sst 2.18.4 → 2.19.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/cdk/asset-publishing.d.ts +74 -0
- package/cdk/asset-publishing.js +147 -0
- package/cdk/deployments.d.ts +1 -1
- package/cdk/deployments.js +1 -3
- package/cdk-assets/private/asset-handler.d.ts +29 -0
- package/cdk-assets/private/asset-handler.js +1 -0
- package/cdk-assets/private/docker.d.ts +94 -0
- package/cdk-assets/private/docker.js +237 -0
- package/cdk-assets/private/handlers/container-images.d.ts +22 -0
- package/cdk-assets/private/handlers/container-images.js +231 -0
- package/cdk-assets/private/handlers/index.d.ts +3 -0
- package/cdk-assets/private/handlers/index.js +18 -0
- package/cdk-assets/publishing.d.ts +113 -0
- package/cdk-assets/publishing.js +194 -0
- package/cli/commands/dev.js +25 -1
- package/constructs/Function.d.ts +4 -0
- package/constructs/Function.js +43 -11
- package/package.json +1 -1
- package/runtime/handlers/container.d.ts +1 -0
- package/runtime/handlers/container.js +124 -0
- package/runtime/handlers.d.ts +4 -0
- package/runtime/handlers.js +1 -0
- package/runtime/workers.js +1 -0
- package/sst.mjs +1218 -318
- package/stacks/synth.js +2 -0
- package/support/bridge/Dockerfile +3 -0
|
@@ -0,0 +1,74 @@
|
|
|
1
|
+
import * as cxapi from "@aws-cdk/cx-api";
|
|
2
|
+
import * as AWS from "aws-sdk";
|
|
3
|
+
import * as cdk_assets from "cdk-assets";
|
|
4
|
+
import { SdkProvider } from "sst-aws-cdk/lib/api/aws-auth/sdk-provider.js";
|
|
5
|
+
export interface PublishAssetsOptions {
|
|
6
|
+
/**
|
|
7
|
+
* Print progress at 'debug' level
|
|
8
|
+
*/
|
|
9
|
+
readonly quiet?: boolean;
|
|
10
|
+
/**
|
|
11
|
+
* Whether to build assets before publishing.
|
|
12
|
+
*
|
|
13
|
+
* @default true To remain backward compatible.
|
|
14
|
+
*/
|
|
15
|
+
readonly buildAssets?: boolean;
|
|
16
|
+
/**
|
|
17
|
+
* Whether to build/publish assets in parallel
|
|
18
|
+
*
|
|
19
|
+
* @default true To remain backward compatible.
|
|
20
|
+
*/
|
|
21
|
+
readonly parallel?: boolean;
|
|
22
|
+
}
|
|
23
|
+
/**
|
|
24
|
+
* Use cdk-assets to publish all assets in the given manifest.
|
|
25
|
+
*/
|
|
26
|
+
export declare function publishAssets(manifest: cdk_assets.AssetManifest, sdk: SdkProvider, targetEnv: cxapi.Environment, options?: PublishAssetsOptions): Promise<void>;
|
|
27
|
+
export interface BuildAssetsOptions {
|
|
28
|
+
/**
|
|
29
|
+
* Print progress at 'debug' level
|
|
30
|
+
*/
|
|
31
|
+
readonly quiet?: boolean;
|
|
32
|
+
/**
|
|
33
|
+
* Build assets in parallel
|
|
34
|
+
*
|
|
35
|
+
* @default true
|
|
36
|
+
*/
|
|
37
|
+
readonly parallel?: boolean;
|
|
38
|
+
}
|
|
39
|
+
/**
|
|
40
|
+
* Use cdk-assets to build all assets in the given manifest.
|
|
41
|
+
*/
|
|
42
|
+
export declare function buildAssets(manifest: cdk_assets.AssetManifest, sdk: SdkProvider, targetEnv: cxapi.Environment, options?: BuildAssetsOptions): Promise<void>;
|
|
43
|
+
export declare class PublishingAws implements cdk_assets.IAws {
|
|
44
|
+
/**
|
|
45
|
+
* The base SDK to work with
|
|
46
|
+
*/
|
|
47
|
+
private readonly aws;
|
|
48
|
+
/**
|
|
49
|
+
* Environment where the stack we're deploying is going
|
|
50
|
+
*/
|
|
51
|
+
private readonly targetEnv;
|
|
52
|
+
private sdkCache;
|
|
53
|
+
constructor(
|
|
54
|
+
/**
|
|
55
|
+
* The base SDK to work with
|
|
56
|
+
*/
|
|
57
|
+
aws: SdkProvider,
|
|
58
|
+
/**
|
|
59
|
+
* Environment where the stack we're deploying is going
|
|
60
|
+
*/
|
|
61
|
+
targetEnv: cxapi.Environment);
|
|
62
|
+
discoverPartition(): Promise<string>;
|
|
63
|
+
discoverDefaultRegion(): Promise<string>;
|
|
64
|
+
discoverCurrentAccount(): Promise<cdk_assets.Account>;
|
|
65
|
+
discoverTargetAccount(options: cdk_assets.ClientOptions): Promise<cdk_assets.Account>;
|
|
66
|
+
s3Client(options: cdk_assets.ClientOptions): Promise<AWS.S3>;
|
|
67
|
+
ecrClient(options: cdk_assets.ClientOptions): Promise<AWS.ECR>;
|
|
68
|
+
secretsManagerClient(options: cdk_assets.ClientOptions): Promise<AWS.SecretsManager>;
|
|
69
|
+
/**
|
|
70
|
+
* Get an SDK appropriate for the given client options
|
|
71
|
+
*/
|
|
72
|
+
private sdk;
|
|
73
|
+
}
|
|
74
|
+
export declare const EVENT_TO_LOGGER: Record<cdk_assets.EventType, (x: string) => void>;
|
|
@@ -0,0 +1,147 @@
|
|
|
1
|
+
import * as cxapi from "@aws-cdk/cx-api";
|
|
2
|
+
import * as cdk_assets from "cdk-assets";
|
|
3
|
+
// TODO: remove after PR is merged
|
|
4
|
+
import { AssetPublishing } from "../cdk-assets/publishing.js";
|
|
5
|
+
import { Mode } from "sst-aws-cdk/lib/api/aws-auth/credentials.js";
|
|
6
|
+
import { debug, error, print } from "sst-aws-cdk/lib/logging.js";
|
|
7
|
+
/**
|
|
8
|
+
* Use cdk-assets to publish all assets in the given manifest.
|
|
9
|
+
*/
|
|
10
|
+
export async function publishAssets(manifest, sdk, targetEnv, options = {}) {
|
|
11
|
+
// This shouldn't really happen (it's a programming error), but we don't have
|
|
12
|
+
// the types here to guide us. Do an runtime validation to be super super sure.
|
|
13
|
+
if (targetEnv.account === undefined ||
|
|
14
|
+
targetEnv.account === cxapi.UNKNOWN_ACCOUNT ||
|
|
15
|
+
targetEnv.region === undefined ||
|
|
16
|
+
targetEnv.account === cxapi.UNKNOWN_REGION) {
|
|
17
|
+
throw new Error(`Asset publishing requires resolved account and region, got ${JSON.stringify(targetEnv)}`);
|
|
18
|
+
}
|
|
19
|
+
const publisher = new AssetPublishing(manifest, {
|
|
20
|
+
aws: new PublishingAws(sdk, targetEnv),
|
|
21
|
+
progressListener: new PublishingProgressListener(options.quiet ?? false),
|
|
22
|
+
throwOnError: false,
|
|
23
|
+
publishInParallel: options.parallel ?? true,
|
|
24
|
+
buildAssets: options.buildAssets ?? true,
|
|
25
|
+
publishAssets: true,
|
|
26
|
+
// TODO: remove after PR is merged
|
|
27
|
+
quiet: options.quiet,
|
|
28
|
+
});
|
|
29
|
+
await publisher.publish();
|
|
30
|
+
if (publisher.hasFailures) {
|
|
31
|
+
console.log(publisher.failures);
|
|
32
|
+
throw new Error("Failed to publish one or more assets. See the error messages above for more information.");
|
|
33
|
+
}
|
|
34
|
+
}
|
|
35
|
+
/**
|
|
36
|
+
* Use cdk-assets to build all assets in the given manifest.
|
|
37
|
+
*/
|
|
38
|
+
export async function buildAssets(manifest, sdk, targetEnv, options = {}) {
|
|
39
|
+
// This shouldn't really happen (it's a programming error), but we don't have
|
|
40
|
+
// the types here to guide us. Do an runtime validation to be super super sure.
|
|
41
|
+
if (targetEnv.account === undefined ||
|
|
42
|
+
targetEnv.account === cxapi.UNKNOWN_ACCOUNT ||
|
|
43
|
+
targetEnv.region === undefined ||
|
|
44
|
+
targetEnv.account === cxapi.UNKNOWN_REGION) {
|
|
45
|
+
throw new Error(`Asset building requires resolved account and region, got ${JSON.stringify(targetEnv)}`);
|
|
46
|
+
}
|
|
47
|
+
const publisher = new cdk_assets.AssetPublishing(manifest, {
|
|
48
|
+
aws: new PublishingAws(sdk, targetEnv),
|
|
49
|
+
progressListener: new PublishingProgressListener(options.quiet ?? false),
|
|
50
|
+
throwOnError: false,
|
|
51
|
+
publishInParallel: options.parallel ?? true,
|
|
52
|
+
buildAssets: true,
|
|
53
|
+
publishAssets: false,
|
|
54
|
+
});
|
|
55
|
+
await publisher.publish();
|
|
56
|
+
if (publisher.hasFailures) {
|
|
57
|
+
throw new Error("Failed to build one or more assets. See the error messages above for more information.");
|
|
58
|
+
}
|
|
59
|
+
}
|
|
60
|
+
export class PublishingAws {
|
|
61
|
+
aws;
|
|
62
|
+
targetEnv;
|
|
63
|
+
sdkCache = new Map();
|
|
64
|
+
constructor(
|
|
65
|
+
/**
|
|
66
|
+
* The base SDK to work with
|
|
67
|
+
*/
|
|
68
|
+
aws,
|
|
69
|
+
/**
|
|
70
|
+
* Environment where the stack we're deploying is going
|
|
71
|
+
*/
|
|
72
|
+
targetEnv) {
|
|
73
|
+
this.aws = aws;
|
|
74
|
+
this.targetEnv = targetEnv;
|
|
75
|
+
}
|
|
76
|
+
async discoverPartition() {
|
|
77
|
+
return ((await this.aws.baseCredentialsPartition(this.targetEnv, Mode.ForWriting)) ?? "aws");
|
|
78
|
+
}
|
|
79
|
+
async discoverDefaultRegion() {
|
|
80
|
+
return this.targetEnv.region;
|
|
81
|
+
}
|
|
82
|
+
async discoverCurrentAccount() {
|
|
83
|
+
const account = await this.aws.defaultAccount();
|
|
84
|
+
return (account ?? {
|
|
85
|
+
accountId: "<unknown account>",
|
|
86
|
+
partition: "aws",
|
|
87
|
+
});
|
|
88
|
+
}
|
|
89
|
+
async discoverTargetAccount(options) {
|
|
90
|
+
return (await this.sdk(options)).currentAccount();
|
|
91
|
+
}
|
|
92
|
+
async s3Client(options) {
|
|
93
|
+
return (await this.sdk(options)).s3();
|
|
94
|
+
}
|
|
95
|
+
async ecrClient(options) {
|
|
96
|
+
return (await this.sdk(options)).ecr();
|
|
97
|
+
}
|
|
98
|
+
async secretsManagerClient(options) {
|
|
99
|
+
return (await this.sdk(options)).secretsManager();
|
|
100
|
+
}
|
|
101
|
+
/**
|
|
102
|
+
* Get an SDK appropriate for the given client options
|
|
103
|
+
*/
|
|
104
|
+
async sdk(options) {
|
|
105
|
+
const env = {
|
|
106
|
+
...this.targetEnv,
|
|
107
|
+
region: options.region ?? this.targetEnv.region, // Default: same region as the stack
|
|
108
|
+
};
|
|
109
|
+
const cacheKey = JSON.stringify({
|
|
110
|
+
env,
|
|
111
|
+
assumeRuleArn: options.assumeRoleArn,
|
|
112
|
+
assumeRoleExternalId: options.assumeRoleExternalId,
|
|
113
|
+
quiet: options.quiet,
|
|
114
|
+
});
|
|
115
|
+
const maybeSdk = this.sdkCache.get(cacheKey);
|
|
116
|
+
if (maybeSdk) {
|
|
117
|
+
return maybeSdk;
|
|
118
|
+
}
|
|
119
|
+
const sdk = (await this.aws.forEnvironment(env, Mode.ForWriting, {
|
|
120
|
+
assumeRoleArn: options.assumeRoleArn,
|
|
121
|
+
assumeRoleExternalId: options.assumeRoleExternalId,
|
|
122
|
+
}, options.quiet)).sdk;
|
|
123
|
+
this.sdkCache.set(cacheKey, sdk);
|
|
124
|
+
return sdk;
|
|
125
|
+
}
|
|
126
|
+
}
|
|
127
|
+
export const EVENT_TO_LOGGER = {
|
|
128
|
+
build: debug,
|
|
129
|
+
cached: debug,
|
|
130
|
+
check: debug,
|
|
131
|
+
debug,
|
|
132
|
+
fail: error,
|
|
133
|
+
found: debug,
|
|
134
|
+
start: print,
|
|
135
|
+
success: print,
|
|
136
|
+
upload: debug,
|
|
137
|
+
};
|
|
138
|
+
class PublishingProgressListener {
|
|
139
|
+
quiet;
|
|
140
|
+
constructor(quiet) {
|
|
141
|
+
this.quiet = quiet;
|
|
142
|
+
}
|
|
143
|
+
onPublishEvent(type, event) {
|
|
144
|
+
const handler = this.quiet && type !== "fail" ? debug : EVENT_TO_LOGGER[type];
|
|
145
|
+
handler(`[${event.percentComplete}%] ${type}: ${event.message}`);
|
|
146
|
+
}
|
|
147
|
+
}
|
package/cdk/deployments.d.ts
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import * as cxapi from "@aws-cdk/cx-api";
|
|
2
2
|
import { AssetManifest, IManifestEntry } from "cdk-assets";
|
|
3
3
|
import { Tag } from "sst-aws-cdk/lib/cdk-toolkit.js";
|
|
4
|
-
import { BuildAssetsOptions, PublishAssetsOptions } from "
|
|
4
|
+
import { BuildAssetsOptions, PublishAssetsOptions } from "./asset-publishing.js";
|
|
5
5
|
import { Mode } from "sst-aws-cdk/lib/api/aws-auth/credentials.js";
|
|
6
6
|
import { ISDK } from "sst-aws-cdk/lib/api/aws-auth/sdk.js";
|
|
7
7
|
import { SdkProvider } from "sst-aws-cdk/lib/api/aws-auth/sdk-provider.js";
|
package/cdk/deployments.js
CHANGED
|
@@ -3,7 +3,7 @@ import * as cxapi from "@aws-cdk/cx-api";
|
|
|
3
3
|
import * as cdk_assets from "cdk-assets";
|
|
4
4
|
import { AssetManifest } from "cdk-assets";
|
|
5
5
|
import { debug, warning } from "sst-aws-cdk/lib/logging.js";
|
|
6
|
-
import { buildAssets, publishAssets, PublishingAws, EVENT_TO_LOGGER, } from "
|
|
6
|
+
import { buildAssets, publishAssets, PublishingAws, EVENT_TO_LOGGER, } from "./asset-publishing.js";
|
|
7
7
|
import { Mode } from "sst-aws-cdk/lib/api/aws-auth/credentials.js";
|
|
8
8
|
import { deployStack, destroyStack, makeBodyParameterAndUpload, } from "./deploy-stack.js";
|
|
9
9
|
import { loadCurrentTemplateWithNestedStacks, loadCurrentTemplate, } from "sst-aws-cdk/lib/api/nested-stack-helpers.js";
|
|
@@ -72,8 +72,6 @@ export class Deployments {
|
|
|
72
72
|
const assetArtifacts = options.stack.dependencies.filter(cxapi.AssetManifestArtifact.isAssetManifestArtifact);
|
|
73
73
|
for (const asset of assetArtifacts) {
|
|
74
74
|
const manifest = AssetManifest.fromFile(asset.file);
|
|
75
|
-
//await buildAssets(manifest, sdkProvider, resolvedEnvironment, {
|
|
76
|
-
//});
|
|
77
75
|
await publishAssets(manifest, this.sdkProvider, resolvedEnvironment, {
|
|
78
76
|
buildAssets: true,
|
|
79
77
|
quiet: options.quiet,
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
import { DockerFactory } from "./docker.js";
|
|
2
|
+
import { IAws } from "cdk-assets/lib/aws.js";
|
|
3
|
+
import { EventType } from "cdk-assets/lib/progress.js";
|
|
4
|
+
/**
|
|
5
|
+
* Handler for asset building and publishing.
|
|
6
|
+
*/
|
|
7
|
+
export interface IAssetHandler {
|
|
8
|
+
/**
|
|
9
|
+
* Build the asset.
|
|
10
|
+
*/
|
|
11
|
+
build(): Promise<void>;
|
|
12
|
+
/**
|
|
13
|
+
* Publish the asset.
|
|
14
|
+
*/
|
|
15
|
+
publish(): Promise<void>;
|
|
16
|
+
/**
|
|
17
|
+
* Return whether the asset already exists
|
|
18
|
+
*/
|
|
19
|
+
isPublished(): Promise<boolean>;
|
|
20
|
+
}
|
|
21
|
+
export interface IHandlerHost {
|
|
22
|
+
readonly aws: IAws;
|
|
23
|
+
readonly aborted: boolean;
|
|
24
|
+
readonly dockerFactory: DockerFactory;
|
|
25
|
+
emitMessage(type: EventType, m: string): void;
|
|
26
|
+
}
|
|
27
|
+
export interface IHandlerOptions {
|
|
28
|
+
readonly quiet?: boolean;
|
|
29
|
+
}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
export {};
|
|
@@ -0,0 +1,94 @@
|
|
|
1
|
+
import { Logger } from "cdk-assets/lib/private/shell.js";
|
|
2
|
+
interface BuildOptions {
|
|
3
|
+
readonly directory: string;
|
|
4
|
+
/**
|
|
5
|
+
* Tag the image with a given repoName:tag combination
|
|
6
|
+
*/
|
|
7
|
+
readonly tag: string;
|
|
8
|
+
readonly target?: string;
|
|
9
|
+
readonly file?: string;
|
|
10
|
+
readonly buildArgs?: Record<string, string>;
|
|
11
|
+
readonly buildSecrets?: Record<string, string>;
|
|
12
|
+
readonly networkMode?: string;
|
|
13
|
+
readonly platform?: string;
|
|
14
|
+
readonly outputs?: string[];
|
|
15
|
+
readonly cacheFrom?: DockerCacheOption[];
|
|
16
|
+
readonly cacheTo?: DockerCacheOption;
|
|
17
|
+
readonly quiet?: boolean;
|
|
18
|
+
}
|
|
19
|
+
interface PushOptions {
|
|
20
|
+
readonly tag: string;
|
|
21
|
+
readonly quiet?: boolean;
|
|
22
|
+
}
|
|
23
|
+
export interface DockerCredentialsConfig {
|
|
24
|
+
readonly version: string;
|
|
25
|
+
readonly domainCredentials: Record<string, DockerDomainCredentials>;
|
|
26
|
+
}
|
|
27
|
+
export interface DockerDomainCredentials {
|
|
28
|
+
readonly secretsManagerSecretId?: string;
|
|
29
|
+
readonly ecrRepository?: string;
|
|
30
|
+
}
|
|
31
|
+
export interface DockerCacheOption {
|
|
32
|
+
readonly type: string;
|
|
33
|
+
readonly params?: {
|
|
34
|
+
[key: string]: string;
|
|
35
|
+
};
|
|
36
|
+
}
|
|
37
|
+
export declare class Docker {
|
|
38
|
+
private readonly logger?;
|
|
39
|
+
private configDir;
|
|
40
|
+
constructor(logger?: Logger | undefined);
|
|
41
|
+
/**
|
|
42
|
+
* Whether an image with the given tag exists
|
|
43
|
+
*/
|
|
44
|
+
exists(tag: string): Promise<boolean>;
|
|
45
|
+
build(options: BuildOptions): Promise<void>;
|
|
46
|
+
/**
|
|
47
|
+
* Get credentials from ECR and run docker login
|
|
48
|
+
*/
|
|
49
|
+
login(ecr: AWS.ECR): Promise<void>;
|
|
50
|
+
tag(sourceTag: string, targetTag: string): Promise<void>;
|
|
51
|
+
push(options: PushOptions): Promise<void>;
|
|
52
|
+
/**
|
|
53
|
+
* If a CDK Docker Credentials file exists, creates a new Docker config directory.
|
|
54
|
+
* Sets up `docker-credential-cdk-assets` to be the credential helper for each domain in the CDK config.
|
|
55
|
+
* All future commands (e.g., `build`, `push`) will use this config.
|
|
56
|
+
*
|
|
57
|
+
* See https://docs.docker.com/engine/reference/commandline/login/#credential-helpers for more details on cred helpers.
|
|
58
|
+
*
|
|
59
|
+
* @returns true if CDK config was found and configured, false otherwise
|
|
60
|
+
*/
|
|
61
|
+
configureCdkCredentials(): boolean;
|
|
62
|
+
/**
|
|
63
|
+
* Removes any configured Docker config directory.
|
|
64
|
+
* All future commands (e.g., `build`, `push`) will use the default config.
|
|
65
|
+
*
|
|
66
|
+
* This is useful after calling `configureCdkCredentials` to reset to default credentials.
|
|
67
|
+
*/
|
|
68
|
+
resetAuthPlugins(): void;
|
|
69
|
+
private execute;
|
|
70
|
+
private cacheOptionToFlag;
|
|
71
|
+
}
|
|
72
|
+
export interface DockerFactoryOptions {
|
|
73
|
+
readonly repoUri: string;
|
|
74
|
+
readonly ecr: AWS.ECR;
|
|
75
|
+
readonly logger: (m: string) => void;
|
|
76
|
+
}
|
|
77
|
+
/**
|
|
78
|
+
* Helps get appropriately configured Docker instances during the container
|
|
79
|
+
* image publishing process.
|
|
80
|
+
*/
|
|
81
|
+
export declare class DockerFactory {
|
|
82
|
+
private enterLoggedInDestinationsCriticalSection;
|
|
83
|
+
private loggedInDestinations;
|
|
84
|
+
/**
|
|
85
|
+
* Gets a Docker instance for building images.
|
|
86
|
+
*/
|
|
87
|
+
forBuild(options: DockerFactoryOptions): Promise<Docker>;
|
|
88
|
+
/**
|
|
89
|
+
* Gets a Docker instance for pushing images to ECR.
|
|
90
|
+
*/
|
|
91
|
+
forEcrPush(options: DockerFactoryOptions): Promise<Docker>;
|
|
92
|
+
private loginOncePerDestination;
|
|
93
|
+
}
|
|
94
|
+
export {};
|
|
@@ -0,0 +1,237 @@
|
|
|
1
|
+
import * as fs from "fs";
|
|
2
|
+
import * as os from "os";
|
|
3
|
+
import * as path from "path";
|
|
4
|
+
import { cdkCredentialsConfig, obtainEcrCredentials, } from "cdk-assets/lib/private/docker-credentials.js";
|
|
5
|
+
import { shell, } from "cdk-assets/lib/private/shell.js";
|
|
6
|
+
import { createCriticalSection } from "cdk-assets/lib/private/util.js";
|
|
7
|
+
var InspectImageErrorCode;
|
|
8
|
+
(function (InspectImageErrorCode) {
|
|
9
|
+
InspectImageErrorCode[InspectImageErrorCode["Docker"] = 1] = "Docker";
|
|
10
|
+
InspectImageErrorCode[InspectImageErrorCode["Podman"] = 125] = "Podman";
|
|
11
|
+
})(InspectImageErrorCode || (InspectImageErrorCode = {}));
|
|
12
|
+
export class Docker {
|
|
13
|
+
logger;
|
|
14
|
+
configDir = undefined;
|
|
15
|
+
constructor(logger) {
|
|
16
|
+
this.logger = logger;
|
|
17
|
+
}
|
|
18
|
+
/**
|
|
19
|
+
* Whether an image with the given tag exists
|
|
20
|
+
*/
|
|
21
|
+
async exists(tag) {
|
|
22
|
+
try {
|
|
23
|
+
await this.execute(["inspect", tag], { quiet: true });
|
|
24
|
+
return true;
|
|
25
|
+
}
|
|
26
|
+
catch (e) {
|
|
27
|
+
const error = e;
|
|
28
|
+
/**
|
|
29
|
+
* The only error we expect to be thrown will have this property and value.
|
|
30
|
+
* If it doesn't, it's unrecognized so re-throw it.
|
|
31
|
+
*/
|
|
32
|
+
if (error.code !== "PROCESS_FAILED") {
|
|
33
|
+
throw error;
|
|
34
|
+
}
|
|
35
|
+
/**
|
|
36
|
+
* If we know the shell command above returned an error, check to see
|
|
37
|
+
* if the exit code is one we know to actually mean that the image doesn't
|
|
38
|
+
* exist.
|
|
39
|
+
*/
|
|
40
|
+
switch (error.exitCode) {
|
|
41
|
+
case InspectImageErrorCode.Docker:
|
|
42
|
+
case InspectImageErrorCode.Podman:
|
|
43
|
+
// Docker and Podman will return this exit code when an image doesn't exist, return false
|
|
44
|
+
// context: https://github.com/aws/aws-cdk/issues/16209
|
|
45
|
+
return false;
|
|
46
|
+
default:
|
|
47
|
+
// This is an error but it's not an exit code we recognize, throw.
|
|
48
|
+
throw error;
|
|
49
|
+
}
|
|
50
|
+
}
|
|
51
|
+
}
|
|
52
|
+
async build(options) {
|
|
53
|
+
const buildCommand = [
|
|
54
|
+
"build",
|
|
55
|
+
...flatten(Object.entries(options.buildArgs || {}).map(([k, v]) => [
|
|
56
|
+
"--build-arg",
|
|
57
|
+
`${k}=${v}`,
|
|
58
|
+
])),
|
|
59
|
+
...flatten(Object.entries(options.buildSecrets || {}).map(([k, v]) => [
|
|
60
|
+
"--secret",
|
|
61
|
+
`id=${k},${v}`,
|
|
62
|
+
])),
|
|
63
|
+
"--tag",
|
|
64
|
+
options.tag,
|
|
65
|
+
...(options.target ? ["--target", options.target] : []),
|
|
66
|
+
...(options.file ? ["--file", options.file] : []),
|
|
67
|
+
...(options.networkMode ? ["--network", options.networkMode] : []),
|
|
68
|
+
...(options.platform ? ["--platform", options.platform] : []),
|
|
69
|
+
...(options.outputs
|
|
70
|
+
? options.outputs.map((output) => [`--output=${output}`])
|
|
71
|
+
: []),
|
|
72
|
+
...(options.cacheFrom
|
|
73
|
+
? [
|
|
74
|
+
...options.cacheFrom
|
|
75
|
+
.map((cacheFrom) => [
|
|
76
|
+
"--cache-from",
|
|
77
|
+
this.cacheOptionToFlag(cacheFrom),
|
|
78
|
+
])
|
|
79
|
+
.flat(),
|
|
80
|
+
]
|
|
81
|
+
: []),
|
|
82
|
+
...(options.cacheTo
|
|
83
|
+
? ["--cache-to", this.cacheOptionToFlag(options.cacheTo)]
|
|
84
|
+
: []),
|
|
85
|
+
".",
|
|
86
|
+
];
|
|
87
|
+
await this.execute(buildCommand, {
|
|
88
|
+
cwd: options.directory,
|
|
89
|
+
// TODO: remove after PR is merged
|
|
90
|
+
quiet: options.quiet,
|
|
91
|
+
});
|
|
92
|
+
}
|
|
93
|
+
/**
|
|
94
|
+
* Get credentials from ECR and run docker login
|
|
95
|
+
*/
|
|
96
|
+
async login(ecr) {
|
|
97
|
+
const credentials = await obtainEcrCredentials(ecr);
|
|
98
|
+
// Use --password-stdin otherwise docker will complain. Loudly.
|
|
99
|
+
await this.execute([
|
|
100
|
+
"login",
|
|
101
|
+
"--username",
|
|
102
|
+
credentials.username,
|
|
103
|
+
"--password-stdin",
|
|
104
|
+
credentials.endpoint,
|
|
105
|
+
], {
|
|
106
|
+
input: credentials.password,
|
|
107
|
+
// Need to quiet otherwise Docker will complain
|
|
108
|
+
// 'WARNING! Your password will be stored unencrypted'
|
|
109
|
+
// doesn't really matter since it's a token.
|
|
110
|
+
quiet: true,
|
|
111
|
+
});
|
|
112
|
+
}
|
|
113
|
+
async tag(sourceTag, targetTag) {
|
|
114
|
+
await this.execute(["tag", sourceTag, targetTag]);
|
|
115
|
+
}
|
|
116
|
+
// TODO: remove after PR is merged
|
|
117
|
+
async push(options) {
|
|
118
|
+
await this.execute(["push", options.tag], { quiet: options.quiet });
|
|
119
|
+
}
|
|
120
|
+
/**
|
|
121
|
+
* If a CDK Docker Credentials file exists, creates a new Docker config directory.
|
|
122
|
+
* Sets up `docker-credential-cdk-assets` to be the credential helper for each domain in the CDK config.
|
|
123
|
+
* All future commands (e.g., `build`, `push`) will use this config.
|
|
124
|
+
*
|
|
125
|
+
* See https://docs.docker.com/engine/reference/commandline/login/#credential-helpers for more details on cred helpers.
|
|
126
|
+
*
|
|
127
|
+
* @returns true if CDK config was found and configured, false otherwise
|
|
128
|
+
*/
|
|
129
|
+
configureCdkCredentials() {
|
|
130
|
+
const config = cdkCredentialsConfig();
|
|
131
|
+
if (!config) {
|
|
132
|
+
return false;
|
|
133
|
+
}
|
|
134
|
+
this.configDir = fs.mkdtempSync(path.join(os.tmpdir(), "cdkDockerConfig"));
|
|
135
|
+
const domains = Object.keys(config.domainCredentials);
|
|
136
|
+
const credHelpers = domains.reduce((map, domain) => {
|
|
137
|
+
map[domain] = "cdk-assets"; // Use docker-credential-cdk-assets for this domain
|
|
138
|
+
return map;
|
|
139
|
+
}, {});
|
|
140
|
+
fs.writeFileSync(path.join(this.configDir, "config.json"), JSON.stringify({ credHelpers }), { encoding: "utf-8" });
|
|
141
|
+
return true;
|
|
142
|
+
}
|
|
143
|
+
/**
|
|
144
|
+
* Removes any configured Docker config directory.
|
|
145
|
+
* All future commands (e.g., `build`, `push`) will use the default config.
|
|
146
|
+
*
|
|
147
|
+
* This is useful after calling `configureCdkCredentials` to reset to default credentials.
|
|
148
|
+
*/
|
|
149
|
+
resetAuthPlugins() {
|
|
150
|
+
this.configDir = undefined;
|
|
151
|
+
}
|
|
152
|
+
async execute(args, options = {}) {
|
|
153
|
+
const configArgs = this.configDir ? ["--config", this.configDir] : [];
|
|
154
|
+
// TODO: remove after PR is merged
|
|
155
|
+
//const pathToCdkAssets = path.resolve(__dirname, "..", "..", "bin");
|
|
156
|
+
const pathToCdkAssets = "";
|
|
157
|
+
try {
|
|
158
|
+
await shell([getDockerCmd(), ...configArgs, ...args], {
|
|
159
|
+
logger: this.logger,
|
|
160
|
+
...options,
|
|
161
|
+
env: {
|
|
162
|
+
...process.env,
|
|
163
|
+
...options.env,
|
|
164
|
+
PATH: `${pathToCdkAssets}${path.delimiter}${options.env?.PATH ?? process.env.PATH}`,
|
|
165
|
+
},
|
|
166
|
+
});
|
|
167
|
+
}
|
|
168
|
+
catch (e) {
|
|
169
|
+
if (e.code === "ENOENT") {
|
|
170
|
+
throw new Error("Unable to execute 'docker' in order to build a container asset. Please install 'docker' and try again.");
|
|
171
|
+
}
|
|
172
|
+
throw e;
|
|
173
|
+
}
|
|
174
|
+
}
|
|
175
|
+
cacheOptionToFlag(option) {
|
|
176
|
+
let flag = `type=${option.type}`;
|
|
177
|
+
if (option.params) {
|
|
178
|
+
flag +=
|
|
179
|
+
"," +
|
|
180
|
+
Object.entries(option.params)
|
|
181
|
+
.map(([k, v]) => `${k}=${v}`)
|
|
182
|
+
.join(",");
|
|
183
|
+
}
|
|
184
|
+
return flag;
|
|
185
|
+
}
|
|
186
|
+
}
|
|
187
|
+
/**
|
|
188
|
+
* Helps get appropriately configured Docker instances during the container
|
|
189
|
+
* image publishing process.
|
|
190
|
+
*/
|
|
191
|
+
export class DockerFactory {
|
|
192
|
+
enterLoggedInDestinationsCriticalSection = createCriticalSection();
|
|
193
|
+
loggedInDestinations = new Set();
|
|
194
|
+
/**
|
|
195
|
+
* Gets a Docker instance for building images.
|
|
196
|
+
*/
|
|
197
|
+
async forBuild(options) {
|
|
198
|
+
const docker = new Docker(options.logger);
|
|
199
|
+
// Default behavior is to login before build so that the Dockerfile can reference images in the ECR repo
|
|
200
|
+
// However, if we're in a pipelines environment (for example),
|
|
201
|
+
// we may have alternative credentials to the default ones to use for the build itself.
|
|
202
|
+
// If the special config file is present, delay the login to the default credentials until the push.
|
|
203
|
+
// If the config file is present, we will configure and use those credentials for the build.
|
|
204
|
+
let cdkDockerCredentialsConfigured = docker.configureCdkCredentials();
|
|
205
|
+
if (!cdkDockerCredentialsConfigured) {
|
|
206
|
+
await this.loginOncePerDestination(docker, options);
|
|
207
|
+
}
|
|
208
|
+
return docker;
|
|
209
|
+
}
|
|
210
|
+
/**
|
|
211
|
+
* Gets a Docker instance for pushing images to ECR.
|
|
212
|
+
*/
|
|
213
|
+
async forEcrPush(options) {
|
|
214
|
+
const docker = new Docker(options.logger);
|
|
215
|
+
await this.loginOncePerDestination(docker, options);
|
|
216
|
+
return docker;
|
|
217
|
+
}
|
|
218
|
+
async loginOncePerDestination(docker, options) {
|
|
219
|
+
// Changes: 012345678910.dkr.ecr.us-west-2.amazonaws.com/tagging-test
|
|
220
|
+
// To this: 012345678910.dkr.ecr.us-west-2.amazonaws.com
|
|
221
|
+
const repositoryDomain = options.repoUri.split("/")[0];
|
|
222
|
+
// Ensure one-at-a-time access to loggedInDestinations.
|
|
223
|
+
await this.enterLoggedInDestinationsCriticalSection(async () => {
|
|
224
|
+
if (this.loggedInDestinations.has(repositoryDomain)) {
|
|
225
|
+
return;
|
|
226
|
+
}
|
|
227
|
+
await docker.login(options.ecr);
|
|
228
|
+
this.loggedInDestinations.add(repositoryDomain);
|
|
229
|
+
});
|
|
230
|
+
}
|
|
231
|
+
}
|
|
232
|
+
function getDockerCmd() {
|
|
233
|
+
return process.env.CDK_DOCKER ?? "docker";
|
|
234
|
+
}
|
|
235
|
+
function flatten(x) {
|
|
236
|
+
return Array.prototype.concat([], ...x);
|
|
237
|
+
}
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
import { DockerImageManifestEntry } from "cdk-assets/lib/asset-manifest.js";
|
|
2
|
+
import { IAssetHandler, IHandlerHost, IHandlerOptions } from "../asset-handler.js";
|
|
3
|
+
export declare class ContainerImageAssetHandler implements IAssetHandler {
|
|
4
|
+
private readonly workDir;
|
|
5
|
+
private readonly asset;
|
|
6
|
+
private readonly host;
|
|
7
|
+
private readonly options;
|
|
8
|
+
private init?;
|
|
9
|
+
constructor(workDir: string, asset: DockerImageManifestEntry, host: IHandlerHost, options: IHandlerOptions);
|
|
10
|
+
build(): Promise<void>;
|
|
11
|
+
isPublished(): Promise<boolean>;
|
|
12
|
+
publish(): Promise<void>;
|
|
13
|
+
private initOnce;
|
|
14
|
+
/**
|
|
15
|
+
* Check whether the image already exists in the ECR repo
|
|
16
|
+
*
|
|
17
|
+
* Use the fields from the destination to do the actual check. The imageUri
|
|
18
|
+
* should correspond to that, but is only used to print Docker image location
|
|
19
|
+
* for user benefit (the format is slightly different).
|
|
20
|
+
*/
|
|
21
|
+
private destinationAlreadyExists;
|
|
22
|
+
}
|