -if they are executable shell scripts themselves). Pass the `sourceArtifact`: +You can also configure defaults for *all* CodeBuild projects by passing `codeBuildDefaults`, +or just for the asset publishing and self-mutation projects by passing `assetPublishingCodeBuildDefaults` +or `selfMutationCodeBuildDefaults`: ```ts -const sourceArtifact = new codepipeline.Artifact(); - -const pipeline = new CdkPipeline(this, 'Pipeline', { +new CodePipeline(this, 'Pipeline', { // ... -}); -const validationAction = new ShellScriptAction({ - actionName: 'TestUsingSourceArtifact', - additionalArtifacts: [sourceArtifact], + // Defaults for all CodeBuild projects + codeBuildDefaults: { + // Prepend commands and configuration to all projects + partialBuildSpec: codebuild.BuildSpec.fromObject({ + version: '0.2', + // ... + }), + + // Control the build environment + buildEnvironment: { + computeType: codebuild.ComputeType.LARGE, + }, - // 'test.sh' comes from the source repository - commands: ['./test.sh'], + // Control Elastic Network Interface creation + vpc: vpc, + subnetSelection: { subnetType: ec2.SubnetType.PRIVATE }, + securityGroups: [mySecurityGroup], + + // Additional policy statements for the execution role + rolePolicy: [ + new iam.PolicyStatement({ /* ... */ }), + ], + }, + + assetPublishingCodeBuildDefaults: { /* ... */ }, + selfMutationCodeBuildDefaults: { /* ... */ }, }); ``` -#### Additional files from the synth step +### Arbitrary CodePipeline actions -Getting the additional files from the synth step is appropriate if your -tests need the compilation step that is done as part of synthesis. +If you want to add a type of CodePipeline action to the CDK Pipeline that +doesn't have a matching class yet, you can define your own step class that extends +`Step` and implements `ICodePipelineActionFactory`. -On the synthesis step, specify `additionalArtifacts` to package -additional subdirectories into artifacts, and use the same artifact -in the `ShellScriptAction`'s `additionalArtifacts`: +Here's a simple example that adds a Jenkins step: ```ts -// If you are using additional output artifacts from the synth step, -// they must be named. -const cloudAssemblyArtifact = new codepipeline.Artifact('CloudAsm'); -const integTestsArtifact = new codepipeline.Artifact('IntegTests'); +class MyJenkinsStep extends Step implements ICodePipelineActionFactory { + constructor(private readonly provider: codepipeline_actions.JenkinsProvider, private readonly input: FileSet) { + } -const pipeline = new CdkPipeline(this, 'Pipeline', { - synthAction: SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - buildCommands: ['npm run build'], - additionalArtifacts: [ - { - directory: 'test', - artifact: integTestsArtifact, - } - ], - }), - // ... -}); + public produceAction(stage: codepipeline.IStage, options: ProduceActionOptions): CodePipelineActionFactoryResult { -const validationAction = new ShellScriptAction({ - actionName: 'TestUsingBuildArtifact', - additionalArtifacts: [integTestsArtifact], - // 'test.js' was produced from 'test/test.ts' during the synth step - commands: ['node ./test.js'], -}); + // This is where you control what type of Action gets added to the + // CodePipeline + stage.addAction(new codepipeline_actions.JenkinsAction({ + // Copy 'actionName' and 'runOrder' from the options + actionName: options.actionName, + runOrder: options.runOrder, + + // Jenkins-specific configuration + type: cpactions.JenkinsActionType.TEST, + jenkinsProvider: this.provider, + projectName: 'MyJenkinsProject', + + // Translate the FileSet into a codepipeline.Artifact + inputs: [options.artifacts.toCodePipeline(this.input)], + })); + + return { runOrdersConsumed: 1 }; + } +} ``` -#### Add Additional permissions to the CodeBuild Project Role for building and synthesizing +## Using Docker in the pipeline + +Docker can be used in 3 different places in the pipeline: + +* If you are using Docker image assets in your application stages: Docker will + run in the asset publishing projects. +* If you are using Docker image assets in your stack (for example as + images for your CodeBuild projects): Docker will run in the self-mutate project. +* If you are using Docker to bundle file assets anywhere in your project (for + example, if you are using such construct libraries as + `@aws-cdk/aws-lambda-nodejs`): Docker will run in the + *synth* project. -You can customize the role permissions used by the CodeBuild project so it has access to -the needed resources. eg: Adding CodeArtifact repo permissions so we pull npm packages -from the CA repo instead of NPM. +For the first case, you don't need to do anything special. For the other two cases, +you need to make sure that **privileged mode** is enabled on the correct CodeBuild +projects, so that Docker can run correctly. The follow sections describe how to do +that. + +You may also need to authenticate to Docker registries to avoid being throttled. +See the section **Authenticating to Docker registries** below for information on how to do +that. + +### Using Docker image assets in the pipeline + +If your `PipelineStack` is using Docker image assets (as opposed to the application +stacks the pipeline is deploying), for example by the use of `LinuxBuildImage.fromAsset()`, +you need to pass `dockerEnabledForSelfMutation: true` to the pipeline. For example: ```ts -class MyPipelineStack extends Stack { - constructor(scope: Construct, id: string, props?: StackProps) { - ... - const pipeline = new CdkPipeline(this, 'Pipeline', { - ... - synthAction: SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - - // Use this to customize and a permissions required for the build - // and synth - rolePolicyStatements: [ - new PolicyStatement({ - actions: ['codeartifact:*', 'sts:GetServiceBearerToken'], - resources: ['arn:codeartifact:repo:arn'], - }), - ], +const pipeline = new CodePipeline(this, 'Pipeline', { + // ... - // Then you can login to codeartifact repository - // and npm will now pull packages from your repository - // Note the codeartifact login command requires more params to work. - buildCommands: [ - 'aws codeartifact login --tool npm', - 'npm run build', - ], - }), - }); - } -} + // Turn this on because the pipeline uses Docker image assets + dockerEnabledForSelfMutation: true, +}); + +pipeline.addWave('MyWave', { + post: [ + new CodeBuildStep('RunApproval', { + commands: ['command-from-image'], + buildEnvironment: { + // The user of a Docker image asset in the pipeline requires turning on + // 'dockerEnabledForSelfMutation'. + buildImage: LinuxBuildImage.fromAsset(this, 'Image', { + directory: './docker-image', + }) + }, + }) + ], +}); ``` -### Developing the pipeline +> **Important**: You must turn on the `dockerEnabledForSelfMutation` flag, +> commit and allow the pipeline to self-update *before* adding the actual +> Docker asset. -The self-mutation feature of the `CdkPipeline` might at times get in the way -of the pipeline development workflow. Each change to the pipeline must be pushed -to git, otherwise, after the pipeline was updated using `cdk deploy`, it will -automatically revert to the state found in git. +### Using bundled file assets -To make the development more convenient, the self-mutation feature can be turned -off temporarily, by passing `selfMutating: false` property, example: +If you are using asset bundling anywhere (such as automatically done for you +if you add a construct like `@aws-cdk/aws-lambda-nodejs`), you need to pass +`dockerEnabledForSynth: true` to the pipeline. For example: ```ts -const pipeline = new CdkPipeline(this, 'Pipeline', { - selfMutating: false, - ... +const pipeline = new CodePipeline(this, 'Pipeline', { + // ... + + // Turn this on because the application uses bundled file assets + dockerEnabledForSynth: true, }); ``` -## Docker Registry Credentials +> **Important**: You must turn on the `dockerEnabledForSynth` flag, +> commit and allow the pipeline to self-update *before* adding the actual +> Docker asset. + +### Authenticating to Docker registries You can specify credentials to use for authenticating to Docker registries as part of the pipeline definition. This can be useful if any Docker image assets — in the pipeline or @@ -597,26 +686,27 @@ const customRegSecret = secretsmanager.Secret.fromSecretCompleteArn(this, 'CRSec const repo1 = ecr.Repository.fromRepositoryArn(stack, 'Repo', 'arn:aws:ecr:eu-west-1:0123456789012:repository/Repo1'); const repo2 = ecr.Repository.fromRepositoryArn(stack, 'Repo', 'arn:aws:ecr:eu-west-1:0123456789012:repository/Repo2'); -const pipeline = new CdkPipeline(this, 'Pipeline', { +const pipeline = new CodePipeline(this, 'Pipeline', { dockerCredentials: [ DockerCredential.dockerHub(dockerHubSecret), DockerCredential.customRegistry('dockerregistry.example.com', customRegSecret), DockerCredential.ecr([repo1, repo2]); ], - ... + // ... }); ``` -You can authenticate to DockerHub, or any other Docker registry, by specifying a secret -with the username and secret/password to pass to `docker login`. The names of the fields -within the secret to use for the username and password can be customized. Authentication -to ECR repostories is done using the execution role of the relevant CodeBuild job. Both -types of credentials can be provided with an optional role to assume before requesting -the credentials. +For authenticating to Docker registries that require a username and password combination +(like DockerHub), create a Secrets Manager Secret with fields named `username` +and `secret`, and import it (the field names change be customized). -By default, the Docker credentials provided to the pipeline will be available to the -Synth/Build, Self-Update, and Asset Publishing actions within the pipeline. The scope of -the credentials can be limited via the `DockerCredentialUsage` option. +Authentication to ECR repostories is done using the execution role of the +relevant CodeBuild job. Both types of credentials can be provided with an +optional role to assume before requesting the credentials. + +By default, the Docker credentials provided to the pipeline will be available to +the **Synth**, **Self-Update**, and **Asset Publishing** actions within the +*pipeline. The scope of the credentials can be limited via the `DockerCredentialUsage` option. ```ts const dockerHubSecret = secretsmanager.Secret.fromSecretCompleteArn(this, 'DHSecret', 'arn:aws:...'); @@ -640,6 +730,11 @@ Before you can provision the pipeline, you have to *bootstrap* the environment y to create it in. If you are deploying your application to different environments, you also have to bootstrap those and be sure to add a *trust* relationship. +After you have bootstrapped an environment and created a pipeline that deploys +to it, it's important that you don't delete the stack or change its *Qualifier*, +or future deployments to this environment will fail. If you want to upgrade +the bootstrap stack to a newer version, do that by updating it in-place. + > This library requires a newer version of the bootstrapping stack which has > been updated specifically to support cross-account continuous delivery. In the future, > this new bootstrapping stack will become the default, but for now it is still @@ -821,6 +916,16 @@ leading NPM 6 reading that same file to not install all required packages anymor Make sure you are using the same NPM version everywhere, either downgrade your workstation's version or upgrade the CodeBuild version. +### Cannot find module '.../check-node-version.js' (MODULE_NOT_FOUND) + +The above error may be produced by `npx` when executing the CDK CLI, or any +project that uses the AWS SDK for JavaScript, without the target application +having been installed yet. For example, it can be triggered by `npx cdk synth` +if `aws-cdk` is not in your `package.json`. + +Work around this by either installing the target application using NPM *before* +running `npx`, or set the environment variable `NPM_CONFIG_UNSAFE_PERM=true`. + ### Cannot connect to the Docker daemon at unix:///var/run/docker.sock If, in the 'Synth' action (inside the 'Build' stage) of your pipeline, you get an error like this: @@ -858,6 +963,13 @@ update to the right state). ### S3 error: Access Denied +An "S3 Access Denied" error can have two causes: + +* Asset hashes have changed, but self-mutation has been disabled in the pipeline. +* You have deleted and recreated the bootstrap stack, or changed its qualifier. + +#### Self-mutation step has been removed + Some constructs, such as EKS clusters, generate nested stacks. When CloudFormation tries to deploy those stacks, it may fail with this error: @@ -876,7 +988,7 @@ const pipeline = new CdkPipeline(this, 'MyPipeline', { }); ``` -### Action Execution Denied +#### Bootstrap roles have been renamed or recreated While attempting to deploy an application stage, the "Prepare" or "Deploy" stage may fail with a cryptic error like: @@ -922,7 +1034,7 @@ new MyStack(this, 'MyStack', { * Re-deploy the pipeline to use the original qualifier. * Delete the temporary bootstrap stack(s) -#### Manual Alternative +##### Manual Alternative Alternatively, the errors can be resolved by finding each impacted resource and policy, and correcting the policies by replacing the canonical IDs (e.g., `AROAYBRETNYCYV6ZF2R93`) with the appropriate ARNs. As an example, the KMS @@ -942,13 +1054,6 @@ encryption key policy for the artifacts bucket may have a statement that looks l Any resource or policy that references the qualifier (`hnb659fds` by default) will need to be updated. -## Current Limitations - -Limitations that we are aware of and will address: - -* **No context queries**: context queries are not supported. That means that - Vpc.fromLookup() and other functions like it will not work [#8905](https://github.com/aws/aws-cdk/issues/8905). - ## Known Issues There are some usability issues that are caused by underlying technology, and diff --git a/packages/@aws-cdk/pipelines/lib/blueprint/asset-type.ts b/packages/@aws-cdk/pipelines/lib/blueprint/asset-type.ts new file mode 100644 index 0000000000000..3fe015586a7c9 --- /dev/null +++ b/packages/@aws-cdk/pipelines/lib/blueprint/asset-type.ts @@ -0,0 +1,15 @@ +/** + * Type of the asset that is being published + */ +export enum AssetType { + /** + * A file + */ + FILE = 'file', + + /** + * A Docker image + */ + DOCKER_IMAGE = 'docker-image', +} + diff --git a/packages/@aws-cdk/pipelines/lib/blueprint/file-set.ts b/packages/@aws-cdk/pipelines/lib/blueprint/file-set.ts new file mode 100644 index 0000000000000..8070bf30de2be --- /dev/null +++ b/packages/@aws-cdk/pipelines/lib/blueprint/file-set.ts @@ -0,0 +1,66 @@ +import { Step } from './step'; + +/** + * A set of files traveling through the deployment pipeline + * + * Individual steps in the pipeline produce or consume + * `FileSet`s. + */ +export class FileSet implements IFileSetProducer { + /** + * The primary output of a file set producer + * + * The primary output of a FileSet is itself. + */ + public readonly primaryOutput?: FileSet = this; + private _producer?: Step; + + constructor( + /** Human-readable descriptor for this file set (does not need to be unique) */ + public readonly id: string, producer?: Step) { + this._producer = producer; + } + + /** + * The Step that produces this FileSet + */ + public get producer() { + if (!this._producer) { + throw new Error(`FileSet '${this.id}' doesn\'t have a producer; call 'fileSet.producedBy()'`); + } + return this._producer; + } + + /** + * Mark the given Step as the producer for this FileSet + * + * This method can only be called once. + */ + public producedBy(producer?: Step) { + if (this._producer) { + throw new Error(`FileSet '${this.id}' already has a producer (${this._producer}) while setting producer: ${producer}`); + } + this._producer = producer; + } + + /** + * Return a string representation of this FileSet + */ + public toString() { + return `FileSet(${this.id})`; + } +} + +/** + * Any class that produces, or is itself, a `FileSet` + * + * Steps implicitly produce a primary FileSet as an output. + */ +export interface IFileSetProducer { + /** + * The `FileSet` produced by this file set producer + * + * @default - This producer doesn't produce any file set + */ + readonly primaryOutput?: FileSet; +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/lib/blueprint/index.ts b/packages/@aws-cdk/pipelines/lib/blueprint/index.ts new file mode 100644 index 0000000000000..d842ca1c7cd67 --- /dev/null +++ b/packages/@aws-cdk/pipelines/lib/blueprint/index.ts @@ -0,0 +1,8 @@ +export * from './asset-type'; +export * from './file-set'; +export * from './script-step'; +export * from './stack-deployment'; +export * from './stage-deployment'; +export * from './step'; +export * from './wave'; +export * from './manual-approval'; \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/lib/blueprint/manual-approval.ts b/packages/@aws-cdk/pipelines/lib/blueprint/manual-approval.ts new file mode 100644 index 0000000000000..859c279533fa3 --- /dev/null +++ b/packages/@aws-cdk/pipelines/lib/blueprint/manual-approval.ts @@ -0,0 +1,37 @@ +import { Step } from './step'; + +/** + * Construction properties for a `ManualApprovalStep` + */ +export interface ManualApprovalStepProps { + /** + * The comment to display with this manual approval + * + * @default - No comment + */ + readonly comment?: string; +} + +/** + * A manual approval step + * + * If this step is added to a Pipeline, the Pipeline will + * be paused waiting for a human to resume it + * + * Only engines that support pausing the deployment will + * support this step type. + */ +export class ManualApprovalStep extends Step { + /** + * The comment associated with this manual approval + * + * @default - No comment + */ + public readonly comment?: string; + + constructor(id: string, props: ManualApprovalStepProps = {}) { + super(id); + + this.comment = props.comment; + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/lib/blueprint/script-step.ts b/packages/@aws-cdk/pipelines/lib/blueprint/script-step.ts new file mode 100644 index 0000000000000..75c1883d92419 --- /dev/null +++ b/packages/@aws-cdk/pipelines/lib/blueprint/script-step.ts @@ -0,0 +1,275 @@ +import { CfnOutput, Stack } from '@aws-cdk/core'; +import { mapValues } from '../private/javascript'; +import { FileSet, IFileSetProducer } from './file-set'; +import { StackDeployment } from './stack-deployment'; +import { Step } from './step'; + +/** + * Construction properties for a `ShellStep`. + */ +export interface ShellStepProps { + /** + * Commands to run + */ + readonly commands: string[]; + + /** + * Installation commands to run before the regular commands + * + * For deployment engines that support it, install commands will be classified + * differently in the job history from the regular `commands`. + * + * @default - No installation commands + */ + readonly installCommands?: string[]; + + /** + * Environment variables to set + * + * @default - No environment variables + */ + readonly env?: Record; + + /** + * Set environment variables based on Stack Outputs + * + * `ShellStep`s following stack or stage deployments may + * access the `CfnOutput`s of those stacks to get access to + * --for example--automatically generated resource names or + * endpoint URLs. + * + * @default - No environment variables created from stack outputs + */ + readonly envFromCfnOutputs?: Record; + + /** + * FileSet to run these scripts on + * + * The files in the FileSet will be placed in the working directory when + * the script is executed. Use `additionalInputs` to download file sets + * to other directories as well. + * + * @default - No input specified + */ + readonly input?: IFileSetProducer; + + /** + * Additional FileSets to put in other directories + * + * Specifies a mapping from directory name to FileSets. During the + * script execution, the FileSets will be available in the directories + * indicated. + * + * The directory names may be relative. For example, you can put + * the main input and an additional input side-by-side with the + * following configuration: + * + * ```ts + * const script = new ShellStep('MainScript', { + * // ... + * input: MyEngineSource.gitHub('org/source1'), + * additionalInputs: { + * '../siblingdir': MyEngineSource.gitHub('org/source2'), + * } + * }); + * ``` + * + * @default - No additional inputs + */ + readonly additionalInputs?: Record; + + /** + * The directory that will contain the primary output fileset + * + * After running the script, the contents of the given directory + * will be treated as the primary output of this Step. + * + * @default - No primary output + */ + readonly primaryOutputDirectory?: string; + +} + +/** + * Run shell script commands in the pipeline + */ +export class ShellStep extends Step { + /** + * Commands to run + */ + public readonly commands: string[]; + + /** + * Installation commands to run before the regular commands + * + * For deployment engines that support it, install commands will be classified + * differently in the job history from the regular `commands`. + * + * @default - No installation commands + */ + public readonly installCommands: string[]; + + /** + * Environment variables to set + * + * @default - No environment variables + */ + public readonly env: Record; + + /** + * Set environment variables based on Stack Outputs + * + * @default - No environment variables created from stack outputs + */ + public readonly envFromCfnOutputs: Record; + + /** + * Input FileSets + * + * A list of `(FileSet, directory)` pairs, which are a copy of the + * input properties. This list should not be modified directly. + */ + public readonly inputs: FileSetLocation[] = []; + + /** + * Output FileSets + * + * A list of `(FileSet, directory)` pairs, which are a copy of the + * input properties. This list should not be modified directly. + */ + public readonly outputs: FileSetLocation[] = []; + + private readonly _additionalOutputs: Record = {}; + + private _primaryOutputDirectory?: string; + + constructor(id: string, props: ShellStepProps) { + super(id); + + this.commands = props.commands; + this.installCommands = props.installCommands ?? []; + this.env = props.env ?? {}; + this.envFromCfnOutputs = mapValues(props.envFromCfnOutputs ?? {}, StackOutputReference.fromCfnOutput); + + // Inputs + if (props.input) { + const fileSet = props.input.primaryOutput; + if (!fileSet) { + throw new Error(`'${id}': primary input should be a step that produces a file set, got ${props.input}`); + } + this.addDependencyFileSet(fileSet); + this.inputs.push({ directory: '.', fileSet }); + } + + for (const [directory, step] of Object.entries(props.additionalInputs ?? {})) { + if (directory === '.') { + throw new Error(`'${id}': input for directory '.' should be passed via 'input' property`); + } + + const fileSet = step.primaryOutput; + if (!fileSet) { + throw new Error(`'${id}': additionalInput for directory '${directory}' should be a step that produces a file set, got ${step}`); + } + this.addDependencyFileSet(fileSet); + this.inputs.push({ directory, fileSet }); + } + + // Outputs + + if (props.primaryOutputDirectory) { + this._primaryOutputDirectory = props.primaryOutputDirectory; + const fileSet = new FileSet('Output', this); + this.configurePrimaryOutput(fileSet); + this.outputs.push({ directory: props.primaryOutputDirectory, fileSet }); + } + } + + /** + * Configure the given output directory as primary output + * + * If no primary output has been configured yet, this directory + * will become the primary output of this ShellStep, otherwise this + * method will throw if the given directory is different than the + * currently configured primary output directory. + */ + public primaryOutputDirectory(directory: string): FileSet { + if (this._primaryOutputDirectory !== undefined) { + if (this._primaryOutputDirectory !== directory) { + throw new Error(`${this}: primaryOutputDirectory is '${this._primaryOutputDirectory}', cannot be changed to '${directory}'`); + } + + return this.primaryOutput!; + } + + this._primaryOutputDirectory = directory; + const fileSet = new FileSet('Output', this); + this.configurePrimaryOutput(fileSet); + this.outputs.push({ directory: directory, fileSet }); + return fileSet; + } + + /** + * Add an additional output FileSet based on a directory. + * + * + * After running the script, the contents of the given directory + * will be exported as a `FileSet`. Use the `FileSet` as the + * input to another step. + * + * Multiple calls with the exact same directory name string (not normalized) + * will return the same FileSet. + */ + public addOutputDirectory(directory: string): FileSet { + let fileSet = this._additionalOutputs[directory]; + if (!fileSet) { + fileSet = new FileSet(directory, this); + this._additionalOutputs[directory] = fileSet; + this.outputs.push({ directory, fileSet }); + } + return fileSet; + } +} + +/** + * Location of a FileSet consumed or produced by a ShellStep + */ +export interface FileSetLocation { + /** + * The (relative) directory where the FileSet is found + */ + readonly directory: string; + + /** + * The FileSet object + */ + readonly fileSet: FileSet; +} + +/** + * A Reference to a Stack Output + */ +export class StackOutputReference { + /** + * Create a StackOutputReference that references the given CfnOutput + */ + public static fromCfnOutput(output: CfnOutput) { + const stack = Stack.of(output); + return new StackOutputReference(stack.node.path, stack.artifactId, stack.resolve(output.logicalId)); + } + + private constructor( + /** A human-readable description of the producing stack */ + public readonly stackDescription: string, + /** Artifact id of the producing stack */ + private readonly stackArtifactId: string, + /** Output name of the producing stack */ + public readonly outputName: string) { + } + + /** + * Whether or not this stack output is being produced by the given Stack deployment + */ + public isProducedBy(stack: StackDeployment) { + return stack.stackArtifactId === this.stackArtifactId; + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/lib/blueprint/stack-deployment.ts b/packages/@aws-cdk/pipelines/lib/blueprint/stack-deployment.ts new file mode 100644 index 0000000000000..2fe74ef15ccd3 --- /dev/null +++ b/packages/@aws-cdk/pipelines/lib/blueprint/stack-deployment.ts @@ -0,0 +1,311 @@ +import * as path from 'path'; +import { parse as parseUrl } from 'url'; +import * as cxapi from '@aws-cdk/cx-api'; +import { AssetManifestReader, DockerImageManifestEntry, FileManifestEntry } from '../private/asset-manifest'; +import { isAssetManifest } from '../private/cloud-assembly-internals'; +import { AssetType } from './asset-type'; + +/** + * Properties for a `StackDeployment` + */ +export interface StackDeploymentProps { + /** + * Artifact ID for this stack + */ + readonly stackArtifactId: string; + + /** + * Construct path for this stack + */ + readonly constructPath: string; + + /** + * Name for this stack + */ + readonly stackName: string; + + /** + * Region where the stack should be deployed + * + * @default - Pipeline region + */ + readonly region?: string; + + /** + * Account where the stack should be deployed + * + * @default - Pipeline account + */ + readonly account?: string; + + /** + * Role to assume before deploying this stack + * + * @default - Don't assume any role + */ + readonly assumeRoleArn?: string; + + /** + * Execution role to pass to CloudFormation + * + * @default - No execution role + */ + readonly executionRoleArn?: string; + + /** + * Tags to apply to the stack + * + * @default - No tags + */ + readonly tags?: Record; + + /** + * Template path on disk to cloud assembly (cdk.out) + */ + readonly absoluteTemplatePath: string; + + /** + * Assets referenced by this stack + * + * @default - No assets + */ + readonly assets?: StackAsset[]; + + /** + * The S3 URL which points to the template asset location in the publishing + * bucket. + * + * @default - Stack template is not published + */ + readonly templateS3Uri?: string; +} + +/** + * Deployment of a single Stack + * + * You don't need to instantiate this class -- it will + * be automatically instantiated as necessary when you + * add a `Stage` to a pipeline. + */ +export class StackDeployment { + /** + * Build a `StackDeployment` from a Stack Artifact in a Cloud Assembly. + */ + public static fromArtifact(stackArtifact: cxapi.CloudFormationStackArtifact): StackDeployment { + const artRegion = stackArtifact.environment.region; + const region = artRegion === cxapi.UNKNOWN_REGION ? undefined : artRegion; + const artAccount = stackArtifact.environment.account; + const account = artAccount === cxapi.UNKNOWN_ACCOUNT ? undefined : artAccount; + + return new StackDeployment({ + account, + region, + tags: stackArtifact.tags, + stackArtifactId: stackArtifact.id, + constructPath: stackArtifact.hierarchicalId, + stackName: stackArtifact.stackName, + absoluteTemplatePath: path.join(stackArtifact.assembly.directory, stackArtifact.templateFile), + assumeRoleArn: stackArtifact.assumeRoleArn, + executionRoleArn: stackArtifact.cloudFormationExecutionRoleArn, + assets: extractStackAssets(stackArtifact), + templateS3Uri: stackArtifact.stackTemplateAssetObjectUrl, + }); + } + + /** + * Artifact ID for this stack + */ + public readonly stackArtifactId: string; + + /** + * Construct path for this stack + */ + public readonly constructPath: string; + + /** + * Name for this stack + */ + public readonly stackName: string; + + /** + * Region where the stack should be deployed + * + * @default - Pipeline region + */ + public readonly region?: string; + + /** + * Account where the stack should be deployed + * + * @default - Pipeline account + */ + public readonly account?: string; + + /** + * Role to assume before deploying this stack + * + * @default - Don't assume any role + */ + public readonly assumeRoleArn?: string; + + /** + * Execution role to pass to CloudFormation + * + * @default - No execution role + */ + public readonly executionRoleArn?: string; + + /** + * Tags to apply to the stack + */ + public readonly tags: Record; + + /** + * Assets referenced by this stack + */ + public readonly assets: StackAsset[]; + + /** + * Other stacks this stack depends on + */ + public readonly stackDependencies: StackDeployment[] = []; + + /** + * The asset that represents the CloudFormation template for this stack. + */ + public readonly templateAsset?: StackAsset; + + /** + * The S3 URL which points to the template asset location in the publishing + * bucket. + * + * This is `undefined` if the stack template is not published. Use the + * `DefaultStackSynthesizer` to ensure it is. + * + * @example https://bucket.s3.amazonaws.com/object/key + */ + public readonly templateUrl?: string; + + /** + * Template path on disk to CloudAssembly + */ + public readonly absoluteTemplatePath: string; + + private constructor(props: StackDeploymentProps) { + this.stackArtifactId = props.stackArtifactId; + this.constructPath = props.constructPath; + this.account = props.account; + this.region = props.region; + this.tags = props.tags ?? {}; + this.assumeRoleArn = props.assumeRoleArn; + this.executionRoleArn = props.executionRoleArn; + this.stackName = props.stackName; + this.absoluteTemplatePath = props.absoluteTemplatePath; + this.templateUrl = props.templateS3Uri ? s3UrlFromUri(props.templateS3Uri, props.region) : undefined; + + this.assets = new Array(); + + for (const asset of props.assets ?? []) { + if (asset.isTemplate) { + this.templateAsset = asset; + } else { + this.assets.push(asset); + } + } + } + + /** + * Add a dependency on another stack + */ + public addStackDependency(stackDeployment: StackDeployment) { + this.stackDependencies.push(stackDeployment); + } +} + +/** + * An asset used by a Stack + */ +export interface StackAsset { + /** + * Absolute asset manifest path + * + * This needs to be made relative at a later point in time, but when this + * information is parsed we don't know about the root cloud assembly yet. + */ + readonly assetManifestPath: string; + + /** + * Asset identifier + */ + readonly assetId: string; + + /** + * Asset selector to pass to `cdk-assets`. + */ + readonly assetSelector: string; + + /** + * Type of asset to publish + */ + readonly assetType: AssetType; + + /** + * Role ARN to assume to publish + * + * @default - No need to assume any role + */ + readonly assetPublishingRoleArn?: string; + + /** + * Does this asset represent the CloudFormation template for the stack + * + * @default false + */ + readonly isTemplate: boolean; +} + +function extractStackAssets(stackArtifact: cxapi.CloudFormationStackArtifact): StackAsset[] { + const ret = new Array(); + + const assetManifests = stackArtifact.dependencies.filter(isAssetManifest); + for (const manifestArtifact of assetManifests) { + const manifest = AssetManifestReader.fromFile(manifestArtifact.file); + + for (const entry of manifest.entries) { + let assetType: AssetType; + let isTemplate = false; + + if (entry instanceof DockerImageManifestEntry) { + assetType = AssetType.DOCKER_IMAGE; + } else if (entry instanceof FileManifestEntry) { + isTemplate = entry.source.packaging === 'file' && entry.source.path === stackArtifact.templateFile; + assetType = AssetType.FILE; + } else { + throw new Error(`Unrecognized asset type: ${entry.type}`); + } + + ret.push({ + assetManifestPath: manifestArtifact.file, + assetId: entry.id.assetId, + assetSelector: entry.id.toString(), + assetType, + assetPublishingRoleArn: entry.destination.assumeRoleArn, + isTemplate, + }); + } + } + + return ret; +} + +/** + * Takes an s3://bucket/object-key uri and returns a region-aware https:// url for it + * + * @param uri The s3 URI + * @param region The region (if undefined, we will return the global endpoint) + * @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/VirtualHosting.html#virtual-hosted-style-access + */ +function s3UrlFromUri(uri: string, region: string | undefined) { + const url = parseUrl(uri); + return `https://${url.hostname}.s3.${region ? `${region}.` : ''}amazonaws.com${url.path}`; +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/lib/blueprint/stage-deployment.ts b/packages/@aws-cdk/pipelines/lib/blueprint/stage-deployment.ts new file mode 100644 index 0000000000000..499d324dfb25f --- /dev/null +++ b/packages/@aws-cdk/pipelines/lib/blueprint/stage-deployment.ts @@ -0,0 +1,118 @@ +import * as cdk from '@aws-cdk/core'; +import { CloudFormationStackArtifact } from '@aws-cdk/cx-api'; +import { isStackArtifact } from '../private/cloud-assembly-internals'; +import { StackDeployment } from './stack-deployment'; +import { Step } from './step'; + +/** + * Properties for a `StageDeployment` + */ +export interface StageDeploymentProps { + /** + * Stage name to use in the pipeline + * + * @default - Use Stage's construct ID + */ + readonly stageName?: string; + + /** + * Additional steps to run before any of the stacks in the stage + * + * @default - No additional steps + */ + readonly pre?: Step[]; + + /** + * Additional steps to run after all of the stacks in the stage + * + * @default - No additional steps + */ + readonly post?: Step[]; +} + +/** + * Deployment of a single `Stage` + * + * A `Stage` consists of one or more `Stacks`, which will be + * deployed in dependency order. + */ +export class StageDeployment { + /** + * Create a new `StageDeployment` from a `Stage` + * + * Synthesizes the target stage, and deployes the stacks found inside + * in dependency order. + */ + public static fromStage(stage: cdk.Stage, props: StageDeploymentProps = {}) { + const assembly = stage.synth(); + if (assembly.stacks.length === 0) { + // If we don't check here, a more puzzling "stage contains no actions" + // error will be thrown come deployment time. + throw new Error(`The given Stage construct ('${stage.node.path}') should contain at least one Stack`); + } + + const stepFromArtifact = new Map(); + for (const artifact of assembly.stacks) { + const step = StackDeployment.fromArtifact(artifact); + stepFromArtifact.set(artifact, step); + } + + for (const artifact of assembly.stacks) { + const thisStep = stepFromArtifact.get(artifact); + if (!thisStep) { + throw new Error('Logic error: we just added a step for this artifact but it disappeared.'); + } + + const stackDependencies = artifact.dependencies.filter(isStackArtifact); + for (const dep of stackDependencies) { + const depStep = stepFromArtifact.get(dep); + if (!depStep) { + throw new Error(`Stack '${artifact.id}' depends on stack not found in same Stage: '${dep.id}'`); + } + thisStep.addStackDependency(depStep); + } + } + + return new StageDeployment(Array.from(stepFromArtifact.values()), { + stageName: stage.stageName, + ...props, + }); + } + + /** + * The display name of this stage + */ + public readonly stageName: string; + + /** + * Additional steps that are run before any of the stacks in the stage + */ + public readonly pre: Step[]; + + /** + * Additional steps that are run after all of the stacks in the stage + */ + public readonly post: Step[]; + + private constructor( + /** The stacks deployed in this stage */ + public readonly stacks: StackDeployment[], props: StageDeploymentProps = {}) { + this.stageName = props.stageName ?? ''; + this.pre = props.pre ?? []; + this.post = props.post ?? []; + } + + /** + * Add an additional step to run before any of the stacks in this stage + */ + public addPre(...steps: Step[]) { + this.pre.push(...steps); + } + + /** + * Add an additional step to run after all of the stacks in this stage + */ + public addPost(...steps: Step[]) { + this.post.push(...steps); + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/lib/blueprint/step.ts b/packages/@aws-cdk/pipelines/lib/blueprint/step.ts new file mode 100644 index 0000000000000..e252765efd04e --- /dev/null +++ b/packages/@aws-cdk/pipelines/lib/blueprint/step.ts @@ -0,0 +1,72 @@ +import { FileSet, IFileSetProducer } from './file-set'; + +/** + * A generic Step which can be added to a Pipeline + * + * Steps can be used to add Sources, Build Actions and Validations + * to your pipeline. + * + * This class is abstract. See specific subclasses of Step for + * useful steps to add to your Pipeline + */ +export abstract class Step implements IFileSetProducer { + /** + * The list of FileSets consumed by this Step + */ + public readonly dependencyFileSets: FileSet[] = []; + + /** + * Whether or not this is a Source step + * + * What it means to be a Source step depends on the engine. + */ + public readonly isSource: boolean = false; + + private _primaryOutput?: FileSet; + + constructor( + /** Identifier for this step */ + public readonly id: string) { + } + + /** + * Return the steps this step depends on, based on the FileSets it requires + */ + public get dependencies(): Step[] { + return this.dependencyFileSets.map(f => f.producer); + } + + /** + * Return a string representation of this Step + */ + public toString() { + return `${this.constructor.name}(${this.id})`; + } + + /** + * The primary FileSet produced by this Step + * + * Not all steps produce an output FileSet--if they do + * you can substitute the `Step` object for the `FileSet` object. + */ + public get primaryOutput(): FileSet | undefined { + // Accessor so it can be mutable in children + return this._primaryOutput; + } + + /** + * Add an additional FileSet to the set of file sets required by this step + * + * This will lead to a dependency on the producer of that file set. + */ + protected addDependencyFileSet(fs: FileSet) { + this.dependencyFileSets.push(fs); + } + + /** + * Configure the given FileSet as the primary output of this step + */ + protected configurePrimaryOutput(fs: FileSet) { + this._primaryOutput = fs; + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/lib/blueprint/wave.ts b/packages/@aws-cdk/pipelines/lib/blueprint/wave.ts new file mode 100644 index 0000000000000..709d43a1ed8bd --- /dev/null +++ b/packages/@aws-cdk/pipelines/lib/blueprint/wave.ts @@ -0,0 +1,113 @@ +import * as cdk from '@aws-cdk/core'; +import { StageDeployment } from './stage-deployment'; +import { Step } from './step'; + +/** + * Construction properties for a `Wave` + */ +export interface WaveProps { + /** + * Additional steps to run before any of the stages in the wave + * + * @default - No additional steps + */ + readonly pre?: Step[]; + + /** + * Additional steps to run after all of the stages in the wave + * + * @default - No additional steps + */ + readonly post?: Step[]; +} + +/** + * Multiple stages that are deployed in parallel + */ +export class Wave { + /** + * Additional steps that are run before any of the stages in the wave + */ + public readonly pre: Step[]; + + /** + * Additional steps that are run after all of the stages in the wave + */ + public readonly post: Step[]; + + /** + * The stages that are deployed in this wave + */ + public readonly stages: StageDeployment[] = []; + + constructor( + /** Identifier for this Wave */ + public readonly id: string, props: WaveProps = {}) { + this.pre = props.pre ?? []; + this.post = props.post ?? []; + } + + /** + * Add a Stage to this wave + * + * It will be deployed in parallel with all other stages in this + * wave. + */ + public addStage(stage: cdk.Stage, options: AddStageOpts = {}) { + const ret = StageDeployment.fromStage(stage, options); + this.stages.push(ret); + return ret; + } + + /** + * Add an additional step to run before any of the stages in this wave + */ + public addPre(...steps: Step[]) { + this.pre.push(...steps); + } + + /** + * Add an additional step to run after all of the stages in this wave + */ + public addPost(...steps: Step[]) { + this.post.push(...steps); + } +} + +/** + * Options to pass to `addStage` + */ +export interface AddStageOpts { + /** + * Additional steps to run before any of the stacks in the stage + * + * @default - No additional steps + */ + readonly pre?: Step[]; + + /** + * Additional steps to run after all of the stacks in the stage + * + * @default - No additional steps + */ + readonly post?: Step[]; +} + +/** + * Options to pass to `addWave` + */ +export interface WaveOptions { + /** + * Additional steps to run before any of the stages in the wave + * + * @default - No additional steps + */ + readonly pre?: Step[]; + + /** + * Additional steps to run after all of the stages in the wave + * + * @default - No additional steps + */ + readonly post?: Step[]; +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/lib/codepipeline/_codebuild-factory.ts b/packages/@aws-cdk/pipelines/lib/codepipeline/_codebuild-factory.ts new file mode 100644 index 0000000000000..f814e8b8fe272 --- /dev/null +++ b/packages/@aws-cdk/pipelines/lib/codepipeline/_codebuild-factory.ts @@ -0,0 +1,502 @@ +import * as crypto from 'crypto'; +import * as fs from 'fs'; +import * as path from 'path'; +import * as codebuild from '@aws-cdk/aws-codebuild'; +import * as codepipeline from '@aws-cdk/aws-codepipeline'; +import * as codepipeline_actions from '@aws-cdk/aws-codepipeline-actions'; +import * as ec2 from '@aws-cdk/aws-ec2'; +import * as iam from '@aws-cdk/aws-iam'; +import { IDependable, Stack } from '@aws-cdk/core'; +import { Construct, Node } from 'constructs'; +import { FileSetLocation, ShellStep, StackDeployment, StackOutputReference } from '../blueprint'; +import { PipelineQueries } from '../helpers-internal/pipeline-queries'; +import { cloudAssemblyBuildSpecDir, obtainScope } from '../private/construct-internals'; +import { mapValues, mkdict, noEmptyObject, noUndefined, partition } from '../private/javascript'; +import { ArtifactMap } from './artifact-map'; +import { CodeBuildStep } from './codebuild-step'; +import { CodeBuildOptions } from './codepipeline'; +import { ICodePipelineActionFactory, ProduceActionOptions, CodePipelineActionFactoryResult } from './codepipeline-action-factory'; + +export interface CodeBuildFactoryProps { + /** + * Name for the generated CodeBuild project + * + * @default - Automatically generated + */ + readonly projectName?: string; + + /** + * Customization options for the project + * + * Will at CodeBuild production time be combined with the option + * defaults configured on the pipeline. + * + * @default - No special values + */ + readonly projectOptions?: CodeBuildOptions; + + /** + * Custom execution role to be used for the CodeBuild project + * + * @default - A role is automatically created + */ + readonly role?: iam.IRole; + + /** + * If true, the build spec will be passed via the Cloud Assembly instead of rendered onto the Project + * + * Doing this has two advantages: + * + * - Bypass size restrictions: the buildspec on the project is restricted + * in size, while buildspecs coming from an input artifact are not restricted + * in such a way. + * - Bypass pipeline update: if the SelfUpdate step has to change the buildspec, + * that just takes time. On the other hand, if the buildspec comes from the + * pipeline artifact, no such update has to take place. + * + * @default false + */ + readonly passBuildSpecViaCloudAssembly?: boolean; + + /** + * Override the construct tree where the CodeBuild project is created. + * + * Normally, the construct tree will look like this: + * + * ── Pipeline + * └── 'MyStage' <- options.scope + * └── 'MyAction' <- this is the CodeBuild project + * + * If this flag is set, the construct tree will look like this: + * + * ── Pipeline + * └── 'MyStage' <- options.scope + * └── 'MyAction' <- just a scope + * └── 'BackwardsCompatName' <- CodeBuild project + * + * This is to maintain logicalID compatibility with the previous iteration + * of pipelines (where the Action was a construct that would create the Project). + * + * @default true + */ + readonly additionalConstructLevel?: boolean; + + /** + * Additional dependency that the CodeBuild project should take + * + * @default - + */ + readonly additionalDependable?: IDependable; + + readonly inputs?: FileSetLocation[]; + readonly outputs?: FileSetLocation[]; + + readonly stepId?: string; + + readonly commands: string[]; + readonly installCommands?: string[]; + + readonly env?: Record; + readonly envFromCfnOutputs?: Record; + + /** + * If given, override the scope from the produce call with this scope. + */ + readonly scope?: Construct; + + /** + * Whether or not the given CodeBuild project is going to be the synth step + * + * @default false + */ + readonly isSynth?: boolean; +} + +/** + * Produce a CodeBuild project from a RunScript step and some CodeBuild-specific customizations + * + * The functionality here is shared between the `CodePipeline` translating a `ShellStep` into + * a CodeBuild project, as well as the `CodeBuildStep` straight up. + */ +export class CodeBuildFactory implements ICodePipelineActionFactory { + // eslint-disable-next-line max-len + public static fromShellStep(constructId: string, scriptStep: ShellStep, additional?: Partial): ICodePipelineActionFactory { + return new CodeBuildFactory(constructId, { + commands: scriptStep.commands, + env: scriptStep.env, + envFromCfnOutputs: scriptStep.envFromCfnOutputs, + inputs: scriptStep.inputs, + outputs: scriptStep.outputs, + stepId: scriptStep.id, + installCommands: scriptStep.installCommands, + ...additional, + }); + } + + public static fromCodeBuildStep(constructId: string, step: CodeBuildStep, additional?: Partial): ICodePipelineActionFactory { + const factory = CodeBuildFactory.fromShellStep(constructId, step, { + projectName: step.projectName, + role: step.role, + projectOptions: { + buildEnvironment: step.buildEnvironment, + rolePolicy: step.rolePolicyStatements, + securityGroups: step.securityGroups, + partialBuildSpec: step.partialBuildSpec, + vpc: step.vpc, + subnetSelection: step.subnetSelection, + ...additional?.projectOptions, + }, + ...additional, + }); + + return { + produceAction: (stage, options) => { + const result = factory.produceAction(stage, options); + if (result.project) { + step._setProject(result.project); + } + return result; + }, + }; + } + + private _project?: codebuild.IProject; + private stepId: string; + + private constructor( + private readonly constructId: string, + private readonly props: CodeBuildFactoryProps) { + + this.stepId = props.stepId ?? constructId; + } + + public get project(): codebuild.IProject { + if (!this._project) { + throw new Error('Project becomes available after produce() has been called'); + } + return this._project; + } + + public produceAction(stage: codepipeline.IStage, options: ProduceActionOptions): CodePipelineActionFactoryResult { + const projectOptions = mergeCodeBuildOptions(options.codeBuildDefaults, this.props.projectOptions); + + const inputs = this.props.inputs ?? []; + const outputs = this.props.outputs ?? []; + + const mainInput = inputs.find(x => x.directory === '.'); + const extraInputs = inputs.filter(x => x.directory !== '.'); + + const inputArtifact = mainInput + ? options.artifacts.toCodePipeline(mainInput.fileSet) + : options.fallbackArtifact; + const extraInputArtifacts = extraInputs.map(x => options.artifacts.toCodePipeline(x.fileSet)); + const outputArtifacts = outputs.map(x => options.artifacts.toCodePipeline(x.fileSet)); + + if (!inputArtifact) { + // This should actually never happen because CodeBuild projects shouldn't be added before the + // Source, which always produces at least an artifact. + throw new Error(`CodeBuild action '${this.stepId}' requires an input (and the pipeline doesn't have a Source to fall back to). Add an input or a pipeline source.`); + } + + const installCommands = [ + ...generateInputArtifactLinkCommands(options.artifacts, extraInputs), + ...this.props.installCommands ?? [], + ]; + + const buildSpecHere = codebuild.BuildSpec.fromObject({ + version: '0.2', + phases: { + install: (installCommands.length ?? 0) > 0 ? { commands: installCommands } : undefined, + build: this.props.commands.length > 0 ? { commands: this.props.commands } : undefined, + }, + artifacts: noEmptyObject(renderArtifactsBuildSpec(options.artifacts, this.props.outputs ?? [])), + }); + + // Partition environment variables into environment variables that can go on the project + // and environment variables that MUST go in the pipeline (those that reference CodePipeline variables) + const env = noUndefined(this.props.env ?? {}); + + const [actionEnvs, projectEnvs] = partition(Object.entries(env ?? {}), ([, v]) => containsPipelineVariable(v)); + + const environment = mergeBuildEnvironments( + projectOptions?.buildEnvironment ?? {}, + { + environmentVariables: noEmptyObject(mapValues(mkdict(projectEnvs), value => ({ value }))), + }); + + const fullBuildSpec = options.codeBuildDefaults?.partialBuildSpec + ? codebuild.mergeBuildSpecs(options.codeBuildDefaults?.partialBuildSpec, buildSpecHere) + : buildSpecHere; + + const osFromEnvironment = environment.buildImage && environment.buildImage instanceof codebuild.WindowsBuildImage + ? ec2.OperatingSystemType.WINDOWS + : ec2.OperatingSystemType.LINUX; + + const actualBuildSpec = filterBuildSpecCommands(fullBuildSpec, osFromEnvironment); + + const scope = this.props.scope ?? options.scope; + + let projectBuildSpec; + if (this.props.passBuildSpecViaCloudAssembly) { + // Write to disk and replace with a reference + const relativeSpecFile = `buildspec-${Node.of(scope).addr}-${this.constructId}.yaml`; + const absSpecFile = path.join(cloudAssemblyBuildSpecDir(scope), relativeSpecFile); + fs.writeFileSync(absSpecFile, Stack.of(scope).resolve(actualBuildSpec.toBuildSpec()), { encoding: 'utf-8' }); + projectBuildSpec = codebuild.BuildSpec.fromSourceFilename(relativeSpecFile); + } else { + projectBuildSpec = actualBuildSpec; + } + + // A hash over the values that make the CodeBuild Project unique (and necessary + // to restart the pipeline if one of them changes). projectName is not necessary to include + // here because the pipeline will definitely restart if projectName changes. + // (Resolve tokens) + const projectConfigHash = hash(Stack.of(scope).resolve({ + environment: serializeBuildEnvironment(environment), + buildSpecString: actualBuildSpec.toBuildSpec(), + })); + + const actionName = options.actionName ?? this.stepId; + + let projectScope = scope; + if (this.props.additionalConstructLevel ?? true) { + projectScope = obtainScope(scope, actionName); + } + + const project = new codebuild.PipelineProject(projectScope, this.constructId, { + projectName: this.props.projectName, + environment, + vpc: projectOptions.vpc, + subnetSelection: projectOptions.subnetSelection, + securityGroups: projectOptions.securityGroups, + buildSpec: projectBuildSpec, + role: this.props.role, + }); + + if (this.props.additionalDependable) { + project.node.addDependency(this.props.additionalDependable); + } + + if (projectOptions.rolePolicy !== undefined) { + projectOptions.rolePolicy.forEach(policyStatement => { + project.addToRolePolicy(policyStatement); + }); + } + + const queries = new PipelineQueries(options.pipeline); + + const stackOutputEnv = mapValues(this.props.envFromCfnOutputs ?? {}, outputRef => + `#{${stackVariableNamespace(queries.producingStack(outputRef))}.${outputRef.outputName}}`, + ); + + const configHashEnv = options.beforeSelfMutation + ? { _PROJECT_CONFIG_HASH: projectConfigHash } + : {}; + + stage.addAction(new codepipeline_actions.CodeBuildAction({ + actionName: actionName, + input: inputArtifact, + extraInputs: extraInputArtifacts, + outputs: outputArtifacts, + project, + runOrder: options.runOrder, + + // Inclusion of the hash here will lead to the pipeline structure for any changes + // made the config of the underlying CodeBuild Project. + // Hence, the pipeline will be restarted. This is necessary if the users + // adds (for example) build or test commands to the buildspec. + environmentVariables: noEmptyObject(cbEnv({ + ...mkdict(actionEnvs), + ...configHashEnv, + ...stackOutputEnv, + })), + })); + + this._project = project; + + return { runOrdersConsumed: 1, project }; + } +} + +/** + * Generate commands to move additional input artifacts into the right place + */ +function generateInputArtifactLinkCommands(artifacts: ArtifactMap, inputs: FileSetLocation[]): string[] { + return inputs.map(input => { + const fragments = []; + + if (!['.', '..'].includes(path.dirname(input.directory))) { + fragments.push(`mkdir -p "${input.directory}"`); + } + + const artifact = artifacts.toCodePipeline(input.fileSet); + + fragments.push(`ln -s "$CODEBUILD_SRC_DIR_${artifact.artifactName}" "${input.directory}"`); + + return fragments.join(' && '); + }); +} + +function renderArtifactsBuildSpec(artifactMap: ArtifactMap, outputs: FileSetLocation[]) { + // save the generated files in the output artifact + // This part of the buildspec has to look completely different depending on whether we're + // using secondary artifacts or not. + if (outputs.length === 0) { return {}; } + + if (outputs.length === 1) { + return { + 'base-directory': outputs[0].directory, + 'files': '**/*', + }; + } + + const secondary: Record = {}; + for (const output of outputs) { + const art = artifactMap.toCodePipeline(output.fileSet); + + if (!art.artifactName) { + throw new Error('You must give the output artifact a name'); + } + secondary[art.artifactName] = { + 'base-directory': output.directory, + 'files': '**/*', + }; + } + + return { 'secondary-artifacts': secondary }; +} + +export function mergeCodeBuildOptions(...opts: Array) { + const xs = [{}, ...opts.filter(isDefined)]; + while (xs.length > 1) { + const [a, b] = xs.splice(xs.length - 2, 2); + xs.push(merge2(a, b)); + } + return xs[0]; + + function merge2(a: CodeBuildOptions, b: CodeBuildOptions): CodeBuildOptions { + return { + buildEnvironment: mergeBuildEnvironments(a.buildEnvironment, b.buildEnvironment), + rolePolicy: definedArray([...a.rolePolicy ?? [], ...b.rolePolicy ?? []]), + securityGroups: definedArray([...a.securityGroups ?? [], ...b.securityGroups ?? []]), + partialBuildSpec: mergeBuildSpecs(a.partialBuildSpec, b.partialBuildSpec), + vpc: b.vpc ?? a.vpc, + subnetSelection: b.subnetSelection ?? a.subnetSelection, + }; + } +} + +function mergeBuildEnvironments(a: codebuild.BuildEnvironment, b?: codebuild.BuildEnvironment): codebuild.BuildEnvironment; +function mergeBuildEnvironments(a: codebuild.BuildEnvironment | undefined, b: codebuild.BuildEnvironment): codebuild.BuildEnvironment; +function mergeBuildEnvironments(a?: codebuild.BuildEnvironment, b?: codebuild.BuildEnvironment): codebuild.BuildEnvironment | undefined; +function mergeBuildEnvironments(a?: codebuild.BuildEnvironment, b?: codebuild.BuildEnvironment) { + if (!a || !b) { return a ?? b; } + + return { + buildImage: b.buildImage ?? a.buildImage, + computeType: b.computeType ?? a.computeType, + environmentVariables: { + ...a.environmentVariables, + ...b.environmentVariables, + }, + privileged: b.privileged ?? a.privileged, + }; +} + +export function mergeBuildSpecs(a: codebuild.BuildSpec, b?: codebuild.BuildSpec): codebuild.BuildSpec; +export function mergeBuildSpecs(a: codebuild.BuildSpec | undefined, b: codebuild.BuildSpec): codebuild.BuildSpec; +export function mergeBuildSpecs(a?: codebuild.BuildSpec, b?: codebuild.BuildSpec): codebuild.BuildSpec | undefined; +export function mergeBuildSpecs(a?: codebuild.BuildSpec, b?: codebuild.BuildSpec) { + if (!a || !b) { return a ?? b; } + return codebuild.mergeBuildSpecs(a, b); +} + +function isDefined(x: A | undefined): x is NonNullable { + return x !== undefined; +} + +function hash(obj: A) { + const d = crypto.createHash('sha256'); + d.update(JSON.stringify(obj)); + return d.digest('hex'); +} + +/** + * Serialize a build environment to data (get rid of constructs & objects), so we can JSON.stringify it + */ +function serializeBuildEnvironment(env: codebuild.BuildEnvironment) { + return { + privileged: env.privileged, + environmentVariables: env.environmentVariables, + type: env.buildImage?.type, + imageId: env.buildImage?.imageId, + computeType: env.computeType, + imagePullPrincipalType: env.buildImage?.imagePullPrincipalType, + secretsManagerArn: env.buildImage?.secretsManagerCredentials?.secretArn, + }; +} + +export function stackVariableNamespace(stack: StackDeployment) { + return stack.stackArtifactId; +} + +/** + * Whether the given string contains a reference to a CodePipeline variable + */ +function containsPipelineVariable(s: string) { + return !!s.match(/#\{[^}]+\}/); +} + +/** + * Turn a collection into a collection of CodePipeline environment variables + */ +function cbEnv(xs: Record): Record { + return mkdict(Object.entries(xs) + .filter(([, v]) => v !== undefined) + .map(([k, v]) => [k, { value: v }] as const)); +} + +function definedArray(xs: A[]): A[] | undefined { + return xs.length > 0 ? xs : undefined; +} + +/** + * If lines in the buildspec start with '!WINDOWS!' or '!LINUX!', only render them on that platform. + * + * Very private protocol for now, but may come in handy in other libraries as well. + */ +function filterBuildSpecCommands(buildSpec: codebuild.BuildSpec, osType: ec2.OperatingSystemType) { + if (!buildSpec.isImmediate) { return buildSpec; } + const spec = (buildSpec as any).spec; + + const winTag = '!WINDOWS!'; + const linuxTag = '!LINUX!'; + const expectedTag = osType === ec2.OperatingSystemType.WINDOWS ? winTag : linuxTag; + + return codebuild.BuildSpec.fromObject(recurse(spec)); + + function recurse(x: any): any { + if (Array.isArray(x)) { + const ret: any[] = []; + for (const el of x) { + const [tag, payload] = extractTag(el); + if (tag === undefined || tag === expectedTag) { + ret.push(payload); + } + } + return ret; + } + if (x && typeof x === 'object') { + return mapValues(x, recurse); + } + return x; + } + + function extractTag(x: any): [string | undefined, any] { + if (typeof x !== 'string') { return [undefined, x]; } + for (const tag of [winTag, linuxTag]) { + if (x.startsWith(tag)) { return [tag, x.substr(tag.length)]; } + } + return [undefined, x]; + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/lib/codepipeline/artifact-map.ts b/packages/@aws-cdk/pipelines/lib/codepipeline/artifact-map.ts new file mode 100644 index 0000000000000..4ec4b086815c7 --- /dev/null +++ b/packages/@aws-cdk/pipelines/lib/codepipeline/artifact-map.ts @@ -0,0 +1,71 @@ +import * as cp from '@aws-cdk/aws-codepipeline'; +import { FileSet } from '../blueprint'; +import { PipelineGraph } from '../helpers-internal'; + +/** + * Translate FileSets to CodePipeline Artifacts + */ +export class ArtifactMap { + private artifacts = new Map(); + private usedNames = new Set(); + + /** + * Return the matching CodePipeline artifact for a FileSet + */ + public toCodePipeline(x: FileSet): cp.Artifact { + if (x instanceof CodePipelineFileSet) { + return x._artifact; + } + + let ret = this.artifacts.get(x); + if (!ret) { + // They all need a name + const artifactName = this.makeUniqueName(`${x.producer.id}.${x.id}`); + this.usedNames.add(artifactName); + this.artifacts.set(x, ret = new cp.Artifact(artifactName)); + } + return ret; + } + + private makeUniqueName(baseName: string) { + let i = 1; + baseName = sanitizeArtifactName(baseName); + let name = baseName; + while (this.usedNames.has(name)) { + name = `${baseName}${++i}`; + } + return name; + } +} + +function sanitizeArtifactName(x: string): string { + // FIXME: Does this REALLY not allow '.'? The docs don't mention it, but action names etc. do! + return x.replace(/[^A-Za-z0-9@\-_]/g, '_'); +} + +/** + * A FileSet created from a CodePipeline artifact + * + * You only need to use this if you want to add CDK Pipeline stages + * add the end of an existing CodePipeline, which should be very rare. + */ +export class CodePipelineFileSet extends FileSet { + /** + * Turn a CodePipeline Artifact into a FileSet + */ + public static fromArtifact(artifact: cp.Artifact) { + return new CodePipelineFileSet(artifact); + } + + /** + * The artifact this class is wrapping + * + * @internal + */ + public readonly _artifact: cp.Artifact; + + private constructor(artifact: cp.Artifact) { + super(artifact.artifactName ?? 'Imported', PipelineGraph.NO_STEP); + this._artifact = artifact; + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/lib/codepipeline/codebuild-step.ts b/packages/@aws-cdk/pipelines/lib/codepipeline/codebuild-step.ts new file mode 100644 index 0000000000000..064c283ef2f12 --- /dev/null +++ b/packages/@aws-cdk/pipelines/lib/codepipeline/codebuild-step.ts @@ -0,0 +1,189 @@ +import * as codebuild from '@aws-cdk/aws-codebuild'; +import * as ec2 from '@aws-cdk/aws-ec2'; +import * as iam from '@aws-cdk/aws-iam'; +import { ShellStep, ShellStepProps } from '../blueprint'; + +/** + * Construction props for SimpleSynthAction + */ +export interface CodeBuildStepProps extends ShellStepProps { + /** + * Name for the generated CodeBuild project + * + * @default - Automatically generated + */ + readonly projectName?: string; + + /** + * Additional configuration that can only be configured via BuildSpec + * + * You should not use this to specify output artifacts; those + * should be supplied via the other properties of this class, otherwise + * CDK Pipelines won't be able to inspect the artifacts. + * + * Set the `commands` to an empty array if you want to fully specify + * the BuildSpec using this field. + * + * The BuildSpec must be available inline--it cannot reference a file + * on disk. + * + * @default - BuildSpec completely derived from other properties + */ + readonly partialBuildSpec?: codebuild.BuildSpec; + + /** + * The VPC where to execute the SimpleSynth. + * + * @default - No VPC + */ + readonly vpc?: ec2.IVpc; + + /** + * Which subnets to use. + * + * Only used if 'vpc' is supplied. + * + * @default - All private subnets. + */ + readonly subnetSelection?: ec2.SubnetSelection; + + /** + * Policy statements to add to role used during the synth + * + * Can be used to add acces to a CodeArtifact repository etc. + * + * @default - No policy statements added to CodeBuild Project Role + */ + readonly rolePolicyStatements?: iam.PolicyStatement[]; + + /** + * Custom execution role to be used for the CodeBuild project + * + * @default - A role is automatically created + */ + readonly role?: iam.IRole; + + /** + * Changes to environment + * + * This environment will be combined with the pipeline's default + * environment. + * + * @default - Use the pipeline's default build environment + */ + readonly buildEnvironment?: codebuild.BuildEnvironment; + + /** + * Which security group to associate with the script's project network interfaces. + * If no security group is identified, one will be created automatically. + * + * Only used if 'vpc' is supplied. + * + * @default - Security group will be automatically created. + */ + readonly securityGroups?: ec2.ISecurityGroup[]; +} + +/** + * Run a script as a CodeBuild Project + */ +export class CodeBuildStep extends ShellStep { + /** + * Name for the generated CodeBuild project + * + * @default - No value specified at construction time, use defaults + */ + public readonly projectName?: string; + + /** + * Additional configuration that can only be configured via BuildSpec + * + * @default - No value specified at construction time, use defaults + */ + public readonly partialBuildSpec?: codebuild.BuildSpec; + + /** + * The VPC where to execute the SimpleSynth. + * + * @default - No value specified at construction time, use defaults + */ + public readonly vpc?: ec2.IVpc; + + /** + * Which subnets to use. + * + * @default - No value specified at construction time, use defaults + */ + public readonly subnetSelection?: ec2.SubnetSelection; + + /** + * Policy statements to add to role used during the synth + * + * @default - No value specified at construction time, use defaults + */ + public readonly rolePolicyStatements?: iam.PolicyStatement[]; + + /** + * Custom execution role to be used for the CodeBuild project + * + * @default - No value specified at construction time, use defaults + */ + public readonly role?: iam.IRole; + + /** + * Build environment + * + * @default - No value specified at construction time, use defaults + */ + readonly buildEnvironment?: codebuild.BuildEnvironment; + + /** + * Which security group to associate with the script's project network interfaces. + * + * @default - No value specified at construction time, use defaults + */ + readonly securityGroups?: ec2.ISecurityGroup[]; + + private _project?: codebuild.IProject; + + constructor(id: string, props: CodeBuildStepProps) { + super(id, props); + + this.projectName = props.projectName; + this.buildEnvironment = props.buildEnvironment; + this.partialBuildSpec = props.partialBuildSpec; + this.vpc = props.vpc; + this.subnetSelection = props.subnetSelection; + this.role = props.role; + this.rolePolicyStatements = props.rolePolicyStatements; + this.securityGroups = props.securityGroups; + } + + /** + * CodeBiuld Project generated for the pipeline + * + * Will only be available after the pipeline has been built. + */ + public get project(): codebuild.IProject { + if (!this._project) { + throw new Error('Project becomes available after the pipeline has been built'); + } + return this._project; + } + + /** + * The CodeBuild Project's principal + */ + public get grantPrincipal(): iam.IPrincipal { + return this.project.grantPrincipal; + } + + /** + * Set the internal project value + * + * @internal + */ + public _setProject(project: codebuild.IProject) { + this._project = project; + } +} diff --git a/packages/@aws-cdk/pipelines/lib/codepipeline/codepipeline-action-factory.ts b/packages/@aws-cdk/pipelines/lib/codepipeline/codepipeline-action-factory.ts new file mode 100644 index 0000000000000..89d419b56223d --- /dev/null +++ b/packages/@aws-cdk/pipelines/lib/codepipeline/codepipeline-action-factory.ts @@ -0,0 +1,100 @@ +import * as cb from '@aws-cdk/aws-codebuild'; +import * as cp from '@aws-cdk/aws-codepipeline'; +import { Construct } from 'constructs'; +import { PipelineBase } from '../main'; +import { ArtifactMap } from './artifact-map'; +import { CodeBuildOptions } from './codepipeline'; + +/** + * Options for the `CodePipelineActionFactory.produce()` method. + */ +export interface ProduceActionOptions { + /** + * Scope in which to create constructs + */ + readonly scope: Construct; + + /** + * Name the action should get + */ + readonly actionName: string; + + /** + * RunOrder the action should get + */ + readonly runOrder: number; + + /** + * Helper object to translate FileSets to CodePipeline Artifacts + */ + readonly artifacts: ArtifactMap; + + /** + * An input artifact that CodeBuild projects that don't actually need an input artifact can use + * + * CodeBuild Projects MUST have an input artifact in order to be added to the Pipeline. If + * the Project doesn't actually care about its input (it can be anything), it can use the + * Artifact passed here. + * + * @default - A fallback artifact does not exist + */ + readonly fallbackArtifact?: cp.Artifact; + + /** + * The pipeline the action is being generated for + */ + readonly pipeline: PipelineBase; + + /** + * If this action factory creates a CodeBuild step, default options to inherit + * + * @default - No CodeBuild project defaults + */ + readonly codeBuildDefaults?: CodeBuildOptions; + + /** + * Whether or not this action is inserted before self mutation. + * + * If it is, the action should take care to reflect some part of + * its own definition in the pipeline action definition, to + * trigger a restart after self-mutation (if necessary). + * + * @default false + */ + readonly beforeSelfMutation?: boolean; +} + +/** + * Factory for explicit CodePipeline Actions + * + * If you have specific types of Actions you want to add to a + * CodePipeline, write a subclass of `Step` that implements this + * interface, and add the action or actions you want in the `produce` method. + * + * There needs to be a level of indirection here, because some aspects of the + * Action creation need to be controlled by the workflow engine (name and + * runOrder). All the rest of the properties are controlled by the factory. + */ +export interface ICodePipelineActionFactory { + /** + * Create the desired Action and add it to the pipeline + */ + produceAction(stage: cp.IStage, options: ProduceActionOptions): CodePipelineActionFactoryResult; +} + +/** + * The result of adding actions to the pipeline + */ +export interface CodePipelineActionFactoryResult { + /** + * How many RunOrders were consumed + */ + readonly runOrdersConsumed: number; + + /** + * If a CodeBuild project got created, the project + * + * @default - This factory did not create a CodeBuild project + */ + readonly project?: cb.IProject; +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/lib/codepipeline/codepipeline-source.ts b/packages/@aws-cdk/pipelines/lib/codepipeline/codepipeline-source.ts new file mode 100644 index 0000000000000..d97b4c5f925de --- /dev/null +++ b/packages/@aws-cdk/pipelines/lib/codepipeline/codepipeline-source.ts @@ -0,0 +1,354 @@ +import * as codecommit from '@aws-cdk/aws-codecommit'; +import * as cp from '@aws-cdk/aws-codepipeline'; +import { Artifact } from '@aws-cdk/aws-codepipeline'; +import * as cp_actions from '@aws-cdk/aws-codepipeline-actions'; +import { Action, CodeCommitTrigger, GitHubTrigger, S3Trigger } from '@aws-cdk/aws-codepipeline-actions'; +import * as iam from '@aws-cdk/aws-iam'; +import { IBucket } from '@aws-cdk/aws-s3'; +import { SecretValue } from '@aws-cdk/core'; +import { FileSet, Step } from '../blueprint'; +import { CodePipelineActionFactoryResult, ProduceActionOptions, ICodePipelineActionFactory } from './codepipeline-action-factory'; + +/** + * CodePipeline source steps + * + * This class contains a number of factory methods for the different types + * of sources that CodePipeline supports. + */ +export abstract class CodePipelineSource extends Step implements ICodePipelineActionFactory { + /** + * Returns a GitHub source, using OAuth tokens to authenticate with + * GitHub and a separate webhook to detect changes. This is no longer + * the recommended method. Please consider using `connection()` + * instead. + * + * Pass in the owner and repository in a single string, like this: + * + * ```ts + * CodePipelineSource.gitHub('owner/repo', 'main'); + * ``` + * + * Authentication will be done by a secret called `github-token` in AWS + * Secrets Manager (unless specified otherwise). + * + * The token should have these permissions: + * + * * **repo** - to read the repository + * * **admin:repo_hook** - if you plan to use webhooks (true by default) + */ + public static gitHub(repoString: string, branch: string, props: GitHubSourceOptions = {}): CodePipelineSource { + return new GitHubSource(repoString, branch, props); + } + + /** + * Returns an S3 source. + * + * @param bucket The bucket where the source code is located. + * @param props The options, which include the key that identifies the source code file and + * and how the pipeline should be triggered. + * + * Example: + * + * ```ts + * const bucket: IBucket = ... + * CodePipelineSource.s3(bucket, { + * key: 'path/to/file.zip', + * }); + * ``` + */ + public static s3(bucket: IBucket, objectKey: string, props: S3SourceOptions = {}): CodePipelineSource { + return new S3Source(bucket, objectKey, props); + } + + /** + * Returns a CodeStar connection source. A CodeStar connection allows AWS CodePipeline to + * access external resources, such as repositories in GitHub, GitHub Enterprise or + * BitBucket. + * + * To use this method, you first need to create a CodeStar connection + * using the AWS console. In the process, you may have to sign in to the external provider + * -- GitHub, for example -- to authorize AWS to read and modify your repository. + * Once you have done this, copy the connection ARN and use it to create the source. + * + * Example: + * + * ```ts + * CodePipelineSource.connection('owner/repo', 'main', { + * connectionArn: 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console + * }); + * ``` + * + * @param repoString A string that encodes owner and repository separated by a slash (e.g. 'owner/repo'). + * @param branch The branch to use. + * @param props The source properties, including the connection ARN. + * + * @see https://docs.aws.amazon.com/dtconsole/latest/userguide/welcome-connections.html + */ + public static connection(repoString: string, branch: string, props: ConnectionSourceOptions): CodePipelineSource { + return new CodeStarConnectionSource(repoString, branch, props); + } + + /** + * Returns a CodeCommit source. + * + * @param repository The CodeCommit repository. + * @param branch The branch to use. + * @param props The source properties. + * + * Example: + * + * ```ts + * const repository: IRepository = ... + * CodePipelineSource.codeCommit(repository, 'main'); + * ``` + */ + public static codeCommit(repository: codecommit.IRepository, branch: string, props: CodeCommitSourceOptions = {}): CodePipelineSource { + return new CodeCommitSource(repository, branch, props); + } + + // tells `PipelineGraph` to hoist a "Source" step + public readonly isSource = true; + + public produceAction(stage: cp.IStage, options: ProduceActionOptions): CodePipelineActionFactoryResult { + const output = options.artifacts.toCodePipeline(this.primaryOutput!); + const action = this.getAction(output, options.actionName, options.runOrder); + stage.addAction(action); + return { runOrdersConsumed: 1 }; + } + + protected abstract getAction(output: Artifact, actionName: string, runOrder: number): Action; +} + +/** + * Options for GitHub sources + */ +export interface GitHubSourceOptions { + /** + * A GitHub OAuth token to use for authentication. + * + * It is recommended to use a Secrets Manager `Secret` to obtain the token: + * + * ```ts + * const oauth = cdk.SecretValue.secretsManager('my-github-token'); + * new GitHubSource(this, 'GitHubSource', { oauthToken: oauth, ... }); + * ``` + * + * The GitHub Personal Access Token should have these scopes: + * + * * **repo** - to read the repository + * * **admin:repo_hook** - if you plan to use webhooks (true by default) + * + * @see https://docs.aws.amazon.com/codepipeline/latest/userguide/GitHub-create-personal-token-CLI.html + * + * @default - SecretValue.secretsManager('github-token') + */ + readonly authentication?: SecretValue; + + /** + * How AWS CodePipeline should be triggered + * + * With the default value "WEBHOOK", a webhook is created in GitHub that triggers the action. + * With "POLL", CodePipeline periodically checks the source for changes. + * With "None", the action is not triggered through changes in the source. + * + * To use `WEBHOOK`, your GitHub Personal Access Token should have + * **admin:repo_hook** scope (in addition to the regular **repo** scope). + * + * @default GitHubTrigger.WEBHOOK + */ + readonly trigger?: GitHubTrigger; + +} + +/** + * Extend CodePipelineSource so we can type-test in the CodePipelineEngine. + */ +class GitHubSource extends CodePipelineSource { + private readonly owner: string; + private readonly repo: string; + private readonly authentication: SecretValue; + + constructor(repoString: string, readonly branch: string, readonly props: GitHubSourceOptions) { + super(repoString); + + const parts = repoString.split('/'); + if (parts.length !== 2) { + throw new Error(`GitHub repository name should look like '/', got '${repoString}'`); + } + this.owner = parts[0]; + this.repo = parts[1]; + this.authentication = props.authentication ?? SecretValue.secretsManager('github-token'); + this.configurePrimaryOutput(new FileSet('Source', this)); + } + + protected getAction(output: Artifact, actionName: string, runOrder: number) { + return new cp_actions.GitHubSourceAction({ + output, + actionName, + runOrder, + oauthToken: this.authentication, + owner: this.owner, + repo: this.repo, + branch: this.branch, + trigger: this.props.trigger, + }); + } +} + +/** + * Options for S3 sources + */ +export interface S3SourceOptions { + /** + * How should CodePipeline detect source changes for this Action. + * Note that if this is S3Trigger.EVENTS, you need to make sure to include the source Bucket in a CloudTrail Trail, + * as otherwise the CloudWatch Events will not be emitted. + * + * @default S3Trigger.POLL + * @see https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/log-s3-data-events.html + */ + readonly trigger?: S3Trigger; +} + +class S3Source extends CodePipelineSource { + constructor(readonly bucket: IBucket, private readonly objectKey: string, readonly props: S3SourceOptions) { + super(bucket.bucketName); + + this.configurePrimaryOutput(new FileSet('Source', this)); + } + + protected getAction(output: Artifact, actionName: string, runOrder: number) { + return new cp_actions.S3SourceAction({ + output, + actionName, + runOrder, + bucketKey: this.objectKey, + trigger: this.props.trigger, + bucket: this.bucket, + }); + } +} + +/** + * Configuration options for CodeStar source + */ +export interface ConnectionSourceOptions { + /** + * The ARN of the CodeStar Connection created in the AWS console + * that has permissions to access this GitHub or BitBucket repository. + * + * @example 'arn:aws:codestar-connections:us-east-1:123456789012:connection/12345678-abcd-12ab-34cdef5678gh' + * @see https://docs.aws.amazon.com/codepipeline/latest/userguide/connections-create.html + */ + readonly connectionArn: string; + + + // long URL in @see + /** + * Whether the output should be the contents of the repository + * (which is the default), + * or a link that allows CodeBuild to clone the repository before building. + * + * **Note**: if this option is true, + * then only CodeBuild actions can use the resulting {@link output}. + * + * @default false + * @see https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-CodestarConnectionSource.html#action-reference-CodestarConnectionSource-config + */ + readonly codeBuildCloneOutput?: boolean; + + /** + * Controls automatically starting your pipeline when a new commit + * is made on the configured repository and branch. If unspecified, + * the default value is true, and the field does not display by default. + * + * @default true + * @see https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-CodestarConnectionSource.html + */ + readonly triggerOnPush?: boolean; +} + +class CodeStarConnectionSource extends CodePipelineSource { + private readonly owner: string; + private readonly repo: string; + + constructor(repoString: string, readonly branch: string, readonly props: ConnectionSourceOptions) { + super(repoString); + + const parts = repoString.split('/'); + if (parts.length !== 2) { + throw new Error(`CodeStar repository name should look like '/', got '${repoString}'`); + } + this.owner = parts[0]; + this.repo = parts[1]; + this.configurePrimaryOutput(new FileSet('Source', this)); + } + + protected getAction(output: Artifact, actionName: string, runOrder: number) { + return new cp_actions.CodeStarConnectionsSourceAction({ + output, + actionName, + runOrder, + connectionArn: this.props.connectionArn, + owner: this.owner, + repo: this.repo, + branch: this.branch, + codeBuildCloneOutput: this.props.codeBuildCloneOutput, + triggerOnPush: this.props.triggerOnPush, + }); + } +} + +/** + * Configuration options for a CodeCommit source + */ +export interface CodeCommitSourceOptions { + /** + * How should CodePipeline detect source changes for this Action. + * + * @default CodeCommitTrigger.EVENTS + */ + readonly trigger?: CodeCommitTrigger; + + /** + * Role to be used by on commit event rule. + * Used only when trigger value is CodeCommitTrigger.EVENTS. + * + * @default a new role will be created. + */ + readonly eventRole?: iam.IRole; + + /** + * Whether the output should be the contents of the repository + * (which is the default), + * or a link that allows CodeBuild to clone the repository before building. + * + * **Note**: if this option is true, + * then only CodeBuild actions can use the resulting {@link output}. + * + * @default false + * @see https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-CodeCommit.html + */ + readonly codeBuildCloneOutput?: boolean; +} + +class CodeCommitSource extends CodePipelineSource { + constructor(readonly repository: codecommit.IRepository, readonly branch: string, readonly props: CodeCommitSourceOptions) { + super(repository.repositoryName); + + this.configurePrimaryOutput(new FileSet('Source', this)); + } + + protected getAction(output: Artifact, actionName: string, runOrder: number) { + return new cp_actions.CodeCommitSourceAction({ + output, + actionName, + runOrder, + branch: this.branch, + trigger: this.props.trigger, + repository: this.repository, + eventRole: this.props.eventRole, + codeBuildCloneOutput: this.props.codeBuildCloneOutput, + }); + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/lib/codepipeline/codepipeline.ts b/packages/@aws-cdk/pipelines/lib/codepipeline/codepipeline.ts new file mode 100644 index 0000000000000..1c61a2c8cc42d --- /dev/null +++ b/packages/@aws-cdk/pipelines/lib/codepipeline/codepipeline.ts @@ -0,0 +1,961 @@ +import * as path from 'path'; +import * as cb from '@aws-cdk/aws-codebuild'; +import * as cp from '@aws-cdk/aws-codepipeline'; +import * as cpa from '@aws-cdk/aws-codepipeline-actions'; +import * as ec2 from '@aws-cdk/aws-ec2'; +import * as iam from '@aws-cdk/aws-iam'; +import { Aws, Fn, IDependable, Lazy, PhysicalName, Stack } from '@aws-cdk/core'; +import * as cxapi from '@aws-cdk/cx-api'; +import { Construct, Node } from 'constructs'; +import { AssetType, FileSet, IFileSetProducer, ManualApprovalStep, ShellStep, StackAsset, StackDeployment, Step } from '../blueprint'; +import { DockerCredential, dockerCredentialsInstallCommands, DockerCredentialUsage } from '../docker-credentials'; +import { GraphNode, GraphNodeCollection, isGraph, AGraphNode, PipelineGraph } from '../helpers-internal'; +import { PipelineBase } from '../main'; +import { appOf, assemblyBuilderOf, embeddedAsmPath, obtainScope } from '../private/construct-internals'; +import { toPosixPath } from '../private/fs'; +import { enumerate, flatten, maybeSuffix, noUndefined } from '../private/javascript'; +import { writeTemplateConfiguration } from '../private/template-configuration'; +import { CodeBuildFactory, mergeCodeBuildOptions, stackVariableNamespace } from './_codebuild-factory'; +import { ArtifactMap } from './artifact-map'; +import { CodeBuildStep } from './codebuild-step'; +import { CodePipelineActionFactoryResult, ICodePipelineActionFactory } from './codepipeline-action-factory'; + + +/** + * Properties for a `CodePipeline` + */ +export interface CodePipelineProps { + /** + * The build step that produces the CDK Cloud Assembly + * + * The primary output of this step needs to be the `cdk.out` directory + * generated by the `cdk synth` command. + * + * If you use a `ShellStep` here and you don't configure an output directory, + * the output directory will automatically be assumed to be `cdk.out`. + */ + readonly synth: IFileSetProducer; + + /** + * The name of the CodePipeline pipeline + * + * @default - Automatically generated + */ + readonly pipelineName?: string; + + /** + * Create KMS keys for the artifact buckets, allowing cross-account deployments + * + * The artifact buckets have to be encrypted to support deploying CDK apps to + * another account, so if you want to do that or want to have your artifact + * buckets encrypted, be sure to set this value to `true`. + * + * Be aware there is a cost associated with maintaining the KMS keys. + * + * @default false + */ + readonly crossAccountKeys?: boolean; + + /** + * CDK CLI version to use in self-mutation and asset publishing steps + * + * If you want to lock the CDK CLI version used in the pipeline, by steps + * that are automatically generated for you, specify the version here. + * + * You should not typically need to specify this value. + * + * @default - Latest version + */ + readonly cliVersion?: string; + + /** + * Whether the pipeline will update itself + * + * This needs to be set to `true` to allow the pipeline to reconfigure + * itself when assets or stages are being added to it, and `true` is the + * recommended setting. + * + * You can temporarily set this to `false` while you are iterating + * on the pipeline itself and prefer to deploy changes using `cdk deploy`. + * + * @default true + */ + readonly selfMutation?: boolean; + + /** + * Enable Docker for the self-mutate step + * + * Set this to true if the pipeline itself uses Docker container assets + * (for example, if you use `LinuxBuildImage.fromAsset()` as the build + * image of a CodeBuild step in the pipeline). + * + * You do not need to set it if you build Docker image assets in the + * application Stages and Stacks that are *deployed* by this pipeline. + * + * Configures privileged mode for the self-mutation CodeBuild action. + * + * If you are about to turn this on in an already-deployed Pipeline, + * set the value to `true` first, commit and allow the pipeline to + * self-update, and only then use the Docker asset in the pipeline. + * + * @default false + */ + readonly dockerEnabledForSelfMutation?: boolean; + + /** + * Enable Docker for the 'synth' step + * + * Set this to true if you are using file assets that require + * "bundling" anywhere in your application (meaning an asset + * compilation step will be run with the tools provided by + * a Docker image), both for the Pipeline stack as well as the + * application stacks. + * + * A common way to use bundling assets in your application is by + * using the `@aws-cdk/aws-lambda-nodejs` library. + * + * Configures privileged mode for the synth CodeBuild action. + * + * If you are about to turn this on in an already-deployed Pipeline, + * set the value to `true` first, commit and allow the pipeline to + * self-update, and only then use the bundled asset. + * + * @default false + */ + readonly dockerEnabledForSynth?: boolean; + + /** + * Customize the CodeBuild projects created for this pipeline + * + * @default - All projects run non-privileged build, SMALL instance, LinuxBuildImage.STANDARD_5_0 + */ + readonly codeBuildDefaults?: CodeBuildOptions; + + /** + * Additional customizations to apply to the asset publishing CodeBuild projects + * + * @default - Only `codeBuildProjectDefaults` are applied + */ + readonly assetPublishingCodeBuildDefaults?: CodeBuildOptions; + + /** + * Additional customizations to apply to the self mutation CodeBuild projects + * + * @default - Only `codeBuildProjectDefaults` are applied + */ + readonly selfMutationCodeBuildDefaults?: CodeBuildOptions; + + /** + * Publish assets in multiple CodeBuild projects + * + * If set to false, use one Project per type to publish all assets. + * + * Publishing in parallel improves concurrency and may reduce publishing + * latency, but may also increase overall provisioning time of the CodeBuild + * projects. + * + * Experiment and see what value works best for you. + * + * @default true + */ + readonly publishAssetsInParallel?: boolean; + + /** + * A list of credentials used to authenticate to Docker registries. + * + * Specify any credentials necessary within the pipeline to build, synth, update, or publish assets. + * + * @default [] + */ + readonly dockerCredentials?: DockerCredential[]; + + /** + * An existing Pipeline to be reused and built upon. + * + * [disable-awslint:ref-via-interface] + * + * @default - a new underlying pipeline is created. + */ + readonly codePipeline?: cp.Pipeline; +} + +/** + * Options for customizing a single CodeBuild project + */ +export interface CodeBuildOptions { + /** + * Partial build environment, will be combined with other build environments that apply + * + * @default - Non-privileged build, SMALL instance, LinuxBuildImage.STANDARD_5_0 + */ + readonly buildEnvironment?: cb.BuildEnvironment; + + /** + * Policy statements to add to role + * + * @default - No policy statements added to CodeBuild Project Role + */ + readonly rolePolicy?: iam.PolicyStatement[]; + + /** + * Partial buildspec, will be combined with other buildspecs that apply + * + * The BuildSpec must be available inline--it cannot reference a file + * on disk. + * + * @default - No initial BuildSpec + */ + readonly partialBuildSpec?: cb.BuildSpec; + + /** + * Which security group(s) to associate with the project network interfaces. + * + * Only used if 'vpc' is supplied. + * + * @default - Security group will be automatically created. + */ + readonly securityGroups?: ec2.ISecurityGroup[]; + + /** + * The VPC where to create the CodeBuild network interfaces in. + * + * @default - No VPC + */ + readonly vpc?: ec2.IVpc; + + /** + * Which subnets to use. + * + * Only used if 'vpc' is supplied. + * + * @default - All private subnets. + */ + readonly subnetSelection?: ec2.SubnetSelection; +} + + +/** + * A CDK Pipeline that uses CodePipeline to deploy CDK apps + * + * This is a `Pipeline` with its `engine` property set to + * `CodePipelineEngine`, and exists for nicer ergonomics for + * users that don't need to switch out engines. + */ +export class CodePipeline extends PipelineBase { + private _pipeline?: cp.Pipeline; + private artifacts = new ArtifactMap(); + private _synthProject?: cb.IProject; + private readonly selfMutation: boolean; + private _myCxAsmRoot?: string; + private readonly dockerCredentials: DockerCredential[]; + + /** + * Asset roles shared for publishing + */ + private readonly assetCodeBuildRoles: Record = {}; + + /** + * Policies created for the build projects that they have to depend on + */ + private readonly assetAttachedPolicies: Record = {}; + + /** + * Per asset type, the target role ARNs that need to be assumed + */ + private readonly assetPublishingRoles: Record> = {}; + + /** + * This is set to the very first artifact produced in the pipeline + */ + private _fallbackArtifact?: cp.Artifact; + + private _cloudAssemblyFileSet?: FileSet; + + private readonly singlePublisherPerAssetType: boolean; + + constructor(scope: Construct, id: string, private readonly props: CodePipelineProps) { + super(scope, id, props); + + this.selfMutation = props.selfMutation ?? true; + this.dockerCredentials = props.dockerCredentials ?? []; + this.singlePublisherPerAssetType = !(props.publishAssetsInParallel ?? true); + } + + /** + * The CodeBuild project that performs the Synth + * + * Only available after the pipeline has been built. + */ + public get synthProject(): cb.IProject { + if (!this._synthProject) { + throw new Error('Call pipeline.buildPipeline() before reading this property'); + } + return this._synthProject; + } + + /** + * The CodePipeline pipeline that deploys the CDK app + * + * Only available after the pipeline has been built. + */ + public get pipeline(): cp.Pipeline { + if (!this._pipeline) { + throw new Error('Pipeline not created yet'); + } + return this._pipeline; + } + + + protected doBuildPipeline(): void { + if (this._pipeline) { + throw new Error('Pipeline already created'); + } + + this._myCxAsmRoot = path.resolve(assemblyBuilderOf(appOf(this)).outdir); + + if (this.props.codePipeline) { + if (this.props.pipelineName) { + throw new Error('Cannot set \'pipelineName\' if an existing CodePipeline is given using \'codePipeline\''); + } + if (this.props.crossAccountKeys !== undefined) { + throw new Error('Cannot set \'crossAccountKeys\' if an existing CodePipeline is given using \'codePipeline\''); + } + + this._pipeline = this.props.codePipeline; + } else { + this._pipeline = new cp.Pipeline(this, 'Pipeline', { + pipelineName: this.props.pipelineName, + crossAccountKeys: this.props.crossAccountKeys ?? false, + // This is necessary to make self-mutation work (deployments are guaranteed + // to happen only after the builds of the latest pipeline definition). + restartExecutionOnUpdate: true, + }); + } + + const graphFromBp = new PipelineGraph(this, { + selfMutation: this.selfMutation, + singlePublisherPerAssetType: this.singlePublisherPerAssetType, + }); + this._cloudAssemblyFileSet = graphFromBp.cloudAssemblyFileSet; + + this.pipelineStagesAndActionsFromGraph(graphFromBp); + } + + private get myCxAsmRoot(): string { + if (!this._myCxAsmRoot) { + throw new Error('Can\'t read \'myCxAsmRoot\' if build deployment not called yet'); + } + return this._myCxAsmRoot; + } + + /** + * Scope for Assets-related resources. + * + * Purely exists for construct tree backwards compatibility with legacy pipelines + */ + private get assetsScope(): Construct { + return obtainScope(this, 'Assets'); + } + + private pipelineStagesAndActionsFromGraph(structure: PipelineGraph) { + // Translate graph into Pipeline Stages and Actions + let beforeSelfMutation = this.selfMutation; + for (const stageNode of flatten(structure.graph.sortedChildren())) { + if (!isGraph(stageNode)) { + throw new Error(`Top-level children must be graphs, got '${stageNode}'`); + } + + // Group our ordered tranches into blocks of 50. + // We can map these onto stages without exceeding the capacity of a Stage. + const chunks = chunkTranches(50, stageNode.sortedLeaves()); + const actionsOverflowStage = chunks.length > 1; + for (const [i, tranches] of enumerate(chunks)) { + const stageName = actionsOverflowStage ? `${stageNode.id}.${i + 1}` : stageNode.id; + const pipelineStage = this.pipeline.addStage({ stageName }); + + const sharedParent = new GraphNodeCollection(flatten(tranches)).commonAncestor(); + + let runOrder = 1; + for (const tranche of tranches) { + const runOrdersConsumed = [0]; + + for (const node of tranche) { + const factory = this.actionFromNode(node); + + const nodeType = this.nodeTypeFromNode(node); + + const result = factory.produceAction(pipelineStage, { + actionName: actionName(node, sharedParent), + runOrder, + artifacts: this.artifacts, + scope: obtainScope(this.pipeline, stageName), + fallbackArtifact: this._fallbackArtifact, + pipeline: this, + // If this step happens to produce a CodeBuild job, set the default options + codeBuildDefaults: nodeType ? this.codeBuildDefaultsFor(nodeType) : undefined, + beforeSelfMutation, + }); + + if (node.data?.type === 'self-update') { + beforeSelfMutation = false; + } + + this.postProcessNode(node, result); + + runOrdersConsumed.push(result.runOrdersConsumed); + } + + runOrder += Math.max(...runOrdersConsumed); + } + } + } + } + + /** + * Do additional things after the action got added to the pipeline + * + * Some minor state manipulation of CodeBuild projects and pipeline + * artifacts. + */ + private postProcessNode(node: AGraphNode, result: CodePipelineActionFactoryResult) { + const nodeType = this.nodeTypeFromNode(node); + + if (result.project) { + const dockerUsage = dockerUsageFromCodeBuild(nodeType ?? CodeBuildProjectType.STEP); + if (dockerUsage) { + for (const c of this.dockerCredentials) { + c.grantRead(result.project, dockerUsage); + } + } + + if (nodeType === CodeBuildProjectType.SYNTH) { + this._synthProject = result.project; + } + } + + if (node.data?.type === 'step' && node.data.step.primaryOutput?.primaryOutput && !this._fallbackArtifact) { + this._fallbackArtifact = this.artifacts.toCodePipeline(node.data.step.primaryOutput?.primaryOutput); + } + } + + /** + * Make an action from the given node and/or step + */ + private actionFromNode(node: AGraphNode): ICodePipelineActionFactory { + switch (node.data?.type) { + // Nothing for these, they are groupings (shouldn't even have popped up here) + case 'group': + case 'stack-group': + case undefined: + throw new Error(`actionFromNode: did not expect to get group nodes: ${node.data?.type}`); + + case 'self-update': + return this.selfMutateAction(); + + case 'publish-assets': + return this.publishAssetsAction(node, node.data.assets); + + case 'prepare': + return this.createChangeSetAction(node.data.stack); + + case 'execute': + return this.executeChangeSetAction(node.data.stack, node.data.captureOutputs); + + case 'step': + return this.actionFromStep(node, node.data.step); + } + } + + /** + * Take a Step and turn it into a CodePipeline Action + * + * There are only 3 types of Steps we need to support: + * + * - RunScript (generic) + * - ManualApproval (generic) + * - CodePipelineActionFactory (CodePipeline-specific) + * + * The rest is expressed in terms of these 3, or in terms of graph nodes + * which are handled elsewhere. + */ + private actionFromStep(node: AGraphNode, step: Step): ICodePipelineActionFactory { + const nodeType = this.nodeTypeFromNode(node); + + // CodePipeline-specific steps first -- this includes Sources + if (isCodePipelineActionFactory(step)) { + return step; + } + + // Now built-in steps + if (step instanceof ShellStep || step instanceof CodeBuildStep) { + // The 'CdkBuildProject' will be the construct ID of the CodeBuild project, necessary for backwards compat + let constructId = nodeType === CodeBuildProjectType.SYNTH + ? 'CdkBuildProject' + : step.id; + + return step instanceof CodeBuildStep + ? CodeBuildFactory.fromCodeBuildStep(constructId, step) + : CodeBuildFactory.fromShellStep(constructId, step); + } + + if (step instanceof ManualApprovalStep) { + return { + produceAction: (stage, options) => { + stage.addAction(new cpa.ManualApprovalAction({ + actionName: options.actionName, + runOrder: options.runOrder, + additionalInformation: step.comment, + })); + return { runOrdersConsumed: 1 }; + }, + }; + } + + throw new Error(`Deployment step '${step}' is not supported for CodePipeline-backed pipelines`); + } + + private createChangeSetAction(stack: StackDeployment): ICodePipelineActionFactory { + const changeSetName = 'PipelineChange'; + + const templateArtifact = this.artifacts.toCodePipeline(this._cloudAssemblyFileSet!); + const templateConfigurationPath = this.writeTemplateConfiguration(stack); + + const region = stack.region !== Stack.of(this).region ? stack.region : undefined; + const account = stack.account !== Stack.of(this).account ? stack.account : undefined; + + const relativeTemplatePath = path.relative(this.myCxAsmRoot, stack.absoluteTemplatePath); + + return { + produceAction: (stage, options) => { + stage.addAction(new cpa.CloudFormationCreateReplaceChangeSetAction({ + actionName: options.actionName, + runOrder: options.runOrder, + changeSetName, + stackName: stack.stackName, + templatePath: templateArtifact.atPath(toPosixPath(relativeTemplatePath)), + adminPermissions: true, + role: this.roleFromPlaceholderArn(this.pipeline, region, account, stack.assumeRoleArn), + deploymentRole: this.roleFromPlaceholderArn(this.pipeline, region, account, stack.executionRoleArn), + region: region, + templateConfiguration: templateConfigurationPath + ? templateArtifact.atPath(toPosixPath(templateConfigurationPath)) + : undefined, + })); + return { runOrdersConsumed: 1 }; + }, + }; + } + + private executeChangeSetAction(stack: StackDeployment, captureOutputs: boolean): ICodePipelineActionFactory { + const changeSetName = 'PipelineChange'; + + const region = stack.region !== Stack.of(this).region ? stack.region : undefined; + const account = stack.account !== Stack.of(this).account ? stack.account : undefined; + + return { + produceAction: (stage, options) => { + stage.addAction(new cpa.CloudFormationExecuteChangeSetAction({ + actionName: options.actionName, + runOrder: options.runOrder, + changeSetName, + stackName: stack.stackName, + role: this.roleFromPlaceholderArn(this.pipeline, region, account, stack.assumeRoleArn), + region: region, + variablesNamespace: captureOutputs ? stackVariableNamespace(stack) : undefined, + })); + + return { runOrdersConsumed: 1 }; + }, + }; + } + + private selfMutateAction(): ICodePipelineActionFactory { + const installSuffix = this.props.cliVersion ? `@${this.props.cliVersion}` : ''; + + const pipelineStack = Stack.of(this.pipeline); + const pipelineStackIdentifier = pipelineStack.node.path ?? pipelineStack.stackName; + + const step = new CodeBuildStep('SelfMutate', { + projectName: maybeSuffix(this.props.pipelineName, '-selfupdate'), + input: this._cloudAssemblyFileSet, + installCommands: [ + `npm install -g aws-cdk${installSuffix}`, + ], + commands: [ + `cdk -a ${toPosixPath(embeddedAsmPath(this.pipeline))} deploy ${pipelineStackIdentifier} --require-approval=never --verbose`, + ], + + rolePolicyStatements: [ + // allow the self-mutating project permissions to assume the bootstrap Action role + new iam.PolicyStatement({ + actions: ['sts:AssumeRole'], + resources: [`arn:*:iam::${Stack.of(this.pipeline).account}:role/*`], + conditions: { + 'ForAnyValue:StringEquals': { + 'iam:ResourceTag/aws-cdk:bootstrap-role': ['image-publishing', 'file-publishing', 'deploy'], + }, + }, + }), + new iam.PolicyStatement({ + actions: ['cloudformation:DescribeStacks'], + resources: ['*'], // this is needed to check the status of the bootstrap stack when doing `cdk deploy` + }), + // S3 checks for the presence of the ListBucket permission + new iam.PolicyStatement({ + actions: ['s3:ListBucket'], + resources: ['*'], + }), + ], + }); + + // Different on purpose -- id needed for backwards compatible LogicalID + return CodeBuildFactory.fromCodeBuildStep('SelfMutation', step, { + additionalConstructLevel: false, + scope: obtainScope(this, 'UpdatePipeline'), + }); + } + + private publishAssetsAction(node: AGraphNode, assets: StackAsset[]): ICodePipelineActionFactory { + const installSuffix = this.props.cliVersion ? `@${this.props.cliVersion}` : ''; + + const commands = assets.map(asset => { + const relativeAssetManifestPath = path.relative(this.myCxAsmRoot, asset.assetManifestPath); + return `cdk-assets --path "${toPosixPath(relativeAssetManifestPath)}" --verbose publish "${asset.assetSelector}"`; + }); + + const assetType = assets[0].assetType; + if (assets.some(a => a.assetType !== assetType)) { + throw new Error('All assets in a single publishing step must be of the same type'); + } + + const publishingRoles = this.assetPublishingRoles[assetType] = (this.assetPublishingRoles[assetType] ?? new Set()); + for (const asset of assets) { + if (asset.assetPublishingRoleArn) { + publishingRoles.add(asset.assetPublishingRoleArn); + } + } + + const assetBuildConfig = this.obtainAssetCodeBuildRole(assets[0].assetType); + + // The base commands that need to be run + const script = new CodeBuildStep(node.id, { + commands, + installCommands: [ + `npm install -g cdk-assets${installSuffix}`, + ], + input: this._cloudAssemblyFileSet, + buildEnvironment: { + privileged: assets.some(asset => asset.assetType === AssetType.DOCKER_IMAGE), + }, + role: assetBuildConfig.role, + }); + + // Customizations that are not accessible to regular users + return CodeBuildFactory.fromCodeBuildStep(node.id, script, { + additionalConstructLevel: false, + additionalDependable: assetBuildConfig.dependable, + + // If we use a single publisher, pass buildspec via file otherwise it'll + // grow too big. + passBuildSpecViaCloudAssembly: this.singlePublisherPerAssetType, + scope: this.assetsScope, + }); + } + + private nodeTypeFromNode(node: AGraphNode) { + if (node.data?.type === 'step') { + return !!node.data?.isBuildStep ? CodeBuildProjectType.SYNTH : CodeBuildProjectType.STEP; + } + if (node.data?.type === 'publish-assets') { + return CodeBuildProjectType.ASSETS; + } + if (node.data?.type === 'self-update') { + return CodeBuildProjectType.SELF_MUTATE; + } + return undefined; + } + + private codeBuildDefaultsFor(nodeType: CodeBuildProjectType): CodeBuildOptions | undefined { + const defaultOptions: CodeBuildOptions = { + buildEnvironment: { + buildImage: cb.LinuxBuildImage.STANDARD_5_0, + computeType: cb.ComputeType.SMALL, + }, + }; + + const typeBasedCustomizations = { + [CodeBuildProjectType.SYNTH]: this.props.dockerEnabledForSynth + ? { buildEnvironment: { privileged: true } } + : {}, + + [CodeBuildProjectType.ASSETS]: this.props.assetPublishingCodeBuildDefaults, + + [CodeBuildProjectType.SELF_MUTATE]: this.props.dockerEnabledForSelfMutation + ? mergeCodeBuildOptions(this.props.selfMutationCodeBuildDefaults, { buildEnvironment: { privileged: true } }) + : this.props.selfMutationCodeBuildDefaults, + + [CodeBuildProjectType.STEP]: {}, + }; + + const dockerUsage = dockerUsageFromCodeBuild(nodeType); + const dockerCommands = dockerUsage !== undefined + ? dockerCredentialsInstallCommands(dockerUsage, this.dockerCredentials, 'both') + : []; + const typeBasedDockerCommands = dockerCommands.length > 0 ? { + partialBuildSpec: cb.BuildSpec.fromObject({ + version: '0.2', + phases: { + pre_build: { + commands: dockerCommands, + }, + }, + }), + } : {}; + + return mergeCodeBuildOptions( + defaultOptions, + this.props.codeBuildDefaults, + typeBasedCustomizations[nodeType], + typeBasedDockerCommands, + ); + } + + private roleFromPlaceholderArn(scope: Construct, region: string | undefined, + account: string | undefined, arn: string): iam.IRole; + private roleFromPlaceholderArn(scope: Construct, region: string | undefined, + account: string | undefined, arn: string | undefined): iam.IRole | undefined; + private roleFromPlaceholderArn(scope: Construct, region: string | undefined, + account: string | undefined, arn: string | undefined): iam.IRole | undefined { + + if (!arn) { return undefined; } + + // Use placeholdered arn as construct ID. + const id = arn; + + // https://github.com/aws/aws-cdk/issues/7255 + let existingRole = Node.of(scope).tryFindChild(`ImmutableRole${id}`) as iam.IRole; + if (existingRole) { return existingRole; } + // For when #7255 is fixed. + existingRole = Node.of(scope).tryFindChild(id) as iam.IRole; + if (existingRole) { return existingRole; } + + const arnToImport = cxapi.EnvironmentPlaceholders.replace(arn, { + region: region ?? Aws.REGION, + accountId: account ?? Aws.ACCOUNT_ID, + partition: Aws.PARTITION, + }); + return iam.Role.fromRoleArn(scope, id, arnToImport, { mutable: false, addGrantsToResources: true }); + } + + /** + * Non-template config files for CodePipeline actions + * + * Currently only supports tags. + */ + private writeTemplateConfiguration(stack: StackDeployment): string | undefined { + if (Object.keys(stack.tags).length === 0) { return undefined; } + + const absConfigPath = `${stack.absoluteTemplatePath}.config.json`; + const relativeConfigPath = path.relative(this.myCxAsmRoot, absConfigPath); + + // Write the template configuration file (for parameters into CreateChangeSet call that + // cannot be configured any other way). They must come from a file, and there's unfortunately + // no better hook to write this file (`construct.onSynthesize()` would have been the prime candidate + // but that is being deprecated--and DeployCdkStackAction isn't even a construct). + writeTemplateConfiguration(absConfigPath, { + Tags: noUndefined(stack.tags), + }); + + return relativeConfigPath; + } + + /** + * This role is used by both the CodePipeline build action and related CodeBuild project. Consolidating these two + * roles into one, and re-using across all assets, saves significant size of the final synthesized output. + * Modeled after the CodePipeline role and 'CodePipelineActionRole' roles. + * Generates one role per asset type to separate file and Docker/image-based permissions. + */ + private obtainAssetCodeBuildRole(assetType: AssetType): AssetCodeBuildRole { + if (this.assetCodeBuildRoles[assetType]) { + return { + role: this.assetCodeBuildRoles[assetType], + dependable: this.assetAttachedPolicies[assetType], + }; + } + + const stack = Stack.of(this); + + const rolePrefix = assetType === AssetType.DOCKER_IMAGE ? 'Docker' : 'File'; + const assetRole = new iam.Role(this.assetsScope, `${rolePrefix}Role`, { + roleName: PhysicalName.GENERATE_IF_NEEDED, + assumedBy: new iam.CompositePrincipal( + new iam.ServicePrincipal('codebuild.amazonaws.com'), + new iam.AccountPrincipal(stack.account), + ), + }); + + // Logging permissions + const logGroupArn = stack.formatArn({ + service: 'logs', + resource: 'log-group', + sep: ':', + resourceName: '/aws/codebuild/*', + }); + assetRole.addToPolicy(new iam.PolicyStatement({ + resources: [logGroupArn], + actions: ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'], + })); + + // CodeBuild report groups + const codeBuildArn = stack.formatArn({ + service: 'codebuild', + resource: 'report-group', + resourceName: '*', + }); + assetRole.addToPolicy(new iam.PolicyStatement({ + actions: [ + 'codebuild:CreateReportGroup', + 'codebuild:CreateReport', + 'codebuild:UpdateReport', + 'codebuild:BatchPutTestCases', + 'codebuild:BatchPutCodeCoverages', + ], + resources: [codeBuildArn], + })); + + // CodeBuild start/stop + assetRole.addToPolicy(new iam.PolicyStatement({ + resources: ['*'], + actions: [ + 'codebuild:BatchGetBuilds', + 'codebuild:StartBuild', + 'codebuild:StopBuild', + ], + })); + + // Publishing role access + // The ARNs include raw AWS pseudo parameters (e.g., ${AWS::Partition}), which need to be substituted. + // Lazy-evaluated so all asset publishing roles are included. + assetRole.addToPolicy(new iam.PolicyStatement({ + actions: ['sts:AssumeRole'], + resources: Lazy.list({ produce: () => Array.from(this.assetPublishingRoles[assetType] ?? []).map(arn => Fn.sub(arn)) }), + })); + + // Grant pull access for any ECR registries and secrets that exist + if (assetType === AssetType.DOCKER_IMAGE) { + this.dockerCredentials.forEach(reg => reg.grantRead(assetRole, DockerCredentialUsage.ASSET_PUBLISHING)); + } + + // Artifact access + this.pipeline.artifactBucket.grantRead(assetRole); + + // VPC permissions required for CodeBuild + // Normally CodeBuild itself takes care of this but we're creating a singleton role so now + // we need to do this. + const assetCodeBuildOptions = this.codeBuildDefaultsFor(CodeBuildProjectType.ASSETS); + if (assetCodeBuildOptions?.vpc) { + const vpcPolicy = new iam.Policy(assetRole, 'VpcPolicy', { + statements: [ + new iam.PolicyStatement({ + resources: [`arn:${Aws.PARTITION}:ec2:${Aws.REGION}:${Aws.ACCOUNT_ID}:network-interface/*`], + actions: ['ec2:CreateNetworkInterfacePermission'], + conditions: { + StringEquals: { + 'ec2:Subnet': assetCodeBuildOptions.vpc + .selectSubnets(assetCodeBuildOptions.subnetSelection).subnetIds + .map(si => `arn:${Aws.PARTITION}:ec2:${Aws.REGION}:${Aws.ACCOUNT_ID}:subnet/${si}`), + 'ec2:AuthorizedService': 'codebuild.amazonaws.com', + }, + }, + }), + new iam.PolicyStatement({ + resources: ['*'], + actions: [ + 'ec2:CreateNetworkInterface', + 'ec2:DescribeNetworkInterfaces', + 'ec2:DeleteNetworkInterface', + 'ec2:DescribeSubnets', + 'ec2:DescribeSecurityGroups', + 'ec2:DescribeDhcpOptions', + 'ec2:DescribeVpcs', + ], + }), + ], + }); + assetRole.attachInlinePolicy(vpcPolicy); + this.assetAttachedPolicies[assetType] = vpcPolicy; + } + + this.assetCodeBuildRoles[assetType] = assetRole.withoutPolicyUpdates(); + return { + role: this.assetCodeBuildRoles[assetType], + dependable: this.assetAttachedPolicies[assetType], + }; + } +} + +function dockerUsageFromCodeBuild(cbt: CodeBuildProjectType): DockerCredentialUsage | undefined { + switch (cbt) { + case CodeBuildProjectType.ASSETS: return DockerCredentialUsage.ASSET_PUBLISHING; + case CodeBuildProjectType.SELF_MUTATE: return DockerCredentialUsage.SELF_UPDATE; + case CodeBuildProjectType.SYNTH: return DockerCredentialUsage.SYNTH; + case CodeBuildProjectType.STEP: return undefined; + } +} + +interface AssetCodeBuildRole { + readonly role: iam.IRole; + readonly dependable?: IDependable; +} + +enum CodeBuildProjectType { + SYNTH = 'SYNTH', + ASSETS = 'ASSETS', + SELF_MUTATE = 'SELF_MUTATE', + STEP = 'STEP', +} + +function actionName(node: GraphNode, parent: GraphNode) { + const names = node.ancestorPath(parent).map(n => n.id); + return names.map(sanitizeName).join('.'); +} + +function sanitizeName(x: string): string { + return x.replace(/[^A-Za-z0-9.@\-_]/g, '_'); +} + +/** + * Take a set of tranches and split them up into groups so + * that no set of tranches has more than n items total + */ +function chunkTranches(n: number, xss: A[][]): A[][][] { + const ret: A[][][] = []; + + while (xss.length > 0) { + const tranches: A[][] = []; + let count = 0; + + while (xss.length > 0) { + const xs = xss[0]; + const spaceRemaining = n - count; + if (xs.length <= spaceRemaining) { + tranches.push(xs); + count += xs.length; + xss.shift(); + } else { + tranches.push(xs.splice(0, spaceRemaining)); + count = n; + break; + } + } + + ret.push(tranches); + } + + + return ret; +} + +function isCodePipelineActionFactory(x: any): x is ICodePipelineActionFactory { + return !!(x as ICodePipelineActionFactory).produceAction; +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/lib/codepipeline/index.ts b/packages/@aws-cdk/pipelines/lib/codepipeline/index.ts new file mode 100644 index 0000000000000..00e10509bb0df --- /dev/null +++ b/packages/@aws-cdk/pipelines/lib/codepipeline/index.ts @@ -0,0 +1,5 @@ +export * from './artifact-map'; +export * from './codebuild-step'; +export * from './codepipeline'; +export * from './codepipeline-action-factory'; +export * from './codepipeline-source'; \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/lib/docker-credentials.ts b/packages/@aws-cdk/pipelines/lib/docker-credentials.ts index a2a5b2ca39d64..77b7d2c1b4381 100644 --- a/packages/@aws-cdk/pipelines/lib/docker-credentials.ts +++ b/packages/@aws-cdk/pipelines/lib/docker-credentials.ts @@ -104,11 +104,11 @@ export interface EcrDockerCredentialOptions { /** Defines which stages of a pipeline require the specified credentials */ export enum DockerCredentialUsage { /** Synth/Build */ - SYNTH, + SYNTH = 'SYNTH', /** Self-update */ - SELF_UPDATE, + SELF_UPDATE = 'SELF_UPDATE', /** Asset publishing */ - ASSET_PUBLISHING, + ASSET_PUBLISHING = 'ASSET_PUBLISHING', }; /** DockerCredential defined by registry domain and a secret */ @@ -202,7 +202,7 @@ interface DockerCredentialCredentialSource { export function dockerCredentialsInstallCommands( usage: DockerCredentialUsage, registries?: DockerCredential[], - osType?: ec2.OperatingSystemType): string[] { + osType?: ec2.OperatingSystemType | 'both'): string[] { const relevantRegistries = (registries ?? []).filter(reg => reg._applicableForUsage(usage)); if (!relevantRegistries || relevantRegistries.length === 0) { return []; } @@ -216,15 +216,25 @@ export function dockerCredentialsInstallCommands( domainCredentials, }; - if (osType === ec2.OperatingSystemType.WINDOWS) { + const windowsCommands = [ + 'mkdir %USERPROFILE%\\.cdk', + `echo '${JSON.stringify(cdkAssetsConfigFile)}' > %USERPROFILE%\\.cdk\\cdk-docker-creds.json`, + ]; + + const linuxCommands = [ + 'mkdir $HOME/.cdk', + `echo '${JSON.stringify(cdkAssetsConfigFile)}' > $HOME/.cdk/cdk-docker-creds.json`, + ]; + + if (osType === 'both') { return [ - 'mkdir %USERPROFILE%\\.cdk', - `echo '${JSON.stringify(cdkAssetsConfigFile)}' > %USERPROFILE%\\.cdk\\cdk-docker-creds.json`, + // These tags are magic and will be stripped when rendering the project + ...windowsCommands.map(c => `!WINDOWS!${c}`), + ...linuxCommands.map(c => `!LINUX!${c}`), ]; + } else if (osType === ec2.OperatingSystemType.WINDOWS) { + return windowsCommands; } else { - return [ - 'mkdir $HOME/.cdk', - `echo '${JSON.stringify(cdkAssetsConfigFile)}' > $HOME/.cdk/cdk-docker-creds.json`, - ]; + return linuxCommands; } } diff --git a/packages/@aws-cdk/pipelines/lib/helpers-internal/graph.ts b/packages/@aws-cdk/pipelines/lib/helpers-internal/graph.ts new file mode 100644 index 0000000000000..6b1c2d85ee701 --- /dev/null +++ b/packages/@aws-cdk/pipelines/lib/helpers-internal/graph.ts @@ -0,0 +1,385 @@ +/** + * A library for nested graphs + */ +import { addAll, extract, flatMap, isDefined } from '../private/javascript'; +import { topoSort } from './toposort'; + +export interface GraphNodeProps { + readonly data?: A; +} + +export class GraphNode { + public static of(id: string, data: A) { + return new GraphNode(id, { data }); + } + + public readonly dependencies: GraphNode[] = []; + public readonly data?: A; + private _parentGraph?: Graph; + + constructor(public readonly id: string, props: GraphNodeProps = {}) { + this.data = props.data; + } + + /** + * A graph-wide unique identifier for this node. Rendered by joining the IDs + * of all ancestors with hyphens. + */ + public get uniqueId(): string { + return this.ancestorPath(this.root).map(x => x.id).join('-'); + } + + /** + * The union of all dependencies of this node and the dependencies of all + * parent graphs. + */ + public get allDeps(): GraphNode[] { + const fromParent = this.parentGraph?.allDeps ?? []; + return [...this.dependencies, ...fromParent]; + } + + public dependOn(...dependencies: Array | undefined>) { + if (dependencies.includes(this)) { + throw new Error(`Cannot add dependency on self: ${this}`); + } + this.dependencies.push(...dependencies.filter(isDefined)); + } + + public ancestorPath(upTo: GraphNode): GraphNode[] { + let x: GraphNode = this; + const ret = [x]; + while (x.parentGraph && x.parentGraph !== upTo) { + x = x.parentGraph; + ret.unshift(x); + } + return ret; + } + + public rootPath(): GraphNode[] { + let x: GraphNode = this; + const ret = [x]; + while (x.parentGraph) { + x = x.parentGraph; + ret.unshift(x); + } + return ret; + } + + public get root() { + let x: GraphNode = this; + while (x.parentGraph) { + x = x.parentGraph; + } + return x; + } + + public get parentGraph() { + return this._parentGraph; + } + + /** + * @internal + */ + public _setParentGraph(parentGraph: Graph) { + if (this._parentGraph) { + throw new Error('Node already has a parent'); + } + this._parentGraph = parentGraph; + } + + public toString() { + return `${this.constructor.name}(${this.id})`; + } +} + +/** + * A dependency set that can be constructed partially and later finished + * + * It doesn't matter in what order sources and targets for the dependency + * relationship(s) get added. This class can serve as a synchronization + * point if the order in which graph nodes get added to the graph is not + * well-defined. + * + * Useful utility during graph building. + */ +export class DependencyBuilder { + private readonly targets: GraphNode[] = []; + private readonly sources: GraphNode[] = []; + + public dependOn(...targets: GraphNode[]) { + for (const target of targets) { + for (const source of this.sources) { + source.dependOn(target); + } + this.targets.push(target); + } + return this; + } + + public dependBy(...sources: GraphNode[]) { + for (const source of sources) { + for (const target of this.targets) { + source.dependOn(target); + } + this.sources.push(source); + } + return this; + } +} + +export class DependencyBuilders { + private readonly builders = new Map>(); + + public get(key: K) { + const b = this.builders.get(key); + if (b) { return b; } + const ret = new DependencyBuilder(); + this.builders.set(key, ret); + return ret; + } +} + +export interface GraphProps extends GraphNodeProps { + /** + * Initial nodes in the workflow + */ + readonly nodes?: GraphNode[]; +} + +export class Graph extends GraphNode { + public static of(id: string, data: A, nodes?: GraphNode[]) { + return new Graph(id, { data, nodes }); + } + + private readonly children = new Map>(); + + constructor(name: string, props: GraphProps={}) { + super(name, props); + + if (props.nodes) { + this.add(...props.nodes); + } + } + + public get nodes() { + return new Set(this.children.values()); + } + + public tryGetChild(name: string) { + return this.children.get(name); + } + + public contains(node: GraphNode) { + return this.nodes.has(node); + } + + public add(...nodes: Array>) { + for (const node of nodes) { + node._setParentGraph(this); + if (this.children.has(node.id)) { + throw new Error(`Node with duplicate id: ${node.id}`); + } + this.children.set(node.id, node); + } + } + + public absorb(other: Graph) { + this.add(...other.nodes); + } + + /** + * Return topologically sorted tranches of nodes at this graph level + */ + public sortedChildren(): GraphNode[][] { + // Project dependencies to current children + const nodes = this.nodes; + const projectedDependencies = projectDependencies(this.deepDependencies(), (node) => { + while (!nodes.has(node) && node.parentGraph) { + node = node.parentGraph; + } + return nodes.has(node) ? [node] : []; + }); + + return topoSort(nodes, projectedDependencies); + } + + /** + * Return a topologically sorted list of non-Graph nodes in the entire subgraph + */ + public sortedLeaves(): GraphNode[][] { + // Project dependencies to leaf nodes + const descendantsMap = new Map, GraphNode[]>(); + findDescendants(this); + + function findDescendants(node: GraphNode): GraphNode[] { + const ret: GraphNode[] = []; + + if (node instanceof Graph) { + for (const child of node.nodes) { + ret.push(...findDescendants(child)); + } + } else { + ret.push(node); + } + + descendantsMap.set(node, ret); + return ret; + } + + const projectedDependencies = projectDependencies(this.deepDependencies(), (node) => descendantsMap.get(node) ?? []); + return topoSort(new Set(projectedDependencies.keys()), projectedDependencies); + } + + public consoleLog(indent: number = 0) { + process.stdout.write(' '.repeat(indent) + this + depString(this) + '\n'); + for (const node of this.nodes) { + if (node instanceof Graph) { + node.consoleLog(indent + 2); + } else { + process.stdout.write(' '.repeat(indent + 2) + node + depString(node) + '\n'); + } + } + + function depString(node: GraphNode) { + if (node.dependencies.length > 0) { + return ` -> ${Array.from(node.dependencies).join(', ')}`; + } + return ''; + } + } + + /** + * Return the union of all dependencies of the descendants of this graph + */ + private deepDependencies() { + const ret = new Map, Set>>(); + for (const node of this.nodes) { + recurse(node); + } + return ret; + + function recurse(node: GraphNode) { + let deps = ret.get(node); + if (!deps) { + ret.set(node, deps = new Set()); + } + for (let dep of node.dependencies) { + deps.add(dep); + } + if (node instanceof Graph) { + for (const child of node.nodes) { + recurse(child); + } + } + } + } + + /** + * Return all non-Graph nodes + */ + public allLeaves(): GraphNodeCollection { + const ret: GraphNode[] = []; + recurse(this); + return new GraphNodeCollection(ret); + + function recurse(node: GraphNode) { + if (node instanceof Graph) { + for (const child of node.nodes) { + recurse(child); + } + } else { + ret.push(node); + } + } + } +} + +/** + * A collection of graph nodes + */ +export class GraphNodeCollection { + public readonly nodes: GraphNode[]; + + constructor(nodes: Iterable>) { + this.nodes = Array.from(nodes); + } + + public dependOn(...dependencies: Array | undefined>) { + for (const node of this.nodes) { + node.dependOn(...dependencies.filter(isDefined)); + } + } + + /** + * Returns the graph node that's shared between these nodes + */ + public commonAncestor() { + const paths = new Array[]>(); + for (const x of this.nodes) { + paths.push(x.rootPath()); + } + + if (paths.length === 0) { + throw new Error('Cannot find common ancestor between an empty set of nodes'); + } + if (paths.length === 1) { + const path = paths[0]; + + if (path.length < 2) { + throw new Error(`Cannot find ancestor of node without ancestor: ${path[0]}`); + } + return path[path.length - 2]; + } + + const originalPaths = [...paths]; + + // Remove the first element of every path as long as the 2nd elements are all + // the same -- this leaves the shared element in first place. + // + // A, B, C, 1, 2 }---> C + // A, B, C, 3 } + while (paths.every(path => paths[0].length >= 2 && path.length >= 2 && path[1] === paths[0][1])) { + for (const path of paths) { + path.shift(); + } + } + + // If any of the paths are left with 1 element, there's no shared parent. + if (paths.some(path => path.length < 2)) { + throw new Error(`Could not determine a shared parent between nodes: ${originalPaths.map(nodes => nodes.map(n => n.id).join('/'))}`); + } + + return paths[0][0]; + } +} + +/** + * Dependency map of nodes in this graph, taking into account dependencies between nodes in subgraphs + * + * Guaranteed to return an entry in the map for every node in the current graph. + */ +function projectDependencies(dependencies: Map, Set>>, project: (x: GraphNode) => GraphNode[]) { + // Project keys + for (const node of dependencies.keys()) { + const projectedNodes = project(node); + if (projectedNodes.length === 1 && projectedNodes[0] === node) { continue; } // Nothing to do, just for efficiency + + const deps = extract(dependencies, node)!; + for (const projectedNode of projectedNodes) { + addAll(dependencies.get(projectedNode)!, deps); + } + } + + // Project values. Ignore self-dependencies, they were just between nodes that were collapsed into the same node. + for (const [node, deps] of dependencies.entries()) { + const depset = new Set(flatMap(deps, project)); + depset.delete(node); + dependencies.set(node, depset); + } + + return dependencies; +} + +export function isGraph(x: GraphNode): x is Graph { + return x instanceof Graph; +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/lib/helpers-internal/index.ts b/packages/@aws-cdk/pipelines/lib/helpers-internal/index.ts new file mode 100644 index 0000000000000..6709f7c84488f --- /dev/null +++ b/packages/@aws-cdk/pipelines/lib/helpers-internal/index.ts @@ -0,0 +1,2 @@ +export * from './pipeline-graph'; +export * from './graph'; \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/lib/helpers-internal/pipeline-graph.ts b/packages/@aws-cdk/pipelines/lib/helpers-internal/pipeline-graph.ts new file mode 100644 index 0000000000000..0adcea551ff32 --- /dev/null +++ b/packages/@aws-cdk/pipelines/lib/helpers-internal/pipeline-graph.ts @@ -0,0 +1,319 @@ +import { AssetType, FileSet, ShellStep, StackAsset, StackDeployment, StageDeployment, Step, Wave } from '../blueprint'; +import { PipelineBase } from '../main/pipeline-base'; +import { DependencyBuilders, Graph, GraphNode, GraphNodeCollection } from './graph'; +import { PipelineQueries } from './pipeline-queries'; + +export interface PipelineGraphProps { + /** + * Add a self-mutation step. + * + * @default false + */ + readonly selfMutation?: boolean; + + /** + * Publishes the template asset to S3. + * + * @default false + */ + readonly publishTemplate?: boolean; + + /** + * Whether to combine asset publishers for the same type into one step + * + * @default false + */ + readonly singlePublisherPerAssetType?: boolean; + + /** + * Add a "prepare" step for each stack which can be used to create the change + * set. If this is disbled, only the "execute" step will be included. + * + * @default true + */ + readonly prepareStep?: boolean; +} + +/** + * Logic to turn the deployment blueprint into a graph + * + * This code makes all the decisions on how to lay out the CodePipeline + */ +export class PipelineGraph { + /** + * A Step object that may be used as the producer of FileSets that should not be represented in the graph + */ + public static readonly NO_STEP: Step = new class extends Step { } ('NO_STEP'); + + public readonly graph: AGraph = Graph.of('', { type: 'group' }); + public readonly cloudAssemblyFileSet: FileSet; + public readonly queries: PipelineQueries; + + private readonly added = new Map(); + private readonly assetNodes = new Map(); + private readonly assetNodesByType = new Map(); + private readonly synthNode?: AGraphNode; + private readonly selfMutateNode?: AGraphNode; + private readonly stackOutputDependencies = new DependencyBuilders(); + private readonly publishTemplate: boolean; + private readonly prepareStep: boolean; + private readonly singlePublisher: boolean; + + private lastPreparationNode?: AGraphNode; + private _fileAssetCtr = 0; + private _dockerAssetCtr = 0; + + constructor(public readonly pipeline: PipelineBase, props: PipelineGraphProps = {}) { + this.publishTemplate = props.publishTemplate ?? false; + this.prepareStep = props.prepareStep ?? true; + this.singlePublisher = props.singlePublisherPerAssetType ?? false; + + this.queries = new PipelineQueries(pipeline); + + if (pipeline.synth instanceof Step) { + this.synthNode = this.addBuildStep(pipeline.synth); + if (this.synthNode?.data?.type === 'step') { + this.synthNode.data.isBuildStep = true; + } + } + this.lastPreparationNode = this.synthNode; + + const cloudAssembly = pipeline.synth.primaryOutput?.primaryOutput; + if (!cloudAssembly) { + throw new Error(`The synth step must produce the cloud assembly artifact, but doesn't: ${pipeline.synth}`); + } + + this.cloudAssemblyFileSet = cloudAssembly; + + if (props.selfMutation) { + const stage: AGraph = Graph.of('UpdatePipeline', { type: 'group' }); + this.graph.add(stage); + this.selfMutateNode = GraphNode.of('SelfMutate', { type: 'self-update' }); + stage.add(this.selfMutateNode); + + this.selfMutateNode.dependOn(this.synthNode); + this.lastPreparationNode = this.selfMutateNode; + } + + const waves = pipeline.waves.map(w => this.addWave(w)); + + // Make sure the waves deploy sequentially + for (let i = 1; i < waves.length; i++) { + waves[i].dependOn(waves[i - 1]); + } + + // Add additional dependencies between steps that depend on stack outputs and the stacks + // that produce them. + } + + public isSynthNode(node: AGraphNode) { + return this.synthNode === node; + } + + private addBuildStep(step: Step) { + return this.addAndRecurse(step, this.topLevelGraph('Build')); + } + + private addWave(wave: Wave): AGraph { + // If the wave only has one Stage in it, don't add an additional Graph around it + const retGraph: AGraph = wave.stages.length === 1 + ? this.addStage(wave.stages[0]) + : Graph.of(wave.id, { type: 'group' }, wave.stages.map(s => this.addStage(s))); + + this.addPrePost(wave.pre, wave.post, retGraph); + retGraph.dependOn(this.lastPreparationNode); + this.graph.add(retGraph); + + return retGraph; + } + + private addStage(stage: StageDeployment): AGraph { + const retGraph: AGraph = Graph.of(stage.stageName, { type: 'group' }); + + const stackGraphs = new Map(); + + for (const stack of stage.stacks) { + const stackGraph: AGraph = Graph.of(this.simpleStackName(stack.stackName, stage.stageName), { type: 'stack-group', stack }); + const prepareNode: AGraphNode | undefined = this.prepareStep ? GraphNode.of('Prepare', { type: 'prepare', stack }) : undefined; + const deployNode: AGraphNode = GraphNode.of('Deploy', { + type: 'execute', + stack, + captureOutputs: this.queries.stackOutputsReferenced(stack).length > 0, + }); + + retGraph.add(stackGraph); + + stackGraph.add(deployNode); + let firstDeployNode; + if (prepareNode) { + stackGraph.add(prepareNode); + deployNode.dependOn(prepareNode); + firstDeployNode = prepareNode; + } else { + firstDeployNode = deployNode; + } + + stackGraphs.set(stack, stackGraph); + + const cloudAssembly = this.cloudAssemblyFileSet; + + firstDeployNode.dependOn(this.addAndRecurse(cloudAssembly.producer, retGraph)); + + // add the template asset + if (this.publishTemplate) { + if (!stack.templateAsset) { + throw new Error(`"publishTemplate" is enabled, but stack ${stack.stackArtifactId} does not have a template asset`); + } + + firstDeployNode.dependOn(this.publishAsset(stack.templateAsset)); + } + + // Depend on Assets + // FIXME: Custom Cloud Assembly currently doesn't actually help separating + // out templates from assets!!! + for (const asset of stack.assets) { + const assetNode = this.publishAsset(asset); + firstDeployNode.dependOn(assetNode); + } + + // Add stack output synchronization point + if (this.queries.stackOutputsReferenced(stack).length > 0) { + this.stackOutputDependencies.get(stack).dependOn(deployNode); + } + } + + for (const stack of stage.stacks) { + for (const dep of stack.stackDependencies) { + const stackNode = stackGraphs.get(stack); + const depNode = stackGraphs.get(dep); + if (!stackNode) { + throw new Error(`cannot find node for ${stack.stackName}`); + } + if (!depNode) { + throw new Error(`cannot find node for ${dep.stackName}`); + } + stackNode.dependOn(depNode); + } + } + + this.addPrePost(stage.pre, stage.post, retGraph); + + return retGraph; + } + + private addPrePost(pre: Step[], post: Step[], parent: AGraph) { + const currentNodes = new GraphNodeCollection(parent.nodes); + for (const p of pre) { + const preNode = this.addAndRecurse(p, parent); + currentNodes.dependOn(preNode); + } + for (const p of post) { + const postNode = this.addAndRecurse(p, parent); + postNode?.dependOn(...currentNodes.nodes); + } + } + + private topLevelGraph(name: string): AGraph { + let ret = this.graph.tryGetChild(name); + if (!ret) { + ret = new Graph(name); + this.graph.add(ret); + } + return ret as AGraph; + } + + private addAndRecurse(step: Step, parent: AGraph) { + if (step === PipelineGraph.NO_STEP) { return undefined; } + + const previous = this.added.get(step); + if (previous) { return previous; } + + const node: AGraphNode = GraphNode.of(step.id, { type: 'step', step }); + + // If the step is a source step, change the parent to a special "Source" stage + // (CodePipeline wants it that way) + if (step.isSource) { + parent = this.topLevelGraph('Source'); + } + + parent.add(node); + this.added.set(step, node); + + for (const dep of step.dependencies) { + const producerNode = this.addAndRecurse(dep, parent); + node.dependOn(producerNode); + } + + // Add stack dependencies (by use of the dependencybuilder this also works + // if we encounter the Step before the Stack has been properly added yet) + if (step instanceof ShellStep) { + for (const output of Object.values(step.envFromCfnOutputs)) { + const stack = this.queries.producingStack(output); + this.stackOutputDependencies.get(stack).dependBy(node); + } + } + + return node; + } + + private publishAsset(stackAsset: StackAsset): AGraphNode { + const assetsGraph = this.topLevelGraph('Assets'); + + let assetNode = this.assetNodes.get(stackAsset.assetId); + if (assetNode) { + // If there's already a node pubishing this asset, add as a new publishing + // destination to the same node. + } else if (this.singlePublisher && this.assetNodesByType.has(stackAsset.assetType)) { + // If we're doing a single node per type, lookup by that + assetNode = this.assetNodesByType.get(stackAsset.assetType)!; + } else { + // Otherwise add a new one + const id = stackAsset.assetType === AssetType.FILE + ? (this.singlePublisher ? 'FileAsset' : `FileAsset${++this._fileAssetCtr}`) + : (this.singlePublisher ? 'DockerAsset' : `DockerAsset${++this._dockerAssetCtr}`); + + assetNode = GraphNode.of(id, { type: 'publish-assets', assets: [] }); + assetsGraph.add(assetNode); + assetNode.dependOn(this.lastPreparationNode); + + this.assetNodesByType.set(stackAsset.assetType, assetNode); + this.assetNodes.set(stackAsset.assetId, assetNode); + } + + const data = assetNode.data; + if (data?.type !== 'publish-assets') { + throw new Error(`${assetNode} has the wrong data.type: ${data?.type}`); + } + if (!data.assets.some(a => a.assetSelector === stackAsset.assetSelector)) { + data.assets.push(stackAsset); + } + + return assetNode; + } + + /** + * Simplify the stack name by removing the `Stage-` prefix if it exists. + */ + private simpleStackName(stackName: string, stageName: string) { + return stripPrefix(stackName, `${stageName}-`); + } +} + +type GraphAnnotation = + { readonly type: 'group' } + | { readonly type: 'stack-group'; readonly stack: StackDeployment } + | { readonly type: 'publish-assets'; readonly assets: StackAsset[] } + | { readonly type: 'step'; readonly step: Step; isBuildStep?: boolean } + | { readonly type: 'self-update' } + | { readonly type: 'prepare'; readonly stack: StackDeployment } + | { readonly type: 'execute'; readonly stack: StackDeployment; readonly captureOutputs: boolean } + ; + +// Type aliases for the graph nodes tagged with our specific annotation type +// (to save on generics in the code above). +export type AGraphNode = GraphNode; +export type AGraph = Graph; + +function stripPrefix(s: string, prefix: string) { + return s.startsWith(prefix) ? s.substr(prefix.length) : s; +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/lib/helpers-internal/pipeline-queries.ts b/packages/@aws-cdk/pipelines/lib/helpers-internal/pipeline-queries.ts new file mode 100644 index 0000000000000..d3306e4e0a934 --- /dev/null +++ b/packages/@aws-cdk/pipelines/lib/helpers-internal/pipeline-queries.ts @@ -0,0 +1,67 @@ +import { Step, ShellStep, StackOutputReference, StackDeployment, StackAsset, StageDeployment } from '../blueprint'; +import { PipelineBase } from '../main/pipeline-base'; + +/** + * Answer some questions about a pipeline blueprint + */ +export class PipelineQueries { + constructor(private readonly pipeline: PipelineBase) { + } + + /** + * Return the names of all outputs for the given stack that are referenced in this blueprint + */ + public stackOutputsReferenced(stack: StackDeployment): string[] { + const steps = new Array(); + for (const wave of this.pipeline.waves) { + steps.push(...wave.pre, ...wave.post); + for (const stage of wave.stages) { + steps.push(...stage.pre, ...stage.post); + } + } + + const ret = new Array(); + for (const step of steps) { + if (!(step instanceof ShellStep)) { continue; } + + for (const outputRef of Object.values(step.envFromCfnOutputs)) { + if (outputRef.isProducedBy(stack)) { + ret.push(outputRef.outputName); + } + } + } + return ret; + } + + /** + * Find the stack deployment that is producing the given reference + */ + public producingStack(outputReference: StackOutputReference): StackDeployment { + for (const wave of this.pipeline.waves) { + for (const stage of wave.stages) { + for (const stack of stage.stacks) { + if (outputReference.isProducedBy(stack)) { + return stack; + } + } + } + } + + throw new Error(`Stack '${outputReference.stackDescription}' (producing output '${outputReference.outputName}') is not in the pipeline; call 'addStage()' to add the stack's Stage to the pipeline`); + } + + /** + * All assets referenced in all the Stacks of a StageDeployment + */ + public assetsInStage(stage: StageDeployment): StackAsset[] { + const assets = new Map(); + + for (const stack of stage.stacks) { + for (const asset of stack.assets) { + assets.set(asset.assetSelector, asset); + } + } + + return Array.from(assets.values()); + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/lib/helpers-internal/toposort.ts b/packages/@aws-cdk/pipelines/lib/helpers-internal/toposort.ts new file mode 100644 index 0000000000000..eb5e0cc3483aa --- /dev/null +++ b/packages/@aws-cdk/pipelines/lib/helpers-internal/toposort.ts @@ -0,0 +1,67 @@ +import { GraphNode } from './graph'; + +export function printDependencyMap(dependencies: Map, Set>>) { + const lines = ['---']; + for (const [k, vs] of dependencies.entries()) { + lines.push(`${k} -> ${Array.from(vs)}`); + } + // eslint-disable-next-line no-console + console.log(lines.join('\n')); +} + +export function topoSort(nodes: Set>, dependencies: Map, Set>>): GraphNode[][] { + const remaining = new Set>(nodes); + + const ret: GraphNode[][] = []; + while (remaining.size > 0) { + // All elements with no more deps in the set can be ordered + const selectable = Array.from(remaining.values()).filter(e => { + if (!dependencies.has(e)) { + throw new Error(`No key for ${e}`); + } + return dependencies.get(e)!.size === 0; + }); + selectable.sort((a, b) => a.id < b.id ? -1 : b.id < a.id ? 1 : 0); + + // If we didn't make any progress, we got stuck + if (selectable.length === 0) { + const cycle = findCycle(dependencies); + throw new Error(`Dependency cycle in graph: ${cycle.map(n => n.id).join(' => ')}`); + } + + ret.push(selectable); + + for (const selected of selectable) { + remaining.delete(selected); + for (const depSet of dependencies.values()) { + depSet.delete(selected); + } + } + } + + return ret; +} + +/** + * Find cycles in a graph + * + * Not the fastest, but effective and should be rare + */ +function findCycle(deps: Map, Set>>): GraphNode[] { + for (const node of deps.keys()) { + const cycle = recurse(node, [node]); + if (cycle) { return cycle; } + } + throw new Error('No cycle found. Assertion failure!'); + + function recurse(node: GraphNode, path: GraphNode[]): GraphNode[] | undefined { + for (const dep of deps.get(node) ?? []) { + if (dep === path[0]) { return [...path, dep]; } + + const cycle = recurse(dep, [...path, dep]); + if (cycle) { return cycle; } + } + + return undefined; + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/lib/index.ts b/packages/@aws-cdk/pipelines/lib/index.ts index 2e63ee1d083a9..5f469e9fd5ce6 100644 --- a/packages/@aws-cdk/pipelines/lib/index.ts +++ b/packages/@aws-cdk/pipelines/lib/index.ts @@ -1,6 +1,5 @@ -export * from './pipeline'; -export * from './stage'; -export * from './synths'; -export * from './actions'; -export * from './docker-credentials'; -export * from './validation'; +export * from './legacy'; +export * from './blueprint'; +export * from './codepipeline'; +export * from './main'; +export * from './docker-credentials'; \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/lib/actions/deploy-cdk-stack-action.ts b/packages/@aws-cdk/pipelines/lib/legacy/actions/deploy-cdk-stack-action.ts similarity index 98% rename from packages/@aws-cdk/pipelines/lib/actions/deploy-cdk-stack-action.ts rename to packages/@aws-cdk/pipelines/lib/legacy/actions/deploy-cdk-stack-action.ts index 095ed581302aa..af6b7821a308d 100644 --- a/packages/@aws-cdk/pipelines/lib/actions/deploy-cdk-stack-action.ts +++ b/packages/@aws-cdk/pipelines/lib/legacy/actions/deploy-cdk-stack-action.ts @@ -7,8 +7,8 @@ import * as iam from '@aws-cdk/aws-iam'; import { Aws, CfnCapabilities, Stack } from '@aws-cdk/core'; import * as cxapi from '@aws-cdk/cx-api'; import { Construct, Node } from 'constructs'; -import { appOf, assemblyBuilderOf } from '../private/construct-internals'; -import { toPosixPath } from '../private/fs'; +import { appOf, assemblyBuilderOf } from '../../private/construct-internals'; +import { toPosixPath } from '../../private/fs'; // v2 - keep this import as a separate section to reduce merge conflict when forward merging with the v2 branch. // eslint-disable-next-line diff --git a/packages/@aws-cdk/pipelines/lib/actions/index.ts b/packages/@aws-cdk/pipelines/lib/legacy/actions/index.ts similarity index 100% rename from packages/@aws-cdk/pipelines/lib/actions/index.ts rename to packages/@aws-cdk/pipelines/lib/legacy/actions/index.ts diff --git a/packages/@aws-cdk/pipelines/lib/actions/publish-assets-action.ts b/packages/@aws-cdk/pipelines/lib/legacy/actions/publish-assets-action.ts similarity index 96% rename from packages/@aws-cdk/pipelines/lib/actions/publish-assets-action.ts rename to packages/@aws-cdk/pipelines/lib/legacy/actions/publish-assets-action.ts index a9661da20a9c2..72f2924e1690a 100644 --- a/packages/@aws-cdk/pipelines/lib/actions/publish-assets-action.ts +++ b/packages/@aws-cdk/pipelines/lib/legacy/actions/publish-assets-action.ts @@ -8,27 +8,13 @@ import * as events from '@aws-cdk/aws-events'; import * as iam from '@aws-cdk/aws-iam'; import { IDependable, ISynthesisSession, Lazy, Stack, attachCustomSynthesis } from '@aws-cdk/core'; import { Construct } from 'constructs'; -import { toPosixPath } from '../private/fs'; +import { AssetType } from '../../blueprint/asset-type'; +import { toPosixPath } from '../../private/fs'; // v2 - keep this import as a separate section to reduce merge conflict when forward merging with the v2 branch. // eslint-disable-next-line import { Construct as CoreConstruct } from '@aws-cdk/core'; -/** - * Type of the asset that is being published - */ -export enum AssetType { - /** - * A file - */ - FILE = 'file', - - /** - * A Docker image - */ - DOCKER_IMAGE = 'docker-image', -} - /** * Props for a PublishAssetsAction */ diff --git a/packages/@aws-cdk/pipelines/lib/actions/update-pipeline-action.ts b/packages/@aws-cdk/pipelines/lib/legacy/actions/update-pipeline-action.ts similarity index 97% rename from packages/@aws-cdk/pipelines/lib/actions/update-pipeline-action.ts rename to packages/@aws-cdk/pipelines/lib/legacy/actions/update-pipeline-action.ts index 42b3c51c1da3a..cc866c20e51d8 100644 --- a/packages/@aws-cdk/pipelines/lib/actions/update-pipeline-action.ts +++ b/packages/@aws-cdk/pipelines/lib/legacy/actions/update-pipeline-action.ts @@ -5,8 +5,8 @@ import * as events from '@aws-cdk/aws-events'; import * as iam from '@aws-cdk/aws-iam'; import { Stack } from '@aws-cdk/core'; import { Construct } from 'constructs'; -import { dockerCredentialsInstallCommands, DockerCredential, DockerCredentialUsage } from '../docker-credentials'; -import { embeddedAsmPath } from '../private/construct-internals'; +import { dockerCredentialsInstallCommands, DockerCredential, DockerCredentialUsage } from '../../docker-credentials'; +import { embeddedAsmPath } from '../../private/construct-internals'; // v2 - keep this import as a separate section to reduce merge conflict when forward merging with the v2 branch. // eslint-disable-next-line diff --git a/packages/@aws-cdk/pipelines/lib/legacy/index.ts b/packages/@aws-cdk/pipelines/lib/legacy/index.ts new file mode 100644 index 0000000000000..ca2b108fcb0d8 --- /dev/null +++ b/packages/@aws-cdk/pipelines/lib/legacy/index.ts @@ -0,0 +1,5 @@ +export * from './pipeline'; +export * from './stage'; +export * from './synths'; +export * from './actions'; +export * from './validation'; diff --git a/packages/@aws-cdk/pipelines/lib/pipeline.ts b/packages/@aws-cdk/pipelines/lib/legacy/pipeline.ts similarity index 98% rename from packages/@aws-cdk/pipelines/lib/pipeline.ts rename to packages/@aws-cdk/pipelines/lib/legacy/pipeline.ts index a3084d9f489d7..95a828b981ea1 100644 --- a/packages/@aws-cdk/pipelines/lib/pipeline.ts +++ b/packages/@aws-cdk/pipelines/lib/legacy/pipeline.ts @@ -4,9 +4,10 @@ import * as ec2 from '@aws-cdk/aws-ec2'; import * as iam from '@aws-cdk/aws-iam'; import { Annotations, App, Aws, CfnOutput, Fn, Lazy, PhysicalName, Stack, Stage } from '@aws-cdk/core'; import { Construct } from 'constructs'; -import { AssetType, DeployCdkStackAction, PublishAssetsAction, UpdatePipelineAction } from './actions'; -import { dockerCredentialsInstallCommands, DockerCredential, DockerCredentialUsage } from './docker-credentials'; -import { appOf, assemblyBuilderOf } from './private/construct-internals'; +import { AssetType } from '../blueprint/asset-type'; +import { dockerCredentialsInstallCommands, DockerCredential, DockerCredentialUsage } from '../docker-credentials'; +import { appOf, assemblyBuilderOf } from '../private/construct-internals'; +import { DeployCdkStackAction, PublishAssetsAction, UpdatePipelineAction } from './actions'; import { AddStageOptions, AssetPublishingCommand, CdkStage, StackOutput } from './stage'; // v2 - keep this import as a separate section to reduce merge conflict when forward merging with the v2 branch. diff --git a/packages/@aws-cdk/pipelines/lib/stage.ts b/packages/@aws-cdk/pipelines/lib/legacy/stage.ts similarity index 98% rename from packages/@aws-cdk/pipelines/lib/stage.ts rename to packages/@aws-cdk/pipelines/lib/legacy/stage.ts index 4d5eda62762d3..55c847d984a58 100644 --- a/packages/@aws-cdk/pipelines/lib/stage.ts +++ b/packages/@aws-cdk/pipelines/lib/legacy/stage.ts @@ -3,9 +3,10 @@ import * as cpactions from '@aws-cdk/aws-codepipeline-actions'; import { Stage, Aspects } from '@aws-cdk/core'; import * as cxapi from '@aws-cdk/cx-api'; import { Construct } from 'constructs'; -import { AssetType, DeployCdkStackAction } from './actions'; -import { AssetManifestReader, DockerImageManifestEntry, FileManifestEntry } from './private/asset-manifest'; -import { topologicalSort } from './private/toposort'; +import { AssetType } from '../blueprint/asset-type'; +import { AssetManifestReader, DockerImageManifestEntry, FileManifestEntry } from '../private/asset-manifest'; +import { topologicalSort } from '../private/toposort'; +import { DeployCdkStackAction } from './actions'; // v2 - keep this import as a separate section to reduce merge conflict when forward merging with the v2 branch. // eslint-disable-next-line diff --git a/packages/@aws-cdk/pipelines/lib/synths/_util.ts b/packages/@aws-cdk/pipelines/lib/legacy/synths/_util.ts similarity index 100% rename from packages/@aws-cdk/pipelines/lib/synths/_util.ts rename to packages/@aws-cdk/pipelines/lib/legacy/synths/_util.ts diff --git a/packages/@aws-cdk/pipelines/lib/synths/index.ts b/packages/@aws-cdk/pipelines/lib/legacy/synths/index.ts similarity index 100% rename from packages/@aws-cdk/pipelines/lib/synths/index.ts rename to packages/@aws-cdk/pipelines/lib/legacy/synths/index.ts diff --git a/packages/@aws-cdk/pipelines/lib/synths/simple-synth-action.ts b/packages/@aws-cdk/pipelines/lib/legacy/synths/simple-synth-action.ts similarity index 99% rename from packages/@aws-cdk/pipelines/lib/synths/simple-synth-action.ts rename to packages/@aws-cdk/pipelines/lib/legacy/synths/simple-synth-action.ts index 8380a9c859698..b0fe2bcd466fb 100644 --- a/packages/@aws-cdk/pipelines/lib/synths/simple-synth-action.ts +++ b/packages/@aws-cdk/pipelines/lib/legacy/synths/simple-synth-action.ts @@ -7,8 +7,8 @@ import * as ec2 from '@aws-cdk/aws-ec2'; import * as events from '@aws-cdk/aws-events'; import * as iam from '@aws-cdk/aws-iam'; import { Stack } from '@aws-cdk/core'; -import { dockerCredentialsInstallCommands, DockerCredential, DockerCredentialUsage } from '../docker-credentials'; -import { toPosixPath } from '../private/fs'; +import { dockerCredentialsInstallCommands, DockerCredential, DockerCredentialUsage } from '../../docker-credentials'; +import { toPosixPath } from '../../private/fs'; import { copyEnvironmentVariables, filterEmpty } from './_util'; const DEFAULT_OUTPUT_DIR = 'cdk.out'; diff --git a/packages/@aws-cdk/pipelines/lib/validation/_files.ts b/packages/@aws-cdk/pipelines/lib/legacy/validation/_files.ts similarity index 100% rename from packages/@aws-cdk/pipelines/lib/validation/_files.ts rename to packages/@aws-cdk/pipelines/lib/legacy/validation/_files.ts diff --git a/packages/@aws-cdk/pipelines/lib/validation/index.ts b/packages/@aws-cdk/pipelines/lib/legacy/validation/index.ts similarity index 100% rename from packages/@aws-cdk/pipelines/lib/validation/index.ts rename to packages/@aws-cdk/pipelines/lib/legacy/validation/index.ts diff --git a/packages/@aws-cdk/pipelines/lib/validation/shell-script-action.ts b/packages/@aws-cdk/pipelines/lib/legacy/validation/shell-script-action.ts similarity index 100% rename from packages/@aws-cdk/pipelines/lib/validation/shell-script-action.ts rename to packages/@aws-cdk/pipelines/lib/legacy/validation/shell-script-action.ts diff --git a/packages/@aws-cdk/pipelines/lib/main/index.ts b/packages/@aws-cdk/pipelines/lib/main/index.ts new file mode 100644 index 0000000000000..af40f3df33635 --- /dev/null +++ b/packages/@aws-cdk/pipelines/lib/main/index.ts @@ -0,0 +1 @@ +export * from './pipeline-base'; \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/lib/main/pipeline-base.ts b/packages/@aws-cdk/pipelines/lib/main/pipeline-base.ts new file mode 100644 index 0000000000000..563697746a8cf --- /dev/null +++ b/packages/@aws-cdk/pipelines/lib/main/pipeline-base.ts @@ -0,0 +1,132 @@ +import { Aspects, Stage } from '@aws-cdk/core'; +import { Construct } from 'constructs'; +import { AddStageOpts as StageOptions, WaveOptions, Wave, IFileSetProducer, ShellStep } from '../blueprint'; + +// v2 - keep this import as a separate section to reduce merge conflict when forward merging with the v2 branch. +// eslint-disable-next-line +import { Construct as CoreConstruct } from '@aws-cdk/core'; + +/** + * Properties for a `Pipeline` + */ +export interface PipelineBaseProps { + /** + * The build step that produces the CDK Cloud Assembly + * + * The primary output of this step needs to be the `cdk.out` directory + * generated by the `cdk synth` command. + * + * If you use a `ShellStep` here and you don't configure an output directory, + * the output directory will automatically be assumed to be `cdk.out`. + */ + readonly synth: IFileSetProducer; +} + +/** + * A generic CDK Pipelines pipeline + * + * Different deployment systems will provide subclasses of `Pipeline` that generate + * the deployment infrastructure necessary to deploy CDK apps, specific to that system. + * + * This library comes with the `CodePipeline` class, which uses AWS CodePipeline + * to deploy CDK apps. + * + * The actual pipeline infrastructure is constructed (by invoking the engine) + * when `buildPipeline()` is called, or when `app.synth()` is called (whichever + * happens first). + */ +export abstract class PipelineBase extends CoreConstruct { + /** + * The build step that produces the CDK Cloud Assembly + */ + public readonly synth: IFileSetProducer; + + /** + * The waves in this pipeline + */ + public readonly waves: Wave[]; + + private built = false; + + constructor(scope: Construct, id: string, props: PipelineBaseProps) { + super(scope, id); + + if (props.synth instanceof ShellStep && !props.synth.primaryOutput) { + props.synth.primaryOutputDirectory('cdk.out'); + } + + this.synth = props.synth; + this.waves = []; + + if (!props.synth.primaryOutput) { + throw new Error(`synthStep ${props.synth} must produce a primary output, but is not producing anything. Configure the Step differently or use a different Step type.`); + } + + Aspects.of(this).add({ visit: () => this.buildJustInTime() }); + } + + /** + * Deploy a single Stage by itself + * + * Add a Stage to the pipeline, to be deployed in sequence with other + * Stages added to the pipeline. All Stacks in the stage will be deployed + * in an order automatically determined by their relative dependencies. + */ + public addStage(stage: Stage, options?: StageOptions) { + if (this.built) { + throw new Error('addStage: can\'t add Stages anymore after buildPipeline() has been called'); + } + + return this.addWave(stage.stageName).addStage(stage, options); + } + + /** + * Add a Wave to the pipeline, for deploying multiple Stages in parallel + * + * Use the return object of this method to deploy multiple stages in parallel. + * + * Example: + * + * ```ts + * const wave = pipeline.addWave('MyWave'); + * wave.addStage(new MyStage('Stage1', ...)); + * wave.addStage(new MyStage('Stage2', ...)); + * ``` + */ + public addWave(id: string, options?: WaveOptions) { + if (this.built) { + throw new Error('addWave: can\'t add Waves anymore after buildPipeline() has been called'); + } + + const wave = new Wave(id, options); + this.waves.push(wave); + return wave; + } + + /** + * Send the current pipeline definition to the engine, and construct the pipeline + * + * It is not possible to modify the pipeline after calling this method. + */ + public buildPipeline() { + if (this.built) { + throw new Error('build() has already been called: can only call it once'); + } + this.doBuildPipeline(); + this.built = true; + } + + /** + * Implemented by subclasses to do the actual pipeline construction + */ + protected abstract doBuildPipeline(): void; + + /** + * Automatically call 'build()' just before synthesis if the user hasn't explicitly called it yet + */ + private buildJustInTime() { + if (!this.built) { + this.buildPipeline(); + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/lib/private/cloud-assembly-internals.ts b/packages/@aws-cdk/pipelines/lib/private/cloud-assembly-internals.ts new file mode 100644 index 0000000000000..114ec2e228fbf --- /dev/null +++ b/packages/@aws-cdk/pipelines/lib/private/cloud-assembly-internals.ts @@ -0,0 +1,13 @@ +import * as cxapi from '@aws-cdk/cx-api'; + +export function isAssetManifest(s: cxapi.CloudArtifact): s is cxapi.AssetManifestArtifact { + // instanceof is too risky, and we're at a too late stage to properly fix. + // return s instanceof cxapi.AssetManifestArtifact; + return s.constructor.name === 'AssetManifestArtifact'; +} + +export function isStackArtifact(a: cxapi.CloudArtifact): a is cxapi.CloudFormationStackArtifact { + // instanceof is too risky, and we're at a too late stage to properly fix. + // return a instanceof cxapi.CloudFormationStackArtifact; + return a.constructor.name === 'CloudFormationStackArtifact'; +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/lib/private/construct-internals.ts b/packages/@aws-cdk/pipelines/lib/private/construct-internals.ts index 496d33c5a1f7c..fe2ddf1953f64 100644 --- a/packages/@aws-cdk/pipelines/lib/private/construct-internals.ts +++ b/packages/@aws-cdk/pipelines/lib/private/construct-internals.ts @@ -4,7 +4,10 @@ import * as path from 'path'; import { App, Stage } from '@aws-cdk/core'; import * as cxapi from '@aws-cdk/cx-api'; -import { IConstruct, Node } from 'constructs'; +import { Construct, IConstruct, Node } from 'constructs'; + +// eslint-disable-next-line no-duplicate-imports,import/order +import { Construct as CoreConstruct } from '@aws-cdk/core'; export function appOf(construct: IConstruct): App { const root = Node.of(construct).root; @@ -35,4 +38,12 @@ export function embeddedAsmPath(scope: IConstruct) { */ export function cloudAssemblyBuildSpecDir(scope: IConstruct) { return assemblyBuilderOf(appOf(scope)).outdir; +} + +export function obtainScope(parent: Construct, id: string): Construct { + const existing = Node.of(parent).tryFindChild(id); + if (existing) { + return existing as Construct; + } + return new CoreConstruct(parent, id); } \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/lib/private/javascript.ts b/packages/@aws-cdk/pipelines/lib/private/javascript.ts new file mode 100644 index 0000000000000..bed84e5eb3932 --- /dev/null +++ b/packages/@aws-cdk/pipelines/lib/private/javascript.ts @@ -0,0 +1,90 @@ +export function addAll(into: Set, from: Iterable) { + for (const x of from) { + into.add(x); + } +} + +export function extract(from: Map, key: A): B | undefined { + const ret = from.get(key); + from.delete(key); + return ret; +} + +export function* flatMap(xs: Iterable, fn: (x: A) => Iterable): IterableIterator { + for (const x of xs) { + for (const y of fn(x)) { + yield y; + } + } +} + +export function* enumerate(xs: Iterable): IterableIterator<[number, A]> { + let i = 0; + for (const x of xs) { + yield [i++, x]; + } +} + + +export function expectProp(obj: A, key: B): NonNullable { + if (!obj[key]) { throw new Error(`Expecting '${key}' to be set!`); } + return obj[key] as any; +} + +export function* flatten(xs: Iterable): IterableIterator { + for (const x of xs) { + for (const y of x) { + yield y; + } + } +} + +export function filterEmpty(xs: Array): string[] { + return xs.filter(x => x) as any; +} + +export function mapValues(xs: Record, fn: (x: A) => B): Record { + const ret: Record = {}; + for (const [k, v] of Object.entries(xs)) { + ret[k] = fn(v); + } + return ret; +} + +export function mkdict(xs: Array): Record { + const ret: Record = {}; + for (const [k, v] of xs) { + ret[k] = v; + } + return ret; +} + +export function noEmptyObject(xs: Record): Record | undefined { + if (Object.keys(xs).length === 0) { return undefined; } + return xs; +} + +export function noUndefined(xs: Record): Record> { + return mkdict(Object.entries(xs).filter(([_, v]) => isDefined(v))) as any; +} + +export function maybeSuffix(x: string | undefined, suffix: string): string | undefined { + if (x === undefined) { return undefined; } + return `${x}${suffix}`; +} + +/** + * Partition a collection by dividing it into two collections, one that matches the predicate and one that don't + */ +export function partition(xs: T[], pred: (x: T) => boolean): [T[], T[]] { + const yes: T[] = []; + const no: T[] = []; + for (const x of xs) { + (pred(x) ? yes : no).push(x); + } + return [yes, no]; +} + +export function isDefined(x: A): x is NonNullable { + return x !== undefined; +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/lib/private/template-configuration.ts b/packages/@aws-cdk/pipelines/lib/private/template-configuration.ts new file mode 100644 index 0000000000000..bc78424ce22a4 --- /dev/null +++ b/packages/@aws-cdk/pipelines/lib/private/template-configuration.ts @@ -0,0 +1,21 @@ +import * as fs from 'fs'; + +/** + * Write template configuration to the given file + */ +export function writeTemplateConfiguration(filename: string, config: TemplateConfiguration) { + fs.writeFileSync(filename, JSON.stringify(config, undefined, 2), { encoding: 'utf-8' }); +} + +/** + * Template configuration in a CodePipeline + * + * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-cfn-artifacts.html#w2ab1c13c17c15 + */ +export interface TemplateConfiguration { + readonly Parameters?: Record; + readonly Tags?: Record; + readonly StackPolicy?: { + readonly Statements: Array>; + }; +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/package.json b/packages/@aws-cdk/pipelines/package.json index 4963206e1d21f..1db513581a96e 100644 --- a/packages/@aws-cdk/pipelines/package.json +++ b/packages/@aws-cdk/pipelines/package.json @@ -38,12 +38,15 @@ "cfn2ts": "0.0.0", "pkglint": "0.0.0", "@aws-cdk/aws-s3": "0.0.0", + "@aws-cdk/aws-sqs": "0.0.0", + "@aws-cdk/aws-ecr": "0.0.0", "@aws-cdk/aws-ecr-assets": "0.0.0", "@aws-cdk/assert-internal": "0.0.0" }, "peerDependencies": { "constructs": "^3.3.69", "@aws-cdk/core": "0.0.0", + "@aws-cdk/aws-codecommit": "0.0.0", "@aws-cdk/aws-codebuild": "0.0.0", "@aws-cdk/aws-codepipeline": "0.0.0", "@aws-cdk/aws-codepipeline-actions": "0.0.0", @@ -53,12 +56,14 @@ "@aws-cdk/aws-ec2": "0.0.0", "@aws-cdk/aws-secretsmanager": "0.0.0", "@aws-cdk/cloud-assembly-schema": "0.0.0", + "@aws-cdk/aws-s3": "0.0.0", "@aws-cdk/aws-s3-assets": "0.0.0", "@aws-cdk/cx-api": "0.0.0" }, "dependencies": { "constructs": "^3.3.69", "@aws-cdk/core": "0.0.0", + "@aws-cdk/aws-codecommit": "0.0.0", "@aws-cdk/aws-codebuild": "0.0.0", "@aws-cdk/aws-codepipeline": "0.0.0", "@aws-cdk/aws-codepipeline-actions": "0.0.0", @@ -68,6 +73,7 @@ "@aws-cdk/aws-iam": "0.0.0", "@aws-cdk/aws-ec2": "0.0.0", "@aws-cdk/aws-secretsmanager": "0.0.0", + "@aws-cdk/aws-s3": "0.0.0", "@aws-cdk/aws-s3-assets": "0.0.0", "@aws-cdk/cx-api": "0.0.0" }, diff --git a/packages/@aws-cdk/pipelines/test/actions/update-pipeline-action.test.ts b/packages/@aws-cdk/pipelines/test/actions/update-pipeline-action.test.ts deleted file mode 100644 index d47167d6a7e6e..0000000000000 --- a/packages/@aws-cdk/pipelines/test/actions/update-pipeline-action.test.ts +++ /dev/null @@ -1,52 +0,0 @@ -import { - arrayWith, -} from '@aws-cdk/assert-internal'; -import '@aws-cdk/assert-internal/jest'; -import * as cp from '@aws-cdk/aws-codepipeline'; -import { Stack } from '@aws-cdk/core'; -import * as cdkp from '../../lib'; -import { behavior } from '../helpers/compliance'; -import { TestApp } from '../testutil'; - -let app: TestApp; -let pipelineStack: Stack; - -behavior('self-update project role has proper permissions', (suite) => { - suite.legacy(() => { - app = new TestApp(); - pipelineStack = new Stack(app, 'PipelineStack'); - - new cdkp.UpdatePipelineAction(pipelineStack, 'Update', { - cloudAssemblyInput: new cp.Artifact(), - pipelineStackHierarchicalId: pipelineStack.node.path, - projectName: 'pipeline-selfupdate', - }); - - expect(pipelineStack).toHaveResourceLike('AWS::IAM::Policy', { - PolicyDocument: { - Statement: arrayWith( - { - Action: 'sts:AssumeRole', - Effect: 'Allow', - Resource: { 'Fn::Join': ['', ['arn:*:iam::', { Ref: 'AWS::AccountId' }, ':role/*']] }, - Condition: { - 'ForAnyValue:StringEquals': { - 'iam:ResourceTag/aws-cdk:bootstrap-role': ['image-publishing', 'file-publishing', 'deploy'], - }, - }, - }, - { - Action: 'cloudformation:DescribeStacks', - Effect: 'Allow', - Resource: '*', - }, - { - Action: 's3:ListBucket', - Effect: 'Allow', - Resource: '*', - }, - ), - }, - }); - }); -}); diff --git a/packages/@aws-cdk/pipelines/test/blueprint/fixtures/file-asset1.txt b/packages/@aws-cdk/pipelines/test/blueprint/fixtures/file-asset1.txt new file mode 100644 index 0000000000000..6765125a23c6b --- /dev/null +++ b/packages/@aws-cdk/pipelines/test/blueprint/fixtures/file-asset1.txt @@ -0,0 +1 @@ +Hello, file! \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/test/blueprint/helpers-internal/dependencies.test.ts b/packages/@aws-cdk/pipelines/test/blueprint/helpers-internal/dependencies.test.ts new file mode 100644 index 0000000000000..f577ffae4f80c --- /dev/null +++ b/packages/@aws-cdk/pipelines/test/blueprint/helpers-internal/dependencies.test.ts @@ -0,0 +1,52 @@ +import { GraphNode } from '../../../lib/helpers-internal'; +import { mkGraph, nodeNames } from './util'; + +describe('with nested graphs', () => { + const graph = mkGraph('G', G => { + let aa: GraphNode; + + const A = G.graph('A', [], GA => { + aa = GA.node('aa'); + }); + + // B -> A, (same-level dependency) + G.graph('B', [A], B => { + // bbb -> bb + const bb = B.node('bb'); + B.node('bbb', [bb]); + }); + + // cc -> aa (cross-subgraph dependency) + G.graph('C', [], C => { + C.node('cc', [aa]); + }); + + // D -> aa (down-dependency) + G.graph('D', [aa!], C => { + C.node('dd', [aa]); + }); + + // ee -> A (up-dependency) + G.graph('E', [], C => { + C.node('ee', [A]); + }); + }); + + test('can get up-projected dependency list from graph', () => { + const sorted = graph.sortedChildren(); + + expect(nodeNames(sorted)).toEqual([ + ['A'], + ['B', 'C', 'D', 'E'], + ]); + }); + + test('can get down-projected dependency list from graph', () => { + const sorted = graph.sortedLeaves(); + expect(nodeNames(sorted)).toEqual([ + ['aa'], + ['bb', 'cc', 'dd', 'ee'], + ['bbb'], + ]); + }); +}); diff --git a/packages/@aws-cdk/pipelines/test/blueprint/helpers-internal/graph.test.ts b/packages/@aws-cdk/pipelines/test/blueprint/helpers-internal/graph.test.ts new file mode 100644 index 0000000000000..30a022e347932 --- /dev/null +++ b/packages/@aws-cdk/pipelines/test/blueprint/helpers-internal/graph.test.ts @@ -0,0 +1,40 @@ +import { GraphNode } from '../../../lib/helpers-internal'; +import { flatten } from '../../../lib/private/javascript'; +import { mkGraph } from './util'; + + +test('"uniqueId" renders a graph-wide unique id for each node', () => { + const g = mkGraph('MyGraph', G => { + G.graph('g1', [], G1 => { + G1.node('n1'); + G1.node('n2'); + G1.graph('g2', [], G2 => { + G2.node('n3'); + }); + }); + G.node('n4'); + }); + + expect(Array.from(flatten(g.sortedLeaves())).map(n => n.uniqueId)).toStrictEqual([ + 'g1-n1', + 'g1-n2', + 'g1-g2-n3', + 'n4', + ]); +}); + +test('"allDeps" combines node deps and parent deps', () => { + let n4: any; + mkGraph('MyGraph', G => { + G.graph('g1', [], G1 => { + G1.node('n1'); + const n2 = G1.node('n2'); + G1.graph('g2', [n2], G2 => { + const n3 = G2.node('n3'); + n4 = G2.node('n4', [n3]); + }); + }); + }); + + expect((n4 as GraphNode).allDeps.map(x => x.uniqueId)).toStrictEqual(['g1-g2-n3', 'g1-n2']); +}); \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/test/blueprint/helpers-internal/pipeline-graph.test.ts b/packages/@aws-cdk/pipelines/test/blueprint/helpers-internal/pipeline-graph.test.ts new file mode 100644 index 0000000000000..3b28d4f410a61 --- /dev/null +++ b/packages/@aws-cdk/pipelines/test/blueprint/helpers-internal/pipeline-graph.test.ts @@ -0,0 +1,264 @@ +/* eslint-disable import/no-extraneous-dependencies */ +import '@aws-cdk/assert-internal/jest'; +import * as cdkp from '../../../lib'; +import { Graph, GraphNode, PipelineGraph } from '../../../lib/helpers-internal'; +import { flatten } from '../../../lib/private/javascript'; +import { AppWithOutput, OneStackApp, TestApp } from '../../testhelpers/test-app'; + +let app: TestApp; + +beforeEach(() => { + app = new TestApp(); +}); + +afterEach(() => { + app.cleanup(); +}); + +describe('blueprint with one stage', () => { + let blueprint: Blueprint; + beforeEach(() => { + blueprint = new Blueprint(app, 'Bp', { + synth: new cdkp.ShellStep('Synth', { + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + commands: ['build'], + }), + }); + blueprint.addStage(new OneStackApp(app, 'CrossAccount', { env: { account: 'you' } })); + }); + + test('simple app gets graphed correctly', () => { + // WHEN + const graph = new PipelineGraph(blueprint).graph; + + // THEN + expect(childrenAt(graph)).toEqual([ + 'Source', + 'Build', + 'CrossAccount', + ]); + + expect(childrenAt(graph, 'CrossAccount')).toEqual([ + 'Stack', + ]); + + expect(childrenAt(graph, 'CrossAccount', 'Stack')).toEqual([ + 'Prepare', + 'Deploy', + ]); + }); + + test('self mutation gets inserted at the right place', () => { + // WHEN + const graph = new PipelineGraph(blueprint, { selfMutation: true }).graph; + + // THEN + expect(childrenAt(graph)).toEqual([ + 'Source', + 'Build', + 'UpdatePipeline', + 'CrossAccount', + ]); + + expect(childrenAt(graph, 'UpdatePipeline')).toEqual([ + 'SelfMutate', + ]); + }); +}); + +describe('blueprint with wave and stage', () => { + let blueprint: Blueprint; + beforeEach(() => { + blueprint = new Blueprint(app, 'Bp', { + synth: new cdkp.ShellStep('Synth', { + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + commands: ['build'], + }), + }); + + const wave = blueprint.addWave('Wave'); + wave.addStage(new OneStackApp(app, 'Alpha')); + wave.addStage(new OneStackApp(app, 'Beta')); + }); + + test('post-action gets added inside stage graph', () => { + // GIVEN + blueprint.waves[0].stages[0].addPost(new cdkp.ManualApprovalStep('Approve')); + + // WHEN + const graph = new PipelineGraph(blueprint).graph; + + // THEN + expect(childrenAt(graph, 'Wave')).toEqual([ + 'Alpha', + 'Beta', + ]); + + expect(childrenAt(graph, 'Wave', 'Alpha')).toEqual([ + 'Stack', + 'Approve', + ]); + }); + + test('pre-action gets added inside stage graph', () => { + // GIVEN + blueprint.waves[0].stages[0].addPre(new cdkp.ManualApprovalStep('Gogogo')); + + // WHEN + const graph = new PipelineGraph(blueprint).graph; + + // THEN + expect(childrenAt(graph, 'Wave', 'Alpha')).toEqual([ + 'Gogogo', + 'Stack', + ]); + }); +}); + +describe('options for other engines', () => { + test('"publishTemplate" will add steps to publish CFN templates as assets', () => { + // GIVEN + const blueprint = new Blueprint(app, 'Bp', { + synth: new cdkp.ShellStep('Synth', { + commands: ['build'], + }), + }); + blueprint.addStage(new OneStackApp(app, 'Alpha')); + + // WHEN + const graph = new PipelineGraph(blueprint, { + publishTemplate: true, + }); + + // THEN + expect(childrenAt(graph.graph, 'Assets')).toStrictEqual(['FileAsset1']); + }); + + test('"prepareStep: false" can be used to disable the "prepare" step for stack deployments', () => { + // GIVEN + const blueprint = new Blueprint(app, 'Bp', { + synth: new cdkp.ShellStep('Synth', { + commands: ['build'], + }), + }); + blueprint.addStage(new OneStackApp(app, 'Alpha')); + + // WHEN + const graph = new PipelineGraph(blueprint, { + prepareStep: false, + }); + + // THEN + // if "prepareStep" was true (default), the "Stack" node would have "Prepare" and "Deploy" + // since "prepareStep" is false, it only has "Deploy". + expect(childrenAt(graph.graph, 'Alpha', 'Stack')).toStrictEqual(['Deploy']); + }); +}); + + +describe('with app with output', () => { + let blueprint: Blueprint; + let myApp: AppWithOutput; + let scriptStep: cdkp.ShellStep; + beforeEach(() => { + blueprint = new Blueprint(app, 'Bp', { + synth: new cdkp.ShellStep('Synth', { + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + commands: ['build'], + }), + }); + + myApp = new AppWithOutput(app, 'Alpha'); + scriptStep = new cdkp.ShellStep('PrintBucketName', { + envFromCfnOutputs: { + BUCKET_NAME: myApp.theOutput, + }, + commands: ['echo $BUCKET_NAME'], + }); + }); + + test('post-action using stack output has dependency on execute node', () => { + // GIVEN + blueprint.addStage(myApp, { + post: [scriptStep], + }); + + // WHEN + const graph = new PipelineGraph(blueprint).graph; + + // THEN + expect(childrenAt(graph, 'Alpha')).toEqual([ + 'Stack', + 'PrintBucketName', + ]); + + expect(nodeAt(graph, 'Alpha', 'PrintBucketName').dependencies).toContain( + nodeAt(graph, 'Alpha', 'Stack', 'Deploy')); + }); + + test('pre-action cannot use stack output', () => { + // GIVEN + blueprint.addStage(myApp, { + pre: [scriptStep], + }); + + // WHEN + const graph = new PipelineGraph(blueprint).graph; + expect(() => { + assertGraph(nodeAt(graph, 'Alpha')).sortedLeaves(); + }).toThrow(/Dependency cycle/); + }); + + test('cannot use output from stack not in the pipeline', () => { + // GIVEN + blueprint.addStage(new AppWithOutput(app, 'OtherApp'), { + pre: [scriptStep], + }); + + // WHEN + expect(() => { + new PipelineGraph(blueprint).graph; + }).toThrow(/is not in the pipeline/); + }); +}); + +function childrenAt(g: Graph, ...descend: string[]) { + for (const d of descend) { + const child = g.tryGetChild(d); + if (!child) { + throw new Error(`No node named '${d}' in ${g}`); + } + g = assertGraph(child); + } + return childNames(g); +} + +function nodeAt(g: Graph, ...descend: string[]) { + for (const d of descend.slice(0, descend.length - 1)) { + const child = g.tryGetChild(d); + if (!child) { + throw new Error(`No node named '${d}' in ${g}`); + } + g = assertGraph(child); + } + const child = g.tryGetChild(descend[descend.length - 1]); + if (!child) { + throw new Error(`No node named '${descend[descend.length - 1]}' in ${g}`); + } + return child; +} + +function childNames(g: Graph) { + return Array.from(flatten(g.sortedChildren())).map(n => n.id); +} + +function assertGraph(g: GraphNode | undefined): Graph { + if (!g) { throw new Error('Expected a graph node, got undefined'); } + if (!(g instanceof Graph)) { throw new Error(`Expected a Graph, got: ${g}`); } + return g; +} + +class Blueprint extends cdkp.PipelineBase { + protected doBuildPipeline(): void { + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/test/blueprint/helpers-internal/util.ts b/packages/@aws-cdk/pipelines/test/blueprint/helpers-internal/util.ts new file mode 100644 index 0000000000000..61e899aef71ce --- /dev/null +++ b/packages/@aws-cdk/pipelines/test/blueprint/helpers-internal/util.ts @@ -0,0 +1,38 @@ +import { Graph, GraphNode } from '../../../lib/helpers-internal'; + +class PlainNode extends GraphNode { } + +export function mkGraph(name: string, block: (b: GraphBuilder) => void) { + const graph = new Graph(name); + block({ + graph(name2, deps, block2) { + const innerG = mkGraph(name2, block2); + innerG.dependOn(...deps); + graph.add(innerG); + return innerG; + }, + node(name2, deps) { + const innerN = new PlainNode(name2); + innerN.dependOn(...deps ?? []); + graph.add(innerN); + return innerN; + }, + }); + return graph; +} + + +interface GraphBuilder { + graph(name: string, deps: GraphNode[], block: (b: GraphBuilder) => void): Graph; + node(name: string, deps?: GraphNode[]): GraphNode; +} + + +export function nodeNames(n: GraphNode): string; +export function nodeNames(ns: GraphNode[]): string[]; +export function nodeNames(ns: GraphNode[][]): string[][]; +export function nodeNames(n: any): any { + if (n instanceof GraphNode) { return n.id; } + if (Array.isArray(n)) { return n.map(nodeNames); } + throw new Error('oh no'); +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/test/blueprint/logicalid-stability.test.ts b/packages/@aws-cdk/pipelines/test/blueprint/logicalid-stability.test.ts new file mode 100644 index 0000000000000..319d25203c92b --- /dev/null +++ b/packages/@aws-cdk/pipelines/test/blueprint/logicalid-stability.test.ts @@ -0,0 +1,122 @@ +import '@aws-cdk/assert-internal/jest'; +import { Stack } from '@aws-cdk/core'; +import { mkdict } from '../../lib/private/javascript'; +import { PIPELINE_ENV, TestApp, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, MegaAssetsApp, stackTemplate } from '../testhelpers'; + +let legacyApp: TestApp; +let modernApp: TestApp; + +let legacyPipelineStack: Stack; +let modernPipelineStack: Stack; + +beforeEach(() => { + legacyApp = new TestApp({ + context: { + '@aws-cdk/core:newStyleStackSynthesis': '1', + 'aws:cdk:enable-path-metadata': true, + }, + }); + modernApp = new TestApp({ + context: { + '@aws-cdk/core:newStyleStackSynthesis': '1', + 'aws:cdk:enable-path-metadata': true, + }, + }); + legacyPipelineStack = new Stack(legacyApp, 'PipelineStack', { env: PIPELINE_ENV }); + modernPipelineStack = new Stack(modernApp, 'PipelineStack', { env: PIPELINE_ENV }); +}); + +afterEach(() => { + legacyApp.cleanup(); + modernApp.cleanup(); +}); + +test('stateful or nameable resources have the same logicalID between old and new API', () => { + const legacyPipe = new LegacyTestGitHubNpmPipeline(legacyPipelineStack, 'Cdk'); + legacyPipe.addApplicationStage(new MegaAssetsApp(legacyPipelineStack, 'MyApp', { + numAssets: 2, + })); + + const modernPipe = new ModernTestGitHubNpmPipeline(modernPipelineStack, 'Cdk', { + crossAccountKeys: true, + }); + modernPipe.addStage(new MegaAssetsApp(modernPipelineStack, 'MyApp', { + numAssets: 2, + })); + + const legacyTemplate = stackTemplate(legacyPipelineStack).template; + const modernTemplate = stackTemplate(modernPipelineStack).template; + + const legacyStateful = filterR(legacyTemplate.Resources, isStateful); + const modernStateful = filterR(modernTemplate.Resources, isStateful); + + expect(mapR(modernStateful, typeOfRes)).toEqual(mapR(legacyStateful, typeOfRes)); +}); + +test('nameable resources have the same names between old and new API', () => { + const legacyPipe = new LegacyTestGitHubNpmPipeline(legacyPipelineStack, 'Cdk', { + pipelineName: 'asdf', + }); + legacyPipe.addApplicationStage(new MegaAssetsApp(legacyPipelineStack, 'MyApp', { + numAssets: 2, + })); + + const modernPipe = new ModernTestGitHubNpmPipeline(modernPipelineStack, 'Cdk', { + pipelineName: 'asdf', + crossAccountKeys: true, + }); + modernPipe.addStage(new MegaAssetsApp(modernPipelineStack, 'MyApp', { + numAssets: 2, + })); + + const legacyTemplate = stackTemplate(legacyPipelineStack).template; + const modernTemplate = stackTemplate(modernPipelineStack).template; + + const legacyNamed = filterR(legacyTemplate.Resources, hasName); + const modernNamed = filterR(modernTemplate.Resources, hasName); + + expect(mapR(modernNamed, nameProps)).toEqual(mapR(legacyNamed, nameProps)); +}); + + +const STATEFUL_TYPES = [ + // Holds state + 'AWS::S3::Bucket', + 'AWS::KMS::Key', + 'AWS::KMS::Alias', + // Can be physical-named so will be impossible to replace + 'AWS::CodePipeline::Pipeline', + 'AWS::CodeBuild::Project', +]; + +function filterR(resources: Record, fn: (x: Resource) => boolean): Record { + return mkdict(Object.entries(resources).filter(([, resource]) => fn(resource))); +} + +function mapR(resources: Record, fn: (x: Resource) => A): Record { + return mkdict(Object.entries(resources).map(([lid, resource]) => [lid, fn(resource)] as const)); +} + +function typeOfRes(r: Resource) { + return r.Type; +} + +function isStateful(r: Resource) { + return STATEFUL_TYPES.includes(r.Type); +} + +function nameProps(r: Resource) { + return Object.entries(r.Properties).filter(([prop, _]) => + // Don't care about policy names + prop.endsWith('Name') && prop !== 'PolicyName'); +} + +function hasName(r: Resource) { + return nameProps(r).length > 0; +} + +interface Resource { + readonly Type: string; + readonly Properties: Record; + readonly Metadata?: Record; +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/test/blueprint/stack-deployment.test.ts b/packages/@aws-cdk/pipelines/test/blueprint/stack-deployment.test.ts new file mode 100644 index 0000000000000..ee9d5b29240ce --- /dev/null +++ b/packages/@aws-cdk/pipelines/test/blueprint/stack-deployment.test.ts @@ -0,0 +1,66 @@ +import * as path from 'path'; +import * as assets from '@aws-cdk/aws-s3-assets'; +import { Stack, Stage } from '@aws-cdk/core'; +import { StageDeployment } from '../../lib'; +import { TestApp } from '../testhelpers/test-app'; + +test('"templateAsset" represents the CFN template of the stack', () => { + // GIVEN + const stage = new Stage(new TestApp(), 'MyStage'); + new Stack(stage, 'MyStack'); + + // WHEN + const sd = StageDeployment.fromStage(stage); + + // THEN + expect(sd.stacks[0].templateAsset).not.toBeUndefined(); + expect(sd.stacks[0].templateAsset?.assetId).not.toBeUndefined(); + expect(sd.stacks[0].templateAsset?.assetManifestPath).not.toBeUndefined(); + expect(sd.stacks[0].templateAsset?.assetSelector).not.toBeUndefined(); + expect(sd.stacks[0].templateAsset?.assetType).toBe('file'); + expect(sd.stacks[0].templateAsset?.isTemplate).toBeTruthy(); +}); + +describe('templateUrl', () => { + test('includes the https:// s3 URL of the template file', () => { + // GIVEN + const stage = new Stage(new TestApp(), 'MyStage', { env: { account: '111', region: 'us-east-1' } }); + new Stack(stage, 'MyStack'); + + // WHEN + const sd = StageDeployment.fromStage(stage); + + // THEN + expect(sd.stacks[0].templateUrl).toBe('https://cdk-hnb659fds-assets-111-us-east-1.s3.us-east-1.amazonaws.com/4ef627170a212f66f5d1d9240d967ef306f4820ff9cb05b3a7ec703df6af6c3e.json'); + }); + + test('without region', () => { + // GIVEN + const stage = new Stage(new TestApp(), 'MyStage', { env: { account: '111' } }); + new Stack(stage, 'MyStack'); + + // WHEN + const sd = StageDeployment.fromStage(stage); + + // THEN + expect(sd.stacks[0].templateUrl).toBe('https://cdk-hnb659fds-assets-111-.s3.amazonaws.com/$%7BAWS::Region%7D/4ef627170a212f66f5d1d9240d967ef306f4820ff9cb05b3a7ec703df6af6c3e.json'); + }); + +}); + + +test('"requiredAssets" contain only assets that are not the template', () => { + // GIVEN + const stage = new Stage(new TestApp(), 'MyStage'); + const stack = new Stack(stage, 'MyStack'); + new assets.Asset(stack, 'Asset', { path: path.join(__dirname, 'fixtures') }); + + // WHEN + const sd = StageDeployment.fromStage(stage); + + // THEN + expect(sd.stacks[0].assets.length).toBe(1); + expect(sd.stacks[0].assets[0].assetType).toBe('file'); + expect(sd.stacks[0].assets[0].isTemplate).toBeFalsy(); +}); + diff --git a/packages/@aws-cdk/pipelines/test/build-role-policy-statements.test.ts b/packages/@aws-cdk/pipelines/test/build-role-policy-statements.test.ts deleted file mode 100644 index 01650e730d53e..0000000000000 --- a/packages/@aws-cdk/pipelines/test/build-role-policy-statements.test.ts +++ /dev/null @@ -1,57 +0,0 @@ -import { arrayWith, deepObjectLike } from '@aws-cdk/assert-internal'; -import '@aws-cdk/assert-internal/jest'; -import * as codepipeline from '@aws-cdk/aws-codepipeline'; -import { PolicyStatement } from '@aws-cdk/aws-iam'; -import { Stack } from '@aws-cdk/core'; -import * as cdkp from '../lib'; -import { behavior } from './helpers/compliance'; -import { PIPELINE_ENV, TestApp, TestGitHubNpmPipeline } from './testutil'; - -let app: TestApp; -let pipelineStack: Stack; -let sourceArtifact: codepipeline.Artifact; -let cloudAssemblyArtifact: codepipeline.Artifact; - -beforeEach(() => { - app = new TestApp(); - pipelineStack = new Stack(app, 'PipelineStackPolicy', { env: PIPELINE_ENV }); - sourceArtifact = new codepipeline.Artifact(); - cloudAssemblyArtifact = new codepipeline.Artifact('CloudAsm'); -}); - -afterEach(() => { - app.cleanup(); -}); - -behavior('Build project includes codeartifact policy statements for role', (suite) => { - suite.legacy(() => { - // WHEN - new TestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - rolePolicyStatements: [ - new PolicyStatement({ - actions: ['codeartifact:*', 'sts:GetServiceBearerToken'], - resources: ['arn:my:arn'], - }), - ], - }), - }); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::IAM::Policy', { - PolicyDocument: { - Statement: arrayWith(deepObjectLike({ - Action: [ - 'codeartifact:*', - 'sts:GetServiceBearerToken', - ], - Resource: 'arn:my:arn', - })), - }, - }); - }); -}); diff --git a/packages/@aws-cdk/pipelines/test/builds.test.ts b/packages/@aws-cdk/pipelines/test/builds.test.ts deleted file mode 100644 index 70c4d31a18907..0000000000000 --- a/packages/@aws-cdk/pipelines/test/builds.test.ts +++ /dev/null @@ -1,621 +0,0 @@ -import { arrayWith, deepObjectLike, encodedJson, objectLike, Capture } from '@aws-cdk/assert-internal'; -import '@aws-cdk/assert-internal/jest'; -import * as cbuild from '@aws-cdk/aws-codebuild'; -import * as codepipeline from '@aws-cdk/aws-codepipeline'; -import * as ec2 from '@aws-cdk/aws-ec2'; -import * as ecr from '@aws-cdk/aws-ecr'; -import * as s3 from '@aws-cdk/aws-s3'; -import { Stack } from '@aws-cdk/core'; -import * as cdkp from '../lib'; -import { behavior } from './helpers/compliance'; -import { PIPELINE_ENV, TestApp, TestGitHubNpmPipeline } from './testutil'; - -let app: TestApp; -let pipelineStack: Stack; -let sourceArtifact: codepipeline.Artifact; -let cloudAssemblyArtifact: codepipeline.Artifact; - -beforeEach(() => { - app = new TestApp({ outdir: 'testcdk.out' }); - pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); - sourceArtifact = new codepipeline.Artifact(); - cloudAssemblyArtifact = new codepipeline.Artifact('CloudAsm'); -}); - -afterEach(() => { - app.cleanup(); -}); - -behavior('SimpleSynthAction takes arrays of commands', (suite) => { - suite.legacy(() => { - // WHEN - new TestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: new cdkp.SimpleSynthAction({ - sourceArtifact, - cloudAssemblyArtifact, - installCommands: ['install1', 'install2'], - buildCommands: ['build1', 'build2'], - testCommands: ['test1', 'test2'], - synthCommand: 'cdk synth', - }), - }); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { - Environment: { - Image: 'aws/codebuild/standard:5.0', - }, - Source: { - BuildSpec: encodedJson(deepObjectLike({ - phases: { - pre_build: { - commands: [ - 'install1', - 'install2', - ], - }, - build: { - commands: [ - 'build1', - 'build2', - 'test1', - 'test2', - 'cdk synth', - ], - }, - }, - })), - }, - }); - }); -}); - -behavior('%s build automatically determines artifact base-directory', (suite) => { - suite.each(['npm', 'yarn']).legacy((npmYarn) => { - // WHEN - new TestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: npmYarnBuild(npmYarn)({ sourceArtifact, cloudAssemblyArtifact }), - }); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { - Environment: { - Image: 'aws/codebuild/standard:5.0', - }, - Source: { - BuildSpec: encodedJson(deepObjectLike({ - artifacts: { - 'base-directory': 'cdk.out', - }, - })), - }, - }); - }); -}); - -behavior('%s build respects subdirectory', (suite) => { - suite.each(['npm', 'yarn']).legacy((npmYarn) => { - // WHEN - new TestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: npmYarnBuild(npmYarn)({ - sourceArtifact, - cloudAssemblyArtifact, - subdirectory: 'subdir', - }), - }); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { - Environment: { - Image: 'aws/codebuild/standard:5.0', - }, - Source: { - BuildSpec: encodedJson(deepObjectLike({ - phases: { - pre_build: { - commands: arrayWith('cd subdir'), - }, - }, - artifacts: { - 'base-directory': 'subdir/cdk.out', - }, - })), - }, - }); - }); -}); - -behavior('%s build sets UNSAFE_PERM=true', (suite) => { - suite.each(['npm', 'yarn']).legacy((npmYarn) => { - // WHEN - new TestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: npmYarnBuild(npmYarn)({ - sourceArtifact, - cloudAssemblyArtifact, - }), - }); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { - Environment: { - EnvironmentVariables: [ - { - Name: 'NPM_CONFIG_UNSAFE_PERM', - Type: 'PLAINTEXT', - Value: 'true', - }, - ], - }, - }); - }); -}); - -behavior('%s assumes no build step by default', (suite) => { - suite.each(['npm', 'yarn']).legacy((npmYarn) => { - // WHEN - new TestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: npmYarnBuild(npmYarn)({ sourceArtifact, cloudAssemblyArtifact }), - }); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { - Environment: { - Image: 'aws/codebuild/standard:5.0', - }, - Source: { - BuildSpec: encodedJson(deepObjectLike({ - phases: { - build: { - commands: ['npx cdk synth'], - }, - }, - })), - }, - }); - }); -}); - -behavior('environmentVariables must be rendered in the action', (suite) => { - suite.legacy(() => { - // WHEN - new TestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: new cdkp.SimpleSynthAction({ - sourceArtifact, - cloudAssemblyArtifact, - environmentVariables: { - VERSION: { value: codepipeline.GlobalVariables.executionId }, - }, - synthCommand: 'synth', - }), - }); - - // THEN - const theHash = Capture.aString(); - expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { - Stages: arrayWith({ - Name: 'Build', - Actions: [ - objectLike({ - Name: 'Synth', - Configuration: objectLike({ - EnvironmentVariables: encodedJson([ - { - name: 'VERSION', - type: 'PLAINTEXT', - value: '#{codepipeline.PipelineExecutionId}', - }, - { - name: '_PROJECT_CONFIG_HASH', - type: 'PLAINTEXT', - value: theHash.capture(), - }, - ]), - }), - }), - ], - }), - }); - }); -}); - -behavior('complex setup with environment variables still renders correct project', (suite) => { - suite.legacy(() => { - // WHEN - new TestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: new cdkp.SimpleSynthAction({ - sourceArtifact, - cloudAssemblyArtifact, - environmentVariables: { - SOME_ENV_VAR: { value: 'SomeValue' }, - }, - environment: { - environmentVariables: { - INNER_VAR: { value: 'InnerValue' }, - }, - privileged: true, - }, - installCommands: [ - 'install1', - 'install2', - ], - synthCommand: 'synth', - }), - }); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { - Environment: objectLike({ - PrivilegedMode: true, - EnvironmentVariables: [ - { - Name: 'INNER_VAR', - Type: 'PLAINTEXT', - Value: 'InnerValue', - }, - ], - }), - Source: { - BuildSpec: encodedJson(deepObjectLike({ - phases: { - pre_build: { - commands: ['install1', 'install2'], - }, - build: { - commands: ['synth'], - }, - }, - })), - }, - }); - }); -}); - -behavior('%s can have its install command overridden', (suite) => { - suite.each(['npm', 'yarn']).legacy((npmYarn) => { - // WHEN - new TestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: npmYarnBuild(npmYarn)({ - sourceArtifact, - cloudAssemblyArtifact, - installCommand: '/bin/true', - }), - }); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { - Environment: { - Image: 'aws/codebuild/standard:5.0', - }, - Source: { - BuildSpec: encodedJson(deepObjectLike({ - phases: { - pre_build: { - commands: ['/bin/true'], - }, - }, - })), - }, - }); - }); -}); - -behavior('%s can have its test commands set', (suite) => { - suite.each(['npm', 'yarn']).legacy((npmYarn) => { - // WHEN - new TestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: npmYarnBuild(npmYarn)({ - sourceArtifact, - cloudAssemblyArtifact, - installCommand: '/bin/true', - testCommands: ['echo "Running tests"'], - }), - }); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { - Environment: { - Image: 'aws/codebuild/standard:5.0', - }, - Source: { - BuildSpec: encodedJson(objectLike({ - phases: { - pre_build: { - commands: ['/bin/true'], - }, - build: { - commands: ['echo "Running tests"', 'npx cdk synth'], - }, - }, - })), - }, - }); - }); -}); - -behavior('Standard (NPM) synth can output additional artifacts', (suite) => { - suite.legacy(() => { - // WHEN - const addlArtifact = new codepipeline.Artifact('IntegTest'); - new TestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - additionalArtifacts: [ - { - artifact: addlArtifact, - directory: 'test', - }, - ], - }), - }); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { - Environment: { - Image: 'aws/codebuild/standard:5.0', - }, - Source: { - BuildSpec: encodedJson(deepObjectLike({ - artifacts: { - 'secondary-artifacts': { - CloudAsm: { - 'base-directory': 'cdk.out', - 'files': '**/*', - }, - IntegTest: { - 'base-directory': 'test', - 'files': '**/*', - }, - }, - }, - })), - }, - }); - }); -}); - -behavior('Standard (NPM) synth can run in a VPC', (suite) => { - suite.legacy(() => { - // WHEN - new TestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - vpc: new ec2.Vpc(pipelineStack, 'NpmSynthTestVpc'), - sourceArtifact, - cloudAssemblyArtifact, - }), - }); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { - VpcConfig: { - SecurityGroupIds: [ - { 'Fn::GetAtt': ['CdkPipelineBuildSynthCdkBuildProjectSecurityGroupEA44D7C2', 'GroupId'] }, - ], - Subnets: [ - { Ref: 'NpmSynthTestVpcPrivateSubnet1Subnet81E3AA56' }, - { Ref: 'NpmSynthTestVpcPrivateSubnet2SubnetC1CA3EF0' }, - { Ref: 'NpmSynthTestVpcPrivateSubnet3SubnetA04163EE' }, - ], - VpcId: { Ref: 'NpmSynthTestVpc5E703F25' }, - }, - }); - - expect(pipelineStack).toHaveResourceLike('AWS::IAM::Policy', { - Roles: [ - { Ref: 'CdkPipelineBuildSynthCdkBuildProjectRole5E173C62' }, - ], - PolicyDocument: { - Statement: arrayWith({ - Action: arrayWith('ec2:DescribeSecurityGroups'), - Effect: 'Allow', - Resource: '*', - }), - }, - }); - }); -}); - -behavior('Standard (Yarn) synth can run in a VPC', (suite) => { - suite.legacy(() => { - // WHEN - new TestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardYarnSynth({ - vpc: new ec2.Vpc(pipelineStack, 'YarnSynthTestVpc'), - sourceArtifact, - cloudAssemblyArtifact, - }), - }); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { - VpcConfig: { - SecurityGroupIds: [ - { - 'Fn::GetAtt': [ - 'CdkPipelineBuildSynthCdkBuildProjectSecurityGroupEA44D7C2', - 'GroupId', - ], - }, - ], - Subnets: [ - { - Ref: 'YarnSynthTestVpcPrivateSubnet1Subnet2805334B', - }, - { - Ref: 'YarnSynthTestVpcPrivateSubnet2SubnetDCFBF596', - }, - { - Ref: 'YarnSynthTestVpcPrivateSubnet3SubnetE11E0C86', - }, - ], - VpcId: { - Ref: 'YarnSynthTestVpc5F654735', - }, - }, - }); - }); -}); - -behavior('Pipeline action contains a hash that changes as the buildspec changes', (suite) => { - suite.legacy(() => { - const hash1 = synthWithAction((sa, cxa) => cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact: sa, - cloudAssemblyArtifact: cxa, - })); - - // To make sure the hash is not just random :) - const hash1prime = synthWithAction((sa, cxa) => cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact: sa, - cloudAssemblyArtifact: cxa, - })); - - const hash2 = synthWithAction((sa, cxa) => cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact: sa, - cloudAssemblyArtifact: cxa, - installCommand: 'do install', - })); - const hash3 = synthWithAction((sa, cxa) => cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact: sa, - cloudAssemblyArtifact: cxa, - environment: { - computeType: cbuild.ComputeType.LARGE, - }, - })); - const hash4 = synthWithAction((sa, cxa) => cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact: sa, - cloudAssemblyArtifact: cxa, - environment: { - environmentVariables: { - xyz: { value: 'SOME-VALUE' }, - }, - }, - })); - - expect(hash1).toEqual(hash1prime); - - expect(hash1).not.toEqual(hash2); - expect(hash1).not.toEqual(hash3); - expect(hash1).not.toEqual(hash4); - expect(hash2).not.toEqual(hash3); - expect(hash2).not.toEqual(hash4); - expect(hash3).not.toEqual(hash4); - - function synthWithAction(cb: (sourceArtifact: codepipeline.Artifact, cloudAssemblyArtifact: codepipeline.Artifact) => codepipeline.IAction) { - const _app = new TestApp({ outdir: 'testcdk.out' }); - const _pipelineStack = new Stack(_app, 'PipelineStack', { env: PIPELINE_ENV }); - const _sourceArtifact = new codepipeline.Artifact(); - const _cloudAssemblyArtifact = new codepipeline.Artifact('CloudAsm'); - - new TestGitHubNpmPipeline(_pipelineStack, 'Cdk', { - sourceArtifact: _sourceArtifact, - cloudAssemblyArtifact: _cloudAssemblyArtifact, - synthAction: cb(_sourceArtifact, _cloudAssemblyArtifact), - }); - - const theHash = Capture.aString(); - expect(_pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { - Stages: arrayWith({ - Name: 'Build', - Actions: [ - objectLike({ - Name: 'Synth', - Configuration: objectLike({ - EnvironmentVariables: encodedJson([ - { - name: '_PROJECT_CONFIG_HASH', - type: 'PLAINTEXT', - value: theHash.capture(), - }, - ]), - }), - }), - ], - }), - }); - - return theHash.capturedValue; - } - }); -}); - -behavior('SimpleSynthAction is IGrantable', (suite) => { - suite.legacy(() => { - // GIVEN - const synthAction = cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - }); - new TestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction, - }); - const bucket = new s3.Bucket(pipelineStack, 'Bucket'); - - // WHEN - bucket.grantRead(synthAction); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::IAM::Policy', { - PolicyDocument: { - Statement: arrayWith(deepObjectLike({ - Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], - })), - }, - }); - }); -}); - -behavior('SimpleSynthAction can reference an imported ECR repo', (suite) => { - suite.legacy(() => { - // Repro from https://github.com/aws/aws-cdk/issues/10535 - - // WHEN - new TestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - environment: { - buildImage: cbuild.LinuxBuildImage.fromEcrRepository( - ecr.Repository.fromRepositoryName(pipelineStack, 'ECRImage', 'my-repo-name'), - ), - }, - }), - }); - - // THEN -- no exception (necessary for linter) - expect(true).toBeTruthy(); - }); -}); - -function npmYarnBuild(npmYarn: string) { - if (npmYarn === 'npm') { return cdkp.SimpleSynthAction.standardNpmSynth; } - if (npmYarn === 'yarn') { return cdkp.SimpleSynthAction.standardYarnSynth; } - throw new Error(`Expecting npm|yarn: ${npmYarn}`); -} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/test/pipeline-assets.test.ts b/packages/@aws-cdk/pipelines/test/compliance/assets.test.ts similarity index 56% rename from packages/@aws-cdk/pipelines/test/pipeline-assets.test.ts rename to packages/@aws-cdk/pipelines/test/compliance/assets.test.ts index 55e45d1808476..0f71dbde34650 100644 --- a/packages/@aws-cdk/pipelines/test/pipeline-assets.test.ts +++ b/packages/@aws-cdk/pipelines/test/compliance/assets.test.ts @@ -1,18 +1,11 @@ import * as fs from 'fs'; import * as path from 'path'; -import { arrayWith, deepObjectLike, encodedJson, notMatching, objectLike, ResourcePart, stringLike, SynthUtils } from '@aws-cdk/assert-internal'; +import { arrayWith, Capture, deepObjectLike, encodedJson, notMatching, objectLike, ResourcePart, stringLike, SynthUtils } from '@aws-cdk/assert-internal'; import '@aws-cdk/assert-internal/jest'; import * as cb from '@aws-cdk/aws-codebuild'; -import * as cp from '@aws-cdk/aws-codepipeline'; import * as ec2 from '@aws-cdk/aws-ec2'; -import * as ecr_assets from '@aws-cdk/aws-ecr-assets'; -import * as s3_assets from '@aws-cdk/aws-s3-assets'; -import * as secretsmanager from '@aws-cdk/aws-secretsmanager'; -import { Stack, Stage, StageProps } from '@aws-cdk/core'; -import { Construct } from 'constructs'; -import * as cdkp from '../lib'; -import { behavior } from './helpers/compliance'; -import { BucketStack, PIPELINE_ENV, TestApp, TestGitHubAction, TestGitHubNpmPipeline } from './testutil'; +import { Stack } from '@aws-cdk/core'; +import { behavior, PIPELINE_ENV, TestApp, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, FileAssetApp, MegaAssetsApp, TwoFileAssetsApp, DockerAssetApp, PlainStackApp } from '../testhelpers'; const FILE_ASSET_SOURCE_HASH = '8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5'; const FILE_ASSET_SOURCE_HASH2 = 'ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e'; @@ -22,40 +15,58 @@ const IMAGE_PUBLISHING_ROLE = 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role let app: TestApp; let pipelineStack: Stack; -let pipeline: cdkp.CdkPipeline; + +beforeEach(() => { + app = new TestApp(); + pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); +}); afterEach(() => { app.cleanup(); }); describe('basic pipeline', () => { - beforeEach(() => { - app = new TestApp(); - pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); - pipeline = new TestGitHubNpmPipeline(pipelineStack, 'Cdk'); - }); - behavior('no assets stage if the application has no assets', (suite) => { suite.legacy(() => { - // WHEN + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); pipeline.addApplicationStage(new PlainStackApp(app, 'App')); + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new PlainStackApp(app, 'App')); + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { // THEN expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { Stages: notMatching(arrayWith(objectLike({ Name: 'Assets', }))), }); - }); + } }); describe('asset stage placement', () => { behavior('assets stage comes before any user-defined stages', (suite) => { suite.legacy(() => { - // WHEN + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); pipeline.addApplicationStage(new FileAssetApp(app, 'App')); - // THEN + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new FileAssetApp(app, 'App')); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { Stages: [ objectLike({ Name: 'Source' }), @@ -65,52 +76,26 @@ describe('basic pipeline', () => { objectLike({ Name: 'App' }), ], }); - }); + } }); - behavior('assets stage inserted after existing pipeline actions', (suite) => { + behavior('up to 50 assets fit in a single stage', (suite) => { suite.legacy(() => { // WHEN - const sourceArtifact = new cp.Artifact(); - const cloudAssemblyArtifact = new cp.Artifact(); - const existingCodePipeline = new cp.Pipeline(pipelineStack, 'CodePipeline', { - stages: [ - { - stageName: 'CustomSource', - actions: [new TestGitHubAction(sourceArtifact)], - }, - { - stageName: 'CustomBuild', - actions: [cdkp.SimpleSynthAction.standardNpmSynth({ sourceArtifact, cloudAssemblyArtifact })], - }, - ], - }); - pipeline = new cdkp.CdkPipeline(pipelineStack, 'CdkEmptyPipeline', { - cloudAssemblyArtifact: cloudAssemblyArtifact, - selfMutating: false, - codePipeline: existingCodePipeline, - // No source/build actions - }); - pipeline.addApplicationStage(new FileAssetApp(app, 'App')); + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addApplicationStage(new MegaAssetsApp(app, 'App', { numAssets: 50 })); - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { - Stages: [ - objectLike({ Name: 'CustomSource' }), - objectLike({ Name: 'CustomBuild' }), - objectLike({ Name: 'Assets' }), - objectLike({ Name: 'App' }), - ], - }); + THEN_codePipelineExpectation(); }); - }); - behavior('up to 50 assets fit in a single stage', (suite) => { - suite.legacy(() => { - // WHEN - pipeline.addApplicationStage(new MegaAssetsApp(app, 'App', { numAssets: 50 })); + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new MegaAssetsApp(app, 'App', { numAssets: 50 })); + + THEN_codePipelineExpectation(); + }); - // THEN + function THEN_codePipelineExpectation() { expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { Stages: [ objectLike({ Name: 'Source' }), @@ -120,55 +105,87 @@ describe('basic pipeline', () => { objectLike({ Name: 'App' }), ], }); - }); + } }); behavior('51 assets triggers a second stage', (suite) => { suite.legacy(() => { // WHEN + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); pipeline.addApplicationStage(new MegaAssetsApp(app, 'App', { numAssets: 51 })); - // THEN + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new MegaAssetsApp(app, 'App', { numAssets: 51 })); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { Stages: [ objectLike({ Name: 'Source' }), objectLike({ Name: 'Build' }), objectLike({ Name: 'UpdatePipeline' }), - objectLike({ Name: 'Assets' }), - objectLike({ Name: 'Assets2' }), + objectLike({ Name: stringLike('Assets*') }), + objectLike({ Name: stringLike('Assets*2') }), objectLike({ Name: 'App' }), ], }); - }); + } }); behavior('101 assets triggers a third stage', (suite) => { suite.legacy(() => { - // WHEN + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); pipeline.addApplicationStage(new MegaAssetsApp(app, 'App', { numAssets: 101 })); - // THEN + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new MegaAssetsApp(app, 'App', { numAssets: 101 })); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { Stages: [ objectLike({ Name: 'Source' }), objectLike({ Name: 'Build' }), objectLike({ Name: 'UpdatePipeline' }), - objectLike({ Name: 'Assets' }), - objectLike({ Name: 'Assets2' }), - objectLike({ Name: 'Assets3' }), + objectLike({ Name: stringLike('Assets*') }), // 'Assets' vs 'Assets.1' + objectLike({ Name: stringLike('Assets*2') }), + objectLike({ Name: stringLike('Assets*3') }), objectLike({ Name: 'App' }), ], }); - }); + } }); }); behavior('command line properly locates assets in subassembly', (suite) => { suite.legacy(() => { - // WHEN + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); pipeline.addApplicationStage(new FileAssetApp(app, 'FileAssetApp')); - // THEN + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new FileAssetApp(app, 'FileAssetApp')); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { Environment: { Image: 'aws/codebuild/standard:5.0', @@ -183,15 +200,26 @@ describe('basic pipeline', () => { })), }, }); - }); + } }); behavior('multiple assets are published in parallel', (suite) => { suite.legacy(() => { // WHEN + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); pipeline.addApplicationStage(new TwoFileAssetsApp(app, 'FileAssetApp')); - // THEN + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new TwoFileAssetsApp(app, 'FileAssetApp')); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { Stages: arrayWith({ Name: 'Assets', @@ -201,7 +229,7 @@ describe('basic pipeline', () => { ], }), }); - }); + } }); behavior('assets are also published when using the lower-level addStackArtifactDeployment', (suite) => { @@ -210,6 +238,7 @@ describe('basic pipeline', () => { const asm = new FileAssetApp(app, 'FileAssetApp').synth(); // WHEN + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); pipeline.addStage('SomeStage').addStackArtifactDeployment(asm.getStackByName('FileAssetApp-Stack')); // THEN @@ -225,14 +254,29 @@ describe('basic pipeline', () => { }), }); }); + + // This function does not exist in the modern API + suite.doesNotApply.modern(); }); behavior('file image asset publishers do not use privilegedmode', (suite) => { suite.legacy(() => { // WHEN + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); pipeline.addApplicationStage(new FileAssetApp(app, 'FileAssetApp')); - // THEN + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new FileAssetApp(app, 'FileAssetApp')); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { Source: { BuildSpec: encodedJson(deepObjectLike({ @@ -248,15 +292,25 @@ describe('basic pipeline', () => { Image: 'aws/codebuild/standard:5.0', }), }); - }); + } }); behavior('docker image asset publishers use privilegedmode', (suite) => { suite.legacy(() => { - // WHEN + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); pipeline.addApplicationStage(new DockerAssetApp(app, 'DockerAssetApp')); - // THEN + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new DockerAssetApp(app, 'DockerAssetApp')); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { Source: { BuildSpec: encodedJson(deepObjectLike({ @@ -272,20 +326,30 @@ describe('basic pipeline', () => { PrivilegedMode: true, }), }); - }); + } }); - behavior('can control fix/CLI version used in pipeline selfupdate', (suite) => { + behavior('can control fix/CLI version used in asset publishing', (suite) => { suite.legacy(() => { - // WHEN - const stack2 = new Stack(app, 'Stack2', { env: PIPELINE_ENV }); - const pipeline2 = new TestGitHubNpmPipeline(stack2, 'Cdk2', { + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { cdkCliVersion: '1.2.3', }); - pipeline2.addApplicationStage(new FileAssetApp(stack2, 'FileAssetApp')); + pipeline.addApplicationStage(new FileAssetApp(pipelineStack, 'FileAssetApp')); - // THEN - expect(stack2).toHaveResourceLike('AWS::CodeBuild::Project', { + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + cliVersion: '1.2.3', + }); + pipeline.addStage(new FileAssetApp(pipelineStack, 'FileAssetApp')); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { + expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { Environment: { Image: 'aws/codebuild/standard:5.0', }, @@ -299,14 +363,29 @@ describe('basic pipeline', () => { })), }, }); - }); + } }); describe('asset roles and policies', () => { behavior('includes file publishing assets role for apps with file assets', (suite) => { suite.legacy(() => { + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); pipeline.addApplicationStage(new FileAssetApp(app, 'App1')); + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + // Expectation expects to see KMS key policy permissions + crossAccountKeys: true, + }); + pipeline.addStage(new FileAssetApp(app, 'App1')); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { expect(pipelineStack).toHaveResourceLike('AWS::IAM::Role', { AssumeRolePolicyDocument: { Statement: [{ @@ -325,11 +404,12 @@ describe('basic pipeline', () => { }); expect(pipelineStack).toHaveResourceLike('AWS::IAM::Policy', expectedAssetRolePolicy(FILE_PUBLISHING_ROLE, 'CdkAssetsFileRole6BE17A07')); - }); + } }); behavior('publishing assets role may assume roles from multiple environments', (suite) => { suite.legacy(() => { + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); pipeline.addApplicationStage(new FileAssetApp(app, 'App1')); pipeline.addApplicationStage(new FileAssetApp(app, 'App2', { env: { @@ -338,27 +418,80 @@ describe('basic pipeline', () => { }, })); + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + // Expectation expects to see KMS key policy permissions + crossAccountKeys: true, + }); + + pipeline.addStage(new FileAssetApp(app, 'App1')); + pipeline.addStage(new FileAssetApp(app, 'App2', { + env: { + account: '0123456789012', + region: 'eu-west-1', + }, + })); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { expect(pipelineStack).toHaveResourceLike('AWS::IAM::Policy', expectedAssetRolePolicy([FILE_PUBLISHING_ROLE, 'arn:${AWS::Partition}:iam::0123456789012:role/cdk-hnb659fds-file-publishing-role-0123456789012-eu-west-1'], 'CdkAssetsFileRole6BE17A07')); - }); + } }); behavior('publishing assets role de-dupes assumed roles', (suite) => { suite.legacy(() => { + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); pipeline.addApplicationStage(new FileAssetApp(app, 'App1')); pipeline.addApplicationStage(new FileAssetApp(app, 'App2')); pipeline.addApplicationStage(new FileAssetApp(app, 'App3')); + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + // Expectation expects to see KMS key policy permissions + crossAccountKeys: true, + }); + pipeline.addStage(new FileAssetApp(app, 'App1')); + pipeline.addStage(new FileAssetApp(app, 'App2')); + pipeline.addStage(new FileAssetApp(app, 'App3')); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { expect(pipelineStack).toHaveResourceLike('AWS::IAM::Policy', expectedAssetRolePolicy(FILE_PUBLISHING_ROLE, 'CdkAssetsFileRole6BE17A07')); - }); + } }); behavior('includes image publishing assets role for apps with Docker assets', (suite) => { suite.legacy(() => { + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); pipeline.addApplicationStage(new DockerAssetApp(app, 'App1')); + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + // Expectation expects to see KMS key policy permissions + crossAccountKeys: true, + }); + pipeline.addStage(new DockerAssetApp(app, 'App1')); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { expect(pipelineStack).toHaveResourceLike('AWS::IAM::Role', { AssumeRolePolicyDocument: { Statement: [{ @@ -377,37 +510,72 @@ describe('basic pipeline', () => { }); expect(pipelineStack).toHaveResourceLike('AWS::IAM::Policy', expectedAssetRolePolicy(IMAGE_PUBLISHING_ROLE, 'CdkAssetsDockerRole484B6DD3')); - }); + } }); behavior('includes both roles for apps with both file and Docker assets', (suite) => { suite.legacy(() => { + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); pipeline.addApplicationStage(new FileAssetApp(app, 'App1')); pipeline.addApplicationStage(new DockerAssetApp(app, 'App2')); + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + // Expectation expects to see KMS key policy permissions + crossAccountKeys: true, + }); + pipeline.addStage(new FileAssetApp(app, 'App1')); + pipeline.addStage(new DockerAssetApp(app, 'App2')); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { expect(pipelineStack).toHaveResourceLike('AWS::IAM::Policy', expectedAssetRolePolicy(FILE_PUBLISHING_ROLE, 'CdkAssetsFileRole6BE17A07')); expect(pipelineStack).toHaveResourceLike('AWS::IAM::Policy', expectedAssetRolePolicy(IMAGE_PUBLISHING_ROLE, 'CdkAssetsDockerRole484B6DD3')); - }); + } }); }); }); - behavior('can supply pre-install scripts to asset upload', (suite) => { suite.legacy(() => { - // WHEN - app = new TestApp(); - pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); - pipeline = new TestGitHubNpmPipeline(pipelineStack, 'Cdk', { + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { assetPreInstallCommands: [ 'npm config set registry https://registry.com', ], }); pipeline.addApplicationStage(new FileAssetApp(app, 'FileAssetApp')); - // THEN + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + assetPublishingCodeBuildDefaults: { + partialBuildSpec: cb.BuildSpec.fromObject({ + version: '0.2', + phases: { + install: { + commands: [ + 'npm config set registry https://registry.com', + ], + }, + }, + }), + }, + }); + pipeline.addStage(new FileAssetApp(app, 'FileAssetApp')); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { Environment: { Image: 'aws/codebuild/standard:5.0', @@ -422,27 +590,35 @@ behavior('can supply pre-install scripts to asset upload', (suite) => { })), }, }); - - app.cleanup(); - }); + } }); describe('pipeline with VPC', () => { let vpc: ec2.Vpc; beforeEach(() => { - app = new TestApp(); - pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); vpc = new ec2.Vpc(pipelineStack, 'Vpc'); - pipeline = new TestGitHubNpmPipeline(pipelineStack, 'Cdk', { - vpc, - }); }); behavior('asset CodeBuild Project uses VPC subnets', (suite) => { suite.legacy(() => { - // WHEN + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + vpc, + }); pipeline.addApplicationStage(new DockerAssetApp(app, 'DockerAssetApp')); + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + codeBuildDefaults: { vpc }, + }); + pipeline.addStage(new DockerAssetApp(app, 'DockerAssetApp')); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { // THEN expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { VpcConfig: objectLike({ @@ -457,16 +633,27 @@ describe('pipeline with VPC', () => { VpcId: { Ref: 'Vpc8378EB38' }, }), }); - }); + } }); behavior('Pipeline-generated CodeBuild Projects have appropriate execution role permissions', (suite) => { suite.legacy(() => { - // WHEN + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + vpc, + }); pipeline.addApplicationStage(new DockerAssetApp(app, 'DockerAssetApp')); + THEN_codePipelineExpectation(); + }); - // THEN + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + codeBuildDefaults: { vpc }, + }); + pipeline.addStage(new DockerAssetApp(app, 'DockerAssetApp')); + THEN_codePipelineExpectation(); + }); + function THEN_codePipelineExpectation() { // Assets Project expect(pipelineStack).toHaveResourceLike('AWS::IAM::Policy', { Roles: [ @@ -480,13 +667,28 @@ describe('pipeline with VPC', () => { }), }, }); - }); + } }); behavior('Asset publishing CodeBuild Projects have a dependency on attached policies to the role', (suite) => { suite.legacy(() => { + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + vpc, + }); pipeline.addApplicationStage(new DockerAssetApp(app, 'DockerAssetApp')); + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + codeBuildDefaults: { vpc }, + }); + pipeline.addStage(new DockerAssetApp(app, 'DockerAssetApp')); + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { // Assets Project expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { Properties: { @@ -501,32 +703,33 @@ describe('pipeline with VPC', () => { 'CdkAssetsDockerRoleVpcPolicy86CA024B', ], }, ResourcePart.CompleteDefinition); - }); + } }); }); describe('pipeline with single asset publisher', () => { - let otherPipelineStack: Stack; - let otherPipeline: cdkp.CdkPipeline; - - beforeEach(() => { - app = new TestApp(); - pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); - pipeline = new TestGitHubNpmPipeline(pipelineStack, 'Cdk', { - singlePublisherPerType: true, - }); - otherPipelineStack = new Stack(app, 'OtherPipelineStack', { env: PIPELINE_ENV }); - otherPipeline = new TestGitHubNpmPipeline(otherPipelineStack, 'Cdk', { - singlePublisherPerType: true, - }); - }); - behavior('multiple assets are using the same job in singlePublisherMode', (suite) => { suite.legacy(() => { - // WHEN + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + singlePublisherPerType: true, + }); pipeline.addApplicationStage(new TwoFileAssetsApp(app, 'FileAssetApp')); + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + publishAssetsInParallel: false, + }); + pipeline.addStage(new TwoFileAssetsApp(app, 'FileAssetApp')); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { // THEN + const buildSpecName = Capture.aString(); expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { Stages: arrayWith({ Name: 'Assets', @@ -541,306 +744,69 @@ describe('pipeline with single asset publisher', () => { Image: 'aws/codebuild/standard:5.0', }, Source: { - BuildSpec: 'buildspec-assets-PipelineStack-Cdk-Assets-FileAsset.yaml', + BuildSpec: buildSpecName.capture(stringLike('buildspec-*.yaml')), }, }); const assembly = SynthUtils.synthesize(pipelineStack, { skipValidation: true }).assembly; - const buildSpec = JSON.parse(fs.readFileSync(path.join(assembly.directory, 'buildspec-assets-PipelineStack-Cdk-Assets-FileAsset.yaml')).toString()); + + const actualFileName = buildSpecName.capturedValue; + + const buildSpec = JSON.parse(fs.readFileSync(path.join(assembly.directory, actualFileName), { encoding: 'utf-8' })); expect(buildSpec.phases.build.commands).toContain(`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH}:current_account-current_region"`); expect(buildSpec.phases.build.commands).toContain(`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH2}:current_account-current_region"`); - }); + } }); behavior('other pipeline writes to separate assets build spec file', (suite) => { suite.legacy(() => { - // WHEN + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + singlePublisherPerType: true, + }); pipeline.addApplicationStage(new TwoFileAssetsApp(app, 'FileAssetApp')); - otherPipeline.addApplicationStage(new TwoFileAssetsApp(app, 'OtherFileAssetApp')); - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { - Source: { - BuildSpec: 'buildspec-assets-PipelineStack-Cdk-Assets-FileAsset.yaml', - }, + const pipelineStack2 = new Stack(app, 'PipelineStack2', { env: PIPELINE_ENV }); + const otherPipeline = new LegacyTestGitHubNpmPipeline(pipelineStack2, 'Cdk', { + singlePublisherPerType: true, }); - expect(otherPipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { - Source: { - BuildSpec: 'buildspec-assets-OtherPipelineStack-Cdk-Assets-FileAsset.yaml', - }, - }); - }); - }); -}); - -describe('pipeline with Docker credentials', () => { - const secretSynthArn = 'arn:aws:secretsmanager:eu-west-1:0123456789012:secret:synth-012345'; - const secretUpdateArn = 'arn:aws:secretsmanager:eu-west-1:0123456789012:secret:update-012345'; - const secretPublishArn = 'arn:aws:secretsmanager:eu-west-1:0123456789012:secret:publish-012345'; - let secretSynth: secretsmanager.ISecret; - let secretUpdate: secretsmanager.ISecret; - let secretPublish: secretsmanager.ISecret; + otherPipeline.addApplicationStage(new TwoFileAssetsApp(app, 'OtherFileAssetApp')); - beforeEach(() => { - app = new TestApp(); - pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); - - secretSynth = secretsmanager.Secret.fromSecretCompleteArn(pipelineStack, 'Secret1', secretSynthArn); - secretUpdate = secretsmanager.Secret.fromSecretCompleteArn(pipelineStack, 'Secret2', secretUpdateArn); - secretPublish = secretsmanager.Secret.fromSecretCompleteArn(pipelineStack, 'Secret3', secretPublishArn); - pipeline = new TestGitHubNpmPipeline(pipelineStack, 'Cdk', { - dockerCredentials: [ - cdkp.DockerCredential.customRegistry('synth.example.com', secretSynth, { - usages: [cdkp.DockerCredentialUsage.SYNTH], - }), - cdkp.DockerCredential.customRegistry('selfupdate.example.com', secretUpdate, { - usages: [cdkp.DockerCredentialUsage.SELF_UPDATE], - }), - cdkp.DockerCredential.customRegistry('publish.example.com', secretPublish, { - usages: [cdkp.DockerCredentialUsage.ASSET_PUBLISHING], - }), - ], + THEN_codePipelineExpectation(pipelineStack2); }); - }); - behavior('synth action receives install commands and access to relevant credentials', (suite) => { - suite.legacy(() => { - pipeline.addApplicationStage(new DockerAssetApp(app, 'App1')); - - const expectedCredsConfig = JSON.stringify({ - version: '1.0', - domainCredentials: { 'synth.example.com': { secretsManagerSecretId: secretSynthArn } }, + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + publishAssetsInParallel: false, }); + pipeline.addStage(new TwoFileAssetsApp(app, 'FileAssetApp')); - expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { - Environment: { Image: 'aws/codebuild/standard:5.0' }, - // Prove we're looking at the Synth project - ServiceRole: { 'Fn::GetAtt': ['CdkPipelineBuildSynthCdkBuildProjectRole5E173C62', 'Arn'] }, - Source: { - BuildSpec: encodedJson(deepObjectLike({ - phases: { - pre_build: { - commands: [ - 'npm ci', - 'mkdir $HOME/.cdk', - `echo '${expectedCredsConfig}' > $HOME/.cdk/cdk-docker-creds.json`, - ], - }, - }, - })), - }, + const pipelineStack2 = new Stack(app, 'PipelineStack2', { env: PIPELINE_ENV }); + const otherPipeline = new ModernTestGitHubNpmPipeline(pipelineStack2, 'Cdk', { + publishAssetsInParallel: false, }); - expect(pipelineStack).toHaveResource('AWS::IAM::Policy', { - PolicyDocument: { - Statement: arrayWith({ - Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'], - Effect: 'Allow', - Resource: secretSynthArn, - }), - Version: '2012-10-17', - }, - Roles: [{ Ref: 'CdkPipelineBuildSynthCdkBuildProjectRole5E173C62' }], - }); - }); - }); + otherPipeline.addStage(new TwoFileAssetsApp(app, 'OtherFileAssetApp')); - behavior('synth action receives Windows install commands if a Windows image is detected', (suite) => { - suite.legacy(() => { - pipeline = new TestGitHubNpmPipeline(pipelineStack, 'Cdk2', { - dockerCredentials: [ - cdkp.DockerCredential.customRegistry('synth.example.com', secretSynth, { - usages: [cdkp.DockerCredentialUsage.SYNTH], - }), - cdkp.DockerCredential.customRegistry('selfupdate.example.com', secretUpdate, { - usages: [cdkp.DockerCredentialUsage.SELF_UPDATE], - }), - cdkp.DockerCredential.customRegistry('publish.example.com', secretPublish, { - usages: [cdkp.DockerCredentialUsage.ASSET_PUBLISHING], - }), - ], - npmSynthOptions: { - environment: { - buildImage: cb.WindowsBuildImage.WINDOWS_BASE_2_0, - }, - }, - }); - pipeline.addApplicationStage(new DockerAssetApp(app, 'App1')); - - const expectedCredsConfig = JSON.stringify({ - version: '1.0', - domainCredentials: { 'synth.example.com': { secretsManagerSecretId: secretSynthArn } }, - }); - - expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { - Environment: { Image: 'aws/codebuild/windows-base:2.0' }, - // Prove we're looking at the Synth project - ServiceRole: { 'Fn::GetAtt': ['Cdk2PipelineBuildSynthCdkBuildProjectRole9869128F', 'Arn'] }, - Source: { - BuildSpec: encodedJson(deepObjectLike({ - phases: { - pre_build: { - commands: [ - 'npm ci', - 'mkdir %USERPROFILE%\\.cdk', - `echo '${expectedCredsConfig}' > %USERPROFILE%\\.cdk\\cdk-docker-creds.json`, - ], - }, - }, - })), - }, - }); + THEN_codePipelineExpectation(pipelineStack2); }); - }); - - behavior('self-update receives install commands and access to relevant credentials', (suite) => { - suite.legacy(() => { - pipeline.addApplicationStage(new DockerAssetApp(app, 'App1')); - - const expectedCredsConfig = JSON.stringify({ - version: '1.0', - domainCredentials: { 'selfupdate.example.com': { secretsManagerSecretId: secretUpdateArn } }, - }); + function THEN_codePipelineExpectation(pipelineStack2: Stack) { + // THEN + const buildSpecName1 = Capture.aString(); + const buildSpecName2 = Capture.aString(); expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { - Environment: { Image: 'aws/codebuild/standard:5.0' }, - // Prove we're looking at the SelfMutate project - ServiceRole: { 'Fn::GetAtt': ['CdkUpdatePipelineSelfMutationRoleAAF1B580', 'Arn'] }, Source: { - BuildSpec: encodedJson(deepObjectLike({ - phases: { - install: { - commands: [ - 'npm install -g aws-cdk', - 'mkdir $HOME/.cdk', - `echo '${expectedCredsConfig}' > $HOME/.cdk/cdk-docker-creds.json`, - ], - }, - }, - })), - }, - }); - expect(pipelineStack).toHaveResource('AWS::IAM::Policy', { - PolicyDocument: { - Statement: arrayWith({ - Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'], - Effect: 'Allow', - Resource: secretUpdateArn, - }), - Version: '2012-10-17', + BuildSpec: buildSpecName1.capture(stringLike('buildspec-*.yaml')), }, - Roles: [{ Ref: 'CdkUpdatePipelineSelfMutationRoleAAF1B580' }], }); - }); - }); - - behavior('asset publishing receives install commands and access to relevant credentials', (suite) => { - suite.legacy(() => { - pipeline.addApplicationStage(new DockerAssetApp(app, 'App1')); - - const expectedCredsConfig = JSON.stringify({ - version: '1.0', - domainCredentials: { 'publish.example.com': { secretsManagerSecretId: secretPublishArn } }, - }); - - expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { - Environment: { Image: 'aws/codebuild/standard:5.0' }, - // Prove we're looking at the Publishing project - ServiceRole: { 'Fn::GetAtt': ['CdkAssetsDockerRole484B6DD3', 'Arn'] }, + expect(pipelineStack2).toHaveResourceLike('AWS::CodeBuild::Project', { Source: { - BuildSpec: encodedJson(deepObjectLike({ - phases: { - install: { - commands: [ - 'mkdir $HOME/.cdk', - `echo '${expectedCredsConfig}' > $HOME/.cdk/cdk-docker-creds.json`, - 'npm install -g cdk-assets', - ], - }, - }, - })), + BuildSpec: buildSpecName2.capture(stringLike('buildspec-*.yaml')), }, }); - expect(pipelineStack).toHaveResource('AWS::IAM::Policy', { - PolicyDocument: { - Statement: arrayWith({ - Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'], - Effect: 'Allow', - Resource: secretPublishArn, - }), - Version: '2012-10-17', - }, - Roles: [{ Ref: 'CdkAssetsDockerRole484B6DD3' }], - }); - }); - }); - -}); - -class PlainStackApp extends Stage { - constructor(scope: Construct, id: string, props?: StageProps) { - super(scope, id, props); - new BucketStack(this, 'Stack'); - } -} - -class FileAssetApp extends Stage { - constructor(scope: Construct, id: string, props?: StageProps) { - super(scope, id, props); - const stack = new Stack(this, 'Stack'); - new s3_assets.Asset(stack, 'Asset', { - path: path.join(__dirname, 'test-file-asset.txt'), - }); - } -} -class TwoFileAssetsApp extends Stage { - constructor(scope: Construct, id: string, props?: StageProps) { - super(scope, id, props); - const stack = new Stack(this, 'Stack'); - new s3_assets.Asset(stack, 'Asset1', { - path: path.join(__dirname, 'test-file-asset.txt'), - }); - new s3_assets.Asset(stack, 'Asset2', { - path: path.join(__dirname, 'test-file-asset-two.txt'), - }); - } -} - -class DockerAssetApp extends Stage { - constructor(scope: Construct, id: string, props?: StageProps) { - super(scope, id, props); - const stack = new Stack(this, 'Stack'); - new ecr_assets.DockerImageAsset(stack, 'Asset', { - directory: path.join(__dirname, 'test-docker-asset'), - }); - } -} - -interface MegaAssetsAppProps extends StageProps { - readonly numAssets: number; -} - -// Creates a mix of file and image assets, up to a specified count -class MegaAssetsApp extends Stage { - constructor(scope: Construct, id: string, props: MegaAssetsAppProps) { - super(scope, id, props); - const stack = new Stack(this, 'Stack'); - - let assetCount = 0; - for (; assetCount < props.numAssets / 2; assetCount++) { - new s3_assets.Asset(stack, `Asset${assetCount}`, { - path: path.join(__dirname, 'test-file-asset.txt'), - assetHash: `FileAsset${assetCount}`, - }); - } - for (; assetCount < props.numAssets; assetCount++) { - new ecr_assets.DockerImageAsset(stack, `Asset${assetCount}`, { - directory: path.join(__dirname, 'test-docker-asset'), - extraHash: `FileAsset${assetCount}`, - }); + expect(buildSpecName1.capturedValue).not.toEqual(buildSpecName2.capturedValue); } - } -} - + }); +}); function expectedAssetRolePolicy(assumeRolePattern: string | string[], attachedRole: string) { if (typeof assumeRolePattern === 'string') { assumeRolePattern = [assumeRolePattern]; } diff --git a/packages/@aws-cdk/pipelines/test/compliance/basic-behavior.test.ts b/packages/@aws-cdk/pipelines/test/compliance/basic-behavior.test.ts new file mode 100644 index 0000000000000..1248831737bdf --- /dev/null +++ b/packages/@aws-cdk/pipelines/test/compliance/basic-behavior.test.ts @@ -0,0 +1,228 @@ +/* eslint-disable import/no-extraneous-dependencies */ +import * as fs from 'fs'; +import * as path from 'path'; +import { arrayWith, Capture, objectLike, stringLike } from '@aws-cdk/assert-internal'; +import '@aws-cdk/assert-internal/jest'; +import { Stack, Stage, StageProps, Tags } from '@aws-cdk/core'; +import { Construct } from 'constructs'; +import { behavior, LegacyTestGitHubNpmPipeline, OneStackApp, BucketStack, PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline } from '../testhelpers'; + +let app: TestApp; +let pipelineStack: Stack; + +beforeEach(() => { + app = new TestApp(); + pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); +}); + +afterEach(() => { + app.cleanup(); +}); + +behavior('stack templates in nested assemblies are correctly addressed', (suite) => { + suite.legacy(() => { + // WHEN + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addApplicationStage(new OneStackApp(app, 'App')); + + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new OneStackApp(app, 'App')); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { + expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: arrayWith({ + Name: 'App', + Actions: arrayWith( + objectLike({ + Name: stringLike('*Prepare'), + InputArtifacts: [objectLike({})], + Configuration: objectLike({ + StackName: 'App-Stack', + TemplatePath: stringLike('*::assembly-App/*.template.json'), + }), + }), + ), + }), + }); + } +}); + +behavior('obvious error is thrown when stage contains no stacks', (suite) => { + suite.legacy(() => { + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + + // WHEN + expect(() => { + pipeline.addApplicationStage(new Stage(app, 'EmptyStage')); + }).toThrow(/should contain at least one Stack/); + }); + + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + + // WHEN + expect(() => { + pipeline.addStage(new Stage(app, 'EmptyStage')); + }).toThrow(/should contain at least one Stack/); + }); +}); + +behavior('overridden stack names are respected', (suite) => { + suite.legacy(() => { + // WHEN + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addApplicationStage(new OneStackAppWithCustomName(app, 'App1')); + pipeline.addApplicationStage(new OneStackAppWithCustomName(app, 'App2')); + + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new OneStackAppWithCustomName(app, 'App1')); + pipeline.addStage(new OneStackAppWithCustomName(app, 'App2')); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { + expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: arrayWith( + { + Name: 'App1', + Actions: arrayWith(objectLike({ + Name: stringLike('*Prepare'), + Configuration: objectLike({ + StackName: 'MyFancyStack', + }), + })), + }, + { + Name: 'App2', + Actions: arrayWith(objectLike({ + Name: stringLike('*Prepare'), + Configuration: objectLike({ + StackName: 'MyFancyStack', + }), + })), + }, + ), + }); + } +}); + +behavior('changing CLI version leads to a different pipeline structure (restarting it)', (suite) => { + suite.legacy(() => { + // GIVEN + const stack2 = new Stack(app, 'Stack2', { env: PIPELINE_ENV }); + const stack3 = new Stack(app, 'Stack3', { env: PIPELINE_ENV }); + + // WHEN + new LegacyTestGitHubNpmPipeline(stack2, 'Cdk', { + cdkCliVersion: '1.2.3', + }); + new LegacyTestGitHubNpmPipeline(stack3, 'Cdk', { + cdkCliVersion: '4.5.6', + }); + + THEN_codePipelineExpectation(stack2, stack3); + }); + + suite.modern(() => { + // GIVEN + const stack2 = new Stack(app, 'Stack2', { env: PIPELINE_ENV }); + const stack3 = new Stack(app, 'Stack3', { env: PIPELINE_ENV }); + + // WHEN + new ModernTestGitHubNpmPipeline(stack2, 'Cdk', { + cliVersion: '1.2.3', + }); + new ModernTestGitHubNpmPipeline(stack3, 'Cdk', { + cliVersion: '4.5.6', + }); + + THEN_codePipelineExpectation(stack2, stack3); + }); + + function THEN_codePipelineExpectation(stack2: Stack, stack3: Stack) { + // THEN + const structure2 = Capture.anyType(); + const structure3 = Capture.anyType(); + + expect(stack2).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: structure2.capture(), + }); + expect(stack3).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: structure3.capture(), + }); + + expect(JSON.stringify(structure2.capturedValue)).not.toEqual(JSON.stringify(structure3.capturedValue)); + } +}); + +behavior('tags get reflected in pipeline', (suite) => { + suite.legacy(() => { + // WHEN + const stage = new OneStackApp(app, 'App'); + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + Tags.of(stage).add('CostCenter', 'F00B4R'); + pipeline.addApplicationStage(stage); + + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + // WHEN + const stage = new OneStackApp(app, 'App'); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + Tags.of(stage).add('CostCenter', 'F00B4R'); + pipeline.addStage(stage); + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { + // THEN + const templateConfig = Capture.aString(); + expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: arrayWith({ + Name: 'App', + Actions: arrayWith( + objectLike({ + Name: stringLike('*Prepare'), + InputArtifacts: [objectLike({})], + Configuration: objectLike({ + StackName: 'App-Stack', + TemplateConfiguration: templateConfig.capture(stringLike('*::assembly-App/*.template.*json')), + }), + }), + ), + }), + }); + + const [, relConfigFile] = templateConfig.capturedValue.split('::'); + const absConfigFile = path.join(app.outdir, relConfigFile); + const configFile = JSON.parse(fs.readFileSync(absConfigFile, { encoding: 'utf-8' })); + expect(configFile).toEqual(expect.objectContaining({ + Tags: { + CostCenter: 'F00B4R', + }, + })); + } +}); + +class OneStackAppWithCustomName extends Stage { + constructor(scope: Construct, id: string, props?: StageProps) { + super(scope, id, props); + new BucketStack(this, 'Stack', { + stackName: 'MyFancyStack', + }); + } +} diff --git a/packages/@aws-cdk/pipelines/test/compliance/docker-credentials.test.ts b/packages/@aws-cdk/pipelines/test/compliance/docker-credentials.test.ts new file mode 100644 index 0000000000000..5ada88b49b937 --- /dev/null +++ b/packages/@aws-cdk/pipelines/test/compliance/docker-credentials.test.ts @@ -0,0 +1,292 @@ +import { arrayWith, deepObjectLike, encodedJson, stringLike } from '@aws-cdk/assert-internal'; +import '@aws-cdk/assert-internal/jest'; +import * as cb from '@aws-cdk/aws-codebuild'; +import * as secretsmanager from '@aws-cdk/aws-secretsmanager'; +import { Stack } from '@aws-cdk/core'; +import { Construct } from 'constructs'; +import * as cdkp from '../../lib'; +import { CodeBuildStep } from '../../lib'; +import { behavior, PIPELINE_ENV, TestApp, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, DockerAssetApp } from '../testhelpers'; + +const secretSynthArn = 'arn:aws:secretsmanager:eu-west-1:0123456789012:secret:synth-012345'; +const secretUpdateArn = 'arn:aws:secretsmanager:eu-west-1:0123456789012:secret:update-012345'; +const secretPublishArn = 'arn:aws:secretsmanager:eu-west-1:0123456789012:secret:publish-012345'; + +let app: TestApp; +let pipelineStack: Stack; +let secretSynth: secretsmanager.ISecret; +let secretUpdate: secretsmanager.ISecret; +let secretPublish: secretsmanager.ISecret; + +beforeEach(() => { + app = new TestApp(); + pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); + secretSynth = secretsmanager.Secret.fromSecretCompleteArn(pipelineStack, 'Secret1', secretSynthArn); + secretUpdate = secretsmanager.Secret.fromSecretCompleteArn(pipelineStack, 'Secret2', secretUpdateArn); + secretPublish = secretsmanager.Secret.fromSecretCompleteArn(pipelineStack, 'Secret3', secretPublishArn); +}); + +afterEach(() => { + app.cleanup(); +}); + +behavior('synth action receives install commands and access to relevant credentials', (suite) => { + suite.legacy(() => { + const pipeline = new LegacyPipelineWithCreds(pipelineStack, 'Cdk'); + pipeline.addApplicationStage(new DockerAssetApp(app, 'App1')); + + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + const pipeline = new ModernPipelineWithCreds(pipelineStack, 'Cdk'); + pipeline.addStage(new DockerAssetApp(app, 'App1')); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { + const expectedCredsConfig = JSON.stringify({ + version: '1.0', + domainCredentials: { 'synth.example.com': { secretsManagerSecretId: secretSynthArn } }, + }); + + expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { + Environment: { Image: 'aws/codebuild/standard:5.0' }, + Source: { + BuildSpec: encodedJson(deepObjectLike({ + phases: { + pre_build: { + commands: arrayWith( + 'mkdir $HOME/.cdk', + `echo '${expectedCredsConfig}' > $HOME/.cdk/cdk-docker-creds.json`, + ), + }, + // Prove we're looking at the Synth project + build: { + commands: arrayWith(stringLike('*cdk*synth*')), + }, + }, + })), + }, + }); + expect(pipelineStack).toHaveResource('AWS::IAM::Policy', { + PolicyDocument: { + Statement: arrayWith({ + Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'], + Effect: 'Allow', + Resource: secretSynthArn, + }), + Version: '2012-10-17', + }, + Roles: [{ Ref: stringLike('Cdk*BuildProjectRole*') }], + }); + } +}); + +behavior('synth action receives Windows install commands if a Windows image is detected', (suite) => { + suite.legacy(() => { + const pipeline = new LegacyPipelineWithCreds(pipelineStack, 'Cdk2', { + npmSynthOptions: { + environment: { + buildImage: cb.WindowsBuildImage.WINDOWS_BASE_2_0, + }, + }, + }); + pipeline.addApplicationStage(new DockerAssetApp(app, 'App1')); + + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + const pipeline = new ModernPipelineWithCreds(pipelineStack, 'Cdk2', { + synth: new CodeBuildStep('Synth', { + commands: ['cdk synth'], + primaryOutputDirectory: 'cdk.out', + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + buildEnvironment: { + buildImage: cb.WindowsBuildImage.WINDOWS_BASE_2_0, + computeType: cb.ComputeType.MEDIUM, + }, + }), + }); + pipeline.addStage(new DockerAssetApp(app, 'App1')); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { + const expectedCredsConfig = JSON.stringify({ + version: '1.0', + domainCredentials: { 'synth.example.com': { secretsManagerSecretId: secretSynthArn } }, + }); + + expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { + Environment: { Image: 'aws/codebuild/windows-base:2.0' }, + Source: { + BuildSpec: encodedJson(deepObjectLike({ + phases: { + pre_build: { + commands: arrayWith( + 'mkdir %USERPROFILE%\\.cdk', + `echo '${expectedCredsConfig}' > %USERPROFILE%\\.cdk\\cdk-docker-creds.json`, + ), + }, + // Prove we're looking at the Synth project + build: { + commands: arrayWith(stringLike('*cdk*synth*')), + }, + }, + })), + }, + }); + } +}); + +behavior('self-update receives install commands and access to relevant credentials', (suite) => { + suite.legacy(() => { + const pipeline = new LegacyPipelineWithCreds(pipelineStack, 'Cdk'); + pipeline.addApplicationStage(new DockerAssetApp(app, 'App1')); + + THEN_codePipelineExpectation('install'); + }); + + suite.modern(() => { + const pipeline = new ModernPipelineWithCreds(pipelineStack, 'Cdk'); + pipeline.addStage(new DockerAssetApp(app, 'App1')); + + THEN_codePipelineExpectation('pre_build'); + }); + + function THEN_codePipelineExpectation(expectedPhase: string) { + const expectedCredsConfig = JSON.stringify({ + version: '1.0', + domainCredentials: { 'selfupdate.example.com': { secretsManagerSecretId: secretUpdateArn } }, + }); + + expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { + Environment: { Image: 'aws/codebuild/standard:5.0' }, + Source: { + BuildSpec: encodedJson(deepObjectLike({ + phases: { + [expectedPhase]: { + commands: arrayWith( + 'mkdir $HOME/.cdk', + `echo '${expectedCredsConfig}' > $HOME/.cdk/cdk-docker-creds.json`, + ), + }, + // Prove we're looking at the SelfMutate project + build: { + commands: arrayWith( + stringLike('cdk * deploy PipelineStack*'), + ), + }, + }, + })), + }, + }); + expect(pipelineStack).toHaveResource('AWS::IAM::Policy', { + PolicyDocument: { + Statement: arrayWith({ + Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'], + Effect: 'Allow', + Resource: secretUpdateArn, + }), + Version: '2012-10-17', + }, + Roles: [{ Ref: stringLike('*SelfMutat*Role*') }], + }); + } +}); + +behavior('asset publishing receives install commands and access to relevant credentials', (suite) => { + suite.legacy(() => { + const pipeline = new LegacyPipelineWithCreds(pipelineStack, 'Cdk'); + pipeline.addApplicationStage(new DockerAssetApp(app, 'App1')); + + THEN_codePipelineExpectation('install'); + }); + + suite.modern(() => { + const pipeline = new ModernPipelineWithCreds(pipelineStack, 'Cdk'); + pipeline.addStage(new DockerAssetApp(app, 'App1')); + + THEN_codePipelineExpectation('pre_build'); + }); + + function THEN_codePipelineExpectation(expectedPhase: string) { + const expectedCredsConfig = JSON.stringify({ + version: '1.0', + domainCredentials: { 'publish.example.com': { secretsManagerSecretId: secretPublishArn } }, + }); + + expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { + Environment: { Image: 'aws/codebuild/standard:5.0' }, + Source: { + BuildSpec: encodedJson(deepObjectLike({ + phases: { + [expectedPhase]: { + commands: arrayWith( + 'mkdir $HOME/.cdk', + `echo '${expectedCredsConfig}' > $HOME/.cdk/cdk-docker-creds.json`, + ), + }, + // Prove we're looking at the Publishing project + build: { + commands: arrayWith(stringLike('cdk-assets*')), + }, + }, + })), + }, + }); + expect(pipelineStack).toHaveResource('AWS::IAM::Policy', { + PolicyDocument: { + Statement: arrayWith({ + Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'], + Effect: 'Allow', + Resource: secretPublishArn, + }), + Version: '2012-10-17', + }, + Roles: [{ Ref: 'CdkAssetsDockerRole484B6DD3' }], + }); + } +}); + +class LegacyPipelineWithCreds extends LegacyTestGitHubNpmPipeline { + constructor(scope: Construct, id: string, props?: ConstructorParameters[2]) { + super(scope, id, { + dockerCredentials: [ + cdkp.DockerCredential.customRegistry('synth.example.com', secretSynth, { + usages: [cdkp.DockerCredentialUsage.SYNTH], + }), + cdkp.DockerCredential.customRegistry('selfupdate.example.com', secretUpdate, { + usages: [cdkp.DockerCredentialUsage.SELF_UPDATE], + }), + cdkp.DockerCredential.customRegistry('publish.example.com', secretPublish, { + usages: [cdkp.DockerCredentialUsage.ASSET_PUBLISHING], + }), + ], + ...props, + }); + } +} + +class ModernPipelineWithCreds extends ModernTestGitHubNpmPipeline { + constructor(scope: Construct, id: string, props?: ConstructorParameters[2]) { + super(scope, id, { + dockerCredentials: [ + cdkp.DockerCredential.customRegistry('synth.example.com', secretSynth, { + usages: [cdkp.DockerCredentialUsage.SYNTH], + }), + cdkp.DockerCredential.customRegistry('selfupdate.example.com', secretUpdate, { + usages: [cdkp.DockerCredentialUsage.SELF_UPDATE], + }), + cdkp.DockerCredential.customRegistry('publish.example.com', secretPublish, { + usages: [cdkp.DockerCredentialUsage.ASSET_PUBLISHING], + }), + ], + ...props, + }); + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/test/compliance/environments.test.ts b/packages/@aws-cdk/pipelines/test/compliance/environments.test.ts new file mode 100644 index 0000000000000..d30e5a423fcb3 --- /dev/null +++ b/packages/@aws-cdk/pipelines/test/compliance/environments.test.ts @@ -0,0 +1,391 @@ +/* eslint-disable import/no-extraneous-dependencies */ +import { arrayWith, objectLike, stringLike } from '@aws-cdk/assert-internal'; +import '@aws-cdk/assert-internal/jest'; +import { Stack } from '@aws-cdk/core'; +import { behavior, LegacyTestGitHubNpmPipeline, OneStackApp, PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline } from '../testhelpers'; + +let app: TestApp; +let pipelineStack: Stack; + +beforeEach(() => { + app = new TestApp(); + pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); +}); + +afterEach(() => { + app.cleanup(); +}); + +behavior('action has right settings for same-env deployment', (suite) => { + suite.legacy(() => { + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addApplicationStage(new OneStackApp(app, 'Same')); + + THEN_codePipelineExpection(agnosticRole); + }); + + suite.additional('legacy: even if env is specified but the same as the pipeline', () => { + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addApplicationStage(new OneStackApp(app, 'Same', { + env: PIPELINE_ENV, + })); + + THEN_codePipelineExpection(pipelineEnvRole); + }); + + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new OneStackApp(app, 'Same')); + + THEN_codePipelineExpection(agnosticRole); + }); + + suite.additional('modern: even if env is specified but the same as the pipeline', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new OneStackApp(app, 'Same', { + env: PIPELINE_ENV, + })); + + THEN_codePipelineExpection(pipelineEnvRole); + }); + + function THEN_codePipelineExpection(roleArn: (x: string) => any) { + // THEN: pipeline structure is correct + expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: arrayWith({ + Name: 'Same', + Actions: [ + objectLike({ + Name: stringLike('*Prepare'), + RoleArn: roleArn('deploy-role'), + Configuration: objectLike({ + StackName: 'Same-Stack', + RoleArn: roleArn('cfn-exec-role'), + }), + }), + objectLike({ + Name: stringLike('*Deploy'), + RoleArn: roleArn('deploy-role'), + Configuration: objectLike({ + StackName: 'Same-Stack', + }), + }), + ], + }), + }); + + // THEN: artifact bucket can be read by deploy role + expect(pipelineStack).toHaveResourceLike('AWS::S3::BucketPolicy', { + PolicyDocument: { + Statement: arrayWith(objectLike({ + Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], + Principal: { + AWS: roleArn('deploy-role'), + }, + })), + }, + }); + } +}); + +behavior('action has right settings for cross-account deployment', (suite) => { + suite.legacy(() => { + // WHEN + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addApplicationStage(new OneStackApp(app, 'CrossAccount', { env: { account: 'you' } })); + + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + crossAccountKeys: true, + }); + pipeline.addStage(new OneStackApp(app, 'CrossAccount', { env: { account: 'you' } })); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { + // THEN: Pipelien structure is correct + expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: arrayWith({ + Name: 'CrossAccount', + Actions: [ + objectLike({ + Name: stringLike('*Prepare'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::you:role/cdk-hnb659fds-deploy-role-you-', + { Ref: 'AWS::Region' }, + ]], + }, + Configuration: objectLike({ + StackName: 'CrossAccount-Stack', + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::you:role/cdk-hnb659fds-cfn-exec-role-you-', + { Ref: 'AWS::Region' }, + ]], + }, + }), + }), + objectLike({ + Name: stringLike('*Deploy'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::you:role/cdk-hnb659fds-deploy-role-you-', + { Ref: 'AWS::Region' }, + ]], + }, + Configuration: objectLike({ + StackName: 'CrossAccount-Stack', + }), + }), + ], + }), + }); + + // THEN: Artifact bucket can be read by deploy role + expect(pipelineStack).toHaveResourceLike('AWS::S3::BucketPolicy', { + PolicyDocument: { + Statement: arrayWith(objectLike({ + Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], + Principal: { + AWS: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + stringLike('*-deploy-role-*'), + { Ref: 'AWS::Region' }, + ]], + }, + }, + })), + }, + }); + } +}); + +behavior('action has right settings for cross-region deployment', (suite) => { + suite.legacy(() => { + // WHEN + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addApplicationStage(new OneStackApp(app, 'CrossRegion', { env: { region: 'elsewhere' } })); + + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + crossAccountKeys: true, + }); + pipeline.addStage(new OneStackApp(app, 'CrossRegion', { env: { region: 'elsewhere' } })); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { + // THEN + expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: arrayWith({ + Name: 'CrossRegion', + Actions: [ + objectLike({ + Name: stringLike('*Prepare'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::', + { Ref: 'AWS::AccountId' }, + ':role/cdk-hnb659fds-deploy-role-', + { Ref: 'AWS::AccountId' }, + '-elsewhere', + ]], + }, + Region: 'elsewhere', + Configuration: objectLike({ + StackName: 'CrossRegion-Stack', + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::', + { Ref: 'AWS::AccountId' }, + ':role/cdk-hnb659fds-cfn-exec-role-', + { Ref: 'AWS::AccountId' }, + '-elsewhere', + ]], + }, + }), + }), + objectLike({ + Name: stringLike('*Deploy'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::', + { Ref: 'AWS::AccountId' }, + ':role/cdk-hnb659fds-deploy-role-', + { Ref: 'AWS::AccountId' }, + '-elsewhere', + ]], + }, + Region: 'elsewhere', + Configuration: objectLike({ + StackName: 'CrossRegion-Stack', + }), + }), + ], + }), + }); + } +}); + +behavior('action has right settings for cross-account/cross-region deployment', (suite) => { + suite.legacy(() => { + // WHEN + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addApplicationStage(new OneStackApp(app, 'CrossBoth', { + env: { + account: 'you', + region: 'elsewhere', + }, + })); + + THEN_codePipelineExpectations(); + }); + + suite.modern(() => { + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + crossAccountKeys: true, + }); + pipeline.addStage(new OneStackApp(app, 'CrossBoth', { + env: { + account: 'you', + region: 'elsewhere', + }, + })); + + THEN_codePipelineExpectations(); + }); + + function THEN_codePipelineExpectations() { + // THEN: pipeline structure must be correct + expect(app.stackArtifact(pipelineStack)).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: arrayWith({ + Name: 'CrossBoth', + Actions: [ + objectLike({ + Name: stringLike('*Prepare'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::you:role/cdk-hnb659fds-deploy-role-you-elsewhere', + ]], + }, + Region: 'elsewhere', + Configuration: objectLike({ + StackName: 'CrossBoth-Stack', + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::you:role/cdk-hnb659fds-cfn-exec-role-you-elsewhere', + ]], + }, + }), + }), + objectLike({ + Name: stringLike('*Deploy'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::you:role/cdk-hnb659fds-deploy-role-you-elsewhere', + ]], + }, + Region: 'elsewhere', + Configuration: objectLike({ + StackName: 'CrossBoth-Stack', + }), + }), + ], + }), + }); + + // THEN: artifact bucket can be read by deploy role + const supportStack = 'PipelineStack-support-elsewhere'; + expect(app.stackArtifact(supportStack)).toHaveResourceLike('AWS::S3::BucketPolicy', { + PolicyDocument: { + Statement: arrayWith(objectLike({ + Action: arrayWith('s3:GetObject*', 's3:GetBucket*', 's3:List*'), + Principal: { + AWS: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + stringLike('*-deploy-role-*'), + ]], + }, + }, + })), + }, + }); + + // And the key to go along with it + expect(app.stackArtifact(supportStack)).toHaveResourceLike('AWS::KMS::Key', { + KeyPolicy: { + Statement: arrayWith(objectLike({ + Action: arrayWith('kms:Decrypt', 'kms:DescribeKey'), + Principal: { + AWS: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + stringLike('*-deploy-role-*'), + ]], + }, + }, + })), + }, + }); + } +}); + + +function agnosticRole(roleName: string) { + return { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::', + { Ref: 'AWS::AccountId' }, + `:role/cdk-hnb659fds-${roleName}-`, + { Ref: 'AWS::AccountId' }, + '-', + { Ref: 'AWS::Region' }, + ]], + }; +} + +function pipelineEnvRole(roleName: string) { + return { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + `:iam::${PIPELINE_ENV.account}:role/cdk-hnb659fds-${roleName}-${PIPELINE_ENV.account}-${PIPELINE_ENV.region}`, + ]], + }; +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/test/compliance/escape-hatching.test.ts b/packages/@aws-cdk/pipelines/test/compliance/escape-hatching.test.ts new file mode 100644 index 0000000000000..82754f52d5cba --- /dev/null +++ b/packages/@aws-cdk/pipelines/test/compliance/escape-hatching.test.ts @@ -0,0 +1,274 @@ +import { arrayWith, objectLike } from '@aws-cdk/assert-internal'; +import '@aws-cdk/assert-internal/jest'; +import * as cp from '@aws-cdk/aws-codepipeline'; +import * as cpa from '@aws-cdk/aws-codepipeline-actions'; +import { SecretValue, Stack } from '@aws-cdk/core'; +import * as cdkp from '../../lib'; +import { CodePipelineFileSet } from '../../lib'; +import { behavior, FileAssetApp, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, PIPELINE_ENV, TestApp, TestGitHubAction } from '../testhelpers'; + +let app: TestApp; +let pipelineStack: Stack; +let sourceArtifact: cp.Artifact; +let cloudAssemblyArtifact: cp.Artifact; +let codePipeline: cp.Pipeline; + +beforeEach(() => { + app = new TestApp(); + pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); + sourceArtifact = new cp.Artifact(); + cloudAssemblyArtifact = new cp.Artifact(); +}); + +afterEach(() => { + app.cleanup(); +}); + +describe('with empty existing CodePipeline', () => { + beforeEach(() => { + codePipeline = new cp.Pipeline(pipelineStack, 'CodePipeline'); + }); + + behavior('both actions are required', (suite) => { + suite.legacy(() => { + // WHEN + expect(() => { + new cdkp.CdkPipeline(pipelineStack, 'Cdk', { cloudAssemblyArtifact, codePipeline }); + }).toThrow(/You must pass a 'sourceAction'/); + }); + + // 'synth' is not optional so this doesn't apply + suite.doesNotApply.modern(); + }); + + behavior('can give both actions', (suite) => { + suite.legacy(() => { + // WHEN + new cdkp.CdkPipeline(pipelineStack, 'Cdk', { + cloudAssemblyArtifact, + codePipeline, + sourceAction: new TestGitHubAction(sourceArtifact), + synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ sourceArtifact, cloudAssemblyArtifact }), + }); + + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + // WHEN + new cdkp.CodePipeline(pipelineStack, 'Cdk', { + codePipeline, + synth: new cdkp.ShellStep('Synth', { + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + commands: ['true'], + }), + }); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { + // THEN + expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: [ + objectLike({ Name: 'Source' }), + objectLike({ Name: 'Build' }), + objectLike({ Name: 'UpdatePipeline' }), + ], + }); + } + }); +}); + +describe('with custom Source stage in existing Pipeline', () => { + beforeEach(() => { + codePipeline = new cp.Pipeline(pipelineStack, 'CodePipeline', { + stages: [ + { + stageName: 'CustomSource', + actions: [new TestGitHubAction(sourceArtifact)], + }, + ], + }); + }); + + behavior('Work with synthAction', (suite) => { + suite.legacy(() => { + // WHEN + new cdkp.CdkPipeline(pipelineStack, 'Cdk', { + codePipeline, + cloudAssemblyArtifact, + synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ sourceArtifact, cloudAssemblyArtifact }), + }); + + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + new cdkp.CodePipeline(pipelineStack, 'Cdk', { + codePipeline, + synth: new cdkp.ShellStep('Synth', { + input: cdkp.CodePipelineFileSet.fromArtifact(sourceArtifact), + commands: ['true'], + }), + }); + }); + + function THEN_codePipelineExpectation() { + // THEN + expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: [ + objectLike({ Name: 'CustomSource' }), + objectLike({ Name: 'Build' }), + objectLike({ Name: 'UpdatePipeline' }), + ], + }); + } + }); +}); + +describe('with Source and Build stages in existing Pipeline', () => { + beforeEach(() => { + codePipeline = new cp.Pipeline(pipelineStack, 'CodePipeline', { + stages: [ + { + stageName: 'CustomSource', + actions: [new TestGitHubAction(sourceArtifact)], + }, + { + stageName: 'CustomBuild', + actions: [cdkp.SimpleSynthAction.standardNpmSynth({ sourceArtifact, cloudAssemblyArtifact })], + }, + ], + }); + }); + + behavior('can supply no actions', (suite) => { + suite.legacy(() => { + // WHEN + new cdkp.CdkPipeline(pipelineStack, 'Cdk', { + codePipeline, + cloudAssemblyArtifact, + }); + + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + new cdkp.CodePipeline(pipelineStack, 'Cdk', { + codePipeline, + synth: cdkp.CodePipelineFileSet.fromArtifact(cloudAssemblyArtifact), + }); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { + // THEN + expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: [ + objectLike({ Name: 'CustomSource' }), + objectLike({ Name: 'CustomBuild' }), + objectLike({ Name: 'UpdatePipeline' }), + ], + }); + } + }); +}); + +behavior('can add another action to an existing stage', (suite) => { + suite.legacy(() => { + // WHEN + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.stage('Source').addAction(new cpa.GitHubSourceAction({ + actionName: 'GitHub2', + oauthToken: SecretValue.plainText('oops'), + output: new cp.Artifact(), + owner: 'OWNER', + repo: 'REPO', + })); + + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.buildPipeline(); + + pipeline.pipeline.stages[0].addAction(new cpa.GitHubSourceAction({ + actionName: 'GitHub2', + oauthToken: SecretValue.plainText('oops'), + output: new cp.Artifact(), + owner: 'OWNER', + repo: 'REPO', + })); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { + expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: arrayWith({ + Name: 'Source', + Actions: [ + objectLike({ ActionTypeId: objectLike({ Provider: 'GitHub' }) }), + objectLike({ ActionTypeId: objectLike({ Provider: 'GitHub' }), Name: 'GitHub2' }), + ], + }), + }); + } +}); + + +behavior('assets stage inserted after existing pipeline actions', (suite) => { + let existingCodePipeline: cp.Pipeline; + beforeEach(() => { + existingCodePipeline = new cp.Pipeline(pipelineStack, 'CodePipeline', { + stages: [ + { + stageName: 'CustomSource', + actions: [new TestGitHubAction(sourceArtifact)], + }, + { + stageName: 'CustomBuild', + actions: [cdkp.SimpleSynthAction.standardNpmSynth({ sourceArtifact, cloudAssemblyArtifact })], + }, + ], + }); + }); + + suite.legacy(() => { + const pipeline = new cdkp.CdkPipeline(pipelineStack, 'CdkEmptyPipeline', { + cloudAssemblyArtifact: cloudAssemblyArtifact, + selfMutating: false, + codePipeline: existingCodePipeline, + // No source/build actions + }); + pipeline.addApplicationStage(new FileAssetApp(app, 'App')); + + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + const pipeline = new cdkp.CodePipeline(pipelineStack, 'CdkEmptyPipeline', { + codePipeline: existingCodePipeline, + selfMutation: false, + synth: CodePipelineFileSet.fromArtifact(cloudAssemblyArtifact), + // No source/build actions + }); + pipeline.addStage(new FileAssetApp(app, 'App')); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { + expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: [ + objectLike({ Name: 'CustomSource' }), + objectLike({ Name: 'CustomBuild' }), + objectLike({ Name: 'Assets' }), + objectLike({ Name: 'App' }), + ], + }); + } +}); \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/test/compliance/self-mutation.test.ts b/packages/@aws-cdk/pipelines/test/compliance/self-mutation.test.ts new file mode 100644 index 0000000000000..8aa1ed8293c30 --- /dev/null +++ b/packages/@aws-cdk/pipelines/test/compliance/self-mutation.test.ts @@ -0,0 +1,241 @@ +/* eslint-disable import/no-extraneous-dependencies */ +import { anything, arrayWith, deepObjectLike, encodedJson, notMatching, objectLike } from '@aws-cdk/assert-internal'; +import '@aws-cdk/assert-internal/jest'; +import * as cp from '@aws-cdk/aws-codepipeline'; +import { Stack, Stage } from '@aws-cdk/core'; +import { behavior, LegacyTestGitHubNpmPipeline, PIPELINE_ENV, stackTemplate, TestApp, ModernTestGitHubNpmPipeline } from '../testhelpers'; + +let app: TestApp; +let pipelineStack: Stack; + +beforeEach(() => { + app = new TestApp(); + pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); +}); + +afterEach(() => { + app.cleanup(); +}); + +behavior('CodePipeline has self-mutation stage', (suite) => { + suite.legacy(() => { + new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { + // THEN + expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: arrayWith({ + Name: 'UpdatePipeline', + Actions: [ + objectLike({ + Name: 'SelfMutate', + Configuration: objectLike({ + ProjectName: { Ref: anything() }, + }), + }), + ], + }), + }); + + expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { + Environment: { + Image: 'aws/codebuild/standard:5.0', + }, + Source: { + BuildSpec: encodedJson(deepObjectLike({ + phases: { + install: { + commands: ['npm install -g aws-cdk'], + }, + build: { + commands: arrayWith('cdk -a . deploy PipelineStack --require-approval=never --verbose'), + }, + }, + })), + Type: 'CODEPIPELINE', + }, + }); + } +}); + +behavior('selfmutation stage correctly identifies nested assembly of pipeline stack', (suite) => { + suite.legacy(() => { + const pipelineStage = new Stage(app, 'PipelineStage'); + const nestedPipelineStack = new Stack(pipelineStage, 'PipelineStack', { env: PIPELINE_ENV }); + new LegacyTestGitHubNpmPipeline(nestedPipelineStack, 'Cdk'); + + THEN_codePipelineExpectation(nestedPipelineStack); + }); + + suite.modern(() => { + const pipelineStage = new Stage(app, 'PipelineStage'); + const nestedPipelineStack = new Stack(pipelineStage, 'PipelineStack', { env: PIPELINE_ENV }); + new ModernTestGitHubNpmPipeline(nestedPipelineStack, 'Cdk'); + + THEN_codePipelineExpectation(nestedPipelineStack); + }); + + function THEN_codePipelineExpectation(nestedPipelineStack: Stack) { + expect(stackTemplate(nestedPipelineStack)).toHaveResourceLike('AWS::CodeBuild::Project', { + Environment: { + Image: 'aws/codebuild/standard:5.0', + }, + Source: { + BuildSpec: encodedJson(deepObjectLike({ + phases: { + build: { + commands: arrayWith('cdk -a assembly-PipelineStage deploy PipelineStage/PipelineStack --require-approval=never --verbose'), + }, + }, + })), + }, + }); + } +}); + +behavior('selfmutation feature can be turned off', (suite) => { + suite.legacy(() => { + const cloudAssemblyArtifact = new cp.Artifact(); + // WHEN + new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + cloudAssemblyArtifact, + selfMutating: false, + }); + + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + // WHEN + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + selfMutation: false, + }); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { + expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: notMatching(arrayWith({ + Name: 'UpdatePipeline', + Actions: anything(), + })), + }); + } +}); + +behavior('can control fix/CLI version used in pipeline selfupdate', (suite) => { + suite.legacy(() => { + // WHEN + new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + pipelineName: 'vpipe', + cdkCliVersion: '1.2.3', + }); + + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + pipelineName: 'vpipe', + cliVersion: '1.2.3', + }); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { + // THEN + expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { + Name: 'vpipe-selfupdate', + Source: { + BuildSpec: encodedJson(deepObjectLike({ + phases: { + install: { + commands: ['npm install -g aws-cdk@1.2.3'], + }, + }, + })), + }, + }); + } +}); + +behavior('Pipeline stack itself can use assets (has implications for selfupdate)', (suite) => { + suite.legacy(() => { + // WHEN + new LegacyTestGitHubNpmPipeline(pipelineStack, 'PrivilegedPipeline', { + supportDockerAssets: true, + }); + + // THEN + expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { + Environment: { + PrivilegedMode: true, + }, + }); + }); + + suite.modern(() => { + // WHEN + new ModernTestGitHubNpmPipeline(pipelineStack, 'PrivilegedPipeline', { + dockerEnabledForSelfMutation: true, + }); + + // THEN + expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { + Environment: { + PrivilegedMode: true, + }, + }); + }); +}); + +behavior('self-update project role uses tagged bootstrap-role permissions', (suite) => { + suite.legacy(() => { + new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + + THEN_codePipelineExpectations(); + }); + + suite.modern(() => { + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + THEN_codePipelineExpectations(); + }); + + function THEN_codePipelineExpectations() { + expect(pipelineStack).toHaveResourceLike('AWS::IAM::Policy', { + PolicyDocument: { + Statement: arrayWith( + { + Action: 'sts:AssumeRole', + Effect: 'Allow', + Resource: 'arn:*:iam::123pipeline:role/*', + Condition: { + 'ForAnyValue:StringEquals': { + 'iam:ResourceTag/aws-cdk:bootstrap-role': ['image-publishing', 'file-publishing', 'deploy'], + }, + }, + }, + { + Action: 'cloudformation:DescribeStacks', + Effect: 'Allow', + Resource: '*', + }, + { + Action: 's3:ListBucket', + Effect: 'Allow', + Resource: '*', + }, + ), + }, + }); + } +}); \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/test/stack-ordering.test.ts b/packages/@aws-cdk/pipelines/test/compliance/stack-ordering.test.ts similarity index 67% rename from packages/@aws-cdk/pipelines/test/stack-ordering.test.ts rename to packages/@aws-cdk/pipelines/test/compliance/stack-ordering.test.ts index 50d1b892cc5cb..cb21139b16364 100644 --- a/packages/@aws-cdk/pipelines/test/stack-ordering.test.ts +++ b/packages/@aws-cdk/pipelines/test/compliance/stack-ordering.test.ts @@ -1,27 +1,32 @@ import { arrayWith, objectLike } from '@aws-cdk/assert-internal'; import '@aws-cdk/assert-internal/jest'; -import { App, Stack, Stage, StageProps } from '@aws-cdk/core'; -import { Construct } from 'constructs'; -import * as cdkp from '../lib'; -import { behavior } from './helpers/compliance'; -import { sortedByRunOrder } from './testmatchers'; -import { BucketStack, PIPELINE_ENV, TestApp, TestGitHubNpmPipeline } from './testutil'; +import { App, Stack } from '@aws-cdk/core'; +import { behavior, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, OneStackApp, PIPELINE_ENV, sortedByRunOrder, TestApp, ThreeStackApp, TwoStackApp } from '../testhelpers'; let app: App; let pipelineStack: Stack; -let pipeline: cdkp.CdkPipeline; beforeEach(() => { app = new TestApp(); pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); - pipeline = new TestGitHubNpmPipeline(pipelineStack, 'Cdk'); }); behavior('interdependent stacks are in the right order', (suite) => { suite.legacy(() => { - // WHEN + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); pipeline.addApplicationStage(new TwoStackApp(app, 'MyApp')); + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new TwoStackApp(app, 'MyApp')); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { // THEN expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { Stages: arrayWith({ @@ -34,15 +39,26 @@ behavior('interdependent stacks are in the right order', (suite) => { ]), }), }); - }); + } }); behavior('multiple independent stacks go in parallel', (suite) => { suite.legacy(() => { // WHEN + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); pipeline.addApplicationStage(new ThreeStackApp(app, 'MyApp')); - // THEN + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new ThreeStackApp(app, 'MyApp')); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { Stages: arrayWith({ Name: 'MyApp', @@ -58,12 +74,13 @@ behavior('multiple independent stacks go in parallel', (suite) => { ]), }), }); - }); + } }); -behavior('manual approval is inserted in correct location', (suite) => { +behavior('user can request manual change set approvals', (suite) => { suite.legacy(() => { // WHEN + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); pipeline.addApplicationStage(new TwoStackApp(app, 'MyApp'), { manualApprovals: true, }); @@ -83,11 +100,15 @@ behavior('manual approval is inserted in correct location', (suite) => { }), }); }); + + // No change set approvals in Modern API for now. + suite.doesNotApply.modern(); }); -behavior('extra space for sequential intermediary actions is reserved', (suite) => { +behavior('user can request extra runorder space between prepare and deploy', (suite) => { suite.legacy(() => { // WHEN + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); pipeline.addApplicationStage(new TwoStackApp(app, 'MyApp'), { extraRunOrderSpace: 1, }); @@ -117,11 +138,15 @@ behavior('extra space for sequential intermediary actions is reserved', (suite) }), }); }); + + // No change set approvals in Modern API for now. + suite.doesNotApply.modern(); }); -behavior('combination of manual approval and extraRunOrderSpace', (suite) => { +behavior('user can request both manual change set approval and extraRunOrderSpace', (suite) => { suite.legacy(() => { // WHEN + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); pipeline.addApplicationStage(new OneStackApp(app, 'MyApp'), { extraRunOrderSpace: 1, manualApprovals: true, @@ -133,7 +158,7 @@ behavior('combination of manual approval and extraRunOrderSpace', (suite) => { Name: 'MyApp', Actions: sortedByRunOrder([ objectLike({ - Name: 'Stack1.Prepare', + Name: 'Stack.Prepare', RunOrder: 1, }), objectLike({ @@ -141,46 +166,14 @@ behavior('combination of manual approval and extraRunOrderSpace', (suite) => { RunOrder: 2, }), objectLike({ - Name: 'Stack1.Deploy', + Name: 'Stack.Deploy', RunOrder: 4, }), ]), }), }); }); -}); - -class OneStackApp extends Stage { - constructor(scope: Construct, id: string, props?: StageProps) { - super(scope, id, props); - - new BucketStack(this, 'Stack1'); - } -} -class TwoStackApp extends Stage { - constructor(scope: Construct, id: string, props?: StageProps) { - super(scope, id, props); - - const stack2 = new BucketStack(this, 'Stack2'); - const stack1 = new BucketStack(this, 'Stack1'); - - stack2.addDependency(stack1); - } -} - -/** - * Three stacks where the last one depends on the earlier 2 - */ -class ThreeStackApp extends Stage { - constructor(scope: Construct, id: string, props?: StageProps) { - super(scope, id, props); - - const stack1 = new BucketStack(this, 'Stack1'); - const stack2 = new BucketStack(this, 'Stack2'); - const stack3 = new BucketStack(this, 'Stack3'); - - stack3.addDependency(stack1); - stack3.addDependency(stack2); - } -} + // No change set approvals in Modern API for now. + suite.doesNotApply.modern(); +}); diff --git a/packages/@aws-cdk/pipelines/test/compliance/synths.test.ts b/packages/@aws-cdk/pipelines/test/compliance/synths.test.ts new file mode 100644 index 0000000000000..92d1c9164fcba --- /dev/null +++ b/packages/@aws-cdk/pipelines/test/compliance/synths.test.ts @@ -0,0 +1,981 @@ +import { arrayWith, deepObjectLike, encodedJson, objectLike, Capture, anything } from '@aws-cdk/assert-internal'; +import '@aws-cdk/assert-internal/jest'; +import * as cbuild from '@aws-cdk/aws-codebuild'; +import * as codepipeline from '@aws-cdk/aws-codepipeline'; +import * as ec2 from '@aws-cdk/aws-ec2'; +import * as ecr from '@aws-cdk/aws-ecr'; +import * as iam from '@aws-cdk/aws-iam'; +import * as s3 from '@aws-cdk/aws-s3'; +import { Stack } from '@aws-cdk/core'; +import * as cdkp from '../../lib'; +import { CodeBuildStep } from '../../lib'; +import { behavior, PIPELINE_ENV, TestApp, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, ModernTestGitHubNpmPipelineProps } from '../testhelpers'; + +let app: TestApp; +let pipelineStack: Stack; +let sourceArtifact: codepipeline.Artifact; +let cloudAssemblyArtifact: codepipeline.Artifact; + +// Must be unique across all test files, but preferably also consistent +const OUTDIR = 'testcdk0.out'; + +// What phase install commands get rendered to +const LEGACY_INSTALLS = 'pre_build'; +const MODERN_INSTALLS = 'install'; + +beforeEach(() => { + app = new TestApp({ outdir: OUTDIR }); + pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); + sourceArtifact = new codepipeline.Artifact(); + cloudAssemblyArtifact = new codepipeline.Artifact('CloudAsm'); +}); + +afterEach(() => { + app.cleanup(); +}); + +behavior('synth takes arrays of commands', (suite) => { + suite.legacy(() => { + // WHEN + new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + sourceArtifact, + cloudAssemblyArtifact, + synthAction: new cdkp.SimpleSynthAction({ + sourceArtifact, + cloudAssemblyArtifact, + installCommands: ['install1', 'install2'], + buildCommands: ['build1', 'build2'], + testCommands: ['test1', 'test2'], + synthCommand: 'cdk synth', + }), + }); + + THEN_codePipelineExpectation(LEGACY_INSTALLS); + }); + + suite.modern(() => { + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + installCommands: ['install1', 'install2'], + commands: ['build1', 'build2', 'test1', 'test2', 'cdk synth'], + }); + + THEN_codePipelineExpectation(MODERN_INSTALLS); + }); + + function THEN_codePipelineExpectation(installPhase: string) { + // THEN + expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { + Environment: { + Image: 'aws/codebuild/standard:5.0', + }, + Source: { + BuildSpec: encodedJson(deepObjectLike({ + phases: { + [installPhase]: { + commands: [ + 'install1', + 'install2', + ], + }, + build: { + commands: [ + 'build1', + 'build2', + 'test1', + 'test2', + 'cdk synth', + ], + }, + }, + })), + }, + }); + } +}); + +behavior('synth sets artifact base-directory to cdk.out', (suite) => { + suite.legacy(() => { + // WHEN + new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + sourceArtifact, + cloudAssemblyArtifact, + synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ sourceArtifact, cloudAssemblyArtifact }), + }); + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { + // THEN + expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { + Environment: { + Image: 'aws/codebuild/standard:5.0', + }, + Source: { + BuildSpec: encodedJson(deepObjectLike({ + artifacts: { + 'base-directory': 'cdk.out', + }, + })), + }, + }); + } +}); + +behavior('synth supports setting subdirectory', (suite) => { + suite.legacy(() => { + // WHEN + new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + sourceArtifact, + cloudAssemblyArtifact, + synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ + sourceArtifact, + cloudAssemblyArtifact, + subdirectory: 'subdir', + }), + }); + + THEN_codePipelineExpectation(LEGACY_INSTALLS); + }); + + suite.modern(() => { + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + installCommands: ['cd subdir'], + commands: ['true'], + primaryOutputDirectory: 'subdir/cdk.out', + }); + THEN_codePipelineExpectation(MODERN_INSTALLS); + }); + + function THEN_codePipelineExpectation(installPhase: string) { + // THEN + expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { + Environment: { + Image: 'aws/codebuild/standard:5.0', + }, + Source: { + BuildSpec: encodedJson(deepObjectLike({ + phases: { + [installPhase]: { + commands: arrayWith('cd subdir'), + }, + }, + artifacts: { + 'base-directory': 'subdir/cdk.out', + }, + })), + }, + }); + } +}); + +behavior('npm synth sets, or allows setting, UNSAFE_PERM=true', (suite) => { + suite.legacy(() => { + // WHEN + new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + sourceArtifact, + cloudAssemblyArtifact, + synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ + sourceArtifact, + cloudAssemblyArtifact, + }), + }); + + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + env: { + NPM_CONFIG_UNSAFE_PERM: 'true', + }, + }); + }); + + function THEN_codePipelineExpectation() { + // THEN + expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { + Environment: { + EnvironmentVariables: [ + { + Name: 'NPM_CONFIG_UNSAFE_PERM', + Type: 'PLAINTEXT', + Value: 'true', + }, + ], + }, + }); + } +}); + +behavior('synth assumes a JavaScript project by default (no build, yes synth)', (suite) => { + suite.legacy(() => { + // WHEN + new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + sourceArtifact, + cloudAssemblyArtifact, + synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ sourceArtifact, cloudAssemblyArtifact }), + }); + + // THEN + expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { + Environment: { + Image: 'aws/codebuild/standard:5.0', + }, + Source: { + BuildSpec: encodedJson(deepObjectLike({ + phases: { + pre_build: { + commands: ['npm ci'], + }, + build: { + commands: ['npx cdk synth'], + }, + }, + })), + }, + }); + }); + + // Modern pipeline does not assume anything anymore + suite.doesNotApply.modern(); +}); + +behavior('Magic CodePipeline variables passed to synth envvars must be rendered in the action', (suite) => { + suite.legacy(() => { + // WHEN + new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + sourceArtifact, + cloudAssemblyArtifact, + synthAction: new cdkp.SimpleSynthAction({ + sourceArtifact, + cloudAssemblyArtifact, + environmentVariables: { + VERSION: { value: codepipeline.GlobalVariables.executionId }, + }, + synthCommand: 'synth', + }), + }); + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + env: { + VERSION: codepipeline.GlobalVariables.executionId, + }, + }); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { + // THEN + expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: arrayWith({ + Name: 'Build', + Actions: [ + objectLike({ + Name: 'Synth', + Configuration: objectLike({ + EnvironmentVariables: encodedJson(arrayWith( + { + name: 'VERSION', + type: 'PLAINTEXT', + value: '#{codepipeline.PipelineExecutionId}', + }, + )), + }), + }), + ], + }), + }); + } +}); + +behavior('CodeBuild: environment variables specified in multiple places are correctly merged', (suite) => { + // We don't support merging environment variables in this way in the legacy API + suite.doesNotApply.legacy(); + + suite.modern(() => { + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth: new CodeBuildStep('Synth', { + env: { + SOME_ENV_VAR: 'SomeValue', + }, + installCommands: [ + 'install1', + 'install2', + ], + commands: ['synth'], + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + primaryOutputDirectory: 'cdk.out', + buildEnvironment: { + environmentVariables: { + INNER_VAR: { value: 'InnerValue' }, + }, + privileged: true, + }, + }), + }); + THEN_codePipelineExpectation(MODERN_INSTALLS); + }); + + suite.additional('modern2, using the specific CodeBuild action', () => { + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth: new cdkp.CodeBuildStep('Synth', { + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + primaryOutputDirectory: '.', + env: { + SOME_ENV_VAR: 'SomeValue', + }, + installCommands: [ + 'install1', + 'install2', + ], + commands: ['synth'], + buildEnvironment: { + environmentVariables: { + INNER_VAR: { value: 'InnerValue' }, + }, + privileged: true, + }, + }), + }); + THEN_codePipelineExpectation(MODERN_INSTALLS); + }); + + function THEN_codePipelineExpectation(installPhase: string) { + // THEN + expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { + Environment: objectLike({ + PrivilegedMode: true, + EnvironmentVariables: arrayWith( + { + Name: 'SOME_ENV_VAR', + Type: 'PLAINTEXT', + Value: 'SomeValue', + }, + { + Name: 'INNER_VAR', + Type: 'PLAINTEXT', + Value: 'InnerValue', + }, + ), + }), + Source: { + BuildSpec: encodedJson(deepObjectLike({ + phases: { + [installPhase]: { + commands: ['install1', 'install2'], + }, + build: { + commands: ['synth'], + }, + }, + })), + }, + }); + } +}); + +behavior('install command can be overridden/specified', (suite) => { + suite.legacy(() => { + // WHEN + new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + sourceArtifact, + cloudAssemblyArtifact, + synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ + sourceArtifact, + cloudAssemblyArtifact, + installCommand: '/bin/true', + }), + }); + + THEN_codePipelineExpectation(LEGACY_INSTALLS); + }); + + suite.modern(() => { + // WHEN + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + installCommands: ['/bin/true'], + }); + + THEN_codePipelineExpectation(MODERN_INSTALLS); + }); + + function THEN_codePipelineExpectation(installPhase: string) { + // THEN + expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { + Environment: { + Image: 'aws/codebuild/standard:5.0', + }, + Source: { + BuildSpec: encodedJson(deepObjectLike({ + phases: { + [installPhase]: { + commands: ['/bin/true'], + }, + }, + })), + }, + }); + } +}); + +behavior('synth can have its test commands set', (suite) => { + suite.legacy(() => { + // WHEN + new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + sourceArtifact, + cloudAssemblyArtifact, + synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ + sourceArtifact, + cloudAssemblyArtifact, + installCommand: '/bin/true', + testCommands: ['echo "Running tests"'], + }), + }); + + // THEN + expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { + Environment: { + Image: 'aws/codebuild/standard:5.0', + }, + Source: { + BuildSpec: encodedJson(objectLike({ + phases: { + pre_build: { + commands: ['/bin/true'], + }, + build: { + commands: ['echo "Running tests"', 'npx cdk synth'], + }, + }, + })), + }, + }); + }); + + // There are no implicit commands in modern synth + suite.doesNotApply.modern(); +}); + +behavior('Synth can output additional artifacts', (suite) => { + suite.legacy(() => { + // WHEN + const addlArtifact = new codepipeline.Artifact('IntegTest'); + new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + sourceArtifact, + cloudAssemblyArtifact, + synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ + sourceArtifact, + cloudAssemblyArtifact, + additionalArtifacts: [ + { + artifact: addlArtifact, + directory: 'test', + }, + ], + }), + }); + + THEN_codePipelineExpectation('CloudAsm', 'IntegTest'); + }); + + suite.modern(() => { + // WHEN + const synth = new cdkp.ShellStep('Synth', { + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + commands: ['cdk synth'], + }); + synth.addOutputDirectory('test'); + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth: synth, + }); + + THEN_codePipelineExpectation('Synth_Output', 'Synth_test'); + }); + + function THEN_codePipelineExpectation(asmArtifact: string, testArtifact: string) { + // THEN + expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { + Environment: { + Image: 'aws/codebuild/standard:5.0', + }, + Source: { + BuildSpec: encodedJson(deepObjectLike({ + artifacts: { + 'secondary-artifacts': { + [asmArtifact]: { + 'base-directory': 'cdk.out', + 'files': '**/*', + }, + [testArtifact]: { + 'base-directory': 'test', + 'files': '**/*', + }, + }, + }, + })), + }, + }); + } +}); + +behavior('Synth can be made to run in a VPC', (suite) => { + let vpc: ec2.Vpc; + beforeEach(() => { + vpc = new ec2.Vpc(pipelineStack, 'NpmSynthTestVpc'); + }); + + suite.legacy(() => { + // WHEN + new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + sourceArtifact, + cloudAssemblyArtifact, + synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ + vpc, + sourceArtifact, + cloudAssemblyArtifact, + }), + }); + + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + codeBuildDefaults: { vpc }, + }); + }); + + suite.additional('Modern, using CodeBuildStep', () => { + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth: new CodeBuildStep('Synth', { + commands: ['asdf'], + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + primaryOutputDirectory: 'cdk.out', + buildEnvironment: { + computeType: cbuild.ComputeType.LARGE, + }, + }), + codeBuildDefaults: { vpc }, + }); + }); + + function THEN_codePipelineExpectation() { + // THEN + expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { + VpcConfig: { + SecurityGroupIds: [ + { 'Fn::GetAtt': ['CdkPipelineBuildSynthCdkBuildProjectSecurityGroupEA44D7C2', 'GroupId'] }, + ], + Subnets: [ + { Ref: 'NpmSynthTestVpcPrivateSubnet1Subnet81E3AA56' }, + { Ref: 'NpmSynthTestVpcPrivateSubnet2SubnetC1CA3EF0' }, + { Ref: 'NpmSynthTestVpcPrivateSubnet3SubnetA04163EE' }, + ], + VpcId: { Ref: 'NpmSynthTestVpc5E703F25' }, + }, + }); + + expect(pipelineStack).toHaveResourceLike('AWS::IAM::Policy', { + Roles: [ + { Ref: 'CdkPipelineBuildSynthCdkBuildProjectRole5E173C62' }, + ], + PolicyDocument: { + Statement: arrayWith({ + Action: arrayWith('ec2:DescribeSecurityGroups'), + Effect: 'Allow', + Resource: '*', + }), + }, + }); + } +}); + +behavior('Pipeline action contains a hash that changes as the buildspec changes', (suite) => { + suite.legacy(() => { + const hash1 = legacySynthWithAction((sa, cxa) => cdkp.SimpleSynthAction.standardNpmSynth({ + sourceArtifact: sa, + cloudAssemblyArtifact: cxa, + })); + + // To make sure the hash is not just random :) + const hash1prime = legacySynthWithAction((sa, cxa) => cdkp.SimpleSynthAction.standardNpmSynth({ + sourceArtifact: sa, + cloudAssemblyArtifact: cxa, + })); + + const hash2 = legacySynthWithAction((sa, cxa) => cdkp.SimpleSynthAction.standardNpmSynth({ + sourceArtifact: sa, + cloudAssemblyArtifact: cxa, + installCommand: 'do install', + })); + const hash3 = legacySynthWithAction((sa, cxa) => cdkp.SimpleSynthAction.standardNpmSynth({ + sourceArtifact: sa, + cloudAssemblyArtifact: cxa, + environment: { + computeType: cbuild.ComputeType.LARGE, + }, + })); + const hash4 = legacySynthWithAction((sa, cxa) => cdkp.SimpleSynthAction.standardNpmSynth({ + sourceArtifact: sa, + cloudAssemblyArtifact: cxa, + environment: { + environmentVariables: { + xyz: { value: 'SOME-VALUE' }, + }, + }, + })); + + expect(hash1).toEqual(hash1prime); + + expect(hash1).not.toEqual(hash2); + expect(hash1).not.toEqual(hash3); + expect(hash1).not.toEqual(hash4); + expect(hash2).not.toEqual(hash3); + expect(hash2).not.toEqual(hash4); + expect(hash3).not.toEqual(hash4); + }); + + suite.modern(() => { + const hash1 = modernSynthWithAction(() => ({ commands: ['asdf'] })); + + // To make sure the hash is not just random :) + const hash1prime = modernSynthWithAction(() => ({ commands: ['asdf'] })); + + const hash2 = modernSynthWithAction(() => ({ + installCommands: ['do install'], + })); + const hash3 = modernSynthWithAction(() => ({ + synth: new CodeBuildStep('Synth', { + commands: ['asdf'], + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + primaryOutputDirectory: 'cdk.out', + buildEnvironment: { + computeType: cbuild.ComputeType.LARGE, + }, + }), + })); + + const hash4 = modernSynthWithAction(() => ({ + env: { + xyz: 'SOME-VALUE', + }, + })); + + expect(hash1).toEqual(hash1prime); + + expect(hash1).not.toEqual(hash2); + expect(hash1).not.toEqual(hash3); + expect(hash1).not.toEqual(hash4); + expect(hash2).not.toEqual(hash3); + expect(hash2).not.toEqual(hash4); + expect(hash3).not.toEqual(hash4); + }); + + // eslint-disable-next-line max-len + function legacySynthWithAction(cb: (sourceArtifact: codepipeline.Artifact, cloudAssemblyArtifact: codepipeline.Artifact) => codepipeline.IAction) { + const _app = new TestApp({ outdir: OUTDIR }); + const _pipelineStack = new Stack(_app, 'PipelineStack', { env: PIPELINE_ENV }); + const _sourceArtifact = new codepipeline.Artifact(); + const _cloudAssemblyArtifact = new codepipeline.Artifact('CloudAsm'); + + new LegacyTestGitHubNpmPipeline(_pipelineStack, 'Cdk', { + sourceArtifact: _sourceArtifact, + cloudAssemblyArtifact: _cloudAssemblyArtifact, + synthAction: cb(_sourceArtifact, _cloudAssemblyArtifact), + }); + + return captureProjectConfigHash(_pipelineStack); + } + + function modernSynthWithAction(cb: () => ModernTestGitHubNpmPipelineProps) { + const _app = new TestApp({ outdir: OUTDIR }); + const _pipelineStack = new Stack(_app, 'PipelineStack', { env: PIPELINE_ENV }); + + new ModernTestGitHubNpmPipeline(_pipelineStack, 'Cdk', cb()); + + return captureProjectConfigHash(_pipelineStack); + } + + function captureProjectConfigHash(_pipelineStack: Stack) { + const theHash = Capture.aString(); + expect(_pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: arrayWith({ + Name: 'Build', + Actions: [ + objectLike({ + Name: 'Synth', + Configuration: objectLike({ + EnvironmentVariables: encodedJson([ + { + name: '_PROJECT_CONFIG_HASH', + type: 'PLAINTEXT', + value: theHash.capture(), + }, + ]), + }), + }), + ], + }), + }); + + return theHash.capturedValue; + } +}); + +behavior('Synth CodeBuild project role can be granted permissions', (suite) => { + let bucket: s3.IBucket; + beforeEach(() => { + bucket = s3.Bucket.fromBucketArn(pipelineStack, 'Bucket', 'arn:aws:s3:::ThisParticularBucket'); + }); + + + suite.legacy(() => { + // GIVEN + const synthAction = cdkp.SimpleSynthAction.standardNpmSynth({ + sourceArtifact, + cloudAssemblyArtifact, + }); + new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + sourceArtifact, + cloudAssemblyArtifact, + synthAction, + }); + + // WHEN + bucket.grantRead(synthAction); + + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + // GIVEN + const pipe = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipe.buildPipeline(); + + // WHEN + bucket.grantRead(pipe.synthProject); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { + // THEN + expect(pipelineStack).toHaveResourceLike('AWS::IAM::Policy', { + PolicyDocument: { + Statement: arrayWith(deepObjectLike({ + Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], + Resource: ['arn:aws:s3:::ThisParticularBucket', 'arn:aws:s3:::ThisParticularBucket/*'], + })), + }, + }); + } +}); + +behavior('Synth can reference an imported ECR repo', (suite) => { + // Repro from https://github.com/aws/aws-cdk/issues/10535 + + suite.legacy(() => { + // WHEN + new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + sourceArtifact, + cloudAssemblyArtifact, + synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ + sourceArtifact, + cloudAssemblyArtifact, + environment: { + buildImage: cbuild.LinuxBuildImage.fromEcrRepository( + ecr.Repository.fromRepositoryName(pipelineStack, 'ECRImage', 'my-repo-name'), + ), + }, + }), + }); + + // THEN -- no exception (necessary for linter) + expect(true).toBeTruthy(); + }); + + suite.modern(() => { + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth: new cdkp.CodeBuildStep('Synth', { + commands: ['build'], + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + primaryOutputDirectory: 'cdk.out', + buildEnvironment: { + buildImage: cbuild.LinuxBuildImage.fromEcrRepository( + ecr.Repository.fromRepositoryName(pipelineStack, 'ECRImage', 'my-repo-name'), + ), + }, + }), + }); + + // THEN -- no exception (necessary for linter) + expect(true).toBeTruthy(); + }); +}); + +behavior('CodeBuild: Can specify additional policy statements', (suite) => { + suite.legacy(() => { + // WHEN + new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + sourceArtifact, + cloudAssemblyArtifact, + synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ + sourceArtifact, + cloudAssemblyArtifact, + rolePolicyStatements: [ + new iam.PolicyStatement({ + actions: ['codeartifact:*', 'sts:GetServiceBearerToken'], + resources: ['arn:my:arn'], + }), + ], + }), + }); + + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + // WHEN + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth: new cdkp.CodeBuildStep('Synth', { + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + primaryOutputDirectory: '.', + commands: ['synth'], + rolePolicyStatements: [ + new iam.PolicyStatement({ + actions: ['codeartifact:*', 'sts:GetServiceBearerToken'], + resources: ['arn:my:arn'], + }), + ], + }), + }); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { + expect(pipelineStack).toHaveResourceLike('AWS::IAM::Policy', { + PolicyDocument: { + Statement: arrayWith(deepObjectLike({ + Action: [ + 'codeartifact:*', + 'sts:GetServiceBearerToken', + ], + Resource: 'arn:my:arn', + })), + }, + }); + } +}); + +behavior('Multiple input sources in side-by-side directories', (suite) => { + // Legacy API does not support this + suite.doesNotApply.legacy(); + + suite.modern(() => { + // WHEN + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth: new cdkp.ShellStep('Synth', { + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + commands: ['false'], + additionalInputs: { + '../sibling': cdkp.CodePipelineSource.gitHub('foo/bar', 'main'), + 'sub': new cdkp.ShellStep('Prebuild', { + input: cdkp.CodePipelineSource.gitHub('pre/build', 'main'), + commands: ['true'], + primaryOutputDirectory: 'built', + }), + }, + }), + }); + + expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: arrayWith( + { + Name: 'Source', + Actions: [ + objectLike({ Configuration: objectLike({ Repo: 'bar' }) }), + objectLike({ Configuration: objectLike({ Repo: 'build' }) }), + objectLike({ Configuration: objectLike({ Repo: 'test' }) }), + ], + }, + { + Name: 'Build', + Actions: [ + objectLike({ Name: 'Prebuild', RunOrder: 1 }), + objectLike({ + Name: 'Synth', + RunOrder: 2, + InputArtifacts: [ + // 3 input artifacts + anything(), + anything(), + anything(), + ], + }), + ], + }, + ), + }); + + expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { + Source: { + BuildSpec: encodedJson(deepObjectLike({ + phases: { + install: { + commands: [ + 'ln -s "$CODEBUILD_SRC_DIR_foo_bar_Source" "../sibling"', + 'ln -s "$CODEBUILD_SRC_DIR_Prebuild_Output" "sub"', + ], + }, + build: { + commands: [ + 'false', + ], + }, + }, + })), + }, + }); + }); +}); + +behavior('Can easily switch on privileged mode for synth', (suite) => { + // Legacy API does not support this + suite.doesNotApply.legacy(); + + suite.modern(() => { + // WHEN + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + dockerEnabledForSynth: true, + commands: ['LookAtMe'], + }); + + expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { + Environment: objectLike({ + PrivilegedMode: true, + }), + Source: { + BuildSpec: encodedJson(deepObjectLike({ + phases: { + build: { + commands: [ + 'LookAtMe', + ], + }, + }, + })), + }, + }); + }); +}); \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/test/compliance/validations.test.ts b/packages/@aws-cdk/pipelines/test/compliance/validations.test.ts new file mode 100644 index 0000000000000..447e22da59124 --- /dev/null +++ b/packages/@aws-cdk/pipelines/test/compliance/validations.test.ts @@ -0,0 +1,799 @@ +/* eslint-disable import/no-extraneous-dependencies */ +import { anything, arrayWith, Capture, deepObjectLike, encodedJson, objectLike } from '@aws-cdk/assert-internal'; +import '@aws-cdk/assert-internal/jest'; +import * as codebuild from '@aws-cdk/aws-codebuild'; +import * as codepipeline from '@aws-cdk/aws-codepipeline'; +import * as ec2 from '@aws-cdk/aws-ec2'; +import * as iam from '@aws-cdk/aws-iam'; +import * as s3 from '@aws-cdk/aws-s3'; +import { Stack } from '@aws-cdk/core'; +import * as cdkp from '../../lib'; +import { CodePipelineSource, ShellStep } from '../../lib'; +import { AppWithOutput, behavior, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, OneStackApp, PIPELINE_ENV, sortedByRunOrder, StageWithStackOutput, stringNoLongerThan, TestApp, TwoStackApp } from '../testhelpers'; + +let app: TestApp; +let pipelineStack: Stack; + +beforeEach(() => { + app = new TestApp(); + pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); +}); + +afterEach(() => { + app.cleanup(); +}); + +behavior('can add manual approval after app', (suite) => { + // No need to be backwards compatible + suite.doesNotApply.legacy(); + + suite.modern(() => { + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new TwoStackApp(app, 'MyApp'), { + post: [ + new cdkp.ManualApprovalStep('Approve'), + ], + }); + + // THEN + expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: arrayWith({ + Name: 'MyApp', + Actions: sortedByRunOrder([ + objectLike({ Name: 'Stack1.Prepare' }), + objectLike({ Name: 'Stack1.Deploy' }), + objectLike({ Name: 'Stack2.Prepare' }), + objectLike({ Name: 'Stack2.Deploy' }), + objectLike({ Name: 'Approve' }), + ]), + }), + }); + }); +}); + +behavior('can add steps to wave', (suite) => { + // No need to be backwards compatible + suite.doesNotApply.legacy(); + + suite.modern(() => { + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + const wave = pipeline.addWave('MyWave', { + post: [ + new cdkp.ManualApprovalStep('Approve'), + ], + }); + wave.addStage(new OneStackApp(pipelineStack, 'Stage1')); + wave.addStage(new OneStackApp(pipelineStack, 'Stage2')); + wave.addStage(new OneStackApp(pipelineStack, 'Stage3')); + + // THEN + expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: arrayWith({ + Name: 'MyWave', + Actions: sortedByRunOrder([ + objectLike({ Name: 'Stage1.Stack.Prepare' }), + objectLike({ Name: 'Stage2.Stack.Prepare' }), + objectLike({ Name: 'Stage3.Stack.Prepare' }), + objectLike({ Name: 'Stage1.Stack.Deploy' }), + objectLike({ Name: 'Stage2.Stack.Deploy' }), + objectLike({ Name: 'Stage3.Stack.Deploy' }), + objectLike({ Name: 'Approve' }), + ]), + }), + }); + }); +}); + + +behavior('script validation steps can use stack outputs as environment variables', (suite) => { + suite.legacy(() => { + // GIVEN + const { pipeline } = legacySetup(); + const stage = new StageWithStackOutput(app, 'MyApp'); + + // WHEN + const pipeStage = pipeline.addApplicationStage(stage); + pipeStage.addActions(new cdkp.ShellScriptAction({ + actionName: 'TestOutput', + useOutputs: { + BUCKET_NAME: pipeline.stackOutput(stage.output), + }, + commands: ['echo $BUCKET_NAME'], + })); + + // THEN + expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: arrayWith({ + Name: 'MyApp', + Actions: arrayWith( + deepObjectLike({ + Name: 'Stack.Deploy', + OutputArtifacts: [{ Name: anything() }], + Configuration: { + OutputFileName: 'outputs.json', + }, + }), + deepObjectLike({ + ActionTypeId: { + Provider: 'CodeBuild', + }, + Configuration: { + ProjectName: anything(), + }, + InputArtifacts: [{ Name: anything() }], + Name: 'TestOutput', + }), + ), + }), + }); + + expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { + Environment: { + Image: 'aws/codebuild/standard:5.0', + }, + Source: { + BuildSpec: encodedJson(deepObjectLike({ + phases: { + build: { + commands: [ + 'set -eu', + 'export BUCKET_NAME="$(node -pe \'require(process.env.CODEBUILD_SRC_DIR + "/outputs.json")["BucketName"]\')"', + 'echo $BUCKET_NAME', + ], + }, + }, + })), + Type: 'CODEPIPELINE', + }, + }); + }); + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + const myApp = new AppWithOutput(app, 'Alpha'); + pipeline.addStage(myApp, { + post: [ + new cdkp.ShellStep('Approve', { + commands: ['/bin/true'], + envFromCfnOutputs: { + THE_OUTPUT: myApp.theOutput, + }, + }), + ], + }); + + // THEN + expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: arrayWith({ + Name: 'Alpha', + Actions: arrayWith( + objectLike({ + Name: 'Stack.Deploy', + Namespace: 'AlphaStack6B3389FA', + }), + objectLike({ + Name: 'Approve', + Configuration: objectLike({ + EnvironmentVariables: encodedJson([ + { name: 'THE_OUTPUT', value: '#{AlphaStack6B3389FA.MyOutput}', type: 'PLAINTEXT' }, + ]), + }), + }), + ), + }), + }); + }); +}); + +behavior('stackOutput generates names limited to 100 characters', (suite) => { + suite.legacy(() => { + const { pipeline } = legacySetup(); + const stage = new StageWithStackOutput(app, 'APreposterouslyLongAndComplicatedNameMadeUpJustToMakeItExceedTheLimitDefinedByCodeBuild'); + const pipeStage = pipeline.addApplicationStage(stage); + pipeStage.addActions(new cdkp.ShellScriptAction({ + actionName: 'TestOutput', + useOutputs: { + BUCKET_NAME: pipeline.stackOutput(stage.output), + }, + commands: ['echo $BUCKET_NAME'], + })); + + // THEN + expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: arrayWith({ + Name: 'APreposterouslyLongAndComplicatedNameMadeUpJustToMakeItExceedTheLimitDefinedByCodeBuild', + Actions: arrayWith( + deepObjectLike({ + Name: 'Stack.Deploy', + OutputArtifacts: [{ Name: stringNoLongerThan(100) }], + Configuration: { + OutputFileName: 'outputs.json', + }, + }), + deepObjectLike({ + ActionTypeId: { + Provider: 'CodeBuild', + }, + Configuration: { + ProjectName: anything(), + }, + InputArtifacts: [{ Name: stringNoLongerThan(100) }], + Name: 'TestOutput', + }), + ), + }), + }); + }); + + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + const stage = new StageWithStackOutput(app, 'APreposterouslyLongAndComplicatedNameMadeUpJustToMakeItExceedTheLimitDefinedByCodeBuild'); + pipeline.addStage(stage, { + post: [ + new cdkp.ShellStep('TestOutput', { + commands: ['echo $BUCKET_NAME'], + envFromCfnOutputs: { + BUCKET_NAME: stage.output, + }, + }), + ], + }); + + expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: arrayWith({ + Name: 'APreposterouslyLongAndComplicatedNameMadeUpJustToMakeItExceedTheLimitDefinedByCodeBuild', + Actions: arrayWith( + deepObjectLike({ + Name: 'Stack.Deploy', + Namespace: stringNoLongerThan(100), + }), + ), + }), + }); + }); +}); + +behavior('validation step can run from scripts in source', (suite) => { + suite.legacy(() => { + const { pipeline, sourceArtifact } = legacySetup(); + + // WHEN + pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ + actionName: 'UseSources', + additionalArtifacts: [sourceArtifact], + commands: ['true'], + })); + + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new TwoStackApp(app, 'Test'), { + post: [ + new cdkp.ShellStep('UseSources', { + input: pipeline.gitHubSource, + commands: ['set -eu', 'true'], + }), + ], + }); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { + const sourceArtifact = Capture.aString(); + + expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: arrayWith({ + Name: 'Source', + Actions: [ + deepObjectLike({ + OutputArtifacts: [{ Name: sourceArtifact.capture() }], + }), + ], + }), + }); + expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: arrayWith({ + Name: 'Test', + Actions: arrayWith( + deepObjectLike({ + Name: 'UseSources', + InputArtifacts: [{ Name: sourceArtifact.capturedValue }], + }), + ), + }), + }); + expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { + Environment: { + Image: 'aws/codebuild/standard:5.0', + }, + Source: { + BuildSpec: encodedJson(deepObjectLike({ + phases: { + build: { + commands: [ + 'set -eu', + 'true', + ], + }, + }, + })), + }, + }); + } +}); + +behavior('can use additional output artifacts from build', (suite) => { + suite.legacy(() => { + // WHEN + const { pipeline, integTestArtifact } = legacySetup(); + pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ + actionName: 'UseBuildArtifact', + additionalArtifacts: [integTestArtifact], + commands: ['true'], + })); + + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + const synth = new ShellStep('Synth', { + input: CodePipelineSource.gitHub('test/test', 'main'), + commands: ['synth'], + }); + + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth, + }); + pipeline.addStage(new TwoStackApp(app, 'Test'), { + post: [ + new cdkp.ShellStep('UseBuildArtifact', { + input: synth.addOutputDirectory('test'), + commands: ['set -eu', 'true'], + }), + ], + }); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { + const integArtifact = Capture.aString(); + + expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: arrayWith({ + Name: 'Build', + Actions: [ + deepObjectLike({ + Name: 'Synth', + OutputArtifacts: [ + { Name: anything() }, // It's not the first output + { Name: integArtifact.capture() }, + ], + }), + ], + }), + }); + + expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: arrayWith({ + Name: 'Test', + Actions: arrayWith( + deepObjectLike({ + Name: 'UseBuildArtifact', + InputArtifacts: [{ Name: integArtifact.capturedValue }], + }), + ), + }), + }); + expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { + Environment: { + Image: 'aws/codebuild/standard:5.0', + }, + Source: { + BuildSpec: encodedJson(deepObjectLike({ + phases: { + build: { + commands: [ + 'set -eu', + 'true', + ], + }, + }, + })), + }, + }); + } +}); + +behavior('can add policy statements to shell script action', (suite) => { + suite.legacy(() => { + // WHEN + const { pipeline, integTestArtifact } = legacySetup(); + pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ + actionName: 'Boop', + additionalArtifacts: [integTestArtifact], + commands: ['true'], + rolePolicyStatements: [ + new iam.PolicyStatement({ + actions: ['s3:Banana'], + resources: ['*'], + }), + ], + })); + + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new TwoStackApp(app, 'Test'), { + post: [ + new cdkp.CodeBuildStep('Boop', { + commands: ['true'], + rolePolicyStatements: [ + new iam.PolicyStatement({ + actions: ['s3:Banana'], + resources: ['*'], + }), + ], + }), + ], + }); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { + // THEN + expect(pipelineStack).toHaveResourceLike('AWS::IAM::Policy', { + PolicyDocument: { + Statement: arrayWith(deepObjectLike({ + Action: 's3:Banana', + Resource: '*', + })), + }, + }); + } +}); + +behavior('can grant permissions to shell script action', (suite) => { + let bucket: s3.IBucket; + beforeEach(() => { + bucket = s3.Bucket.fromBucketArn(pipelineStack, 'Bucket', 'arn:aws:s3:::ThisParticularBucket'); + }); + + suite.legacy(() => { + const { pipeline, integTestArtifact } = legacySetup(); + const action = new cdkp.ShellScriptAction({ + actionName: 'Boop', + additionalArtifacts: [integTestArtifact], + commands: ['true'], + }); + pipeline.addStage('Test').addActions(action); + + // WHEN + bucket.grantRead(action); + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + + const codeBuildStep = new cdkp.CodeBuildStep('Boop', { + commands: ['true'], + }); + + pipeline.addStage(new TwoStackApp(app, 'Test'), { + post: [codeBuildStep], + }); + + pipeline.buildPipeline(); + + // WHEN + bucket.grantRead(codeBuildStep.project); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { + // THEN + expect(pipelineStack).toHaveResourceLike('AWS::IAM::Policy', { + PolicyDocument: { + Statement: arrayWith(deepObjectLike({ + Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], + Resource: ['arn:aws:s3:::ThisParticularBucket', 'arn:aws:s3:::ThisParticularBucket/*'], + })), + }, + }); + } +}); + +behavior('can run shell script actions in a VPC', (suite) => { + let vpc: ec2.Vpc; + beforeEach(() => { + vpc = new ec2.Vpc(pipelineStack, 'VPC'); + }); + + suite.legacy(() => { + const { pipeline, integTestArtifact } = legacySetup(); + + pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ + vpc, + actionName: 'VpcAction', + additionalArtifacts: [integTestArtifact], + commands: ['true'], + })); + + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + // All CodeBuild jobs automatically go into the VPC + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + codeBuildDefaults: { vpc }, + }); + + pipeline.addStage(new TwoStackApp(app, 'MyApp'), { + post: [new cdkp.ShellStep('VpcAction', { + commands: ['set -eu', 'true'], + })], + }); + + THEN_codePipelineExpectation(); + }); + + suite.additional('modern, alternate API', () => { + // Can also explicitly specify a VPC when going to the "full config" class + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + + pipeline.addStage(new TwoStackApp(app, 'MyApp'), { + post: [new cdkp.CodeBuildStep('VpcAction', { + commands: ['set -eu', 'true'], + vpc, + })], + }); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { + expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { + Environment: { + Image: 'aws/codebuild/standard:5.0', + }, + VpcConfig: { + Subnets: [ + { + Ref: 'VPCPrivateSubnet1Subnet8BCA10E0', + }, + { + Ref: 'VPCPrivateSubnet2SubnetCFCDAA7A', + }, + { + Ref: 'VPCPrivateSubnet3Subnet3EDCD457', + }, + ], + VpcId: { + Ref: 'VPCB9E5F0B4', + }, + }, + Source: { + BuildSpec: encodedJson(deepObjectLike({ + phases: { + build: { + commands: [ + 'set -eu', + 'true', + ], + }, + }, + })), + }, + }); + } +}); + +behavior('can run shell script actions with a specific SecurityGroup', (suite) => { + let vpc: ec2.Vpc; + let sg: ec2.SecurityGroup; + beforeEach(() => { + vpc = new ec2.Vpc(pipelineStack, 'VPC'); + sg = new ec2.SecurityGroup(pipelineStack, 'SG', { vpc }); + }); + + suite.legacy(() => { + // WHEN + const { pipeline, integTestArtifact } = legacySetup(); + pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ + vpc, + securityGroups: [sg], + actionName: 'sgAction', + additionalArtifacts: [integTestArtifact], + commands: ['true'], + })); + + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + // All CodeBuild jobs automatically go into the VPC + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + + pipeline.addStage(new TwoStackApp(app, 'Test'), { + post: [new cdkp.CodeBuildStep('sgAction', { + commands: ['set -eu', 'true'], + vpc, + securityGroups: [sg], + })], + }); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { + expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: arrayWith({ + Name: 'Test', + Actions: arrayWith( + deepObjectLike({ + Name: 'sgAction', + }), + ), + }), + }); + expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { + VpcConfig: { + SecurityGroupIds: [ + { + 'Fn::GetAtt': [ + 'SGADB53937', + 'GroupId', + ], + }, + ], + VpcId: { + Ref: 'VPCB9E5F0B4', + }, + }, + }); + } +}); + +behavior('can run scripts with specified BuildEnvironment', (suite) => { + suite.legacy(() => { + let { pipeline, integTestArtifact } = legacySetup(); + + // WHEN + pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ + actionName: 'imageAction', + additionalArtifacts: [integTestArtifact], + commands: ['true'], + environment: { buildImage: codebuild.LinuxBuildImage.STANDARD_2_0 }, + })); + + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + // Run all Build jobs with the given image + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + codeBuildDefaults: { + buildEnvironment: { + buildImage: codebuild.LinuxBuildImage.STANDARD_2_0, + }, + }, + }); + + pipeline.addStage(new TwoStackApp(app, 'Test'), { + post: [new cdkp.ShellStep('imageAction', { + commands: ['true'], + })], + }); + + THEN_codePipelineExpectation(); + }); + + suite.additional('modern, alternative API', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + + pipeline.addStage(new TwoStackApp(app, 'Test'), { + post: [new cdkp.CodeBuildStep('imageAction', { + commands: ['true'], + buildEnvironment: { + buildImage: codebuild.LinuxBuildImage.STANDARD_2_0, + }, + })], + }); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { + expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { + Environment: { + Image: 'aws/codebuild/standard:2.0', + }, + }); + } +}); + +behavior('can run scripts with magic environment variables', (suite) => { + suite.legacy(() => { + const { pipeline, integTestArtifact } = legacySetup(); + pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ + actionName: 'imageAction', + additionalArtifacts: [integTestArtifact], + commands: ['true'], + environmentVariables: { + VERSION: { value: codepipeline.GlobalVariables.executionId }, + }, + })); + + THEN_codePipelineExpectation(); + }); + + suite.modern(() => { + // Run all Build jobs with the given image + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + + pipeline.addStage(new TwoStackApp(app, 'Test'), { + post: [new cdkp.ShellStep('imageAction', { + commands: ['true'], + env: { + VERSION: codepipeline.GlobalVariables.executionId, + }, + })], + }); + + THEN_codePipelineExpectation(); + }); + + function THEN_codePipelineExpectation() { + // THEN + expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { + Stages: arrayWith({ + Name: 'Test', + Actions: arrayWith( + objectLike({ + Name: 'imageAction', + Configuration: objectLike({ + EnvironmentVariables: encodedJson([ + { + name: 'VERSION', + type: 'PLAINTEXT', + value: '#{codepipeline.PipelineExecutionId}', + }, + ]), + }), + }), + ), + }), + }); + } +}); + + +/** + * Some shared setup for legacy API tests + */ +function legacySetup() { + const sourceArtifact = new codepipeline.Artifact(); + const cloudAssemblyArtifact = new codepipeline.Artifact('CloudAsm'); + const integTestArtifact = new codepipeline.Artifact('IntegTests'); + const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + sourceArtifact, + cloudAssemblyArtifact, + synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ + sourceArtifact, + cloudAssemblyArtifact, + additionalArtifacts: [{ directory: 'test', artifact: integTestArtifact }], + }), + }); + + return { sourceArtifact, cloudAssemblyArtifact, integTestArtifact, pipeline }; +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/test/cross-environment-infra.test.ts b/packages/@aws-cdk/pipelines/test/cross-environment-infra.test.ts deleted file mode 100644 index e442e540b1ac9..0000000000000 --- a/packages/@aws-cdk/pipelines/test/cross-environment-infra.test.ts +++ /dev/null @@ -1,161 +0,0 @@ -import { arrayWith, objectLike, stringLike } from '@aws-cdk/assert-internal'; -import '@aws-cdk/assert-internal/jest'; -import { Stack, Stage, StageProps } from '@aws-cdk/core'; -import { Construct } from 'constructs'; -import * as cdkp from '../lib'; -import { behavior } from './helpers/compliance'; -import { BucketStack, PIPELINE_ENV, TestApp, TestGitHubNpmPipeline } from './testutil'; - -let app: TestApp; -let pipelineStack: Stack; -let pipeline: cdkp.CdkPipeline; - -beforeEach(() => { - app = new TestApp(); - pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); - pipeline = new TestGitHubNpmPipeline(pipelineStack, 'Cdk'); -}); - -afterEach(() => { - app.cleanup(); -}); - -behavior('in a cross-account/cross-region setup, artifact bucket can be read by deploy role', (suite) => { - suite.legacy(() => { - // WHEN - pipeline.addApplicationStage(new TestApplication(app, 'MyApp', { - env: { account: '321elsewhere', region: 'us-elsewhere' }, - })); - - // THEN - app.synth(); - const supportStack = app.node.findAll().filter(Stack.isStack).find(s => s.stackName === 'PipelineStack-support-us-elsewhere'); - expect(supportStack).not.toBeUndefined(); - - expect(supportStack).toHaveResourceLike('AWS::S3::BucketPolicy', { - PolicyDocument: { - Statement: arrayWith(objectLike({ - Action: arrayWith('s3:GetObject*', 's3:GetBucket*', 's3:List*'), - Principal: { - AWS: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - stringLike('*-deploy-role-*'), - ]], - }, - }, - })), - }, - }); - - // And the key to go along with it - expect(supportStack).toHaveResourceLike('AWS::KMS::Key', { - KeyPolicy: { - Statement: arrayWith(objectLike({ - Action: arrayWith('kms:Decrypt', 'kms:DescribeKey'), - Principal: { - AWS: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - stringLike('*-deploy-role-*'), - ]], - }, - }, - })), - }, - }); - }); -}); - -behavior('in a cross-account/same-region setup, artifact bucket can be read by deploy role', (suite) => { - suite.legacy(() => { - // WHEN - pipeline.addApplicationStage(new TestApplication(app, 'MyApp', { - env: { account: '321elsewhere', region: PIPELINE_ENV.region }, - })); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::S3::BucketPolicy', { - PolicyDocument: { - Statement: arrayWith(objectLike({ - Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], - Principal: { - AWS: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - stringLike('*-deploy-role-*'), - ]], - }, - }, - })), - }, - }); - }); -}); - -behavior('in an unspecified-account setup, artifact bucket can be read by deploy role', (suite) => { - suite.legacy(() => { - // WHEN - pipeline.addApplicationStage(new TestApplication(app, 'MyApp', {})); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::S3::BucketPolicy', { - PolicyDocument: { - Statement: arrayWith(objectLike({ - Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], - Principal: { - AWS: { - 'Fn::Join': ['', arrayWith( - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::', - { Ref: 'AWS::AccountId' }, - stringLike('*-deploy-role-*'), - )], - }, - }, - })), - }, - }); - }); -}); - -behavior('in a same-account setup, artifact bucket can be read by deploy role', (suite) => { - suite.legacy(() => { - // WHEN - pipeline.addApplicationStage(new TestApplication(app, 'MyApp', { - env: PIPELINE_ENV, - })); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::S3::BucketPolicy', { - PolicyDocument: { - Statement: arrayWith(objectLike({ - Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], - Principal: { - AWS: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - stringLike('*-deploy-role-*'), - ]], - }, - }, - })), - }, - }); - }); -}); - -/** - * Our application - */ -class TestApplication extends Stage { - constructor(scope: Construct, id: string, props: StageProps) { - super(scope, id, props); - new BucketStack(this, 'Stack'); - } -} diff --git a/packages/@aws-cdk/pipelines/test/existing-pipeline.test.ts b/packages/@aws-cdk/pipelines/test/existing-pipeline.test.ts deleted file mode 100644 index b5ad74c799b77..0000000000000 --- a/packages/@aws-cdk/pipelines/test/existing-pipeline.test.ts +++ /dev/null @@ -1,129 +0,0 @@ -import { objectLike } from '@aws-cdk/assert-internal'; -import '@aws-cdk/assert-internal/jest'; -import * as cp from '@aws-cdk/aws-codepipeline'; -import { Stack } from '@aws-cdk/core'; -import * as cdkp from '../lib'; -import { behavior } from './helpers/compliance'; -import { PIPELINE_ENV, TestApp, TestGitHubAction } from './testutil'; - -let app: TestApp; -let pipelineStack: Stack; -let sourceArtifact: cp.Artifact; -let cloudAssemblyArtifact: cp.Artifact; -let codePipeline: cp.Pipeline; - -beforeEach(() => { - app = new TestApp(); - pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); - sourceArtifact = new cp.Artifact(); - cloudAssemblyArtifact = new cp.Artifact(); -}); - -afterEach(() => { - app.cleanup(); -}); - -describe('with empty existing CodePipeline', () => { - beforeEach(() => { - codePipeline = new cp.Pipeline(pipelineStack, 'CodePipeline'); - }); - - behavior('both actions are required', (suite) => { - suite.legacy(() => { - // WHEN - expect(() => { - new cdkp.CdkPipeline(pipelineStack, 'Cdk', { cloudAssemblyArtifact, codePipeline }); - }).toThrow(/You must pass a 'sourceAction'/); - }); - }); - - behavior('can give both actions', (suite) => { - suite.legacy(() => { - // WHEN - new cdkp.CdkPipeline(pipelineStack, 'Cdk', { - cloudAssemblyArtifact, - codePipeline, - sourceAction: new TestGitHubAction(sourceArtifact), - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ sourceArtifact, cloudAssemblyArtifact }), - }); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { - Stages: [ - objectLike({ Name: 'Source' }), - objectLike({ Name: 'Build' }), - objectLike({ Name: 'UpdatePipeline' }), - ], - }); - }); - }); -}); - -describe('with custom Source stage in existing Pipeline', () => { - beforeEach(() => { - codePipeline = new cp.Pipeline(pipelineStack, 'CodePipeline', { - stages: [ - { - stageName: 'CustomSource', - actions: [new TestGitHubAction(sourceArtifact)], - }, - ], - }); - }); - - behavior('Work with synthAction', (suite) => { - suite.legacy(() => { - // WHEN - new cdkp.CdkPipeline(pipelineStack, 'Cdk', { - codePipeline, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ sourceArtifact, cloudAssemblyArtifact }), - }); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { - Stages: [ - objectLike({ Name: 'CustomSource' }), - objectLike({ Name: 'Build' }), - objectLike({ Name: 'UpdatePipeline' }), - ], - }); - }); - }); -}); - -describe('with Source and Build stages in existing Pipeline', () => { - beforeEach(() => { - codePipeline = new cp.Pipeline(pipelineStack, 'CodePipeline', { - stages: [ - { - stageName: 'CustomSource', - actions: [new TestGitHubAction(sourceArtifact)], - }, - { - stageName: 'CustomBuild', - actions: [cdkp.SimpleSynthAction.standardNpmSynth({ sourceArtifact, cloudAssemblyArtifact })], - }, - ], - }); - }); - - behavior('can supply no actions', (suite) => { - suite.legacy(() => { - // WHEN - new cdkp.CdkPipeline(pipelineStack, 'Cdk', { - codePipeline, - cloudAssemblyArtifact, - }); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { - Stages: [ - objectLike({ Name: 'CustomSource' }), - objectLike({ Name: 'CustomBuild' }), - objectLike({ Name: 'UpdatePipeline' }), - ], - }); - }); - }); -}); \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/test/integ.newpipeline.expected.json b/packages/@aws-cdk/pipelines/test/integ.newpipeline.expected.json new file mode 100644 index 0000000000000..27f47b7a985a2 --- /dev/null +++ b/packages/@aws-cdk/pipelines/test/integ.newpipeline.expected.json @@ -0,0 +1,2336 @@ +{ + "Resources": { + "PipelineArtifactsBucketAEA9A052": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "aws:kms" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + } + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "PipelineArtifactsBucketPolicyF53CCC52": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "PipelineArtifactsBucketAEA9A052" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + } + }, + "Resource": [ + { + "Fn::GetAtt": [ + "PipelineArtifactsBucketAEA9A052", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "PipelineArtifactsBucketAEA9A052", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + } + } + }, + "PipelineRoleB27FAA37": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "codepipeline.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "PipelineRoleDefaultPolicy7BDC1ABB": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*", + "s3:DeleteObject*", + "s3:PutObject", + "s3:Abort*" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "PipelineArtifactsBucketAEA9A052", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "PipelineArtifactsBucketAEA9A052", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "PipelineBuildSynthCodePipelineActionRole4E7A6C97", + "Arn" + ] + } + }, + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", + "Arn" + ] + } + }, + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "PipelineRoleDefaultPolicy7BDC1ABB", + "Roles": [ + { + "Ref": "PipelineRoleB27FAA37" + } + ] + } + }, + "Pipeline9850B417": { + "Type": "AWS::CodePipeline::Pipeline", + "Properties": { + "RoleArn": { + "Fn::GetAtt": [ + "PipelineRoleB27FAA37", + "Arn" + ] + }, + "Stages": [ + { + "Actions": [ + { + "ActionTypeId": { + "Category": "Source", + "Owner": "ThirdParty", + "Provider": "GitHub", + "Version": "1" + }, + "Configuration": { + "Owner": "rix0rrr", + "Repo": "cdk-pipelines-demo", + "Branch": "main", + "OAuthToken": "{{resolve:secretsmanager:github-token:SecretString:::}}", + "PollForSourceChanges": false + }, + "Name": "rix0rrr_cdk-pipelines-demo", + "OutputArtifacts": [ + { + "Name": "rix0rrr_cdk-pipelines-demo_Source" + } + ], + "RunOrder": 1 + } + ], + "Name": "Source" + }, + { + "Actions": [ + { + "ActionTypeId": { + "Category": "Build", + "Owner": "AWS", + "Provider": "CodeBuild", + "Version": "1" + }, + "Configuration": { + "ProjectName": { + "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" + }, + "EnvironmentVariables": "[{\"name\":\"_PROJECT_CONFIG_HASH\",\"type\":\"PLAINTEXT\",\"value\":\"00ebacfb32b1bde8d3638577308e7b7144dfa3b0a58a83bc6ff38a3b1f26951c\"}]" + }, + "InputArtifacts": [ + { + "Name": "rix0rrr_cdk-pipelines-demo_Source" + } + ], + "Name": "Synth", + "OutputArtifacts": [ + { + "Name": "Synth_Output" + } + ], + "RoleArn": { + "Fn::GetAtt": [ + "PipelineBuildSynthCodePipelineActionRole4E7A6C97", + "Arn" + ] + }, + "RunOrder": 1 + } + ], + "Name": "Build" + }, + { + "Actions": [ + { + "ActionTypeId": { + "Category": "Build", + "Owner": "AWS", + "Provider": "CodeBuild", + "Version": "1" + }, + "Configuration": { + "ProjectName": { + "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" + }, + "EnvironmentVariables": "[{\"name\":\"_PROJECT_CONFIG_HASH\",\"type\":\"PLAINTEXT\",\"value\":\"9eda7f97d24aac861052bb47a41b80eecdd56096bf9a88a27c88d94c463785c8\"}]" + }, + "InputArtifacts": [ + { + "Name": "Synth_Output" + } + ], + "Name": "SelfMutate", + "RoleArn": { + "Fn::GetAtt": [ + "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", + "Arn" + ] + }, + "RunOrder": 1 + } + ], + "Name": "UpdatePipeline" + }, + { + "Actions": [ + { + "ActionTypeId": { + "Category": "Deploy", + "Owner": "AWS", + "Provider": "CloudFormation", + "Version": "1" + }, + "Configuration": { + "StackName": "Beta-Stack1", + "Capabilities": "CAPABILITY_NAMED_IAM", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-cfn-exec-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "ActionMode": "CHANGE_SET_REPLACE", + "ChangeSetName": "PipelineChange", + "TemplatePath": "Synth_Output::assembly-PipelineStack-Beta/PipelineStackBetaStack1E6541489.template.json" + }, + "InputArtifacts": [ + { + "Name": "Synth_Output" + } + ], + "Name": "Stack1.Prepare", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "RunOrder": 1 + }, + { + "ActionTypeId": { + "Category": "Deploy", + "Owner": "AWS", + "Provider": "CloudFormation", + "Version": "1" + }, + "Configuration": { + "StackName": "Beta-Stack1", + "ActionMode": "CHANGE_SET_EXECUTE", + "ChangeSetName": "PipelineChange" + }, + "Name": "Stack1.Deploy", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "RunOrder": 2 + }, + { + "ActionTypeId": { + "Category": "Deploy", + "Owner": "AWS", + "Provider": "CloudFormation", + "Version": "1" + }, + "Configuration": { + "StackName": "Beta-Stack2", + "Capabilities": "CAPABILITY_NAMED_IAM", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-cfn-exec-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "ActionMode": "CHANGE_SET_REPLACE", + "ChangeSetName": "PipelineChange", + "TemplatePath": "Synth_Output::assembly-PipelineStack-Beta/PipelineStackBetaStack2C79AD00A.template.json" + }, + "InputArtifacts": [ + { + "Name": "Synth_Output" + } + ], + "Name": "Stack2.Prepare", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "RunOrder": 3 + }, + { + "ActionTypeId": { + "Category": "Deploy", + "Owner": "AWS", + "Provider": "CloudFormation", + "Version": "1" + }, + "Configuration": { + "StackName": "Beta-Stack2", + "ActionMode": "CHANGE_SET_EXECUTE", + "ChangeSetName": "PipelineChange" + }, + "Name": "Stack2.Deploy", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "RunOrder": 4 + } + ], + "Name": "Beta" + }, + { + "Actions": [ + { + "ActionTypeId": { + "Category": "Deploy", + "Owner": "AWS", + "Provider": "CloudFormation", + "Version": "1" + }, + "Configuration": { + "StackName": "Prod1-Stack1", + "Capabilities": "CAPABILITY_NAMED_IAM", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-cfn-exec-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "ActionMode": "CHANGE_SET_REPLACE", + "ChangeSetName": "PipelineChange", + "TemplatePath": "Synth_Output::assembly-PipelineStack-Prod1/PipelineStackProd1Stack14013D698.template.json" + }, + "InputArtifacts": [ + { + "Name": "Synth_Output" + } + ], + "Name": "Prod1.Stack1.Prepare", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "RunOrder": 1 + }, + { + "ActionTypeId": { + "Category": "Deploy", + "Owner": "AWS", + "Provider": "CloudFormation", + "Version": "1" + }, + "Configuration": { + "StackName": "Prod2-Stack1", + "Capabilities": "CAPABILITY_NAMED_IAM", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-cfn-exec-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "ActionMode": "CHANGE_SET_REPLACE", + "ChangeSetName": "PipelineChange", + "TemplatePath": "Synth_Output::assembly-PipelineStack-Prod2/PipelineStackProd2Stack1FD464162.template.json" + }, + "InputArtifacts": [ + { + "Name": "Synth_Output" + } + ], + "Name": "Prod2.Stack1.Prepare", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "RunOrder": 1 + }, + { + "ActionTypeId": { + "Category": "Deploy", + "Owner": "AWS", + "Provider": "CloudFormation", + "Version": "1" + }, + "Configuration": { + "StackName": "Prod1-Stack1", + "ActionMode": "CHANGE_SET_EXECUTE", + "ChangeSetName": "PipelineChange" + }, + "Name": "Prod1.Stack1.Deploy", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "RunOrder": 2 + }, + { + "ActionTypeId": { + "Category": "Deploy", + "Owner": "AWS", + "Provider": "CloudFormation", + "Version": "1" + }, + "Configuration": { + "StackName": "Prod2-Stack1", + "ActionMode": "CHANGE_SET_EXECUTE", + "ChangeSetName": "PipelineChange" + }, + "Name": "Prod2.Stack1.Deploy", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "RunOrder": 2 + }, + { + "ActionTypeId": { + "Category": "Deploy", + "Owner": "AWS", + "Provider": "CloudFormation", + "Version": "1" + }, + "Configuration": { + "StackName": "Prod1-Stack2", + "Capabilities": "CAPABILITY_NAMED_IAM", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-cfn-exec-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "ActionMode": "CHANGE_SET_REPLACE", + "ChangeSetName": "PipelineChange", + "TemplatePath": "Synth_Output::assembly-PipelineStack-Prod1/PipelineStackProd1Stack2F0681AFF.template.json" + }, + "InputArtifacts": [ + { + "Name": "Synth_Output" + } + ], + "Name": "Prod1.Stack2.Prepare", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "RunOrder": 3 + }, + { + "ActionTypeId": { + "Category": "Deploy", + "Owner": "AWS", + "Provider": "CloudFormation", + "Version": "1" + }, + "Configuration": { + "StackName": "Prod2-Stack2", + "Capabilities": "CAPABILITY_NAMED_IAM", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-cfn-exec-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "ActionMode": "CHANGE_SET_REPLACE", + "ChangeSetName": "PipelineChange", + "TemplatePath": "Synth_Output::assembly-PipelineStack-Prod2/PipelineStackProd2Stack2176123EB.template.json" + }, + "InputArtifacts": [ + { + "Name": "Synth_Output" + } + ], + "Name": "Prod2.Stack2.Prepare", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "RunOrder": 3 + }, + { + "ActionTypeId": { + "Category": "Deploy", + "Owner": "AWS", + "Provider": "CloudFormation", + "Version": "1" + }, + "Configuration": { + "StackName": "Prod1-Stack2", + "ActionMode": "CHANGE_SET_EXECUTE", + "ChangeSetName": "PipelineChange" + }, + "Name": "Prod1.Stack2.Deploy", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "RunOrder": 4 + }, + { + "ActionTypeId": { + "Category": "Deploy", + "Owner": "AWS", + "Provider": "CloudFormation", + "Version": "1" + }, + "Configuration": { + "StackName": "Prod2-Stack2", + "ActionMode": "CHANGE_SET_EXECUTE", + "ChangeSetName": "PipelineChange" + }, + "Name": "Prod2.Stack2.Deploy", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "RunOrder": 4 + } + ], + "Name": "Wave1" + }, + { + "Actions": [ + { + "ActionTypeId": { + "Category": "Deploy", + "Owner": "AWS", + "Provider": "CloudFormation", + "Version": "1" + }, + "Configuration": { + "StackName": "Prod3-Stack1", + "Capabilities": "CAPABILITY_NAMED_IAM", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-cfn-exec-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "ActionMode": "CHANGE_SET_REPLACE", + "ChangeSetName": "PipelineChange", + "TemplatePath": "Synth_Output::assembly-PipelineStack-Prod3/PipelineStackProd3Stack1795F3D43.template.json" + }, + "InputArtifacts": [ + { + "Name": "Synth_Output" + } + ], + "Name": "Prod3.Stack1.Prepare", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "RunOrder": 1 + }, + { + "ActionTypeId": { + "Category": "Deploy", + "Owner": "AWS", + "Provider": "CloudFormation", + "Version": "1" + }, + "Configuration": { + "StackName": "Prod4-Stack1", + "Capabilities": "CAPABILITY_NAMED_IAM", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-cfn-exec-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "ActionMode": "CHANGE_SET_REPLACE", + "ChangeSetName": "PipelineChange", + "TemplatePath": "Synth_Output::assembly-PipelineStack-Prod4/PipelineStackProd4Stack118F74ADB.template.json" + }, + "InputArtifacts": [ + { + "Name": "Synth_Output" + } + ], + "Name": "Prod4.Stack1.Prepare", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "RunOrder": 1 + }, + { + "ActionTypeId": { + "Category": "Deploy", + "Owner": "AWS", + "Provider": "CloudFormation", + "Version": "1" + }, + "Configuration": { + "StackName": "Prod5-Stack1", + "Capabilities": "CAPABILITY_NAMED_IAM", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-cfn-exec-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "ActionMode": "CHANGE_SET_REPLACE", + "ChangeSetName": "PipelineChange", + "TemplatePath": "Synth_Output::assembly-PipelineStack-Prod5/PipelineStackProd5Stack1E7E4E4C6.template.json" + }, + "InputArtifacts": [ + { + "Name": "Synth_Output" + } + ], + "Name": "Prod5.Stack1.Prepare", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "RunOrder": 1 + }, + { + "ActionTypeId": { + "Category": "Deploy", + "Owner": "AWS", + "Provider": "CloudFormation", + "Version": "1" + }, + "Configuration": { + "StackName": "Prod6-Stack1", + "Capabilities": "CAPABILITY_NAMED_IAM", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-cfn-exec-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "ActionMode": "CHANGE_SET_REPLACE", + "ChangeSetName": "PipelineChange", + "TemplatePath": "Synth_Output::assembly-PipelineStack-Prod6/PipelineStackProd6Stack1E7C34314.template.json" + }, + "InputArtifacts": [ + { + "Name": "Synth_Output" + } + ], + "Name": "Prod6.Stack1.Prepare", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "RunOrder": 1 + }, + { + "ActionTypeId": { + "Category": "Deploy", + "Owner": "AWS", + "Provider": "CloudFormation", + "Version": "1" + }, + "Configuration": { + "StackName": "Prod3-Stack1", + "ActionMode": "CHANGE_SET_EXECUTE", + "ChangeSetName": "PipelineChange" + }, + "Name": "Prod3.Stack1.Deploy", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "RunOrder": 2 + }, + { + "ActionTypeId": { + "Category": "Deploy", + "Owner": "AWS", + "Provider": "CloudFormation", + "Version": "1" + }, + "Configuration": { + "StackName": "Prod4-Stack1", + "ActionMode": "CHANGE_SET_EXECUTE", + "ChangeSetName": "PipelineChange" + }, + "Name": "Prod4.Stack1.Deploy", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "RunOrder": 2 + }, + { + "ActionTypeId": { + "Category": "Deploy", + "Owner": "AWS", + "Provider": "CloudFormation", + "Version": "1" + }, + "Configuration": { + "StackName": "Prod5-Stack1", + "ActionMode": "CHANGE_SET_EXECUTE", + "ChangeSetName": "PipelineChange" + }, + "Name": "Prod5.Stack1.Deploy", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "RunOrder": 2 + }, + { + "ActionTypeId": { + "Category": "Deploy", + "Owner": "AWS", + "Provider": "CloudFormation", + "Version": "1" + }, + "Configuration": { + "StackName": "Prod6-Stack1", + "ActionMode": "CHANGE_SET_EXECUTE", + "ChangeSetName": "PipelineChange" + }, + "Name": "Prod6.Stack1.Deploy", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "RunOrder": 2 + }, + { + "ActionTypeId": { + "Category": "Deploy", + "Owner": "AWS", + "Provider": "CloudFormation", + "Version": "1" + }, + "Configuration": { + "StackName": "Prod3-Stack2", + "Capabilities": "CAPABILITY_NAMED_IAM", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-cfn-exec-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "ActionMode": "CHANGE_SET_REPLACE", + "ChangeSetName": "PipelineChange", + "TemplatePath": "Synth_Output::assembly-PipelineStack-Prod3/PipelineStackProd3Stack2DFBBA0B2.template.json" + }, + "InputArtifacts": [ + { + "Name": "Synth_Output" + } + ], + "Name": "Prod3.Stack2.Prepare", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "RunOrder": 3 + }, + { + "ActionTypeId": { + "Category": "Deploy", + "Owner": "AWS", + "Provider": "CloudFormation", + "Version": "1" + }, + "Configuration": { + "StackName": "Prod4-Stack2", + "Capabilities": "CAPABILITY_NAMED_IAM", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-cfn-exec-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "ActionMode": "CHANGE_SET_REPLACE", + "ChangeSetName": "PipelineChange", + "TemplatePath": "Synth_Output::assembly-PipelineStack-Prod4/PipelineStackProd4Stack2E2CB4ED3.template.json" + }, + "InputArtifacts": [ + { + "Name": "Synth_Output" + } + ], + "Name": "Prod4.Stack2.Prepare", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "RunOrder": 3 + }, + { + "ActionTypeId": { + "Category": "Deploy", + "Owner": "AWS", + "Provider": "CloudFormation", + "Version": "1" + }, + "Configuration": { + "StackName": "Prod5-Stack2", + "Capabilities": "CAPABILITY_NAMED_IAM", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-cfn-exec-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "ActionMode": "CHANGE_SET_REPLACE", + "ChangeSetName": "PipelineChange", + "TemplatePath": "Synth_Output::assembly-PipelineStack-Prod5/PipelineStackProd5Stack2C39BEE5B.template.json" + }, + "InputArtifacts": [ + { + "Name": "Synth_Output" + } + ], + "Name": "Prod5.Stack2.Prepare", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "RunOrder": 3 + }, + { + "ActionTypeId": { + "Category": "Deploy", + "Owner": "AWS", + "Provider": "CloudFormation", + "Version": "1" + }, + "Configuration": { + "StackName": "Prod6-Stack2", + "Capabilities": "CAPABILITY_NAMED_IAM", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-cfn-exec-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "ActionMode": "CHANGE_SET_REPLACE", + "ChangeSetName": "PipelineChange", + "TemplatePath": "Synth_Output::assembly-PipelineStack-Prod6/PipelineStackProd6Stack2BED1BBCE.template.json" + }, + "InputArtifacts": [ + { + "Name": "Synth_Output" + } + ], + "Name": "Prod6.Stack2.Prepare", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "RunOrder": 3 + }, + { + "ActionTypeId": { + "Category": "Deploy", + "Owner": "AWS", + "Provider": "CloudFormation", + "Version": "1" + }, + "Configuration": { + "StackName": "Prod3-Stack2", + "ActionMode": "CHANGE_SET_EXECUTE", + "ChangeSetName": "PipelineChange" + }, + "Name": "Prod3.Stack2.Deploy", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "RunOrder": 4 + }, + { + "ActionTypeId": { + "Category": "Deploy", + "Owner": "AWS", + "Provider": "CloudFormation", + "Version": "1" + }, + "Configuration": { + "StackName": "Prod4-Stack2", + "ActionMode": "CHANGE_SET_EXECUTE", + "ChangeSetName": "PipelineChange" + }, + "Name": "Prod4.Stack2.Deploy", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "RunOrder": 4 + }, + { + "ActionTypeId": { + "Category": "Deploy", + "Owner": "AWS", + "Provider": "CloudFormation", + "Version": "1" + }, + "Configuration": { + "StackName": "Prod5-Stack2", + "ActionMode": "CHANGE_SET_EXECUTE", + "ChangeSetName": "PipelineChange" + }, + "Name": "Prod5.Stack2.Deploy", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "RunOrder": 4 + }, + { + "ActionTypeId": { + "Category": "Deploy", + "Owner": "AWS", + "Provider": "CloudFormation", + "Version": "1" + }, + "Configuration": { + "StackName": "Prod6-Stack2", + "ActionMode": "CHANGE_SET_EXECUTE", + "ChangeSetName": "PipelineChange" + }, + "Name": "Prod6.Stack2.Deploy", + "RoleArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "RunOrder": 4 + } + ], + "Name": "Wave2" + } + ], + "ArtifactStore": { + "Location": { + "Ref": "PipelineArtifactsBucketAEA9A052" + }, + "Type": "S3" + }, + "RestartExecutionOnUpdate": true + }, + "DependsOn": [ + "PipelineRoleDefaultPolicy7BDC1ABB", + "PipelineRoleB27FAA37" + ] + }, + "PipelineSourcerix0rrrcdkpipelinesdemoWebhookResourceDB0C1BCA": { + "Type": "AWS::CodePipeline::Webhook", + "Properties": { + "Authentication": "GITHUB_HMAC", + "AuthenticationConfiguration": { + "SecretToken": "{{resolve:secretsmanager:github-token:SecretString:::}}" + }, + "Filters": [ + { + "JsonPath": "$.ref", + "MatchEquals": "refs/heads/{Branch}" + } + ], + "TargetAction": "rix0rrr_cdk-pipelines-demo", + "TargetPipeline": { + "Ref": "Pipeline9850B417" + }, + "TargetPipelineVersion": 1, + "RegisterWithThirdParty": true + } + }, + "PipelineBuildSynthCdkBuildProjectRole231EEA2A": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "codebuild.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "PipelineBuildSynthCdkBuildProjectRoleDefaultPolicyFB6C941C": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:test-region:12345678:log-group:/aws/codebuild/", + { + "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" + } + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:test-region:12345678:log-group:/aws/codebuild/", + { + "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" + }, + ":*" + ] + ] + } + ] + }, + { + "Action": [ + "codebuild:CreateReportGroup", + "codebuild:CreateReport", + "codebuild:UpdateReport", + "codebuild:BatchPutTestCases", + "codebuild:BatchPutCodeCoverages" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":codebuild:test-region:12345678:report-group/", + { + "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" + }, + "-*" + ] + ] + } + }, + { + "Action": [ + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*", + "s3:DeleteObject*", + "s3:PutObject", + "s3:Abort*" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "PipelineArtifactsBucketAEA9A052", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "PipelineArtifactsBucketAEA9A052", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "PipelineBuildSynthCdkBuildProjectRoleDefaultPolicyFB6C941C", + "Roles": [ + { + "Ref": "PipelineBuildSynthCdkBuildProjectRole231EEA2A" + } + ] + } + }, + "PipelineBuildSynthCdkBuildProject6BEFA8E6": { + "Type": "AWS::CodeBuild::Project", + "Properties": { + "Artifacts": { + "Type": "CODEPIPELINE" + }, + "Environment": { + "ComputeType": "BUILD_GENERAL1_SMALL", + "Image": "aws/codebuild/standard:5.0", + "ImagePullCredentialsType": "CODEBUILD", + "PrivilegedMode": false, + "Type": "LINUX_CONTAINER" + }, + "ServiceRole": { + "Fn::GetAtt": [ + "PipelineBuildSynthCdkBuildProjectRole231EEA2A", + "Arn" + ] + }, + "Source": { + "BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"build\": {\n \"commands\": [\n \"npm ci\",\n \"npm run build\",\n \"npx cdk synth\"\n ]\n }\n },\n \"artifacts\": {\n \"base-directory\": \"cdk.out\",\n \"files\": \"**/*\"\n }\n}", + "Type": "CODEPIPELINE" + }, + "EncryptionKey": "alias/aws/s3" + } + }, + "PipelineBuildSynthCodePipelineActionRole4E7A6C97": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::12345678:root" + ] + ] + } + } + } + ], + "Version": "2012-10-17" + } + } + }, + "PipelineBuildSynthCodePipelineActionRoleDefaultPolicy92C90290": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "codebuild:BatchGetBuilds", + "codebuild:StartBuild", + "codebuild:StopBuild" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "PipelineBuildSynthCdkBuildProject6BEFA8E6", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "PipelineBuildSynthCodePipelineActionRoleDefaultPolicy92C90290", + "Roles": [ + { + "Ref": "PipelineBuildSynthCodePipelineActionRole4E7A6C97" + } + ] + } + }, + "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::12345678:root" + ] + ] + } + } + } + ], + "Version": "2012-10-17" + } + } + }, + "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleDefaultPolicyE626265B": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "codebuild:BatchGetBuilds", + "codebuild:StartBuild", + "codebuild:StopBuild" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "PipelineUpdatePipelineSelfMutationDAA41400", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleDefaultPolicyE626265B", + "Roles": [ + { + "Ref": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF" + } + ] + } + }, + "PipelineUpdatePipelineSelfMutationRole57E559E8": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "codebuild.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "PipelineUpdatePipelineSelfMutationRoleDefaultPolicyA225DA4E": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:test-region:12345678:log-group:/aws/codebuild/", + { + "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" + } + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:test-region:12345678:log-group:/aws/codebuild/", + { + "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" + }, + ":*" + ] + ] + } + ] + }, + { + "Action": [ + "codebuild:CreateReportGroup", + "codebuild:CreateReport", + "codebuild:UpdateReport", + "codebuild:BatchPutTestCases", + "codebuild:BatchPutCodeCoverages" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":codebuild:test-region:12345678:report-group/", + { + "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" + }, + "-*" + ] + ] + } + }, + { + "Action": "sts:AssumeRole", + "Condition": { + "ForAnyValue:StringEquals": { + "iam:ResourceTag/aws-cdk:bootstrap-role": [ + "image-publishing", + "file-publishing", + "deploy" + ] + } + }, + "Effect": "Allow", + "Resource": "arn:*:iam::12345678:role/*" + }, + { + "Action": "cloudformation:DescribeStacks", + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": "s3:ListBucket", + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "PipelineArtifactsBucketAEA9A052", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "PipelineArtifactsBucketAEA9A052", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "PipelineUpdatePipelineSelfMutationRoleDefaultPolicyA225DA4E", + "Roles": [ + { + "Ref": "PipelineUpdatePipelineSelfMutationRole57E559E8" + } + ] + } + }, + "PipelineUpdatePipelineSelfMutationDAA41400": { + "Type": "AWS::CodeBuild::Project", + "Properties": { + "Artifacts": { + "Type": "CODEPIPELINE" + }, + "Environment": { + "ComputeType": "BUILD_GENERAL1_SMALL", + "Image": "aws/codebuild/standard:5.0", + "ImagePullCredentialsType": "CODEBUILD", + "PrivilegedMode": false, + "Type": "LINUX_CONTAINER" + }, + "ServiceRole": { + "Fn::GetAtt": [ + "PipelineUpdatePipelineSelfMutationRole57E559E8", + "Arn" + ] + }, + "Source": { + "BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"install\": {\n \"commands\": [\n \"npm install -g aws-cdk\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"cdk -a . deploy PipelineStack --require-approval=never --verbose\"\n ]\n }\n }\n}", + "Type": "CODEPIPELINE" + }, + "EncryptionKey": "alias/aws/s3" + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store." + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/test/integ.newpipeline.ts b/packages/@aws-cdk/pipelines/test/integ.newpipeline.ts new file mode 100644 index 0000000000000..b777b61a23e09 --- /dev/null +++ b/packages/@aws-cdk/pipelines/test/integ.newpipeline.ts @@ -0,0 +1,62 @@ +// eslint-disable-next-line import/no-extraneous-dependencies +/// !cdk-integ PipelineStack +import * as sqs from '@aws-cdk/aws-sqs'; +import { App, Stack, StackProps, Stage, StageProps } from '@aws-cdk/core'; +import { Construct } from 'constructs'; +import * as pipelines from '../lib'; + +class PipelineStack extends Stack { + constructor(scope: Construct, id: string, props?: StackProps) { + super(scope, id, props); + + const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { + synth: new pipelines.ShellStep('Synth', { + input: pipelines.CodePipelineSource.gitHub('rix0rrr/cdk-pipelines-demo', 'main'), + commands: [ + 'npm ci', + 'npm run build', + 'npx cdk synth', + ], + }), + }); + + pipeline.addStage(new AppStage(this, 'Beta')); + + const group = pipeline.addWave('Wave1'); + group.addStage(new AppStage(this, 'Prod1')); + group.addStage(new AppStage(this, 'Prod2')); + + const group2 = pipeline.addWave('Wave2'); + group2.addStage(new AppStage(this, 'Prod3')); + group2.addStage(new AppStage(this, 'Prod4')); + group2.addStage(new AppStage(this, 'Prod5')); + group2.addStage(new AppStage(this, 'Prod6')); + } +} + +class AppStage extends Stage { + constructor(scope: Construct, id: string, props?: StageProps) { + super(scope, id, props); + + const stack1 = new Stack(this, 'Stack1'); + const queue1 = new sqs.Queue(stack1, 'Queue'); + + const stack2 = new Stack(this, 'Stack2'); + new sqs.Queue(stack2, 'OtherQueue', { + deadLetterQueue: { + queue: queue1, + maxReceiveCount: 5, + }, + }); + } +} + +const app = new App({ + context: { + '@aws-cdk/core:newStyleStackSynthesis': '1', + }, +}); +new PipelineStack(app, 'PipelineStack', { + env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION }, +}); +app.synth(); \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/test/integ.pipeline-with-assets-single-upload.ts b/packages/@aws-cdk/pipelines/test/integ.pipeline-with-assets-single-upload.ts index a4f35010a10b7..e5461ebe6efe1 100644 --- a/packages/@aws-cdk/pipelines/test/integ.pipeline-with-assets-single-upload.ts +++ b/packages/@aws-cdk/pipelines/test/integ.pipeline-with-assets-single-upload.ts @@ -14,10 +14,10 @@ class MyStage extends Stage { const stack = new Stack(this, 'Stack', props); new s3_assets.Asset(stack, 'Asset', { - path: path.join(__dirname, 'test-file-asset.txt'), + path: path.join(__dirname, 'testhelpers/assets/test-file-asset.txt'), }); new s3_assets.Asset(stack, 'Asset2', { - path: path.join(__dirname, 'test-file-asset-two.txt'), + path: path.join(__dirname, 'testhelpers/assets/test-file-asset-two.txt'), }); new CfnResource(stack, 'Resource', { diff --git a/packages/@aws-cdk/pipelines/test/integ.pipeline-with-assets.ts b/packages/@aws-cdk/pipelines/test/integ.pipeline-with-assets.ts index ae9f5046137d4..41b2e6ae0cdc2 100644 --- a/packages/@aws-cdk/pipelines/test/integ.pipeline-with-assets.ts +++ b/packages/@aws-cdk/pipelines/test/integ.pipeline-with-assets.ts @@ -14,10 +14,10 @@ class MyStage extends Stage { const stack = new Stack(this, 'Stack', props); new s3_assets.Asset(stack, 'Asset', { - path: path.join(__dirname, 'test-file-asset.txt'), + path: path.join(__dirname, 'testhelpers/assets/test-file-asset.txt'), }); new s3_assets.Asset(stack, 'Asset2', { - path: path.join(__dirname, 'test-file-asset-two.txt'), + path: path.join(__dirname, 'testhelpers/assets/test-file-asset-two.txt'), }); new CfnResource(stack, 'Resource', { diff --git a/packages/@aws-cdk/pipelines/test/integ.pipeline.ts b/packages/@aws-cdk/pipelines/test/integ.pipeline.ts index b79dd24841472..f263e65a7f09c 100644 --- a/packages/@aws-cdk/pipelines/test/integ.pipeline.ts +++ b/packages/@aws-cdk/pipelines/test/integ.pipeline.ts @@ -80,4 +80,4 @@ const app = new App({ new CdkpipelinesDemoPipelineStack(app, 'PipelineStack', { env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION }, }); -app.synth(); +app.synth(); \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/test/fs.test.ts b/packages/@aws-cdk/pipelines/test/legacy/fs.test.ts similarity index 85% rename from packages/@aws-cdk/pipelines/test/fs.test.ts rename to packages/@aws-cdk/pipelines/test/legacy/fs.test.ts index 49cbe2458e64a..da49fa9cf2986 100644 --- a/packages/@aws-cdk/pipelines/test/fs.test.ts +++ b/packages/@aws-cdk/pipelines/test/legacy/fs.test.ts @@ -1,5 +1,5 @@ import * as path from 'path'; -import { toPosixPath } from '../lib/private/fs'; +import { toPosixPath } from '../../lib/private/fs'; test('translate path.sep', () => { expect(toPosixPath(`a${path.sep}b${path.sep}c`)).toEqual('a/b/c'); diff --git a/packages/@aws-cdk/pipelines/test/pipeline.test.ts b/packages/@aws-cdk/pipelines/test/pipeline.test.ts deleted file mode 100644 index fdb20d19ae396..0000000000000 --- a/packages/@aws-cdk/pipelines/test/pipeline.test.ts +++ /dev/null @@ -1,563 +0,0 @@ -import * as fs from 'fs'; -import * as path from 'path'; -import { - anything, - arrayWith, - Capture, - deepObjectLike, - encodedJson, - notMatching, - objectLike, - stringLike, -} from '@aws-cdk/assert-internal'; -import '@aws-cdk/assert-internal/jest'; -import * as cp from '@aws-cdk/aws-codepipeline'; -import * as cpa from '@aws-cdk/aws-codepipeline-actions'; -import { Stack, Stage, StageProps, SecretValue, Tags } from '@aws-cdk/core'; -import { Construct } from 'constructs'; -import * as cdkp from '../lib'; -import { behavior } from './helpers/compliance'; -import { BucketStack, PIPELINE_ENV, stackTemplate, TestApp, TestGitHubNpmPipeline } from './testutil'; - -let app: TestApp; -let pipelineStack: Stack; -let pipeline: cdkp.CdkPipeline; - -beforeEach(() => { - app = new TestApp(); - pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); - pipeline = new TestGitHubNpmPipeline(pipelineStack, 'Cdk'); -}); - -afterEach(() => { - app.cleanup(); -}); - -behavior('references stack template in subassembly', (suite) => { - suite.legacy(() => { - // WHEN - pipeline.addApplicationStage(new OneStackApp(app, 'App')); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { - Stages: arrayWith({ - Name: 'App', - Actions: arrayWith( - objectLike({ - Name: 'Stack.Prepare', - InputArtifacts: [objectLike({})], - Configuration: objectLike({ - StackName: 'App-Stack', - TemplatePath: stringLike('*::assembly-App/*.template.json'), - }), - }), - ), - }), - }); - }); - -}); - -behavior('obvious error is thrown when stage contains no stacks', (suite) => { - suite.legacy(() => { - // WHEN - expect(() => { - pipeline.addApplicationStage(new Stage(app, 'EmptyStage')); - }).toThrow(/should contain at least one Stack/); - }); -}); - -behavior('action has right settings for same-env deployment', (suite) => { - suite.legacy(() => { - // WHEN - pipeline.addApplicationStage(new OneStackApp(app, 'Same')); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { - Stages: arrayWith({ - Name: 'Same', - Actions: [ - objectLike({ - Name: 'Stack.Prepare', - RoleArn: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::', - { Ref: 'AWS::AccountId' }, - ':role/cdk-hnb659fds-deploy-role-', - { Ref: 'AWS::AccountId' }, - '-', - { Ref: 'AWS::Region' }, - ]], - }, - Configuration: objectLike({ - StackName: 'Same-Stack', - RoleArn: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::', - { Ref: 'AWS::AccountId' }, - ':role/cdk-hnb659fds-cfn-exec-role-', - { Ref: 'AWS::AccountId' }, - '-', - { Ref: 'AWS::Region' }, - ]], - }, - }), - }), - objectLike({ - Name: 'Stack.Deploy', - RoleArn: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::', - { Ref: 'AWS::AccountId' }, - ':role/cdk-hnb659fds-deploy-role-', - { Ref: 'AWS::AccountId' }, - '-', - { Ref: 'AWS::Region' }, - ]], - }, - Configuration: objectLike({ - StackName: 'Same-Stack', - }), - }), - ], - }), - }); - }); -}); - -behavior('action has right settings for cross-account deployment', (suite) => { - suite.legacy(() => { - // WHEN - pipeline.addApplicationStage(new OneStackApp(app, 'CrossAccount', { env: { account: 'you' } })); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { - Stages: arrayWith({ - Name: 'CrossAccount', - Actions: [ - objectLike({ - Name: 'Stack.Prepare', - RoleArn: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::you:role/cdk-hnb659fds-deploy-role-you-', - { Ref: 'AWS::Region' }, - ]], - }, - Configuration: objectLike({ - StackName: 'CrossAccount-Stack', - RoleArn: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::you:role/cdk-hnb659fds-cfn-exec-role-you-', - { Ref: 'AWS::Region' }, - ]], - }, - }), - }), - objectLike({ - Name: 'Stack.Deploy', - RoleArn: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::you:role/cdk-hnb659fds-deploy-role-you-', - { Ref: 'AWS::Region' }, - ]], - }, - Configuration: objectLike({ - StackName: 'CrossAccount-Stack', - }), - }), - ], - }), - }); - }); -}); - -behavior('action has right settings for cross-region deployment', (suite) => { - suite.legacy(() => { - // WHEN - pipeline.addApplicationStage(new OneStackApp(app, 'CrossRegion', { env: { region: 'elsewhere' } })); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { - Stages: arrayWith({ - Name: 'CrossRegion', - Actions: [ - objectLike({ - Name: 'Stack.Prepare', - RoleArn: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::', - { Ref: 'AWS::AccountId' }, - ':role/cdk-hnb659fds-deploy-role-', - { Ref: 'AWS::AccountId' }, - '-elsewhere', - ]], - }, - Region: 'elsewhere', - Configuration: objectLike({ - StackName: 'CrossRegion-Stack', - RoleArn: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::', - { Ref: 'AWS::AccountId' }, - ':role/cdk-hnb659fds-cfn-exec-role-', - { Ref: 'AWS::AccountId' }, - '-elsewhere', - ]], - }, - }), - }), - objectLike({ - Name: 'Stack.Deploy', - RoleArn: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::', - { Ref: 'AWS::AccountId' }, - ':role/cdk-hnb659fds-deploy-role-', - { Ref: 'AWS::AccountId' }, - '-elsewhere', - ]], - }, - Region: 'elsewhere', - Configuration: objectLike({ - StackName: 'CrossRegion-Stack', - }), - }), - ], - }), - }); - }); -}); - -behavior('action has right settings for cross-account/cross-region deployment', (suite) => { - suite.legacy(() => { - // WHEN - pipeline.addApplicationStage(new OneStackApp(app, 'CrossBoth', { - env: { - account: 'you', - region: 'elsewhere', - }, - })); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { - Stages: arrayWith({ - Name: 'CrossBoth', - Actions: [ - objectLike({ - Name: 'Stack.Prepare', - RoleArn: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::you:role/cdk-hnb659fds-deploy-role-you-elsewhere', - ]], - }, - Region: 'elsewhere', - Configuration: objectLike({ - StackName: 'CrossBoth-Stack', - RoleArn: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::you:role/cdk-hnb659fds-cfn-exec-role-you-elsewhere', - ]], - }, - }), - }), - objectLike({ - Name: 'Stack.Deploy', - RoleArn: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::you:role/cdk-hnb659fds-deploy-role-you-elsewhere', - ]], - }, - Region: 'elsewhere', - Configuration: objectLike({ - StackName: 'CrossBoth-Stack', - }), - }), - ], - }), - }); - }); -}); - -behavior('pipeline has self-mutation stage', (suite) => { - suite.legacy(() => { - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { - Stages: arrayWith({ - Name: 'UpdatePipeline', - Actions: [ - objectLike({ - Name: 'SelfMutate', - Configuration: objectLike({ - ProjectName: { Ref: anything() }, - }), - }), - ], - }), - }); - - expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { - Environment: { - Image: 'aws/codebuild/standard:5.0', - PrivilegedMode: false, - }, - Source: { - BuildSpec: encodedJson(deepObjectLike({ - phases: { - install: { - commands: ['npm install -g aws-cdk'], - }, - build: { - commands: arrayWith('cdk -a . deploy PipelineStack --require-approval=never --verbose'), - }, - }, - })), - Type: 'CODEPIPELINE', - }, - }); - }); -}); - -behavior('selfmutation stage correctly identifies nested assembly of pipeline stack', (suite) => { - suite.legacy(() => { - const pipelineStage = new Stage(app, 'PipelineStage'); - const nestedPipelineStack = new Stack(pipelineStage, 'PipelineStack', { env: PIPELINE_ENV }); - new TestGitHubNpmPipeline(nestedPipelineStack, 'Cdk'); - - // THEN - expect(stackTemplate(nestedPipelineStack)).toHaveResourceLike('AWS::CodeBuild::Project', { - Environment: { - Image: 'aws/codebuild/standard:5.0', - }, - Source: { - BuildSpec: encodedJson(deepObjectLike({ - phases: { - build: { - commands: arrayWith('cdk -a assembly-PipelineStage deploy PipelineStage/PipelineStack --require-approval=never --verbose'), - }, - }, - })), - }, - }); - }); -}); - -behavior('selfmutation feature can be turned off', (suite) => { - suite.legacy(() => { - const stack = new Stack(); - const cloudAssemblyArtifact = new cp.Artifact(); - // WHEN - new TestGitHubNpmPipeline(stack, 'Cdk', { - cloudAssemblyArtifact, - selfMutating: false, - }); - // THEN - expect(stack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { - Stages: notMatching(arrayWith({ - Name: 'UpdatePipeline', - Actions: anything(), - })), - }); - }); -}); - -behavior('generates CodeBuild project in privileged mode', (suite) => { - suite.legacy(() => { - // WHEN - const stack = new Stack(app, 'PrivilegedPipelineStack', { env: PIPELINE_ENV }); - new TestGitHubNpmPipeline(stack, 'PrivilegedPipeline', { - supportDockerAssets: true, - }); - - // THEN - expect(stack).toHaveResourceLike('AWS::CodeBuild::Project', { - Environment: { - PrivilegedMode: true, - }, - }); - }); -}); - -behavior('overridden stack names are respected', (suite) => { - suite.legacy(() => { - // WHEN - pipeline.addApplicationStage(new OneStackAppWithCustomName(app, 'App1')); - pipeline.addApplicationStage(new OneStackAppWithCustomName(app, 'App2')); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { - Stages: arrayWith( - { - Name: 'App1', - Actions: arrayWith(objectLike({ - Name: 'MyFancyStack.Prepare', - Configuration: objectLike({ - StackName: 'MyFancyStack', - }), - })), - }, - { - Name: 'App2', - Actions: arrayWith(objectLike({ - Name: 'MyFancyStack.Prepare', - Configuration: objectLike({ - StackName: 'MyFancyStack', - }), - })), - }, - ), - }); - }); -}); - -behavior('can control fix/CLI version used in pipeline selfupdate', (suite) => { - suite.legacy(() => { - // WHEN - const stack2 = new Stack(app, 'Stack2', { env: PIPELINE_ENV }); - new TestGitHubNpmPipeline(stack2, 'Cdk2', { - pipelineName: 'vpipe', - cdkCliVersion: '1.2.3', - }); - - // THEN - expect(stack2).toHaveResourceLike('AWS::CodeBuild::Project', { - Name: 'vpipe-selfupdate', - Source: { - BuildSpec: encodedJson(deepObjectLike({ - phases: { - install: { - commands: ['npm install -g aws-cdk@1.2.3'], - }, - }, - })), - }, - }); - }); -}); - -behavior('changing CLI version leads to a different pipeline structure (restarting it)', (suite) => { - suite.legacy(() => { - // GIVEN - const stack2 = new Stack(app, 'Stack2', { env: PIPELINE_ENV }); - const stack3 = new Stack(app, 'Stack3', { env: PIPELINE_ENV }); - const structure2 = Capture.anyType(); - const structure3 = Capture.anyType(); - - // WHEN - new TestGitHubNpmPipeline(stack2, 'Cdk', { - cdkCliVersion: '1.2.3', - }); - new TestGitHubNpmPipeline(stack3, 'Cdk', { - cdkCliVersion: '4.5.6', - }); - - // THEN - expect(stack2).toHaveResourceLike('AWS::CodePipeline::Pipeline', { - Stages: structure2.capture(), - }); - expect(stack3).toHaveResourceLike('AWS::CodePipeline::Pipeline', { - Stages: structure3.capture(), - }); - - expect(JSON.stringify(structure2.capturedValue)).not.toEqual(JSON.stringify(structure3.capturedValue)); - }); -}); - -behavior('add another action to an existing stage', (suite) => { - suite.legacy(() => { - // WHEN - pipeline.stage('Source').addAction(new cpa.GitHubSourceAction({ - actionName: 'GitHub2', - oauthToken: SecretValue.plainText('oops'), - output: new cp.Artifact(), - owner: 'OWNER', - repo: 'REPO', - })); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { - Stages: arrayWith({ - Name: 'Source', - Actions: [ - objectLike({ Name: 'GitHub' }), - objectLike({ Name: 'GitHub2' }), - ], - }), - }); - }); -}); - -behavior('tags get reflected in pipeline', (suite) => { - suite.legacy(() => { - // WHEN - const stage = new OneStackApp(app, 'App'); - Tags.of(stage).add('CostCenter', 'F00B4R'); - pipeline.addApplicationStage(stage); - - // THEN - const templateConfig = Capture.aString(); - expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { - Stages: arrayWith({ - Name: 'App', - Actions: arrayWith( - objectLike({ - Name: 'Stack.Prepare', - InputArtifacts: [objectLike({})], - Configuration: objectLike({ - StackName: 'App-Stack', - TemplateConfiguration: templateConfig.capture(stringLike('*::assembly-App/*.template.*json')), - }), - }), - ), - }), - }); - - const [, relConfigFile] = templateConfig.capturedValue.split('::'); - const absConfigFile = path.join(app.outdir, relConfigFile); - const configFile = JSON.parse(fs.readFileSync(absConfigFile, { encoding: 'utf-8' })); - expect(configFile).toEqual(expect.objectContaining({ - Tags: { - CostCenter: 'F00B4R', - }, - })); - }); -}); - -class OneStackApp extends Stage { - constructor(scope: Construct, id: string, props?: StageProps) { - super(scope, id, props); - new BucketStack(this, 'Stack'); - } -} - -class OneStackAppWithCustomName extends Stage { - constructor(scope: Construct, id: string, props?: StageProps) { - super(scope, id, props); - new BucketStack(this, 'Stack', { - stackName: 'MyFancyStack', - }); - } -} diff --git a/packages/@aws-cdk/pipelines/test/test-docker-asset/Dockerfile b/packages/@aws-cdk/pipelines/test/testhelpers/assets/test-docker-asset/Dockerfile similarity index 100% rename from packages/@aws-cdk/pipelines/test/test-docker-asset/Dockerfile rename to packages/@aws-cdk/pipelines/test/testhelpers/assets/test-docker-asset/Dockerfile diff --git a/packages/@aws-cdk/pipelines/test/test-file-asset-two.txt b/packages/@aws-cdk/pipelines/test/testhelpers/assets/test-file-asset-two.txt similarity index 100% rename from packages/@aws-cdk/pipelines/test/test-file-asset-two.txt rename to packages/@aws-cdk/pipelines/test/testhelpers/assets/test-file-asset-two.txt diff --git a/packages/@aws-cdk/pipelines/test/test-file-asset.txt b/packages/@aws-cdk/pipelines/test/testhelpers/assets/test-file-asset.txt similarity index 100% rename from packages/@aws-cdk/pipelines/test/test-file-asset.txt rename to packages/@aws-cdk/pipelines/test/testhelpers/assets/test-file-asset.txt diff --git a/packages/@aws-cdk/pipelines/test/helpers/compliance.ts b/packages/@aws-cdk/pipelines/test/testhelpers/compliance.ts similarity index 62% rename from packages/@aws-cdk/pipelines/test/helpers/compliance.ts rename to packages/@aws-cdk/pipelines/test/testhelpers/compliance.ts index a152c1ef87b10..bf6603d4753cb 100644 --- a/packages/@aws-cdk/pipelines/test/helpers/compliance.ts +++ b/packages/@aws-cdk/pipelines/test/testhelpers/compliance.ts @@ -4,54 +4,43 @@ interface SkippedSuite { modern(reason?: string): void; } -interface ParameterizedSuite { - legacy(fn: (arg: any) => void): void; - - modern(fn: (arg: any) => void): void; -} - interface Suite { readonly doesNotApply: SkippedSuite; - each(cases: any[]): ParameterizedSuite; - legacy(fn: () => void): void; modern(fn: () => void): void; + + additional(description: string, fn: () => void): void; } // eslint-disable-next-line jest/no-export export function behavior(name: string, cb: (suite: Suite) => void) { // 'describe()' adds a nice grouping in Jest describe(name, () => { - const unwritten = new Set(['modern', 'legacy']); + + function scratchOff(flavor: string) { + if (!unwritten.has(flavor)) { + throw new Error(`Already had test for ${flavor}. Use .additional() to add more tests.`); + } + unwritten.delete(flavor); + } + + cb({ - each: (cases: any[]) => { - return { - legacy: (testFn) => { - unwritten.delete('legacy'); - describe('legacy', () => { - test.each(cases)(name, testFn); - }); - }, - modern: (testFn) => { - unwritten.delete('modern'); - test.each(cases)('modern', testFn); - }, - }; - }, legacy: (testFn) => { - unwritten.delete('legacy'); + scratchOff('legacy'); test('legacy', testFn); }, modern: (testFn) => { - unwritten.delete('modern'); + scratchOff('modern'); test('modern', testFn); }, + additional: test, doesNotApply: { modern: (reason?: string) => { - unwritten.delete('modern'); + scratchOff('modern'); if (reason != null) { // eslint-disable-next-line jest/no-disabled-tests @@ -60,7 +49,7 @@ export function behavior(name: string, cb: (suite: Suite) => void) { }, legacy: (reason?: string) => { - unwritten.delete('legacy'); + scratchOff('legacy'); if (reason != null) { // eslint-disable-next-line jest/no-disabled-tests diff --git a/packages/@aws-cdk/pipelines/test/testhelpers/index.ts b/packages/@aws-cdk/pipelines/test/testhelpers/index.ts new file mode 100644 index 0000000000000..21ca108240f27 --- /dev/null +++ b/packages/@aws-cdk/pipelines/test/testhelpers/index.ts @@ -0,0 +1,5 @@ +export * from './compliance'; +export * from './legacy-pipeline'; +export * from './modern-pipeline'; +export * from './test-app'; +export * from './testmatchers'; \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/test/testhelpers/legacy-pipeline.ts b/packages/@aws-cdk/pipelines/test/testhelpers/legacy-pipeline.ts new file mode 100644 index 0000000000000..63ffec75b7188 --- /dev/null +++ b/packages/@aws-cdk/pipelines/test/testhelpers/legacy-pipeline.ts @@ -0,0 +1,48 @@ +import * as codepipeline from '@aws-cdk/aws-codepipeline'; +import * as codepipeline_actions from '@aws-cdk/aws-codepipeline-actions'; +import { SecretValue } from '@aws-cdk/core'; +import { Construct } from 'constructs'; +import * as cdkp from '../../lib'; + +export interface LegacyTestGitHubNpmPipelineExtraProps { + readonly sourceArtifact?: codepipeline.Artifact; + readonly npmSynthOptions?: Partial; +} + +export class LegacyTestGitHubNpmPipeline extends cdkp.CdkPipeline { + public readonly sourceArtifact: codepipeline.Artifact; + public readonly cloudAssemblyArtifact: codepipeline.Artifact; + + constructor(scope: Construct, id: string, props?: Partial & LegacyTestGitHubNpmPipelineExtraProps) { + const sourceArtifact = props?.sourceArtifact ?? new codepipeline.Artifact(); + const cloudAssemblyArtifact = props?.cloudAssemblyArtifact ?? new codepipeline.Artifact(); + + super(scope, id, { + sourceAction: new TestGitHubAction(sourceArtifact), + synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ + sourceArtifact, + cloudAssemblyArtifact, + ...props?.npmSynthOptions, + }), + cloudAssemblyArtifact, + ...props, + }); + + this.sourceArtifact = sourceArtifact; + this.cloudAssemblyArtifact = cloudAssemblyArtifact; + } +} + + +export class TestGitHubAction extends codepipeline_actions.GitHubSourceAction { + constructor(sourceArtifact: codepipeline.Artifact) { + super({ + actionName: 'GitHub', + output: sourceArtifact, + oauthToken: SecretValue.plainText('$3kr1t'), + owner: 'test', + repo: 'test', + trigger: codepipeline_actions.GitHubTrigger.POLL, + }); + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/test/testhelpers/modern-pipeline.ts b/packages/@aws-cdk/pipelines/test/testhelpers/modern-pipeline.ts new file mode 100644 index 0000000000000..b3e783ea8f569 --- /dev/null +++ b/packages/@aws-cdk/pipelines/test/testhelpers/modern-pipeline.ts @@ -0,0 +1,26 @@ +/* eslint-disable import/no-extraneous-dependencies */ +import { Construct } from 'constructs'; +import * as cdkp from '../../lib'; + +export type ModernTestGitHubNpmPipelineProps = Partial & Partial; + +export class ModernTestGitHubNpmPipeline extends cdkp.CodePipeline { + public readonly gitHubSource: cdkp.CodePipelineSource; + + constructor(scope: Construct, id: string, props?: ModernTestGitHubNpmPipelineProps) { + const source = cdkp.CodePipelineSource.gitHub('test/test', 'main'); + const synth = props?.synth ?? new cdkp.ShellStep('Synth', { + input: source, + installCommands: ['npm ci'], + commands: ['npx cdk synth'], + ...props, + }); + + super(scope, id, { + synth: synth, + ...props, + }); + + this.gitHubSource = source; + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/test/testhelpers/test-app.ts b/packages/@aws-cdk/pipelines/test/testhelpers/test-app.ts new file mode 100644 index 0000000000000..1f554b75e2623 --- /dev/null +++ b/packages/@aws-cdk/pipelines/test/testhelpers/test-app.ts @@ -0,0 +1,214 @@ +/* eslint-disable import/no-extraneous-dependencies */ +import '@aws-cdk/assert-internal/jest'; +import * as fs from 'fs'; +import * as path from 'path'; +import * as ecr_assets from '@aws-cdk/aws-ecr-assets'; +import * as s3 from '@aws-cdk/aws-s3'; +import * as s3_assets from '@aws-cdk/aws-s3-assets'; +import { App, AppProps, Environment, CfnOutput, Stage, StageProps, Stack, StackProps } from '@aws-cdk/core'; +import { Construct } from 'constructs'; +import { assemblyBuilderOf } from '../../lib/private/construct-internals'; + +export const PIPELINE_ENV: Environment = { + account: '123pipeline', + region: 'us-pipeline', +}; + +export class TestApp extends App { + constructor(props?: Partial) { + super({ + context: { + '@aws-cdk/core:newStyleStackSynthesis': '1', + }, + stackTraces: false, + autoSynth: false, + treeMetadata: false, + ...props, + }); + } + + public stackArtifact(stackName: string | Stack) { + if (typeof stackName !== 'string') { + stackName = stackName.stackName; + } + + this.synth(); + const supportStack = this.node.findAll().filter(Stack.isStack).find(s => s.stackName === stackName); + expect(supportStack).not.toBeUndefined(); + return supportStack; + } + + public cleanup() { + rimraf(assemblyBuilderOf(this).outdir); + } +} + + +export class OneStackApp extends Stage { + constructor(scope: Construct, id: string, props?: StageProps) { + super(scope, id, props); + + new BucketStack(this, 'Stack'); + } +} + +export class AppWithOutput extends Stage { + public readonly theOutput: CfnOutput; + + constructor(scope: Construct, id: string, props?: StageProps) { + super(scope, id, props); + + const stack = new BucketStack(this, 'Stack'); + this.theOutput = new CfnOutput(stack, 'MyOutput', { value: stack.bucket.bucketName }); + } +} + +export class TwoStackApp extends Stage { + constructor(scope: Construct, id: string, props?: StageProps) { + super(scope, id, props); + + const stack2 = new BucketStack(this, 'Stack2'); + const stack1 = new BucketStack(this, 'Stack1'); + + stack2.addDependency(stack1); + } +} + +/** + * Three stacks where the last one depends on the earlier 2 + */ +export class ThreeStackApp extends Stage { + constructor(scope: Construct, id: string, props?: StageProps) { + super(scope, id, props); + + const stack1 = new BucketStack(this, 'Stack1'); + const stack2 = new BucketStack(this, 'Stack2'); + const stack3 = new BucketStack(this, 'Stack3'); + + stack3.addDependency(stack1); + stack3.addDependency(stack2); + } +} + +/** + * A test stack + * + * It contains a single Bucket. Such robust. Much uptime. + */ +export class BucketStack extends Stack { + public readonly bucket: s3.IBucket; + + constructor(scope: Construct, id: string, props?: StackProps) { + super(scope, id, props); + this.bucket = new s3.Bucket(this, 'Bucket'); + } +} + + +/** + * rm -rf reimplementation, don't want to depend on an NPM package for this + */ +export function rimraf(fsPath: string) { + try { + const isDir = fs.lstatSync(fsPath).isDirectory(); + + if (isDir) { + for (const file of fs.readdirSync(fsPath)) { + rimraf(path.join(fsPath, file)); + } + fs.rmdirSync(fsPath); + } else { + fs.unlinkSync(fsPath); + } + } catch (e) { + // We will survive ENOENT + if (e.code !== 'ENOENT') { throw e; } + } +} + +export function stackTemplate(stack: Stack) { + const stage = Stage.of(stack); + if (!stage) { throw new Error('stack not in a Stage'); } + return stage.synth().getStackArtifact(stack.artifactId); +} + +export class StageWithStackOutput extends Stage { + public readonly output: CfnOutput; + + constructor(scope: Construct, id: string, props?: StageProps) { + super(scope, id, props); + const stack = new BucketStack(this, 'Stack'); + + this.output = new CfnOutput(stack, 'BucketName', { + value: stack.bucket.bucketName, + }); + } +} + +export class FileAssetApp extends Stage { + constructor(scope: Construct, id: string, props?: StageProps) { + super(scope, id, props); + const stack = new Stack(this, 'Stack'); + new s3_assets.Asset(stack, 'Asset', { + path: path.join(__dirname, 'assets', 'test-file-asset.txt'), + }); + } +} + +export class TwoFileAssetsApp extends Stage { + constructor(scope: Construct, id: string, props?: StageProps) { + super(scope, id, props); + const stack = new Stack(this, 'Stack'); + new s3_assets.Asset(stack, 'Asset1', { + path: path.join(__dirname, 'assets', 'test-file-asset.txt'), + }); + new s3_assets.Asset(stack, 'Asset2', { + path: path.join(__dirname, 'assets', 'test-file-asset-two.txt'), + }); + } +} + +export class DockerAssetApp extends Stage { + constructor(scope: Construct, id: string, props?: StageProps) { + super(scope, id, props); + const stack = new Stack(this, 'Stack'); + new ecr_assets.DockerImageAsset(stack, 'Asset', { + directory: path.join(__dirname, 'assets', 'test-docker-asset'), + }); + } +} + +export interface MegaAssetsAppProps extends StageProps { + readonly numAssets: number; +} + +// Creates a mix of file and image assets, up to a specified count +export class MegaAssetsApp extends Stage { + constructor(scope: Construct, id: string, props: MegaAssetsAppProps) { + super(scope, id, props); + const stack = new Stack(this, 'Stack'); + + let assetCount = 0; + for (; assetCount < props.numAssets / 2; assetCount++) { + new s3_assets.Asset(stack, `Asset${assetCount}`, { + path: path.join(__dirname, 'assets', 'test-file-asset.txt'), + assetHash: `FileAsset${assetCount}`, + }); + } + for (; assetCount < props.numAssets; assetCount++) { + new ecr_assets.DockerImageAsset(stack, `Asset${assetCount}`, { + directory: path.join(__dirname, 'assets', 'test-docker-asset'), + extraHash: `FileAsset${assetCount}`, + }); + } + } +} + +export class PlainStackApp extends Stage { + constructor(scope: Construct, id: string, props?: StageProps) { + super(scope, id, props); + new BucketStack(this, 'Stack'); + } +} + + diff --git a/packages/@aws-cdk/pipelines/test/testmatchers.ts b/packages/@aws-cdk/pipelines/test/testhelpers/testmatchers.ts similarity index 61% rename from packages/@aws-cdk/pipelines/test/testmatchers.ts rename to packages/@aws-cdk/pipelines/test/testhelpers/testmatchers.ts index 90b31fb133fd4..8faa855b71abf 100644 --- a/packages/@aws-cdk/pipelines/test/testmatchers.ts +++ b/packages/@aws-cdk/pipelines/test/testhelpers/testmatchers.ts @@ -1,3 +1,4 @@ +/* eslint-disable import/no-extraneous-dependencies */ import { annotateMatcher, InspectionFailure, matcherFrom, PropertyMatcher } from '@aws-cdk/assert-internal'; /** @@ -22,4 +23,20 @@ export function sortedByRunOrder(matcher: any): PropertyMatcher { return matcherFrom(matcher)(value, failure); }); +} + +export function stringNoLongerThan(length: number): PropertyMatcher { + return annotateMatcher({ $stringIsNoLongerThan: length }, (value: any, failure: InspectionFailure) => { + if (typeof value !== 'string') { + failure.failureReason = `Expected a string, but got '${typeof value}'`; + return false; + } + + if (value.length > length) { + failure.failureReason = `String is ${value.length} characters long. Expected at most ${length} characters`; + return false; + } + + return true; + }); } \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/test/testutil.ts b/packages/@aws-cdk/pipelines/test/testutil.ts deleted file mode 100644 index e654299d85182..0000000000000 --- a/packages/@aws-cdk/pipelines/test/testutil.ts +++ /dev/null @@ -1,136 +0,0 @@ -import * as fs from 'fs'; -import * as path from 'path'; -import { annotateMatcher, InspectionFailure, PropertyMatcher } from '@aws-cdk/assert-internal'; -import * as codepipeline from '@aws-cdk/aws-codepipeline'; -import * as codepipeline_actions from '@aws-cdk/aws-codepipeline-actions'; -import * as s3 from '@aws-cdk/aws-s3'; -import { App, AppProps, Environment, SecretValue, Stack, StackProps, Stage } from '@aws-cdk/core'; -import { Construct } from 'constructs'; -import * as cdkp from '../lib'; -import { assemblyBuilderOf } from '../lib/private/construct-internals'; - -export const PIPELINE_ENV: Environment = { - account: '123pipeline', - region: 'us-pipeline', -}; - -export class TestApp extends App { - constructor(props?: Partial) { - super({ - context: { - '@aws-cdk/core:newStyleStackSynthesis': '1', - }, - stackTraces: false, - autoSynth: false, - treeMetadata: false, - ...props, - }); - } - - public cleanup() { - rimraf(assemblyBuilderOf(this).outdir); - } -} - -export interface TestGitHubNpmPipelineExtraProps { - readonly sourceArtifact?: codepipeline.Artifact; - readonly npmSynthOptions?: Partial; -} - -export class TestGitHubNpmPipeline extends cdkp.CdkPipeline { - public readonly sourceArtifact: codepipeline.Artifact; - public readonly cloudAssemblyArtifact: codepipeline.Artifact; - - constructor(scope: Construct, id: string, props?: Partial & TestGitHubNpmPipelineExtraProps ) { - const sourceArtifact = props?.sourceArtifact ?? new codepipeline.Artifact(); - const cloudAssemblyArtifact = props?.cloudAssemblyArtifact ?? new codepipeline.Artifact(); - - super(scope, id, { - sourceAction: new TestGitHubAction(sourceArtifact), - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - ...props?.npmSynthOptions, - }), - cloudAssemblyArtifact, - ...props, - }); - - this.sourceArtifact = sourceArtifact; - this.cloudAssemblyArtifact = cloudAssemblyArtifact; - } -} - - -export class TestGitHubAction extends codepipeline_actions.GitHubSourceAction { - constructor(sourceArtifact: codepipeline.Artifact) { - super({ - actionName: 'GitHub', - output: sourceArtifact, - oauthToken: SecretValue.plainText('$3kr1t'), - owner: 'test', - repo: 'test', - trigger: codepipeline_actions.GitHubTrigger.POLL, - }); - } -} - -/** - * A test stack - * - * It contains a single Bucket. Such robust. Much uptime. - */ -export class BucketStack extends Stack { - public readonly bucket: s3.IBucket; - - constructor(scope: Construct, id: string, props?: StackProps) { - super(scope, id, props); - this.bucket = new s3.Bucket(this, 'Bucket'); - } -} - -/** - * rm -rf reimplementation, don't want to depend on an NPM package for this - */ -export function rimraf(fsPath: string) { - try { - const isDir = fs.lstatSync(fsPath).isDirectory(); - - if (isDir) { - for (const file of fs.readdirSync(fsPath)) { - rimraf(path.join(fsPath, file)); - } - fs.rmdirSync(fsPath); - } else { - fs.unlinkSync(fsPath); - } - } catch (e) { - // We will survive ENOENT - if (e.code !== 'ENOENT') { throw e; } - } -} - -/** - * Because 'expect(stack)' doesn't work correctly for stacks in nested assemblies - */ -export function stackTemplate(stack: Stack) { - const stage = Stage.of(stack); - if (!stage) { throw new Error('stack not in a Stage'); } - return stage.synth().getStackArtifact(stack.artifactId); -} - -export function stringNoLongerThan(length: number): PropertyMatcher { - return annotateMatcher({ $stringIsNoLongerThan: length }, (value: any, failure: InspectionFailure) => { - if (typeof value !== 'string') { - failure.failureReason = `Expected a string, but got '${typeof value}'`; - return false; - } - - if (value.length > length) { - failure.failureReason = `String is ${value.length} characters long. Expected at most ${length} characters`; - return false; - } - - return true; - }); -} diff --git a/packages/@aws-cdk/pipelines/test/validation.test.ts b/packages/@aws-cdk/pipelines/test/validation.test.ts deleted file mode 100644 index a75431e63266a..0000000000000 --- a/packages/@aws-cdk/pipelines/test/validation.test.ts +++ /dev/null @@ -1,497 +0,0 @@ -import { anything, arrayWith, deepObjectLike, encodedJson, objectLike } from '@aws-cdk/assert-internal'; -import '@aws-cdk/assert-internal/jest'; -import * as codebuild from '@aws-cdk/aws-codebuild'; -import * as codepipeline from '@aws-cdk/aws-codepipeline'; -import * as ec2 from '@aws-cdk/aws-ec2'; -import * as iam from '@aws-cdk/aws-iam'; -import * as s3 from '@aws-cdk/aws-s3'; -import { CfnOutput, Stack, Stage, StageProps } from '@aws-cdk/core'; -import { Construct } from 'constructs'; -import * as cdkp from '../lib'; -import { } from './testmatchers'; -import { behavior } from './helpers/compliance'; -import { BucketStack, PIPELINE_ENV, stringNoLongerThan, TestApp, TestGitHubNpmPipeline } from './testutil'; - -let app: TestApp; -let pipelineStack: Stack; -let pipeline: cdkp.CdkPipeline; -let sourceArtifact: codepipeline.Artifact; -let cloudAssemblyArtifact: codepipeline.Artifact; -let integTestArtifact: codepipeline.Artifact; - -beforeEach(() => { - app = new TestApp(); - pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); - sourceArtifact = new codepipeline.Artifact(); - cloudAssemblyArtifact = new codepipeline.Artifact('CloudAsm'); - integTestArtifact = new codepipeline.Artifact('IntegTests'); - pipeline = new TestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - additionalArtifacts: [{ directory: 'test', artifact: integTestArtifact }], - }), - }); -}); - -afterEach(() => { - app.cleanup(); -}); - -behavior('stackOutput generates names limited to 100 characters', (suite) => { - suite.legacy(() => { - const stage = new AppWithStackOutput(app, 'APreposterouslyLongAndComplicatedNameMadeUpJustToMakeItExceedTheLimitDefinedByCodeBuild'); - const pipeStage = pipeline.addApplicationStage(stage); - pipeStage.addActions(new cdkp.ShellScriptAction({ - actionName: 'TestOutput', - useOutputs: { - BUCKET_NAME: pipeline.stackOutput(stage.output), - }, - commands: ['echo $BUCKET_NAME'], - })); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { - Stages: arrayWith({ - Name: 'APreposterouslyLongAndComplicatedNameMadeUpJustToMakeItExceedTheLimitDefinedByCodeBuild', - Actions: arrayWith( - deepObjectLike({ - Name: 'Stack.Deploy', - OutputArtifacts: [{ Name: stringNoLongerThan(100) }], - Configuration: { - OutputFileName: 'outputs.json', - }, - }), - deepObjectLike({ - ActionTypeId: { - Provider: 'CodeBuild', - }, - Configuration: { - ProjectName: anything(), - }, - InputArtifacts: [{ Name: stringNoLongerThan(100) }], - Name: 'TestOutput', - }), - ), - }), - }); - }); -}); - -behavior('can use stack outputs as validation inputs', (suite) => { - suite.legacy(() => { - // GIVEN - const stage = new AppWithStackOutput(app, 'MyApp'); - - // WHEN - const pipeStage = pipeline.addApplicationStage(stage); - pipeStage.addActions(new cdkp.ShellScriptAction({ - actionName: 'TestOutput', - useOutputs: { - BUCKET_NAME: pipeline.stackOutput(stage.output), - }, - commands: ['echo $BUCKET_NAME'], - })); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { - Stages: arrayWith({ - Name: 'MyApp', - Actions: arrayWith( - deepObjectLike({ - Name: 'Stack.Deploy', - OutputArtifacts: [{ Name: anything() }], - Configuration: { - OutputFileName: 'outputs.json', - }, - }), - deepObjectLike({ - ActionTypeId: { - Provider: 'CodeBuild', - }, - Configuration: { - ProjectName: anything(), - }, - InputArtifacts: [{ Name: anything() }], - Name: 'TestOutput', - }), - ), - }), - }); - - expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { - Environment: { - Image: 'aws/codebuild/standard:5.0', - }, - Source: { - BuildSpec: encodedJson(deepObjectLike({ - phases: { - build: { - commands: [ - 'set -eu', - 'export BUCKET_NAME="$(node -pe \'require(process.env.CODEBUILD_SRC_DIR + "/outputs.json")["BucketName"]\')"', - 'echo $BUCKET_NAME', - ], - }, - }, - })), - Type: 'CODEPIPELINE', - }, - }); - }); -}); - -behavior('can use additional files from source', (suite) => { - suite.legacy(() => { - // WHEN - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ - actionName: 'UseSources', - additionalArtifacts: [sourceArtifact], - commands: ['true'], - })); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { - Stages: arrayWith({ - Name: 'Test', - Actions: [ - deepObjectLike({ - Name: 'UseSources', - InputArtifacts: [{ Name: 'Artifact_Source_GitHub' }], - }), - ], - }), - }); - expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { - Environment: { - Image: 'aws/codebuild/standard:5.0', - }, - Source: { - BuildSpec: encodedJson(deepObjectLike({ - phases: { - build: { - commands: [ - 'set -eu', - 'true', - ], - }, - }, - })), - }, - }); - }); -}); - -behavior('can use additional files from build', (suite) => { - suite.legacy(() => { - // WHEN - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ - actionName: 'UseBuildArtifact', - additionalArtifacts: [integTestArtifact], - commands: ['true'], - })); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { - Stages: arrayWith({ - Name: 'Test', - Actions: [ - deepObjectLike({ - Name: 'UseBuildArtifact', - InputArtifacts: [{ Name: 'IntegTests' }], - }), - ], - }), - }); - expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { - Environment: { - Image: 'aws/codebuild/standard:5.0', - }, - Source: { - BuildSpec: encodedJson(deepObjectLike({ - phases: { - build: { - commands: [ - 'set -eu', - 'true', - ], - }, - }, - })), - }, - }); - }); -}); - -behavior('add policy statements to ShellScriptAction', (suite) => { - suite.legacy(() => { - // WHEN - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ - actionName: 'Boop', - additionalArtifacts: [integTestArtifact], - commands: ['true'], - rolePolicyStatements: [ - new iam.PolicyStatement({ - actions: ['s3:Banana'], - resources: ['*'], - }), - ], - })); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::IAM::Policy', { - PolicyDocument: { - Statement: arrayWith(deepObjectLike({ - Action: 's3:Banana', - Resource: '*', - })), - }, - }); - }); -}); - -behavior('ShellScriptAction is IGrantable', (suite) => { - suite.legacy(() => { - // GIVEN - const action = new cdkp.ShellScriptAction({ - actionName: 'Boop', - additionalArtifacts: [integTestArtifact], - commands: ['true'], - }); - pipeline.addStage('Test').addActions(action); - const bucket = new s3.Bucket(pipelineStack, 'Bucket'); - - // WHEN - bucket.grantRead(action); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::IAM::Policy', { - PolicyDocument: { - Statement: arrayWith(deepObjectLike({ - Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], - })), - }, - }); - }); -}); - -behavior('run ShellScriptAction in a VPC', (suite) => { - suite.legacy(() => { - // WHEN - const vpc = new ec2.Vpc(pipelineStack, 'VPC'); - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ - vpc, - actionName: 'VpcAction', - additionalArtifacts: [integTestArtifact], - commands: ['true'], - })); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { - Stages: arrayWith({ - Name: 'Test', - Actions: [ - deepObjectLike({ - Name: 'VpcAction', - InputArtifacts: [{ Name: 'IntegTests' }], - }), - ], - }), - }); - expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { - Environment: { - Image: 'aws/codebuild/standard:5.0', - }, - VpcConfig: { - SecurityGroupIds: [ - { - 'Fn::GetAtt': [ - 'CdkPipelineTestVpcActionProjectSecurityGroupBA94D315', - 'GroupId', - ], - }, - ], - Subnets: [ - { - Ref: 'VPCPrivateSubnet1Subnet8BCA10E0', - }, - { - Ref: 'VPCPrivateSubnet2SubnetCFCDAA7A', - }, - { - Ref: 'VPCPrivateSubnet3Subnet3EDCD457', - }, - ], - VpcId: { - Ref: 'VPCB9E5F0B4', - }, - }, - Source: { - BuildSpec: encodedJson(deepObjectLike({ - phases: { - build: { - commands: [ - 'set -eu', - 'true', - ], - }, - }, - })), - }, - }); - }); -}); - -behavior('run ShellScriptAction with Security Group', (suite) => { - suite.legacy(() => { - // WHEN - const vpc = new ec2.Vpc(pipelineStack, 'VPC'); - const sg = new ec2.SecurityGroup(pipelineStack, 'SG', { vpc }); - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ - vpc, - securityGroups: [sg], - actionName: 'sgAction', - additionalArtifacts: [integTestArtifact], - commands: ['true'], - })); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { - Stages: arrayWith({ - Name: 'Test', - Actions: [ - deepObjectLike({ - Name: 'sgAction', - }), - ], - }), - }); - expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { - VpcConfig: { - SecurityGroupIds: [ - { - 'Fn::GetAtt': [ - 'SGADB53937', - 'GroupId', - ], - }, - ], - VpcId: { - Ref: 'VPCB9E5F0B4', - }, - }, - }); - }); -}); - -behavior('run ShellScriptAction with specified codebuild image', (suite) => { - suite.legacy(() => { - // WHEN - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ - actionName: 'imageAction', - additionalArtifacts: [integTestArtifact], - commands: ['true'], - environment: { buildImage: codebuild.LinuxBuildImage.STANDARD_2_0 }, - })); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { - Stages: arrayWith({ - Name: 'Test', - Actions: [ - deepObjectLike({ - Name: 'imageAction', - }), - ], - }), - }); - expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { - Environment: { - Image: 'aws/codebuild/standard:2.0', - }, - }); - }); -}); - -behavior('run ShellScriptAction with specified BuildEnvironment', (suite) => { - suite.legacy(() => { - // WHEN - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ - actionName: 'imageAction', - additionalArtifacts: [integTestArtifact], - commands: ['true'], - environment: { - buildImage: codebuild.LinuxBuildImage.STANDARD_2_0, - computeType: codebuild.ComputeType.LARGE, - environmentVariables: { FOO: { value: 'BAR', type: codebuild.BuildEnvironmentVariableType.PLAINTEXT } }, - privileged: true, - }, - })); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', { - Environment: { - Image: 'aws/codebuild/standard:2.0', - PrivilegedMode: true, - ComputeType: 'BUILD_GENERAL1_LARGE', - EnvironmentVariables: [ - { - Type: 'PLAINTEXT', - Value: 'BAR', - Name: 'FOO', - }, - ], - }, - }); - }); -}); - -behavior('run ShellScriptAction with specified environment variables', (suite) => { - suite.legacy(() => { - // WHEN - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ - actionName: 'imageAction', - additionalArtifacts: [integTestArtifact], - commands: ['true'], - environmentVariables: { - VERSION: { value: codepipeline.GlobalVariables.executionId }, - }, - })); - - // THEN - expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', { - Stages: arrayWith({ - Name: 'Test', - Actions: [ - objectLike({ - Name: 'imageAction', - Configuration: objectLike({ - EnvironmentVariables: encodedJson([ - { - name: 'VERSION', - type: 'PLAINTEXT', - value: '#{codepipeline.PipelineExecutionId}', - }, - ]), - }), - }), - ], - }), - }); - }); -}); - -class AppWithStackOutput extends Stage { - public readonly output: CfnOutput; - - constructor(scope: Construct, id: string, props?: StageProps) { - super(scope, id, props); - const stack = new BucketStack(this, 'Stack'); - - this.output = new CfnOutput(stack, 'BucketName', { - value: stack.bucket.bucketName, - }); - } -} \ No newline at end of file diff --git a/scripts/best b/scripts/best new file mode 100755 index 0000000000000..e0d540a96a28f --- /dev/null +++ b/scripts/best @@ -0,0 +1,4 @@ +#!/bin/bash +# Run jest with the fail-fast plugin +scriptdir=$(cd $(dirname $0) && pwd) +exec $scriptdir/../tools/cdk-build-tools/node_modules/.bin/jest --setupFilesAfterEnv $scriptdir/jest-fail-fast-setup.js -- "$@" \ No newline at end of file diff --git a/scripts/jest-fail-fast-setup.js b/scripts/jest-fail-fast-setup.js new file mode 100644 index 0000000000000..85a77dd84ff74 --- /dev/null +++ b/scripts/jest-fail-fast-setup.js @@ -0,0 +1,4 @@ +// Run `jest --setupFilesAfterEnv path/to/jest-fail-fast-setup.js --` to stop after the first failing test +// Use the `best` script in this directory for convenience. +const failFast = require('jasmine-fail-fast'); +jasmine.getEnv().addReporter(failFast.init()); \ No newline at end of file diff --git a/scripts/print-construct-tree.py b/scripts/print-construct-tree.py new file mode 100755 index 0000000000000..447c3e66f60e9 --- /dev/null +++ b/scripts/print-construct-tree.py @@ -0,0 +1,45 @@ +#!/usr/bin/env python +"""Print the construct tree from a cdk.out directory.""" +import sys +import argparse +from os import path +import json + + +def main(): + dirname = sys.argv[1] + parser = argparse.ArgumentParser(description='Print the construct tree from a cdk.out directory') + parser.add_argument('dir', metavar='DIR', type=str, nargs=1, default='cdk.out', + help='cdk.out directory') + + args = parser.parse_args() + print_tree_file(path.join(args.dir[0], 'tree.json')) + + +def print_tree_file(tree_file_name): + with open(tree_file_name, 'r') as f: + contents = json.load(f) + print_tree(contents) + + +def print_tree(tree_file): + print_node(tree_file['tree']) + + +def print_node(node, prefix_here='', prefix_children=''): + info = [] + cfn_type = node.get('attributes', {}).get('aws:cdk:cloudformation:type') + if cfn_type: + info.append(cfn_type) + + print(prefix_here + node['id'] + ((' (' + ', '.join(info) + ')') if info else '')) + children = list(node.get('children', {}).values()) + for i, child in enumerate(children): + if i < len(children) - 1: + print_node(child, prefix_children + ' ├─ ', prefix_children + ' │ ') + else: + print_node(child, prefix_children + ' └─ ', prefix_children + ' ') + + +if __name__ == '__main__': + main()