feat(core): support ssh build arg in DockerImageAsset

packages/aws-cdk-lib/aws-ecr-assets/lib/image-asset.ts

@@ -105,6 +105,13 @@ export interface DockerImageAssetInvalidationOptions {
    */
   readonly buildSecrets?: boolean;
 
+  /**
+   * Use `buildSSH` while calculating the asset hash
+   * 
+   * @default true
+   */
+  readonly buildSSH?: boolean;
+
   /**
    * Use `target` while calculating the asset hash
    *
@@ -223,6 +230,23 @@ export interface DockerImageAssetOptions extends FingerprintOptions, FileFingerp
    */
   readonly buildSecrets?: { [key: string]: string }
 
+  /**
+   * SSH agent socket or keys to pass to the `docker build` command.
+   * 
+   * Docker BuildKit must be enabled to use the ssh flag
+   * 
+   * @see https://docs.docker.com/build/buildkit/
+   * 
+   * @default - no --ssh flag
+   * 
+   * @example
+   * import { DockerBuildSSH } from `aws-cdk-lib`;
+   * 
+   * const sshFlag = 'default';
+   * 
+   */
+  readonly buildSSH?: string;
+
   /**
    * Docker target to build to
    *
@@ -364,6 +388,10 @@ export class DockerImageAsset extends Construct implements IAsset {
    */
   private readonly dockerBuildSecrets?: { [key: string]: string };
 
+  /**
+   * SSH agent socket or keys to pass to the `docker build` command.
+   */
+  private readonly dockerBuildSSH?: string;
   /**
    * Outputs to pass to the `docker build` command.
    */
@@ -446,6 +474,7 @@ export class DockerImageAsset extends Construct implements IAsset {
     if (props.invalidation?.extraHash !== false && props.extraHash) { extraHash.user = props.extraHash; }
     if (props.invalidation?.buildArgs !== false && props.buildArgs) { extraHash.buildArgs = props.buildArgs; }
     if (props.invalidation?.buildSecrets !== false && props.buildSecrets) { extraHash.buildSecrets = props.buildSecrets; }
+    if (props.invalidation?.buildSSH !== false && props.buildSSH) {extraHash.buildSSH = props.buildSSH; }
     if (props.invalidation?.target !== false && props.target) { extraHash.target = props.target; }
     if (props.invalidation?.file !== false && props.file) { extraHash.file = props.file; }
     if (props.invalidation?.repositoryName !== false && props.repositoryName) { extraHash.repositoryName = props.repositoryName; }
@@ -477,6 +506,7 @@ export class DockerImageAsset extends Construct implements IAsset {
     this.assetName = props.assetName;
     this.dockerBuildArgs = props.buildArgs;
     this.dockerBuildSecrets = props.buildSecrets;
+    this.dockerBuildSSH = props.buildSSH;
     this.dockerBuildTarget = props.target;
     this.dockerOutputs = props.outputs;
     this.dockerCacheFrom = props.cacheFrom;
@@ -487,6 +517,7 @@ export class DockerImageAsset extends Construct implements IAsset {
       assetName: this.assetName,
       dockerBuildArgs: this.dockerBuildArgs,
       dockerBuildSecrets: this.dockerBuildSecrets,
+      dockerBuildSSH: this.dockerBuildSSH,
       dockerBuildTarget: this.dockerBuildTarget,
       dockerFile: props.file,
       sourceHash: staging.assetHash,
@@ -530,6 +561,7 @@ export class DockerImageAsset extends Construct implements IAsset {
     resource.cfnOptions.metadata[cxapi.ASSET_RESOURCE_METADATA_DOCKERFILE_PATH_KEY] = this.dockerfilePath;
     resource.cfnOptions.metadata[cxapi.ASSET_RESOURCE_METADATA_DOCKER_BUILD_ARGS_KEY] = this.dockerBuildArgs;
     resource.cfnOptions.metadata[cxapi.ASSET_RESOURCE_METADATA_DOCKER_BUILD_SECRETS_KEY] = this.dockerBuildSecrets;
+    resource.cfnOptions.metadata[cxapi.ASSET_RESOURCE_METADATA_DOCKER_BUILD_SSH_KEY] = this.dockerBuildSSH;
     resource.cfnOptions.metadata[cxapi.ASSET_RESOURCE_METADATA_DOCKER_BUILD_TARGET_KEY] = this.dockerBuildTarget;
     resource.cfnOptions.metadata[cxapi.ASSET_RESOURCE_METADATA_PROPERTY_KEY] = resourceProperty;
     resource.cfnOptions.metadata[cxapi.ASSET_RESOURCE_METADATA_DOCKER_OUTPUTS_KEY] = this.dockerOutputs;

packages/aws-cdk-lib/aws-ecr-assets/test/image-asset.test.ts

@@ -151,6 +151,7 @@ describe('image asset', () => {
     const asset6 = new DockerImageAsset(stack, 'Asset6', { directory, extraHash: 'random-extra' });
     const asset7 = new DockerImageAsset(stack, 'Asset7', { directory, outputs: ['123'] });
     const asset8 = new DockerImageAsset(stack, 'Asset8', { directory, buildSecrets: { mySecret: DockerBuildSecret.fromSrc('abc.txt') } });
+    const asset9 = new DockerImageAsset(stack, 'Asset9', { directory, buildSSH: 'default'});
 
     expect(asset1.assetHash).toEqual('13248c55633f3b198a628bb2ea4663cb5226f8b2801051bd0c725950266fd590');
     expect(asset2.assetHash).toEqual('36bf205fb9adc5e45ba1c8d534158a0aed96d190eff433af1d90f3b94f96e751');

packages/aws-cdk-lib/cloud-assembly-schema/lib/assets/docker-image-asset.ts

@@ -63,6 +63,15 @@ export interface DockerImageSource {
    */
   readonly dockerBuildArgs?: { [name: string]: string };
 
+  /**
+   * SSH agent socket or keys
+   * 
+   * Requires building with docker buildkit.
+   * 
+   * @default - No ssh flag is set
+   */
+  readonly dockerBuildSSH?: string;
+
   /**
    * Additional build secrets
    *

packages/aws-cdk-lib/cloud-assembly-schema/lib/cloud-assembly/metadata-schema.ts

@@ -146,6 +146,13 @@ export interface ContainerImageAssetMetadataEntry extends BaseAssetMetadataEntry
    */
   readonly buildArgs?: { [key: string]: string };
 
+  /**
+   * SSH agent socket or keys to pass to the `docker build` command
+   * 
+   * @default no ssh arg is passed
+   */
+  readonly buildSSH?: string;
+
   /**
    * Build secrets to pass to the `docker build` command
    *

packages/aws-cdk-lib/core/lib/assets.ts

@@ -202,6 +202,14 @@ export interface DockerImageAssetSource {
    */
   readonly dockerBuildSecrets?: { [key: string]: string };
 
+  /**
+   * SSH agent socket or keys to pass to the `docker buildx` command.
+   * 
+   * 
+   * @default - no ssh arg is passed
+   */
+  readonly dockerBuildSSH?: string;
+
   /**
    * Docker target to build to
    *

packages/aws-cdk-lib/cx-api/lib/assets.ts

@@ -13,6 +13,7 @@ export const ASSET_RESOURCE_METADATA_PATH_KEY = 'aws:asset:path';
 export const ASSET_RESOURCE_METADATA_DOCKERFILE_PATH_KEY = 'aws:asset:dockerfile-path';
 export const ASSET_RESOURCE_METADATA_DOCKER_BUILD_ARGS_KEY = 'aws:asset:docker-build-args';
 export const ASSET_RESOURCE_METADATA_DOCKER_BUILD_SECRETS_KEY = 'aws:asset:docker-build-secrets';
+export const ASSET_RESOURCE_METADATA_DOCKER_BUILD_SSH_KEY = 'aws:asset:docker-build-ssh';
 export const ASSET_RESOURCE_METADATA_DOCKER_BUILD_TARGET_KEY = 'aws:asset:docker-build-target';
 export const ASSET_RESOURCE_METADATA_PROPERTY_KEY = 'aws:asset:property';
 export const ASSET_RESOURCE_METADATA_IS_BUNDLED_KEY = 'aws:asset:is-bundled';

packages/aws-cdk/lib/assets.ts

@@ -120,6 +120,7 @@ async function prepareDockerImageAsset(
   assetManifest.addDockerImageAsset(asset.sourceHash, {
     directory: asset.path,
     dockerBuildArgs: asset.buildArgs,
+    dockerBuildSSH: asset.buildSSH,
     dockerBuildTarget: asset.target,
     dockerFile: asset.file,
     networkMode: asset.networkMode,

packages/cdk-assets/lib/private/docker.ts

@@ -16,6 +16,7 @@ interface BuildOptions {
   readonly file?: string;
   readonly buildArgs?: Record<string, string>;
   readonly buildSecrets?: Record<string, string>;
+  readonly buildSSH?: string;
   readonly networkMode?: string;
   readonly platform?: string;
   readonly outputs?: string[];
@@ -91,6 +92,7 @@ export class Docker {
       'build',
       ...flatten(Object.entries(options.buildArgs || {}).map(([k, v]) => ['--build-arg', `${k}=${v}`])),
       ...flatten(Object.entries(options.buildSecrets || {}).map(([k, v]) => ['--secret', `id=${k},${v}`])),
+      '--ssh', options.buildSSH,
       '--tag', options.tag,
       ...options.target ? ['--target', options.target] : [],
       ...options.file ? ['--file', options.file] : [],