aws-cdk-lib 2.136.1__py3-none-any.whl → 2.137.0__py3-none-any.whl

aws_cdk/aws_ec2/__init__.py

@@ -196,6 +196,12 @@ The construct will automatically selects the latest version of Amazon Linux 2023
 If you prefer to use a custom AMI, use `machineImage: MachineImage.genericLinux({ ... })` and configure the right AMI ID for the
 regions you want to deploy to.
 
+> **Warning**
+> The NAT instances created using this method will be **unmonitored**.
+> They are not part of an Auto Scaling Group,
+> and if they become unavailable or are terminated for any reason,
+> will not be restarted or replaced.
+
 By default, the NAT instances will route all traffic. To control what traffic
 gets routed, pass a custom value for `defaultAllowedTraffic` and access the
 `NatInstanceProvider.connections` member after having passed the NAT provider to
@@ -215,6 +221,31 @@ ec2.Vpc(self, "TheVPC",
 provider.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/8"), ec2.Port.tcp(80))
 ```
 
+You can also customize the characteristics of your NAT instances, as well as their initialization scripts:
+
+```python
+# bucket: s3.Bucket
+
+
+user_data = ec2.UserData.for_linux()
+user_data.add_commands(
+    (SpreadElement ...ec2.NatInstanceProviderV2.DEFAULT_USER_DATA_COMMANDS
+      ec2.NatInstanceProviderV2.DEFAULT_USER_DATA_COMMANDS), "echo \"hello world!\" > hello.txt", f"aws s3 cp hello.txt s3://{bucket.bucketName}")
+
+provider = ec2.NatProvider.instance_v2(
+    instance_type=ec2.InstanceType("t3.small"),
+    credit_specification=ec2.CpuCredits.UNLIMITED
+)
+
+ec2.Vpc(self, "TheVPC",
+    nat_gateway_provider=provider,
+    nat_gateways=2
+)
+
+for gateway in provider.gateway_instances:
+    bucket.grant_write(gateway)
+```
+
 ```python
 # Configure the `natGatewayProvider` when defining a Vpc
 nat_gateway_provider = ec2.NatProvider.instance(
@@ -229,7 +260,7 @@ vpc = ec2.Vpc(self, "MyVpc",
 )
 ```
 
-The construct will use the AWS official NAT instance AMI, which has already
+The V1 `NatProvider.instance` construct will use the AWS official NAT instance AMI, which has already
 reached EOL on Dec 31, 2023. For more information, see the following blog post:
 [Amazon Linux AMI end of life](https://aws.amazon.com/blogs/aws/update-on-amazon-linux-ami-end-of-life/).
 
@@ -73441,7 +73472,8 @@ class InstanceType(
                 subnet_type=ec2.SubnetType.PUBLIC
             ),
             vpc=vpc,
-            removal_policy=RemovalPolicy.SNAPSHOT
+            removal_policy=RemovalPolicy.SNAPSHOT,
+            instance_removal_policy=RemovalPolicy.RETAIN
         )
     '''
 
@@ -78835,6 +78867,7 @@ class NatInstanceImage(
         "key_pair": "keyPair",
         "machine_image": "machineImage",
         "security_group": "securityGroup",
+        "user_data": "userData",
     },
 )
 class NatInstanceProps:
@@ -78848,6 +78881,7 @@ class NatInstanceProps:
         key_pair: typing.Optional[IKeyPair] = None,
         machine_image: typing.Optional[IMachineImage] = None,
         security_group: typing.Optional[ISecurityGroup] = None,
+        user_data: typing.Optional["UserData"] = None,
     ) -> None:
         '''Properties for a NAT instance.
 
@@ -78858,19 +78892,23 @@ class NatInstanceProps:
         :param key_pair: The SSH keypair to grant access to the instance. Default: - No SSH access will be possible.
         :param machine_image: The machine image (AMI) to use. By default, will do an AMI lookup for the latest NAT instance image. If you have a specific AMI ID you want to use, pass a ``GenericLinuxImage``. For example:: ec2.NatProvider.instance({ instanceType: new ec2.InstanceType('t3.micro'), machineImage: new ec2.GenericLinuxImage({ 'us-east-2': 'ami-0f9c61b5a562a16af' }) }) Default: - Latest NAT instance image
         :param security_group: Security Group for NAT instances. Default: - A new security group will be created
+        :param user_data: Custom user data to run on the NAT instances. Default: UserData.forLinux().addCommands(...NatInstanceProviderV2.DEFAULT_USER_DATA_COMMANDS); - Appropriate user data commands to initialize and configure the NAT instances
 
         :exampleMetadata: infused
 
         Example::
 
-            nat_instance_provider = ec2.NatProvider.instance(
-                instance_type=ec2.InstanceType.of(ec2.InstanceClass.T4G, ec2.InstanceSize.LARGE),
-                machine_image=ec2.AmazonLinuxImage(),
-                credit_specification=ec2.CpuCredits.UNLIMITED
+            # instance_type: ec2.InstanceType
+            
+            
+            provider = ec2.NatProvider.instance_v2(
+                instance_type=instance_type,
+                default_allowed_traffic=ec2.NatTrafficDirection.OUTBOUND_ONLY
             )
-            ec2.Vpc(self, "VPC",
-                nat_gateway_provider=nat_instance_provider
+            ec2.Vpc(self, "TheVPC",
+                nat_gateway_provider=provider
             )
+            provider.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/8"), ec2.Port.tcp(80))
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__d7c7c717447859e1ccc181bc97f7752cc3f7fa7afaee4c3a4266eeac32c08643)
@@ -78881,6 +78919,7 @@ class NatInstanceProps:
             check_type(argname="argument key_pair", value=key_pair, expected_type=type_hints["key_pair"])
             check_type(argname="argument machine_image", value=machine_image, expected_type=type_hints["machine_image"])
             check_type(argname="argument security_group", value=security_group, expected_type=type_hints["security_group"])
+            check_type(argname="argument user_data", value=user_data, expected_type=type_hints["user_data"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "instance_type": instance_type,
         }
@@ -78896,6 +78935,8 @@ class NatInstanceProps:
             self._values["machine_image"] = machine_image
         if security_group is not None:
             self._values["security_group"] = security_group
+        if user_data is not None:
+            self._values["user_data"] = user_data
 
     @builtins.property
     def instance_type(self) -> InstanceType:
@@ -78983,6 +79024,17 @@ class NatInstanceProps:
         result = self._values.get("security_group")
         return typing.cast(typing.Optional[ISecurityGroup], result)
 
+    @builtins.property
+    def user_data(self) -> typing.Optional["UserData"]:
+        '''Custom user data to run on the NAT instances.
+
+        :default: UserData.forLinux().addCommands(...NatInstanceProviderV2.DEFAULT_USER_DATA_COMMANDS);  - Appropriate user data commands to initialize and configure the NAT instances
+
+        :see: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#create-nat-ami
+        '''
+        result = self._values.get("user_data")
+        return typing.cast(typing.Optional["UserData"], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -79055,6 +79107,7 @@ class NatProvider(
         key_pair: typing.Optional[IKeyPair] = None,
         machine_image: typing.Optional[IMachineImage] = None,
         security_group: typing.Optional[ISecurityGroup] = None,
+        user_data: typing.Optional["UserData"] = None,
     ) -> "NatInstanceProvider":
         '''(deprecated) Use NAT instances to provide NAT services for your VPC.
 
@@ -79071,6 +79124,7 @@ class NatProvider(
         :param key_pair: The SSH keypair to grant access to the instance. Default: - No SSH access will be possible.
         :param machine_image: The machine image (AMI) to use. By default, will do an AMI lookup for the latest NAT instance image. If you have a specific AMI ID you want to use, pass a ``GenericLinuxImage``. For example:: ec2.NatProvider.instance({ instanceType: new ec2.InstanceType('t3.micro'), machineImage: new ec2.GenericLinuxImage({ 'us-east-2': 'ami-0f9c61b5a562a16af' }) }) Default: - Latest NAT instance image
         :param security_group: Security Group for NAT instances. Default: - A new security group will be created
+        :param user_data: Custom user data to run on the NAT instances. Default: UserData.forLinux().addCommands(...NatInstanceProviderV2.DEFAULT_USER_DATA_COMMANDS); - Appropriate user data commands to initialize and configure the NAT instances
 
         :deprecated:
 
@@ -79088,6 +79142,7 @@ class NatProvider(
             key_pair=key_pair,
             machine_image=machine_image,
             security_group=security_group,
+            user_data=user_data,
         )
 
         return typing.cast("NatInstanceProvider", jsii.sinvoke(cls, "instance", [props]))
@@ -79104,6 +79159,7 @@ class NatProvider(
         key_pair: typing.Optional[IKeyPair] = None,
         machine_image: typing.Optional[IMachineImage] = None,
         security_group: typing.Optional[ISecurityGroup] = None,
+        user_data: typing.Optional["UserData"] = None,
     ) -> "NatInstanceProviderV2":
         '''Use NAT instances to provide NAT services for your VPC.
 
@@ -79120,6 +79176,7 @@ class NatProvider(
         :param key_pair: The SSH keypair to grant access to the instance. Default: - No SSH access will be possible.
         :param machine_image: The machine image (AMI) to use. By default, will do an AMI lookup for the latest NAT instance image. If you have a specific AMI ID you want to use, pass a ``GenericLinuxImage``. For example:: ec2.NatProvider.instance({ instanceType: new ec2.InstanceType('t3.micro'), machineImage: new ec2.GenericLinuxImage({ 'us-east-2': 'ami-0f9c61b5a562a16af' }) }) Default: - Latest NAT instance image
         :param security_group: Security Group for NAT instances. Default: - A new security group will be created
+        :param user_data: Custom user data to run on the NAT instances. Default: UserData.forLinux().addCommands(...NatInstanceProviderV2.DEFAULT_USER_DATA_COMMANDS); - Appropriate user data commands to initialize and configure the NAT instances
 
         :see: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html
         '''
@@ -79131,6 +79188,7 @@ class NatProvider(
             key_pair=key_pair,
             machine_image=machine_image,
             security_group=security_group,
+            user_data=user_data,
         )
 
         return typing.cast("NatInstanceProviderV2", jsii.sinvoke(cls, "instanceV2", [props]))
@@ -83942,13 +84000,23 @@ class UserData(
 
     Example::
 
-        multipart_user_data = ec2.MultipartUserData()
-        commands_user_data = ec2.UserData.for_linux()
-        multipart_user_data.add_user_data_part(commands_user_data, ec2.MultipartBody.SHELL_SCRIPT, True)
+        # cluster: eks.Cluster
         
-        # Adding commands to the multipartUserData adds them to commandsUserData, and vice-versa.
-        multipart_user_data.add_commands("touch /root/multi.txt")
-        commands_user_data.add_commands("touch /root/userdata.txt")
+        user_data = ec2.UserData.for_linux()
+        user_data.add_commands("set -o xtrace", f"/etc/eks/bootstrap.sh {cluster.clusterName}")
+        lt = ec2.CfnLaunchTemplate(self, "LaunchTemplate",
+            launch_template_data=ec2.CfnLaunchTemplate.LaunchTemplateDataProperty(
+                image_id="some-ami-id",  # custom AMI
+                instance_type="t3.small",
+                user_data=Fn.base64(user_data.render())
+            )
+        )
+        cluster.add_nodegroup_capacity("extra-ng",
+            launch_template_spec=eks.LaunchTemplateSpec(
+                id=lt.ref,
+                version=lt.attr_latest_version_number
+            )
+        )
     '''
 
     def __init__(self) -> None:
@@ -91307,6 +91375,7 @@ class NatInstanceProvider(
         key_pair: typing.Optional[IKeyPair] = None,
         machine_image: typing.Optional[IMachineImage] = None,
         security_group: typing.Optional[ISecurityGroup] = None,
+        user_data: typing.Optional[UserData] = None,
     ) -> None:
         '''
         :param instance_type: Instance type of the NAT instance.
@@ -91316,6 +91385,7 @@ class NatInstanceProvider(
         :param key_pair: The SSH keypair to grant access to the instance. Default: - No SSH access will be possible.
         :param machine_image: The machine image (AMI) to use. By default, will do an AMI lookup for the latest NAT instance image. If you have a specific AMI ID you want to use, pass a ``GenericLinuxImage``. For example:: ec2.NatProvider.instance({ instanceType: new ec2.InstanceType('t3.micro'), machineImage: new ec2.GenericLinuxImage({ 'us-east-2': 'ami-0f9c61b5a562a16af' }) }) Default: - Latest NAT instance image
         :param security_group: Security Group for NAT instances. Default: - A new security group will be created
+        :param user_data: Custom user data to run on the NAT instances. Default: UserData.forLinux().addCommands(...NatInstanceProviderV2.DEFAULT_USER_DATA_COMMANDS); - Appropriate user data commands to initialize and configure the NAT instances
 
         :stability: deprecated
         '''
@@ -91327,6 +91397,7 @@ class NatInstanceProvider(
             key_pair=key_pair,
             machine_image=machine_image,
             security_group=security_group,
+            user_data=user_data,
         )
 
         jsii.create(self.__class__, self, [props])
@@ -91435,6 +91506,7 @@ class NatInstanceProviderV2(
         key_pair: typing.Optional[IKeyPair] = None,
         machine_image: typing.Optional[IMachineImage] = None,
         security_group: typing.Optional[ISecurityGroup] = None,
+        user_data: typing.Optional[UserData] = None,
     ) -> None:
         '''
         :param instance_type: Instance type of the NAT instance.
@@ -91444,6 +91516,7 @@ class NatInstanceProviderV2(
         :param key_pair: The SSH keypair to grant access to the instance. Default: - No SSH access will be possible.
         :param machine_image: The machine image (AMI) to use. By default, will do an AMI lookup for the latest NAT instance image. If you have a specific AMI ID you want to use, pass a ``GenericLinuxImage``. For example:: ec2.NatProvider.instance({ instanceType: new ec2.InstanceType('t3.micro'), machineImage: new ec2.GenericLinuxImage({ 'us-east-2': 'ami-0f9c61b5a562a16af' }) }) Default: - Latest NAT instance image
         :param security_group: Security Group for NAT instances. Default: - A new security group will be created
+        :param user_data: Custom user data to run on the NAT instances. Default: UserData.forLinux().addCommands(...NatInstanceProviderV2.DEFAULT_USER_DATA_COMMANDS); - Appropriate user data commands to initialize and configure the NAT instances
         '''
         props = NatInstanceProps(
             instance_type=instance_type,
@@ -91453,6 +91526,7 @@ class NatInstanceProviderV2(
             key_pair=key_pair,
             machine_image=machine_image,
             security_group=security_group,
+            user_data=user_data,
         )
 
         jsii.create(self.__class__, self, [props])
@@ -91492,6 +91566,15 @@ class NatInstanceProviderV2(
             check_type(argname="argument subnet", value=subnet, expected_type=type_hints["subnet"])
         return typing.cast(None, jsii.invoke(self, "configureSubnet", [subnet]))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="DEFAULT_USER_DATA_COMMANDS")
+    def DEFAULT_USER_DATA_COMMANDS(cls) -> typing.List[builtins.str]:
+        '''Amazon Linux 2023 NAT instance user data commands Enable iptables on the instance, enable persistent IP forwarding, configure NAT on instance.
+
+        :see: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#create-nat-ami
+        '''
+        return typing.cast(typing.List[builtins.str], jsii.sget(cls, "DEFAULT_USER_DATA_COMMANDS"))
+
     @builtins.property
     @jsii.member(jsii_name="configuredGateways")
     def configured_gateways(self) -> typing.List[GatewayConfig]:
@@ -91504,6 +91587,12 @@ class NatInstanceProviderV2(
         '''Manage the Security Groups associated with the NAT instances.'''
         return typing.cast(Connections, jsii.get(self, "connections"))
 
+    @builtins.property
+    @jsii.member(jsii_name="gatewayInstances")
+    def gateway_instances(self) -> typing.List[Instance]:
+        '''Array of gateway instances spawned by the provider after internal configuration.'''
+        return typing.cast(typing.List[Instance], jsii.get(self, "gatewayInstances"))
+
     @builtins.property
     @jsii.member(jsii_name="securityGroup")
     def security_group(self) -> ISecurityGroup:
@@ -104109,6 +104198,7 @@ def _typecheckingstub__d7c7c717447859e1ccc181bc97f7752cc3f7fa7afaee4c3a4266eeac3
     key_pair: typing.Optional[IKeyPair] = None,
     machine_image: typing.Optional[IMachineImage] = None,
     security_group: typing.Optional[ISecurityGroup] = None,
+    user_data: typing.Optional[UserData] = None,
 ) -> None:
     """Type checking stubs"""
     pass

aws_cdk/aws_ecr_assets/__init__.py

@@ -214,10 +214,9 @@ method. This will modify the IAM policy of the principal to allow it to
 pull images from this repository.
 
 If the pulling principal is not in the same account or is an AWS service that
-doesn't assume a role in your account (e.g. AWS CodeBuild), pull permissions
-must be granted on the **resource policy** (and not on the principal's policy).
-To do that, you can use `asset.repository.addToResourcePolicy(statement)` to
-grant the desired principal the following permissions: "ecr:GetDownloadUrlForLayer",
+doesn't assume a role in your account (e.g. AWS CodeBuild), you must either copy the image to a new repository, or
+grant pull permissions on the resource policy of the repository. Since the repository is managed by the CDK bootstrap stack,
+the following permissions must be granted there, or granted manually on the repository: "ecr:GetDownloadUrlForLayer",
 "ecr:BatchGetImage" and "ecr:BatchCheckLayerAvailability".
 '''
 from pkgutil import extend_path