Skip to content

feat(imagebuilder): add support for EC2 Image Builder L2 Constructs - Infrastructure Configuration #35882

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat(imagebuilder): add support for EC2 Image Builder L2 Constructs - Infrastructure Configuration #35882

wants to merge 2 commits into from
+4,572 −0

Conversation

@tarunb12
Copy link

@tarunb12 tarunb12 commented Oct 29, 2025
edited
Loading

Issue # (aws/aws-cdk-rfcs#789)

Reason for this change

This change adds a new alpha module for EC2 Image Builder L2 Constructs (@aws-cdk/aws-imagebuilder-alpha), as outlined in aws/aws-cdk-rfcs#789. This PR specifically implements the InfrastructureConfiguration construct.

Description of changes

This change implements the InfrastructureConfiguration construct, which is a higher-level construct of CfnInfrastructureConfiguration.

Note - I have also added the YAML library as a dependency to the module. This will be used for the component/workflow resources, which need to pass JSON objects in a YAML string format when creating the resource.

Example

const infrastructureConfiguration = new imagebuilder.InfrastructureConfiguration(this, 'InfrastructureConfiguration', {
  infrastructureConfigurationName: 'test-infrastructure-configuration',
  description: 'An Infrastructure Configuration',
  // Optional - instance types to use for build/test
  instanceTypes: [
    ec2.InstanceType.of(ec2.InstanceClass.STANDARD7_INTEL, ec2.InstanceSize.LARGE),
    ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE3, ec2.InstanceSize.LARGE)
  ],
  // Optional - create an instance profile with necessary permissions
  instanceProfile: new iam.InstanceProfile(this, 'InstanceProfile', {
    instanceProfileName: 'test-instance-profile',
    role: new iam.Role(this, 'InstanceProfileRole', {
      assumedBy: iam.ServicePrincipal.fromStaticServicePrincipleName('ec2.amazonaws.com'),
      managedPolicies: [
        iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonSSMManagedInstanceCore'),
        iam.ManagedPolicy.fromAwsManagedPolicyName('EC2InstanceProfileForImageBuilder')
      ]
    })
  }),
  // Use VPC network configuration
  vpc,
  subnetSelection: { subnetType: ec2.SubnetType.PUBLIC },
  securityGroups: [ec2.SecurityGroup.fromSecurityGroupId(this, 'SecurityGroup', vpc.vpcDefaultSecurityGroup)],
  keyPair: ec2.KeyPair.fromKeyPairName(this, 'KeyPair', 'imagebuilder-instance-key-pair'),
  terminateInstanceOnFailure: true,
  // Optional - IMDSv2 settings
  httpTokens: imagebuilder.HttpTokens.REQUIRED,
  httpPutResponseHopLimit: 1,
  // Optional - publish image completion messages to an SNS topic
  notificationTopic: sns.Topic.fromTopicArn(
    this,
    'Topic',
    this.formatArn({ service: 'sns', resource: 'image-builder-topic' })
  ),
  // Optional - log settings. Logging is enabled by default
  logging: {
    s3Bucket: s3.Bucket.fromBucketName(this, 'LogBucket', `imagebuilder-logging-${Aws.ACCOUNT_ID}`),
    s3KeyPrefix: 'imagebuilder-logs'
  },
  // Optional - host placement settings
  ec2InstanceAvailabilityZone: Stack.of(this).availabilityZones[0],
  ec2InstanceHostId: dedicatedHost.attrHostId,
  ec2InstanceTenancy: imagebuilder.Tenancy.HOST,
  resourceTags: {
    Environment: 'production'
  }
});

Describe any new or updated permissions being added

N/A - new L2 construct in alpha module

Description of how you validated changes

Validated with unit tests and integration tests. Manually verified generated CFN templates as well.

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team October 29, 2025 06:59
@github-actions github-actions bot added p2 beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK labels Oct 29, 2025
@aws-cdk-automation aws-cdk-automation added the pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. label Oct 29, 2025
@tarunb12 tarunb12 marked this pull request as ready for review October 29, 2025 07:35
@kumsmrit kumsmrit self-assigned this Oct 30, 2025
@github-actions github-actions bot mentioned this pull request Nov 1, 2025
Open
@tarunb12 tarunb12 force-pushed the imagebuilder branch 2 times, most recently from 4c463b8 to e6969a9 Compare November 4, 2025 06:10
kumsmrit
kumsmrit previously requested changes Nov 6, 2025
View reviewed changes
@mergify mergify bot dismissed kumsmrit’s stale review November 7, 2025 07:18

Pull request has been modified.

@tarunb12 tarunb12 force-pushed the imagebuilder branch 4 times, most recently from 007c467 to ab5b1f9 Compare November 7, 2025 09:15
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Nov 7, 2025
@tarunb12 tarunb12 force-pushed the imagebuilder branch 2 times, most recently from da30685 to 5c5bf40 Compare November 7, 2025 10:05
kumsmrit
kumsmrit previously requested changes Nov 7, 2025
View reviewed changes
packages/@aws-cdk/aws-imagebuilder-alpha/lib/infrastructure-configuration.ts
securityGroupIds: props.securityGroups?.length
? props.securityGroups?.map((securityGroup) => securityGroup.securityGroupId)
: undefined,
subnetId: props.vpc?.selectSubnets(props.subnetSelection).subnetIds[0],
Copy link

@kumsmrit kumsmrit Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If selectSubnets() returns 0 results, this becomes undefined and thus contradicts the user’s intent (where they provided vpc/subnetSelection). We should consider adding validation for this along with a default subnet selection type.

const selectedSubnets = props.vpc ? props.vpc.selectSubnets(props.subnetSelection ?? { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }) : undefined;
if (props.vpc && selectedSubnets && selectedSubnets.subnetIds.length === 0) {
  throw new cdk.ValidationError(
    'No subnets matched the given subnetSelection for the provided VPC.', this,
  );
}

Or we should avoid accepting a VPC without a subnetSelection:

if (props.vpc && !props.subnetSelection) {
  throw new cdk.ValidationError(
    'A subnetSelection is required when providing a VPC. ' this,
  );
}

const selectedSubnets = props.vpc ? props.vpc.selectSubnets(props.subnetSelection!) : undefined;
if (props.vpc && selectedSubnets && selectedSubnets.subnetIds.length === 0) {
  throw new cdk.ValidationError(
    'No subnets matched the given subnetSelection for the provided VPC.', this,
  );
}

Copy link
Author

@tarunb12 tarunb12 Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added the first validation on checking length of selected subnets

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Nov 7, 2025
@tarunb12 tarunb12 force-pushed the imagebuilder branch 2 times, most recently from e4d2666 to b523ba3 Compare November 7, 2025 15:42
@mergify mergify bot dismissed kumsmrit’s stale review November 7, 2025 15:42

Pull request has been modified.

kumsmrit
kumsmrit requested changes Nov 10, 2025
View reviewed changes
packages/@aws-cdk/aws-imagebuilder-alpha/lib/infrastructure-configuration.ts
}

const placement: CfnInfrastructureConfiguration.PlacementProperty = {
...(props.ec2InstanceAvailabilityZone && { availabilityZone: props.ec2InstanceAvailabilityZone }),
Copy link

@kumsmrit kumsmrit Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider changing this to !==undefined to handle CDK tokens safely:

const placement = 
  props.ec2InstanceAvailabilityZone !== undefined ||
  props.ec2InstanceHostId !== undefined ||
  props.ec2InstanceHostResourceGroupArn !== undefined ||
  props.ec2InstanceTenancy !== undefined
    ? {
        ...(props.ec2InstanceAvailabilityZone !== undefined && { availabilityZone: props.ec2InstanceAvailabilityZone }),
        ...(props.ec2InstanceHostId !== undefined && { hostId: props.ec2InstanceHostId }),
        ...(props.ec2InstanceHostResourceGroupArn !== undefined && { hostResourceGroupArn: props.ec2InstanceHostResourceGroupArn }),
        ...(props.ec2InstanceTenancy !== undefined && { tenancy: props.ec2InstanceTenancy }),
      }
    : undefined;

packages/@aws-cdk/aws-imagebuilder-alpha/lib/infrastructure-configuration.ts
*
* @default - 2
*/
readonly httpPutResponseHopLimit?: number;
Copy link

@kumsmrit kumsmrit Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't we need validation on the max value for HttpPutResponseHopLimit ? CFN states max as 64.

kumsmrit
kumsmrit reviewed Nov 10, 2025
View reviewed changes
packages/@aws-cdk/aws-imagebuilder-alpha/lib/infrastructure-configuration.ts
public readonly instanceProfile: iam.IInstanceProfile;

/**
* The role associateded with the EC2 instance profile used for the build
Copy link

@kumsmrit kumsmrit Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Type: associatededassociated

kumsmrit
kumsmrit reviewed Nov 10, 2025
View reviewed changes
packages/@aws-cdk/aws-imagebuilder-alpha/lib/infrastructure-configuration.ts
this.logBucket = props.logging?.s3Bucket;

if (this.logBucket && this.role && props.logging?.s3KeyPrefix !== undefined) {
this.logBucket.grantPut(this.role, `${props.logging.s3KeyPrefix}/*`);
Copy link

@kumsmrit kumsmrit Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since s3KeyPrefix is optional, if user sets logging.s3Bucket without s3KeyPrefix- Image Builder may then fail to upload logs due to msising write permissions; we can change this grant back to:

this.logBucket.grantPut( this.role, props.logging?.s3KeyPrefix ? `${props.logging.s3KeyPrefix}/*` : '*',`

@gasolima gasolima added the pr/requires-two-approvers This PR is critical (e.g., security, broadly-impacting) and requires 2 approvers to be merged. label Nov 10, 2025
kumsmrit
kumsmrit reviewed Nov 10, 2025
View reviewed changes
packages/@aws-cdk/aws-imagebuilder-alpha/test/infrastructure-configuration.test.ts
}).toThrow(cdk.ValidationError);
});

test('throws a validation error an a subnet selection is provided without a VPC', () => {
Copy link

@kumsmrit kumsmrit Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typo: throws validation error when subnet selection is provided without a VPC

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kumsmrit kumsmrit kumsmrit requested changes

@gasolima gasolima gasolima approved these changes

+1 more reviewer

@Naton1 Naton1 Naton1 approved these changes

Reviewers whose approvals may not affect merge requirements

Requested changes must be addressed to merge this pull request.

Assignees

@kumsmrit kumsmrit

Labels

beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK p2 pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. pr/requires-two-approvers This PR is critical (e.g., security, broadly-impacting) and requires 2 approvers to be merged.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@tarunb12 @Naton1 @gasolima @kumsmrit @aws-cdk-automation