From 69f4b8d6560a293059b9e527be1fac6d1c70c971 Mon Sep 17 00:00:00 2001 From: Michael Sambol Date: Tue, 30 Jan 2024 10:47:08 -0800 Subject: [PATCH] feat(app-staging-synthesizer-alpha): encryption type for staging bucket (#28903) Closes #28815. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../app-staging-synthesizer-alpha/README.md | 16 + .../lib/default-staging-stack.ts | 21 +- .../test/app-staging-synthesizer.test.ts | 53 +- ...-resourcesmax-ACCOUNT-REGION.template.json | 362 +++++++++++++ .../cdk.out | 1 + .../integ.json | 13 + ...efaultTestDeployAssert44C8D370.assets.json | 19 + ...aultTestDeployAssert44C8D370.template.json | 36 ++ .../manifest.json | 148 +++++ .../synthesize-default-encryption.assets.json | 19 + ...ynthesize-default-encryption.template.json | 1 + .../tree.json | 511 ++++++++++++++++++ .../test/integ.synth-default-encryption.ts | 29 + 13 files changed, 1223 insertions(+), 6 deletions(-) create mode 100644 packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json create mode 100644 packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/cdk.out create mode 100644 packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integ.json create mode 100644 packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json create mode 100644 packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.template.json create mode 100644 packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/manifest.json create mode 100644 packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/synthesize-default-encryption.assets.json create mode 100644 packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/synthesize-default-encryption.template.json create mode 100644 packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/tree.json create mode 100644 packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.ts diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md b/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md index ab4fca8e865cb..6b430868f9865 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/README.md @@ -265,6 +265,22 @@ const app = new App({ }); ``` +### Staging Bucket Encryption + +By default, the staging resources will be stored in an S3 Bucket with KMS encryption. To use +SSE-S3, set `stagingBucketEncryption` to `BucketEncryption.S3_MANAGED`. + +```ts +import { BucketEncryption } from 'aws-cdk-lib/aws-s3'; + +const app = new App({ + defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ + appId: 'my-app-id', + stagingBucketEncryption: BucketEncryption.S3_MANAGED, + }), +}); +``` + ## Using a Custom Staging Stack per Environment If you want to customize some behavior that is not configurable via properties, diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts b/packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts index b76b36fee7f5b..70d5cfd65fbe3 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts @@ -61,6 +61,13 @@ export interface DefaultStagingStackOptions { */ readonly stagingBucketName?: string; + /** + * Encryption type for staging bucket + * + * @default - s3.BucketEncryption.KMS + */ + readonly stagingBucketEncryption?: s3.BucketEncryption; + /** * Pass in an existing role to be used as the file publishing role. * @@ -219,6 +226,7 @@ export class DefaultStagingStack extends Stack implements IStagingResources { private readonly appId: string; private readonly stagingBucketName?: string; + private stagingBucketEncryption?: s3.BucketEncryption; /** * File publish role ARN in asset manifest format @@ -259,6 +267,7 @@ export class DefaultStagingStack extends Stack implements IStagingResources { this.deployRoleArn = props.deployRoleArn; this.stagingBucketName = props.stagingBucketName; + this.stagingBucketEncryption = props.stagingBucketEncryption; const specializer = new StringSpecializer(this, props.qualifier); this.providedFileRole = props.fileAssetPublishingRole?._specialize(specializer); @@ -358,7 +367,15 @@ export class DefaultStagingStack extends Stack implements IStagingResources { } this.ensureFileRole(); - const key = this.createBucketKey(); + + let key = undefined; + if (this.stagingBucketEncryption === s3.BucketEncryption.KMS || this.stagingBucketEncryption === undefined) { + if (this.stagingBucketEncryption === undefined) { + // default is KMS as an AWS best practice, and for backwards compatibility + this.stagingBucketEncryption = s3.BucketEncryption.KMS; + } + key = this.createBucketKey(); + } // Create the bucket once the dependencies have been created const bucket = new s3.Bucket(this, bucketId, { @@ -369,7 +386,7 @@ export class DefaultStagingStack extends Stack implements IStagingResources { } : { removalPolicy: RemovalPolicy.RETAIN, }), - encryption: s3.BucketEncryption.KMS, + encryption: this.stagingBucketEncryption, encryptionKey: key, // Many AWS account safety checkers will complain when buckets aren't versioned diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/app-staging-synthesizer.test.ts b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/app-staging-synthesizer.test.ts index c3a8d96299b8b..9b0b502a967b1 100644 --- a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/app-staging-synthesizer.test.ts +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/app-staging-synthesizer.test.ts @@ -3,6 +3,7 @@ import * as path from 'path'; import { App, Stack, CfnResource, FileAssetPackaging, Token, Lazy, Duration } from 'aws-cdk-lib'; import { Match, Template } from 'aws-cdk-lib/assertions'; import * as lambda from 'aws-cdk-lib/aws-lambda'; +import { BucketEncryption } from 'aws-cdk-lib/aws-s3'; import * as cxschema from 'aws-cdk-lib/cloud-assembly-schema'; import { CloudAssembly } from 'aws-cdk-lib/cx-api'; import { evaluateCFN } from './evaluate-cfn'; @@ -257,7 +258,7 @@ describe(AppStagingSynthesizer, () => { stack = new Stack(app, 'Stack', { env: { account: '000000000000', - region: 'us-west-2', + region: 'us-east-1', }, }); new CfnResource(stack, 'Resource', { @@ -268,9 +269,7 @@ describe(AppStagingSynthesizer, () => { const asm = app.synth(); // THEN - const stagingStackArtifact = asm.getStackArtifact(`StagingStack-${APP_ID}-000000000000-us-west-2`); - - Template.fromJSON(stagingStackArtifact.template).hasResourceProperties('AWS::S3::Bucket', { + Template.fromJSON(getStagingResourceStack(asm).template).hasResourceProperties('AWS::S3::Bucket', { LifecycleConfiguration: { Rules: Match.arrayWith([{ ExpirationInDays: 1, @@ -278,6 +277,52 @@ describe(AppStagingSynthesizer, () => { Status: 'Enabled', }]), }, + // When stagingBucketEncryption is not specified, it should be KMS for backwards compatibility + BucketEncryption: { + ServerSideEncryptionConfiguration: [ + { + ServerSideEncryptionByDefault: { + SSEAlgorithm: 'aws:kms', + }, + }, + ], + }, + }); + }); + + test('staging bucket with SSE-S3 encryption', () => { + // GIVEN + app = new App({ + defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({ + appId: APP_ID, + deployTimeFileAssetLifetime: Duration.days(1), + stagingBucketEncryption: BucketEncryption.S3_MANAGED, + }), + }); + stack = new Stack(app, 'Stack', { + env: { + account: '000000000000', + region: 'us-east-1', + }, + }); + new CfnResource(stack, 'Resource', { + type: 'Some::Resource', + }); + + // WHEN + const asm = app.synth(); + + // THEN + Template.fromJSON(getStagingResourceStack(asm).template).hasResourceProperties('AWS::S3::Bucket', { + BucketEncryption: { + ServerSideEncryptionConfiguration: [ + { + ServerSideEncryptionByDefault: { + SSEAlgorithm: 'AES256', + }, + }, + ], + }, }); }); }); diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json new file mode 100644 index 0000000000000..94b5eb207a2e0 --- /dev/null +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json @@ -0,0 +1,362 @@ +{ + "Description": "This stack includes resources needed to deploy the AWS CDK app default-resourcesmax into this environment", + "Resources": { + "CdkFileRoleE26CEABA": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + } + } + ], + "Version": "2012-10-17" + }, + "RoleName": { + "Fn::Join": [ + "", + [ + "cdk-default-resourcesmax-file-role-", + { + "Ref": "AWS::Region" + } + ] + ] + } + } + }, + "CdkFileRoleDefaultPolicy621C7E5B": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:Abort*", + "s3:DeleteObject*", + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*", + "s3:PutObject", + "s3:PutObjectLegalHold", + "s3:PutObjectRetention", + "s3:PutObjectTagging", + "s3:PutObjectVersionTagging" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "CdkStagingBucket1636058C", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "CdkStagingBucket1636058C", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "CdkFileRoleDefaultPolicy621C7E5B", + "Roles": [ + { + "Ref": "CdkFileRoleE26CEABA" + } + ] + } + }, + "CdkStagingBucket1636058C": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "BucketName": { + "Fn::Join": [ + "", + [ + "cdk-default-resourcesmax-staging-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "LifecycleConfiguration": { + "Rules": [ + { + "NoncurrentVersionExpiration": { + "NoncurrentDays": 365 + }, + "Status": "Enabled" + }, + { + "ExpirationInDays": 30, + "Prefix": "deploy-time/", + "Status": "Enabled" + } + ] + }, + "VersioningConfiguration": { + "Status": "Enabled" + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "CdkStagingBucketPolicy42BD1F92": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "CdkStagingBucket1636058C" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "CdkStagingBucket1636058C", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "CdkStagingBucket1636058C", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, + { + "Action": [ + "s3:DeleteObject*", + "s3:GetBucket*", + "s3:List*", + "s3:PutBucketPolicy" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", + "Arn" + ] + } + }, + "Resource": [ + { + "Fn::GetAtt": [ + "CdkStagingBucket1636058C", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "CdkStagingBucket1636058C", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, + { + "Action": [ + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + } + }, + "Resource": [ + { + "Fn::GetAtt": [ + "CdkStagingBucket1636058C", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "CdkStagingBucket1636058C", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + } + } + }, + "CdkStagingBucketAutoDeleteObjectsCustomResource800E998D": { + "Type": "Custom::S3AutoDeleteObjects", + "Properties": { + "ServiceToken": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", + "Arn" + ] + }, + "BucketName": { + "Ref": "CdkStagingBucket1636058C" + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ] + }, + "ManagedPolicyArns": [ + { + "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + } + ] + } + }, + "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "ZipFile": "\"use strict\";var C=Object.create;var i=Object.defineProperty;var I=Object.getOwnPropertyDescriptor;var w=Object.getOwnPropertyNames;var P=Object.getPrototypeOf,A=Object.prototype.hasOwnProperty;var L=(e,t)=>{for(var o in t)i(e,o,{get:t[o],enumerable:!0})},d=(e,t,o,r)=>{if(t&&typeof t==\"object\"||typeof t==\"function\")for(let s of w(t))!A.call(e,s)&&s!==o&&i(e,s,{get:()=>t[s],enumerable:!(r=I(t,s))||r.enumerable});return e};var l=(e,t,o)=>(o=e!=null?C(P(e)):{},d(t||!e||!e.__esModule?i(o,\"default\",{value:e,enumerable:!0}):o,e)),k=e=>d(i({},\"__esModule\",{value:!0}),e);var U={};L(U,{autoDeleteHandler:()=>S,handler:()=>_});module.exports=k(U);var h=require(\"@aws-sdk/client-s3\");var y=l(require(\"https\")),m=l(require(\"url\")),a={sendHttpRequest:T,log:b,includeStackTraces:!0,userHandlerIndex:\"./index\"},p=\"AWSCDK::CustomResourceProviderFramework::CREATE_FAILED\",B=\"AWSCDK::CustomResourceProviderFramework::MISSING_PHYSICAL_ID\";function R(e){return async(t,o)=>{let r={...t,ResponseURL:\"...\"};if(a.log(JSON.stringify(r,void 0,2)),t.RequestType===\"Delete\"&&t.PhysicalResourceId===p){a.log(\"ignoring DELETE event caused by a failed CREATE event\"),await u(\"SUCCESS\",t);return}try{let s=await e(r,o),n=D(t,s);await u(\"SUCCESS\",n)}catch(s){let n={...t,Reason:a.includeStackTraces?s.stack:s.message};n.PhysicalResourceId||(t.RequestType===\"Create\"?(a.log(\"CREATE failed, responding with a marker physical resource id so that the subsequent DELETE will be ignored\"),n.PhysicalResourceId=p):a.log(`ERROR: Malformed event. \"PhysicalResourceId\" is required: ${JSON.stringify(t)}`)),await u(\"FAILED\",n)}}}function D(e,t={}){let o=t.PhysicalResourceId??e.PhysicalResourceId??e.RequestId;if(e.RequestType===\"Delete\"&&o!==e.PhysicalResourceId)throw new Error(`DELETE: cannot change the physical resource ID from \"${e.PhysicalResourceId}\" to \"${t.PhysicalResourceId}\" during deletion`);return{...e,...t,PhysicalResourceId:o}}async function u(e,t){let o={Status:e,Reason:t.Reason??e,StackId:t.StackId,RequestId:t.RequestId,PhysicalResourceId:t.PhysicalResourceId||B,LogicalResourceId:t.LogicalResourceId,NoEcho:t.NoEcho,Data:t.Data};a.log(\"submit response to cloudformation\",o);let r=JSON.stringify(o),s=m.parse(t.ResponseURL),n={hostname:s.hostname,path:s.path,method:\"PUT\",headers:{\"content-type\":\"\",\"content-length\":Buffer.byteLength(r,\"utf8\")}};await O({attempts:5,sleep:1e3},a.sendHttpRequest)(n,r)}async function T(e,t){return new Promise((o,r)=>{try{let s=y.request(e,n=>o());s.on(\"error\",r),s.write(t),s.end()}catch(s){r(s)}})}function b(e,...t){console.log(e,...t)}function O(e,t){return async(...o)=>{let r=e.attempts,s=e.sleep;for(;;)try{return await t(...o)}catch(n){if(r--<=0)throw n;await x(Math.floor(Math.random()*s)),s*=2}}}async function x(e){return new Promise(t=>setTimeout(t,e))}var g=\"aws-cdk:auto-delete-objects\",H=JSON.stringify({Version:\"2012-10-17\",Statement:[]}),c=new h.S3({}),_=R(S);async function S(e){switch(e.RequestType){case\"Create\":return;case\"Update\":return F(e);case\"Delete\":return f(e.ResourceProperties?.BucketName)}}async function F(e){let t=e,o=t.OldResourceProperties?.BucketName,r=t.ResourceProperties?.BucketName;if(r!=null&&o!=null&&r!==o)return f(o)}async function N(e){try{let t=(await c.getBucketPolicy({Bucket:e}))?.Policy??H,o=JSON.parse(t);o.Statement.push({Principal:\"*\",Effect:\"Deny\",Action:[\"s3:PutObject\"],Resource:[`arn:aws:s3:::${e}/*`]}),await c.putBucketPolicy({Bucket:e,Policy:JSON.stringify(o)})}catch(t){if(t.name===\"NoSuchBucket\")throw t;console.log(`Could not set new object deny policy on bucket '${e}' prior to deletion.`)}}async function E(e){let t=await c.listObjectVersions({Bucket:e}),o=[...t.Versions??[],...t.DeleteMarkers??[]];if(o.length===0)return;let r=o.map(s=>({Key:s.Key,VersionId:s.VersionId}));await c.deleteObjects({Bucket:e,Delete:{Objects:r}}),t?.IsTruncated&&await E(e)}async function f(e){if(!e)throw new Error(\"No BucketName was provided.\");try{if(!await W(e)){console.log(`Bucket does not have '${g}' tag, skipping cleaning.`);return}await N(e),await E(e)}catch(t){if(t.name===\"NoSuchBucket\"){console.log(`Bucket '${e}' does not exist.`);return}throw t}}async function W(e){return(await c.getBucketTagging({Bucket:e})).TagSet?.some(o=>o.Key===g&&o.Value===\"true\")}0&&(module.exports={autoDeleteHandler,handler});\n" + }, + "Timeout": 900, + "MemorySize": 128, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", + "Arn" + ] + }, + "Runtime": "nodejs18.x", + "Description": { + "Fn::Join": [ + "", + [ + "Lambda function for auto-deleting objects in ", + { + "Ref": "CdkStagingBucket1636058C" + }, + " S3 bucket." + ] + ] + } + }, + "DependsOn": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/cdk.out b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/cdk.out new file mode 100644 index 0000000000000..1f0068d32659a --- /dev/null +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integ.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integ.json new file mode 100644 index 0000000000000..08ce00fc3f00c --- /dev/null +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integ.json @@ -0,0 +1,13 @@ +{ + "version": "36.0.0", + "testCases": { + "integ-tests/DefaultTest": { + "stacks": [ + "StagingStack-default-resourcesmax-ACCOUNT-REGION", + "synthesize-default-encryption" + ], + "assertionStack": "integ-tests/DefaultTest/DeployAssert", + "assertionStackName": "integtestsDefaultTestDeployAssert44C8D370" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json new file mode 100644 index 0000000000000..50121024f8d99 --- /dev/null +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "integtestsDefaultTestDeployAssert44C8D370.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.template.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/manifest.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/manifest.json new file mode 100644 index 0000000000000..675984ebcad5b --- /dev/null +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/manifest.json @@ -0,0 +1,148 @@ +{ + "version": "36.0.0", + "artifacts": { + "synthesize-default-encryption.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "synthesize-default-encryption.assets.json" + }, + "dependencies": [ + "StagingStack-default-resourcesmax-ACCOUNT-REGION" + ] + }, + "synthesize-default-encryption": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "synthesize-default-encryption.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "additionalDependencies": [ + "synthesize-default-encryption.assets" + ], + "stackTemplateAssetObjectUrl": "s3://cdk-default-resourcesmax-staging-${AWS::AccountId}-${AWS::Region}/deploy-time/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a.json", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}" + } + }, + "dependencies": [ + "StagingStack-default-resourcesmax-ACCOUNT-REGION", + "synthesize-default-encryption.assets" + ], + "displayName": "synthesize-default-encryption" + }, + "StagingStack-default-resourcesmax-ACCOUNT-REGION": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackName": "StagingStack-default-resourcesmax" + }, + "metadata": { + "/StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkFileRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "CdkFileRoleE26CEABA" + } + ], + "/StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkFileRole/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "CdkFileRoleDefaultPolicy621C7E5B" + } + ], + "/StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkStagingBucket/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "CdkStagingBucket1636058C" + } + ], + "/StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkStagingBucket/Policy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "CdkStagingBucketPolicy42BD1F92" + } + ], + "/StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkStagingBucket/AutoDeleteObjectsCustomResource/Default": [ + { + "type": "aws:cdk:logicalId", + "data": "CdkStagingBucketAutoDeleteObjectsCustomResource800E998D" + } + ], + "/StagingStack-default-resourcesmax-ACCOUNT-REGION/Custom::S3AutoDeleteObjectsCustomResourceProvider/Role": [ + { + "type": "aws:cdk:logicalId", + "data": "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" + } + ], + "/StagingStack-default-resourcesmax-ACCOUNT-REGION/Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler": [ + { + "type": "aws:cdk:logicalId", + "data": "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F" + } + ] + }, + "displayName": "StagingStack-default-resourcesmax-ACCOUNT-REGION" + }, + "integtestsDefaultTestDeployAssert44C8D370.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "integtestsDefaultTestDeployAssert44C8D370.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "integtestsDefaultTestDeployAssert44C8D370": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "integtestsDefaultTestDeployAssert44C8D370.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "integtestsDefaultTestDeployAssert44C8D370.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "integtestsDefaultTestDeployAssert44C8D370.assets" + ], + "metadata": { + "/integ-tests/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/integ-tests/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "integ-tests/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/synthesize-default-encryption.assets.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/synthesize-default-encryption.assets.json new file mode 100644 index 0000000000000..9015dadf1bdde --- /dev/null +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/synthesize-default-encryption.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a": { + "source": { + "path": "synthesize-default-encryption.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-default-resourcesmax-staging-${AWS::AccountId}-${AWS::Region}", + "objectKey": "deploy-time/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-default-resourcesmax-file-role-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/synthesize-default-encryption.template.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/synthesize-default-encryption.template.json new file mode 100644 index 0000000000000..9e26dfeeb6e64 --- /dev/null +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/synthesize-default-encryption.template.json @@ -0,0 +1 @@ +{} \ No newline at end of file diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/tree.json b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/tree.json new file mode 100644 index 0000000000000..871e7830afede --- /dev/null +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.js.snapshot/tree.json @@ -0,0 +1,511 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "synthesize-default-encryption": { + "id": "synthesize-default-encryption", + "path": "synthesize-default-encryption", + "children": { + "UsingAppStagingSynthesizer--synthesize-default-encryption": { + "id": "UsingAppStagingSynthesizer--synthesize-default-encryption", + "path": "synthesize-default-encryption/UsingAppStagingSynthesizer--synthesize-default-encryption", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "StagingStack-default-resourcesmax-ACCOUNT-REGION": { + "id": "StagingStack-default-resourcesmax-ACCOUNT-REGION", + "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION", + "children": { + "CdkFileRole": { + "id": "CdkFileRole", + "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkFileRole", + "children": { + "ImportCdkFileRole": { + "id": "ImportCdkFileRole", + "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkFileRole/ImportCdkFileRole", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "Resource": { + "id": "Resource", + "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkFileRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + } + } + ], + "Version": "2012-10-17" + }, + "roleName": { + "Fn::Join": [ + "", + [ + "cdk-default-resourcesmax-file-role-", + { + "Ref": "AWS::Region" + } + ] + ] + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DefaultPolicy": { + "id": "DefaultPolicy", + "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkFileRole/DefaultPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkFileRole/DefaultPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Policy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": [ + "s3:Abort*", + "s3:DeleteObject*", + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*", + "s3:PutObject", + "s3:PutObjectLegalHold", + "s3:PutObjectRetention", + "s3:PutObjectTagging", + "s3:PutObjectVersionTagging" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "CdkStagingBucket1636058C", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "CdkStagingBucket1636058C", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + }, + "policyName": "CdkFileRoleDefaultPolicy621C7E5B", + "roles": [ + { + "Ref": "CdkFileRoleE26CEABA" + } + ] + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "CdkStagingBucket": { + "id": "CdkStagingBucket", + "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkStagingBucket", + "children": { + "Resource": { + "id": "Resource", + "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkStagingBucket/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::S3::Bucket", + "aws:cdk:cloudformation:props": { + "bucketEncryption": { + "serverSideEncryptionConfiguration": [ + { + "serverSideEncryptionByDefault": { + "sseAlgorithm": "AES256" + } + } + ] + }, + "bucketName": { + "Fn::Join": [ + "", + [ + "cdk-default-resourcesmax-staging-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "lifecycleConfiguration": { + "rules": [ + { + "noncurrentVersionExpiration": { + "noncurrentDays": 365 + }, + "status": "Enabled" + }, + { + "expirationInDays": 30, + "prefix": "deploy-time/", + "status": "Enabled" + } + ] + }, + "versioningConfiguration": { + "status": "Enabled" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "Policy": { + "id": "Policy", + "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkStagingBucket/Policy", + "children": { + "Resource": { + "id": "Resource", + "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkStagingBucket/Policy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::S3::BucketPolicy", + "aws:cdk:cloudformation:props": { + "bucket": { + "Ref": "CdkStagingBucket1636058C" + }, + "policyDocument": { + "Statement": [ + { + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "CdkStagingBucket1636058C", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "CdkStagingBucket1636058C", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, + { + "Action": [ + "s3:DeleteObject*", + "s3:GetBucket*", + "s3:List*", + "s3:PutBucketPolicy" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", + "Arn" + ] + } + }, + "Resource": [ + { + "Fn::GetAtt": [ + "CdkStagingBucket1636058C", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "CdkStagingBucket1636058C", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, + { + "Action": [ + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + } + }, + "Resource": [ + { + "Fn::GetAtt": [ + "CdkStagingBucket1636058C", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "CdkStagingBucket1636058C", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "AutoDeleteObjectsCustomResource": { + "id": "AutoDeleteObjectsCustomResource", + "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkStagingBucket/AutoDeleteObjectsCustomResource", + "children": { + "Default": { + "id": "Default", + "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/CdkStagingBucket/AutoDeleteObjectsCustomResource/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "Custom::S3AutoDeleteObjectsCustomResourceProvider": { + "id": "Custom::S3AutoDeleteObjectsCustomResourceProvider", + "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/Custom::S3AutoDeleteObjectsCustomResourceProvider", + "children": { + "Role": { + "id": "Role", + "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/Custom::S3AutoDeleteObjectsCustomResourceProvider/Role", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "Handler": { + "id": "Handler", + "path": "StagingStack-default-resourcesmax-ACCOUNT-REGION/Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "integ-tests": { + "id": "integ-tests", + "path": "integ-tests", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "integ-tests/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "integ-tests/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "integ-tests/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "integ-tests/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "integ-tests/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.ts b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.ts new file mode 100644 index 0000000000000..b094351f94938 --- /dev/null +++ b/packages/@aws-cdk/app-staging-synthesizer-alpha/test/integ.synth-default-encryption.ts @@ -0,0 +1,29 @@ +import * as integ from '@aws-cdk/integ-tests-alpha'; +import { App, Stack } from 'aws-cdk-lib'; +import { BucketEncryption } from 'aws-cdk-lib/aws-s3'; +import { APP_ID_MAX } from './util'; +import { AppStagingSynthesizer } from '../lib'; + +const app = new App({ + context: { + '@aws-cdk/aws-iam:minimizePolicies': true, + }, +}); + +const stackDefaultEncryption = new Stack(app, 'synthesize-default-encryption', { + synthesizer: AppStagingSynthesizer.defaultResources({ + appId: APP_ID_MAX, // this has implications on the overall template size + stagingBucketEncryption: BucketEncryption.S3_MANAGED, + }), +}); + +const defaultStagingStack = app.node.tryFindChild(`StagingStack-${APP_ID_MAX}-ACCOUNT-REGION`) as Stack; +if (!defaultStagingStack) { + throw new Error('Default Staging Stack not found.'); +} + +new integ.IntegTest(app, 'integ-tests', { + testCases: [defaultStagingStack, stackDefaultEncryption], +}); + +app.synth();