@flit/cdk-pipeline 2.4.0 → 2.5.1

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@flit/cdk-pipeline",
-	"version": "2.4.0",
+	"version": "2.5.1",
 	"description": "A highly customizable and extensible CI/CD pipeline intended as alternative to CDK's native CodePipeline",
 	"keywords": [
 		"aws",
@@ -51,18 +51,18 @@
 		"useTabs": true
 	},
 	"devDependencies": {
-		"@types/node": "^25.0.3",
-		"aws-cdk-lib": "^2.232.0",
-		"constructs": "^10.4.0",
-		"jsii": "^5.9.22",
-		"jsii-pacmak": "^1.125.0",
-		"prettier": "^3.7.4",
-		"prettier-plugin-packagejson": "^2.5.20",
+		"@types/node": "^25.5.0",
+		"aws-cdk-lib": "^2.244.0",
+		"constructs": "^10.6.0",
+		"jsii": "^5.9.34",
+		"jsii-pacmak": "^1.127.0",
+		"prettier": "^3.8.1",
+		"prettier-plugin-packagejson": "^3.0.2",
 		"typescript": "^5.9.3"
 	},
 	"peerDependencies": {
-		"aws-cdk-lib": "^2.232.0",
-		"constructs": "^10.4.0"
+		"aws-cdk-lib": "^2.244.0",
+		"constructs": "^10.6.0"
 	},
 	"publishConfig": {
 		"access": "public"

package/src/pipeline-segment.ts

@@ -1,6 +1,8 @@
 import {
 	BuildEnvironmentVariable,
 	BuildSpec,
+	ComputeType,
+	LinuxBuildImage,
 	mergeBuildSpecs,
 	Project,
 	ProjectProps,
@@ -8,17 +10,15 @@ import {
 import { Stack } from "aws-cdk-lib";
 import { IAction } from "aws-cdk-lib/aws-codepipeline";
 import {
-	CloudFormationCreateReplaceChangeSetAction,
 	CloudFormationExecuteChangeSetAction,
 	CodeBuildAction,
 	ManualApprovalAction,
 } from "aws-cdk-lib/aws-codepipeline-actions";
-import * as path from "path";
 
 import { Artifact } from "./artifact";
 import { Segment, SegmentConstructed } from "./segment";
 import { Pipeline } from "./pipeline";
-import { PublishAssetsAction } from "./publish-assets-action";
+import { PolicyStatement } from "aws-cdk-lib/aws-iam";
 
 export interface PipelineSegmentProps {
 	/**
@@ -34,11 +34,6 @@ export interface PipelineSegmentProps {
 	 * The environmental variables for the build stage.
 	 */
 	readonly environmentVariables?: { [key: string]: BuildEnvironmentVariable };
-	/**
-	 * The name of the stack to apply this action to.
-	 * @default The name of the given stack.
-	 */
-	readonly stackName?: string;
 	/**
 	 * The artifact to hold the stack deployment output file.
 	 * @default no output artifact
@@ -82,7 +77,6 @@ export interface PipelineSegmentConstructedProps {
 	readonly stack: Stack;
 	readonly project: ProjectProps;
 	readonly environmentVariables?: { [key: string]: BuildEnvironmentVariable };
-	readonly stackName?: string;
 	readonly input: Artifact;
 	readonly extraInputs?: Artifact[];
 	readonly output?: Artifact;
@@ -105,6 +99,61 @@ export class PipelineSegmentConstructed extends SegmentConstructed {
 
 		const buildArtifact = props.output || new Artifact();
 
+		const prepareChangesProject = new Project(this, "PrepareChanges", {
+			environment: {
+				computeType: ComputeType.MEDIUM,
+				buildImage: LinuxBuildImage.AMAZON_LINUX_2_ARM_3,
+			},
+			buildSpec: BuildSpec.fromObject({
+				version: 0.2,
+				phases: {
+					install: {
+						"runtime-versions": {
+							nodejs: "24",
+						},
+						commands: "npm install -g aws-cdk",
+					},
+					build: {
+						commands: `npx cdk deploy ${props.stack.stackId} --app ./ --method prepare-change-set --change-set-name pipeline-${props.stack.stackId}-${this.name} --require-approval never`,
+					},
+				},
+				cache: {
+					paths: ["/root/.npm/**/*"],
+				},
+			}),
+		});
+
+		prepareChangesProject.addToRolePolicy(
+			new PolicyStatement({
+				actions: [
+					"ssm:GetParameter",
+					"cloudformation:CreateChangeSet",
+					"cloudformation:DescribeChangeSet",
+					"cloudformation:DescribeStacks",
+					"cloudformation:GetTemplate",
+					"cloudformation:DeleteChangeSet",
+					"iam:PassRole",
+				],
+				resources: ["*"],
+			}),
+		);
+
+		prepareChangesProject.addToRolePolicy(
+			new PolicyStatement({
+				actions: ["sts:AssumeRole"],
+				resources: [`arn:*:iam::${Stack.of(this).account}:role/*`],
+				conditions: {
+					"ForAnyValue:StringEquals": {
+						"iam:ResourceTag/aws-cdk:bootstrap-role": [
+							"image-publishing",
+							"file-publishing",
+							"deploy",
+						],
+					},
+				},
+			}),
+		);
+
 		this.actions = [
 			new CodeBuildAction({
 				actionName: "Build",
@@ -120,50 +169,40 @@ export class PipelineSegmentConstructed extends SegmentConstructed {
 								props.project.buildSpec,
 								BuildSpec.fromObject({
 									artifacts: {
-										files: [path.join(scope.buildDir, "**/*")],
+										"base-directory": scope.buildDir,
+										files: ["**/*"],
 									},
 								}),
-						  )
+							)
 						: BuildSpec.fromObject({
 								artifacts: {
-									files: [path.join(scope.buildDir, "**/*")],
+									"base-directory": scope.buildDir,
+									files: ["**/*"],
 								},
-						  }),
+							}),
 				}),
 			}),
-			new PublishAssetsAction(this, "PublishAssets", {
-				actionName: "PublishAssets",
+			new CodeBuildAction({
+				actionName: "PrepareChanges",
 				runOrder: 2,
 				input: buildArtifact,
-				manifestPath: scope.buildDir,
-			}),
-			new CloudFormationCreateReplaceChangeSetAction({
-				actionName: "PrepareChanges",
-				runOrder: 3,
-				stackName: props.stackName ? props.stackName : props.stack.stackName,
-				account: props.stack.account,
-				region: props.stack.region,
-				changeSetName: `${this.name}Changes`,
-				adminPermissions: true,
-				templatePath: buildArtifact.atPath(
-					path.join(scope.buildDir, props.stack.templateFile),
-				),
+				project: prepareChangesProject,
 			}),
 			...(props.manualApproval
 				? [
 						new ManualApprovalAction({
 							actionName: "ApproveChanges",
-							runOrder: 4,
+							runOrder: 3,
 						}),
-				  ]
+					]
 				: []),
 			new CloudFormationExecuteChangeSetAction({
 				actionName: "ExecuteChanges",
-				runOrder: props.manualApproval ? 5 : 4,
-				stackName: props.stackName ? props.stackName : props.stack.stackName,
+				runOrder: props.manualApproval ? 3 : 4,
+				stackName: props.stack.stackName,
 				account: props.stack.account,
 				region: props.stack.region,
-				changeSetName: `${this.name}Changes`,
+				changeSetName: `pipeline-${props.stack.stackId}-${this.name}`,
 			}),
 		];
 	}

package/src/stack-segment.ts

@@ -3,13 +3,14 @@ import {
 	BuildEnvironmentVariable,
 	BuildEnvironmentVariableType,
 	BuildSpec,
+	ComputeType,
+	LinuxBuildImage,
 	mergeBuildSpecs,
 	Project,
 	ProjectProps,
 } from "aws-cdk-lib/aws-codebuild";
 import { IAction } from "aws-cdk-lib/aws-codepipeline";
 import {
-	CloudFormationCreateReplaceChangeSetAction,
 	CloudFormationExecuteChangeSetAction,
 	CodeBuildAction,
 	ManualApprovalAction,
@@ -20,7 +21,6 @@ import * as path from "path";
 import { Artifact } from "./artifact";
 import { Segment, SegmentConstructed } from "./segment";
 import { Pipeline } from "./pipeline";
-import { PublishAssetsAction } from "./publish-assets-action";
 
 export interface StackSegmentProps {
 	/**
@@ -44,11 +44,6 @@ export interface StackSegmentProps {
 	 * The environmental variables for the build stage.
 	 */
 	readonly environmentVariables?: { [key: string]: BuildEnvironmentVariable };
-	/**
-	 * The name of the stack to deploy the changes to.
-	 * @default The name of the given stack.
-	 */
-	readonly stackName?: string;
 	/**
 	 * The artifact to hold the output of the build if this stack includes a build.
 	 */
@@ -100,7 +95,6 @@ export interface StackSegmentConstructedProps {
 	readonly stack: Stack;
 	readonly project?: ProjectProps;
 	readonly environmentVariables?: { [key: string]: BuildEnvironmentVariable };
-	readonly stackName?: string;
 	readonly input: Artifact;
 	readonly extraInputs?: Artifact[];
 	readonly buildOutput?: Artifact;
@@ -136,12 +130,12 @@ export class StackSegmentConstructed extends SegmentConstructed {
 								files: [path.join(scope.buildDir, "**/*")],
 							},
 						}),
-				  )
+					)
 				: BuildSpec.fromObject({
 						artifacts: {
 							files: [path.join(scope.buildDir, "**/*")],
 						},
-				  }),
+					}),
 		});
 
 		Object.entries(
@@ -174,7 +168,7 @@ export class StackSegmentConstructed extends SegmentConstructed {
 									? v.value.split(":").slice(0, 7).join(":")
 									: `arn:aws:secretsmanager:*:${
 											Stack.of(this).account
-									  }:secret:${v.value}-*`,
+										}:secret:${v.value}-*`,
 							],
 						}),
 					);
@@ -182,6 +176,61 @@ export class StackSegmentConstructed extends SegmentConstructed {
 			}
 		});
 
+		const prepareChangesProject = new Project(this, "PrepareChanges", {
+			environment: {
+				computeType: ComputeType.MEDIUM,
+				buildImage: LinuxBuildImage.AMAZON_LINUX_2_ARM_3,
+			},
+			buildSpec: BuildSpec.fromObject({
+				version: 0.2,
+				phases: {
+					install: {
+						"runtime-versions": {
+							nodejs: "24",
+						},
+						commands: "npm install -g aws-cdk",
+					},
+					build: {
+						commands: `npx cdk deploy ${props.stack.stackId} --app ./ --method prepare-change-set --change-set-name pipeline-${props.stack.stackId}-${this.name} --require-approval never`,
+					},
+				},
+				cache: {
+					paths: ["/root/.npm/**/*"],
+				},
+			}),
+		});
+
+		prepareChangesProject.addToRolePolicy(
+			new PolicyStatement({
+				actions: [
+					"ssm:GetParameter",
+					"cloudformation:CreateChangeSet",
+					"cloudformation:DescribeChangeSet",
+					"cloudformation:DescribeStacks",
+					"cloudformation:GetTemplate",
+					"cloudformation:DeleteChangeSet",
+					"iam:PassRole",
+				],
+				resources: ["*"],
+			}),
+		);
+
+		prepareChangesProject.addToRolePolicy(
+			new PolicyStatement({
+				actions: ["sts:AssumeRole"],
+				resources: [`arn:*:iam::${Stack.of(this).account}:role/*`],
+				conditions: {
+					"ForAnyValue:StringEquals": {
+						"iam:ResourceTag/aws-cdk:bootstrap-role": [
+							"image-publishing",
+							"file-publishing",
+							"deploy",
+						],
+					},
+				},
+			}),
+		);
+
 		this.actions = [
 			...(buildArtifact
 				? [
@@ -194,53 +243,41 @@ export class StackSegmentConstructed extends SegmentConstructed {
 							environmentVariables: props.environmentVariables,
 							project: codeBuildProject,
 						}),
-						new PublishAssetsAction(this, "PublishAssets", {
-							actionName: `${this.name}PublishAssets`,
-							runOrder: 2,
-							input: buildArtifact,
-							manifestPath: scope.buildDir,
-						}),
-				  ]
+					]
 				: []),
-			new CloudFormationCreateReplaceChangeSetAction({
+			new CodeBuildAction({
 				actionName: `${this.name}PrepareChanges`,
-				runOrder: buildArtifact ? 3 : 1,
-				stackName: props.stackName ? props.stackName : props.stack.stackName,
-				account: props.stack.account,
-				region: props.stack.region,
-				changeSetName: `${this.name}Changes`,
-				adminPermissions: true,
-				templatePath: (buildArtifact ? buildArtifact : props.input).atPath(
-					path.join(scope.buildDir, props.stack.templateFile),
-				),
+				runOrder: buildArtifact ? 2 : 1,
+				input: buildArtifact ? buildArtifact : props.input,
+				project: prepareChangesProject,
 			}),
 			...(props.manualApproval
 				? [
 						new ManualApprovalAction({
 							actionName: `${this.name}ApproveChanges`,
-							runOrder: buildArtifact ? 4 : 2,
+							runOrder: buildArtifact ? 3 : 2,
 						}),
-				  ]
+					]
 				: []),
 			new CloudFormationExecuteChangeSetAction({
 				actionName: `${this.name}ExecuteChanges`,
 				runOrder: props.manualApproval
 					? buildArtifact
-						? 5
+						? 4
 						: 3
 					: buildArtifact
-					  ? 4
-					  : 2,
-				stackName: props.stackName ? props.stackName : props.stack.stackName,
+						? 3
+						: 2,
+				stackName: props.stack.stackName,
 				account: props.stack.account,
 				region: props.stack.region,
-				changeSetName: `${this.name}Changes`,
+				changeSetName: `pipeline-${props.stack.stackId}-${this.name}`,
 				output: props.stackOutput,
 				outputFileName: props.outputFileName
 					? props.outputFileName
 					: props.stackOutput
-					  ? "artifact.json"
-					  : undefined,
+						? "artifact.json"
+						: undefined,
 			}),
 		];
 	}