From e5d846f76576bace2ca0c5ae4459f4de34ee9326 Mon Sep 17 00:00:00 2001 From: mazyu36 Date: Sat, 14 Sep 2024 07:20:39 +0900 Subject: [PATCH 1/4] chore(ec2): support interface VPC endpoint for RAM (#31384) Add interface VPC endpoint for Resource Access Manager. Ref: * https://aws.amazon.com/about-aws/whats-new/2024/09/aws-resource-access-manager-privatelink/ * https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
--- packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts | 1 + 1 file changed, 1 insertion(+)
diff --git a/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts b/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts
index d7c7bf6e7716f..d186d00987317 100644
--- a/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts
+++ b/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts
@@ -538,6 +538,7 @@ export class InterfaceVpcEndpointAwsService implements IInterfaceVpcEndpointServ
 public static readonly REKOGNITION_STREAMING = new InterfaceVpcEndpointAwsService('streaming-rekognition');
 public static readonly REKOGNITION_STREAMING_FIPS = new InterfaceVpcEndpointAwsService('streaming-rekognition-fips');
 public static readonly REPOST_SPACE = new InterfaceVpcEndpointAwsService('repostspace');
+ public static readonly RESOURCE_ACCESS_MANAGER = new InterfaceVpcEndpointAwsService('ram');
 public static readonly ROBOMAKER = new InterfaceVpcEndpointAwsService('robomaker');
 public static readonly RECYCLE_BIN = new InterfaceVpcEndpointAwsService('rbin');
 public static readonly S3 = new InterfaceVpcEndpointAwsService('s3');
From 36baf5172d3d70bb906a5dccbf28b22b1473ed11 Mon Sep 17 00:00:00 2001
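Review bot: Nothing in this patch exercises the new `RESOURCE_ACCESS_MANAGER` constant — the diffstat touches only `vpc-endpoint.ts` — so the service name `ram` rests solely on the linked announcement, and a wrong name here would only surface as a CloudFormation failure at deploy time. Add an assertion to the existing `InterfaceVpcEndpoint` unit tests that the rendered `ServiceName` for this constant ends in `.ram`, so the name is pinned in the repo. A one-line doc comment such as `/** AWS Resource Access Manager (RAM) */` would also help, since the constant name does not contain the acronym operators see in the console and the PrivateLink service list.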
From: Kazuho Cryer-Shinozuka Date: Sat, 14 Sep 2024 07:52:06 +0900 Subject: [PATCH 2/4] feat(apigatewayv2): support for setting `routeSelectionExpression` for an HTTP API (#31373) ### Issue # (if applicable) Closes #31104. ### Reason for this change Cloudformation supports for configuring `routeSelectionExpression` but AWS CDK doesn't support this. ### Description of changes Added `routeSelectionExpression` prop to `HttpApiProps`. For HTTP API, `routeSelectionExpression` must be `${request.method} ${request.path}`. Therefore, I defined `routeSelectionExpression` as boolean and set it to `${request.method} ${request.path}`. ### Description of how you validated changes Added unit and integ tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../aws-cdk-aws-apigatewayv2.assets.json | 6 ++--- .../aws-cdk-aws-apigatewayv2.template.json | 3 ++- .../test/http/integ.api.js.snapshot/cdk.out | 2 +- ...efaultTestDeployAssert77633A40.assets.json | 2 +- .../http/integ.api.js.snapshot/integ.json | 2 +- .../http/integ.api.js.snapshot/manifest.json | 4 +-- .../test/http/integ.api.js.snapshot/tree.json | 3 ++- .../aws-apigatewayv2/test/http/integ.api.ts | 4 ++- .../aws-cdk-lib/aws-apigatewayv2/README.md | 8 ++++++ .../aws-apigatewayv2/lib/http/api.ts | 10 +++++++ .../aws-apigatewayv2/test/http/api.test.ts | 26 +++++++++++++++++++ 11 files changed, 59 insertions(+), 11 deletions(-) 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.js.snapshot/aws-cdk-aws-apigatewayv2.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.js.snapshot/aws-cdk-aws-apigatewayv2.assets.json index 2a97a56ed3ab4..d4faf85d53ac2 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.js.snapshot/aws-cdk-aws-apigatewayv2.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.js.snapshot/aws-cdk-aws-apigatewayv2.assets.json @@ -1,7 +1,7 @@ { - "version": "35.0.0", + "version": "36.0.24", "files": { - "f753b6c52b805082d600dd33b6be3b816c0954f254acf84347e2447774db5100": { + "9f85e0964776ba83e66fcd671c3a1742f019c357f8fc867e1890e86af1fdec7b": { "source": { "path": "aws-cdk-aws-apigatewayv2.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "f753b6c52b805082d600dd33b6be3b816c0954f254acf84347e2447774db5100.json", + "objectKey": "9f85e0964776ba83e66fcd671c3a1742f019c357f8fc867e1890e86af1fdec7b.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.js.snapshot/aws-cdk-aws-apigatewayv2.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.js.snapshot/aws-cdk-aws-apigatewayv2.template.json index 36bd57da384f9..27b13d1802598 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.js.snapshot/aws-cdk-aws-apigatewayv2.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.js.snapshot/aws-cdk-aws-apigatewayv2.template.json 
@@ -4,7 +4,8 @@ "Type": "AWS::ApiGatewayV2::Api", "Properties": { "Name": "HttpApi", - "ProtocolType": "HTTP" + "ProtocolType": "HTTP", + "RouteSelectionExpression": "${request.method} ${request.path}" } }, "HttpApiDefaultStage3EEB07D6": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.js.snapshot/cdk.out index c5cb2e5de6344..4efaa16f29af9 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"35.0.0"} \ No newline at end of file +{"version":"36.0.24"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.js.snapshot/httpapiDefaultTestDeployAssert77633A40.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.js.snapshot/httpapiDefaultTestDeployAssert77633A40.assets.json index 1b6f704767526..ac2d13efda342 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.js.snapshot/httpapiDefaultTestDeployAssert77633A40.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.js.snapshot/httpapiDefaultTestDeployAssert77633A40.assets.json @@ -1,5 +1,5 @@ { - "version": "35.0.0", + "version": "36.0.24", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.js.snapshot/integ.json index 1b3ad22cef14a..80fc2143882d2 100644 
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "35.0.0", + "version": "36.0.24", "testCases": { "http-api/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.js.snapshot/manifest.json index 91e40a0cbe7bb..27baec36eb925 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "35.0.0", + "version": "36.0.24", "artifacts": { "aws-cdk-aws-apigatewayv2.assets": { "type": "cdk:asset-manifest", @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/f753b6c52b805082d600dd33b6be3b816c0954f254acf84347e2447774db5100.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/9f85e0964776ba83e66fcd671c3a1742f019c357f8fc867e1890e86af1fdec7b.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.js.snapshot/tree.json index d17481862eddf..68ac7cffc7318 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.js.snapshot/tree.json @@ -19,7 +19,8 @@ "aws:cdk:cloudformation:type": "AWS::ApiGatewayV2::Api", "aws:cdk:cloudformation:props": { "name": "HttpApi", - "protocolType": "HTTP" + "protocolType": "HTTP", + "routeSelectionExpression": "${request.method} ${request.path}" } }, "constructInfo": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.ts index dac08621b9906..e60b20380a4ac 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api.ts @@ -6,7 +6,9 @@ import * as apigw from 'aws-cdk-lib/aws-apigatewayv2'; const app = new cdk.App(); const stack = new cdk.Stack(app, 'aws-cdk-aws-apigatewayv2'); -new apigw.HttpApi(stack, 'HttpApi'); +new apigw.HttpApi(stack, 'HttpApi', { + routeSelectionExpression: true, +}); new IntegTest(app, 'http-api', { testCases: [stack], diff --git a/packages/aws-cdk-lib/aws-apigatewayv2/README.md b/packages/aws-cdk-lib/aws-apigatewayv2/README.md index 8b74889d941cb..fdde2f476c216 100644 --- a/packages/aws-cdk-lib/aws-apigatewayv2/README.md +++ b/packages/aws-cdk-lib/aws-apigatewayv2/README.md 
@@ -93,6 +93,14 @@ new apigwv2.HttpApi(this, 'HttpProxyApi', {
 });
 ```
+The `routeSelectionExpression` option allows configuring the HTTP API to accept only `${request.method} ${request.path}`. Setting it to `true` automatically applies this value.
+
+```ts
+new apigwv2.HttpApi(this, 'HttpProxyApi', {
+ routeSelectionExpression: true,
+});
+```
+
 ### Cross Origin Resource Sharing (CORS)
 [Cross-origin resource sharing (CORS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) is a browser security
diff --git a/packages/aws-cdk-lib/aws-apigatewayv2/lib/http/api.ts b/packages/aws-cdk-lib/aws-apigatewayv2/lib/http/api.ts
index 55ff0955df3b8..53437c47a5db3 100644
--- a/packages/aws-cdk-lib/aws-apigatewayv2/lib/http/api.ts
+++ b/packages/aws-cdk-lib/aws-apigatewayv2/lib/http/api.ts
@@ -160,6 +160,15 @@ export interface HttpApiProps {
 * @default - no default authorization scopes
 */
 readonly defaultAuthorizationScopes?: string[];
+
+ /**
+ * Whether to set the default route selection expression for the API.
+ *
+ * When enabled, "${request.method} ${request.path}" is set as the default route selection expression.
+ *
+ * @default false
+ */
+ readonly routeSelectionExpression?: boolean;
 }
 /**
@@ -434,6 +443,7 @@ export class HttpApi extends HttpApiBase {
 corsConfiguration,
 description: props?.description,
 disableExecuteApiEndpoint: this.disableExecuteApiEndpoint,
+ routeSelectionExpression: props?.routeSelectionExpression ? '${request.method} ${request.path}' : undefined,
 };
 const resource = new CfnApi(this, 'Resource', apiProps);
diff --git a/packages/aws-cdk-lib/aws-apigatewayv2/test/http/api.test.ts b/packages/aws-cdk-lib/aws-apigatewayv2/test/http/api.test.ts
index e703dbd9d7d56..295986b4bc2bc 100644
--- a/packages/aws-cdk-lib/aws-apigatewayv2/test/http/api.test.ts
+++ b/packages/aws-cdk-lib/aws-apigatewayv2/test/http/api.test.ts
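Review bot: The doc comment on `routeSelectionExpression` does not say that `${request.method} ${request.path}` is the only expression an HTTP API accepts — which, per the PR description, is the whole reason the prop is a boolean — so a reader sees a boolean named after a string CloudFormation property and no explanation of why they cannot supply their own expression. Expand the comment to `HTTP APIs support only the expression "${request.method} ${request.path}"; when true, that value is written explicitly to the API resource.`, and if API Gateway applies that same expression when the property is omitted (implied by the description, not shown in this diff) say so, so that `@default false` is not read as a different routing behaviour. Consider also whether a boolean is the right shape: should API Gateway ever accept other expressions, this prop cannot become a string without a breaking change, whereas an enum-like type could grow.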
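Review bot: The single-quoted `'${request.method} ${request.path}'` is correct but reads like a template literal that was accidentally not interpolated, and the same string is repeated in the doc comment, the README and both unit tests. Hoist it to a module-level constant with a comment, e.g. `// Deliberately not a template literal: this is the literal API Gateway expression, the only one HTTP APIs accept.` followed by `const HTTP_API_ROUTE_SELECTION_EXPRESSION = '${request.method} ${request.path}';`, and reference that constant here and from the tests so the value is defined once. The `HttpApi` constructor continues outside the hunk.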
@@ -234,6 +234,32 @@ describe('HttpApi', () => {
 });
 });
+ test('routeSelectionExpression is enabled', () => {
+ const stack = new Stack();
+ new HttpApi(stack, 'api', {
+ routeSelectionExpression: true,
+ });
+
+ Template.fromStack(stack).hasResourceProperties('AWS::ApiGatewayV2::Api', {
+ Name: 'api',
+ ProtocolType: 'HTTP',
+ RouteSelectionExpression: '${request.method} ${request.path}',
+ });
+ });
+
+ test.each([false, undefined])('routeSelectionExpression is not enabled', (routeSelectionExpression) => {
+ const stack = new Stack();
+ new HttpApi(stack, 'api', {
+ routeSelectionExpression,
+ });
+
+ Template.fromStack(stack).hasResourceProperties('AWS::ApiGatewayV2::Api', {
+ Name: 'api',
+ ProtocolType: 'HTTP',
+ RouteSelectionExpression: Match.absent(),
+ });
+ });
+
 test('can add a vpc links', () => {
 // GIVEN
 const stack = new Stack();
From 84701d62bea78cfa5971b988dc06ab9eaa906c95 Mon Sep 17 00:00:00 2001 From: GZ Date: Fri, 13 Sep 2024 16:22:51 -0700 Subject: [PATCH 3/4] chore(s3): readme update with mixing L1 and L2 bucket policy (#31437) ### Issue # (if applicable) Closes https://github.com/aws/aws-cdk/issues/30148 ### Reason for this change Users using L1 and L2 bucket policy with `serverAccessLogsBucket` would cause bucket policy overwrite instead of append. ### Description of changes No behavioural change, only readme update to explain the issues and the workaround. ### Description of how you validated changes No behavioural change. ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
--- packages/aws-cdk-lib/aws-s3/README.md | 111 ++++++++++++++++++++++++++ 1 file changed, 111 insertions(+)
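Review bot: `test.each([false, undefined])` uses a fixed title, so both cases report as `routeSelectionExpression is not enabled` and a failure does not say which value triggered it; use a format placeholder such as `'routeSelectionExpression is not enabled (%p)'`. The second assertion also relies on `Match` being imported at the top of this test file, which is outside the hunk, and the enclosing `describe('HttpApi', …)` begins outside it as well.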
diff --git a/packages/aws-cdk-lib/aws-s3/README.md b/packages/aws-cdk-lib/aws-s3/README.md index f7d35ba94dc79..f1670876e5e4a 100644 --- a/packages/aws-cdk-lib/aws-s3/README.md +++ b/packages/aws-cdk-lib/aws-s3/README.md 
@@ -492,6 +492,117 @@ const bucket = new s3.Bucket(this, 'MyBucket', { }); ``` +The above code will create a new bucket policy if none exists or update the +existing bucket policy to allow access log delivery. + +However, there could be an edge case if the `accessLogsBucket` also defines a bucket +policy resource using the L1 Construct. Although the mixing of L1 and L2 Constructs is not +recommended, there are no mechanisms in place to prevent users from doing this at the moment. + +```ts +const bucketName = "my-favorite-bucket-name"; +const accessLogsBucket = new s3.Bucket(this, 'AccessLogsBucket', { + objectOwnership: s3.ObjectOwnership.BUCKET_OWNER_ENFORCED, + bucketName, +}); + +// Creating a bucket policy using L1 +const bucketPolicy = new s3.CfnBucketPolicy(this, "BucketPolicy", { + bucket: bucketName, + policyDocument: { + Statement: [ + { + Action: 's3:*', + Effect: 'Deny', + Principal: { + AWS: '*', + }, + Resource: [ + accessLogsBucket.bucketArn, + `${accessLogsBucket.bucketArn}/*` + ], + }, + ], + Version: '2012-10-17', + }, +}); + +// 'serverAccessLogsBucket' will create a new L2 bucket policy +// to allow log delivery and overwrite the L1 bucket policy. +const bucket = new s3.Bucket(this, 'MyBucket', { + serverAccessLogsBucket: accessLogsBucket, + serverAccessLogsPrefix: 'logs', +}); +``` + +The above example uses the L2 Bucket Construct with the L1 CfnBucketPolicy Construct. However, +when `serverAccessLogsBucket` is set, a new L2 Bucket Policy resource will be created +which overwrites the permissions defined in the L1 Bucket Policy causing unintended +behaviours. + +As noted above, we highly discourage the mixed usage of L1 and L2 Constructs. The recommended +approach would to define the bucket policy using `addToResourcePolicy` method. 
+ +```ts +const accessLogsBucket = new s3.Bucket(this, 'AccessLogsBucket', { + objectOwnership: s3.ObjectOwnership.BUCKET_OWNER_ENFORCED, +}); + +accessLogsBucket.addToResourcePolicy( + new iam.PolicyStatement({ + actions: ['s3:*'], + resources: [accessLogsBucket.bucketArn, accessLogsBucket.arnForObjects('*')], + principals: [new iam.AnyPrincipal()], + }) +) + +const bucket = new s3.Bucket(this, 'MyBucket', { + serverAccessLogsBucket: accessLogsBucket, + serverAccessLogsPrefix: 'logs', +}); +``` + +Alternatively, users can use the L2 Bucket Policy Construct +`BucketPolicy.fromCfnBucketPolicy` to wrap around `CfnBucketPolicy` Construct. This will allow the subsequent bucket policy generated by `serverAccessLogsBucket` usage to append to the existing bucket policy instead of overwriting. + +```ts +const bucketName = "my-favorite-bucket-name"; +const accessLogsBucket = new s3.Bucket(this, 'AccessLogsBucket', { + objectOwnership: s3.ObjectOwnership.BUCKET_OWNER_ENFORCED, + bucketName, +}); + +const bucketPolicy = new s3.CfnBucketPolicy(this, "BucketPolicy", { + bucket: bucketName, + policyDocument: { + Statement: [ + { + Action: 's3:*', + Effect: 'Deny', + Principal: { + AWS: '*', + }, + Resource: [ + accessLogsBucket.bucketArn, + `${accessLogsBucket.bucketArn}/*` + ], + }, + ], + Version: '2012-10-17', + }, +}); + +// Wrap L1 Construct with L2 Bucket Policy Construct. Subsequent +// generated bucket policy to allow access log delivery would append +// to the current policy. +s3.BucketPolicy.fromCfnBucketPolicy(bucketPolicy); + +const bucket = new s3.Bucket(this, 'MyBucket', { + serverAccessLogsBucket: accessLogsBucket, + serverAccessLogsPrefix: 'logs', +}); +``` + ## S3 Inventory An [inventory](https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-inventory.html) contains a list of the objects in the source bucket and metadata for each object. 
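Review bot: The `addToResourcePolicy` example offered as the recommended approach omits `effect`, and `iam.PolicyStatement` defaults to `Allow`, so the statement grants `s3:*` on the access-logs bucket and every object in it to `new iam.AnyPrincipal()` — the opposite of the `Deny` statement in the `CfnBucketPolicy` example it is meant to replace, and a public grant if Block Public Access is ever relaxed on that bucket. Add `effect: iam.Effect.DENY,` as the first property of that statement. Separately, an unconditional `Deny` of `s3:*` to every principal likely also overrides the `Allow` that `serverAccessLogsBucket` appends, because an explicit deny wins over any allow in policy evaluation, so even the `BucketPolicy.fromCfnBucketPolicy` workaround would not actually deliver logs; a conditioned deny such as `conditions: { Bool: { 'aws:SecureTransport': 'false' } }` would demonstrate the append behaviour without that side effect. Finally, `The recommended approach would to define` is missing `be`.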
The inventory lists are stored in the destination bucket as a CSV file compressed with GZIP, as an Apache optimized row columnar (ORC) file compressed with ZLIB, or as an Apache Parquet (Parquet) file compressed with Snappy. From 386fca3e1408a9389efac08598bde2d93d53fbba Mon Sep 17 00:00:00 2001 From: natekruse-aws Date: Fri, 13 Sep 2024 19:16:28 -0500 Subject: [PATCH 4/4] fix(eks): update private ecr repo url regex (#31394) ### Issue # (if applicable) ### Reason for this change The regex for private ECR repos currently excludes some supported URLs in AWS regions. Updating the regex to be more inclusive of all AWS regions. ### Description of changes Modified private ECR repo URL to be domain agnostic. ### Description of how you validated changes All existing tests pass: - `npx cdk -a test/aws-eks/test/integ.eks-helm-asset.js deploy --all` - `yarn test aws-eks` - `yarn integ --directory test/aws-eks/test` Manually updated lambda function highside to verify change works in isolated regions as well. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../lib/aws-eks/kubectl-handler/helm/__init__.py | 2 +- packages/aws-cdk-lib/aws-eks/test/helm-chart.test.ts | 10 ++++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/packages/@aws-cdk/custom-resource-handlers/lib/aws-eks/kubectl-handler/helm/__init__.py b/packages/@aws-cdk/custom-resource-handlers/lib/aws-eks/kubectl-handler/helm/__init__.py index ddf0753a8aa6b..49b684851420e 100644 --- a/packages/@aws-cdk/custom-resource-handlers/lib/aws-eks/kubectl-handler/helm/__init__.py +++ b/packages/@aws-cdk/custom-resource-handlers/lib/aws-eks/kubectl-handler/helm/__init__.py 
@@ -101,7 +101,7 @@ def helm_handler(event, context):
 def get_oci_cmd(repository, version):
 # Generates OCI command based on pattern. Public ECR vs Private ECR are treated differently.
- private_ecr_pattern = 'oci://(?P\d+\.dkr\.ecr\.(?P[a-z0-9\-]+)\.amazonaws\.com(\.cn)?)*'
+ private_ecr_pattern = 'oci://(?P\d+\.dkr\.ecr\.(?P[a-z0-9\-]+)\.(?P[a-z0-9\.-]+))*'
 public_ecr_pattern = 'oci://(?Ppublic\.ecr\.aws)*'
 private_registry = re.match(private_ecr_pattern, repository).groupdict()
diff --git a/packages/aws-cdk-lib/aws-eks/test/helm-chart.test.ts b/packages/aws-cdk-lib/aws-eks/test/helm-chart.test.ts
index cb3804d4289e7..0974ebbf844e6 100644
--- a/packages/aws-cdk-lib/aws-eks/test/helm-chart.test.ts
+++ b/packages/aws-cdk-lib/aws-eks/test/helm-chart.test.ts
@@ -272,5 +272,15 @@ describe('helm chart', () => {
 // THEN
 Template.fromStack(stack).hasResourceProperties(eks.HelmChart.RESOURCE_TYPE, { SkipCrds: true });
 });
+ test('should use private ecr repo when specified', () => {
+ // GIVEN
+ const { stack, cluster } = testFixtureCluster();
+
+ // WHEN
+ new eks.HelmChart(stack, 'MyPrivateChart', { cluster, chart: 'chart', repository: 'oci://012345678.dkr.ecr.us-east-1.amazonaws.com/private-repo' });
+
+ // THEN
+ Template.fromStack(stack).hasResourceProperties(eks.HelmChart.RESOURCE_TYPE, { Repository: 'oci://012345678.dkr.ecr.us-east-1.amazonaws.com/private-repo' });
+ });
 });
 });
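Review bot: The domain group is now `[a-z0-9\.-]+`, which accepts any DNS suffix, so a repository such as `oci://123456789012.dkr.ecr.us-east-1.example.net/chart` is classified as a private ECR registry; to the extent the code after this hunk obtains an ECR authorization token for the parsed region and logs the OCI client in to the matched host (that code is outside the hunk), the token would be sent to a non-AWS host that merely mimics the ECR hostname shape. The URL is supplied by the stack author, so this is a footgun rather than a remote attack path, but an allowlist of the partition suffixes this change is meant to add (`amazonaws\.com`, `amazonaws\.com\.cn`, and the isolated-region suffixes the author tested) would keep the previous guarantee while still fixing the gap. Both patterns are also unanchored and wrapped in `(...)*`, so `re.match` succeeds on any `oci://` string with every group `None`; that predates this change, but it is why a malformed private URL fails later with a `None` registry instead of a clear error. The literal should be a raw string (`r'oci://…'`) as well: `\d` and `\.` in a plain string are invalid escape sequences that recent Python versions warn about, and `\.` inside a character class is redundant.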
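Review bot: The new test only asserts that the `Repository` string is passed through unchanged to the `HelmChart` custom resource properties, which does not exercise the regex changed in `helm/__init__.py` by this same patch, and the URL it uses ends in `amazonaws.com`, the suffix the old pattern already accepted. The behaviour being fixed lives in the Python handler, so a unit test there calling `get_oci_cmd` with a non-`amazonaws.com` suffix (and one with a malformed host) is what would catch a regression; as written this test passes with or without the regex change. The enclosing `describe('helm chart', …)` begins outside the hunk.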