aws
diff --git a/‎tests/ci/cdk/app.py‎
Lines changed: 0 additions & 24 deletions b/‎tests/ci/cdk/app.py‎
Lines changed: 0 additions & 24 deletions
diff --git a/‎tests/ci/cdk/cdk/aws_lc_github_actions_stack.py‎
Lines changed: 14 additions & 12 deletions b/‎tests/ci/cdk/cdk/aws_lc_github_actions_stack.py‎
Lines changed: 14 additions & 12 deletions
diff --git a/‎tests/ci/cdk/cdk/aws_lc_github_ci_stack.py‎
Lines changed: 0 additions & 11 deletions b/‎tests/ci/cdk/cdk/aws_lc_github_ci_stack.py‎
Lines changed: 0 additions & 11 deletions
diff --git a/‎tests/ci/cdk/cdk/aws_lc_github_docker_actions_stack.py‎
Lines changed: 126 additions & 0 deletions b/‎tests/ci/cdk/cdk/aws_lc_github_docker_actions_stack.py‎
Lines changed: 126 additions & 0 deletions
diff --git a/‎tests/ci/cdk/cdk/ecr_stack.py‎
Lines changed: 77 additions & 1 deletion b/‎tests/ci/cdk/cdk/ecr_stack.py‎
Lines changed: 77 additions & 1 deletion
diff --git a/‎tests/ci/cdk/pipeline/ci_stage.py‎
Lines changed: 1 addition & 3 deletions b/‎tests/ci/cdk/pipeline/ci_stage.py‎
Lines changed: 1 addition & 3 deletions
@@ -11,13 +11,8 @@
 from cdk.windows_docker_image_build_stack import WindowsDockerImageBuildStack
 from cdk.ecr_stack import EcrStack
 from util.metadata import (
-    LINUX_X86_ECR_REPO,
-    LINUX_AARCH_ECR_REPO,
-    WINDOWS_X86_ECR_REPO,
     PIPELINE_ACCOUNT,
     PIPELINE_REGION,
-    DEPLOY_ACCOUNT,
-    DEPLOY_REGION,
 )
 
 # Initialize app.
@@ -29,23 +24,4 @@
     env=Environment(account=PIPELINE_ACCOUNT, region=PIPELINE_REGION),
 )
 
-if DEPLOY_ACCOUNT and DEPLOY_REGION:
-    # Initialize env.
-    env = Environment(account=DEPLOY_ACCOUNT, region=DEPLOY_REGION)
-
-    # Define AWS ECR stacks.
-    # ECR holds the docker images, which are pre-built to accelerate the code builds/tests of git pull requests.
-    EcrStack(app, "aws-lc-ecr-linux-x86", LINUX_X86_ECR_REPO, env=env)
-    EcrStack(app, "aws-lc-ecr-linux-aarch", LINUX_AARCH_ECR_REPO, env=env)
-    EcrStack(app, "aws-lc-ecr-windows-x86", WINDOWS_X86_ECR_REPO, env=env)
-
-    # Define CodeBuild Batch job for building Docker images.
-    LinuxDockerImageBatchBuildStack(app, "aws-lc-docker-image-build-linux", env=env)
-
-    # AWS CodeBuild cannot build Windows Docker images because DIND (Docker In Docker) is not supported on Windows.
-    # Windows Docker images are created by running commands in Windows EC2 instance.
-    WindowsDockerImageBuildStack(app, "aws-lc-docker-image-build-windows", env=env)
-
-    add_ci_stacks(app, env=env)
-
 app.synth()
@@ -4,11 +4,10 @@
 
 from aws_cdk import (
     Duration,
-    Stack,
     aws_codebuild as codebuild,
     aws_iam as iam,
-    aws_s3_assets,
     aws_logs as logs,
+    aws_ecr as ecr,
     Environment,
 )
 from constructs import Construct
@@ -18,7 +17,7 @@
 from util.iam_policies import (
     code_build_publish_metrics_in_json,
 )
-from util.metadata import LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO, WINDOWS_X86_ECR_REPO
+from util.metadata import AMAZONLINUX_ECR_REPO, CENTOS_ECR_REPO, FEDORA_ECR_REPO, LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO, UBUNTU_ECR_REPO, WINDOWS_X86_ECR_REPO
 
 class AwsLcGitHubActionsStack(AwsLcBaseCiStack):
     """Define a stack used to execute AWS-LC self-hosted GitHub Actions Runners."""
@@ -32,6 +31,12 @@ def __init__(
     ) -> None:
         super().__init__(scope, id, env=env, timeout=180, **kwargs)
 
+        # TODO: First 3 indices ordering is important for now as they are referenced directly for now.
+        repo_names = [LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO, WINDOWS_X86_ECR_REPO, UBUNTU_ECR_REPO,
+                      AMAZONLINUX_ECR_REPO, CENTOS_ECR_REPO, FEDORA_ECR_REPO]
+        ecr_repos = [ecr.Repository.from_repository_name(self, x.replace('/', '-'), repository_name=x)
+                     for x in repo_names]
+
         # Define a IAM role for this stack.
         metrics_policy = iam.PolicyDocument.from_json(
             code_build_publish_metrics_in_json(env)
@@ -55,12 +60,7 @@ def __init__(
                             "ecr:BatchCheckLayerAvailability",
                             "ecr:GetDownloadUrlForLayer",
                         ],
-                        resources=[
-                            "arn:aws:ecr:{}:{}:repository/{}"
-                                .format(env.region, env.account, repo) for repo in [LINUX_X86_ECR_REPO,
-                                                                                    LINUX_AARCH_ECR_REPO,
-                                                                                    WINDOWS_X86_ECR_REPO]
-                        ],
+                        resources=[x.repository_arn for x in ecr_repos],
                     ),
                 ],
             )
@@ -105,16 +105,18 @@ def __init__(
                 environment_variables={
                     "AWS_ACCOUNT_ID": codebuild.BuildEnvironmentVariable(value=env.account),
                     "AWS_ECR_REPO_LINUX_X86": codebuild.BuildEnvironmentVariable(
-                        value="{}.dkr.ecr.{}.amazonaws.com/{}".format(env.account, env.region, LINUX_X86_ECR_REPO)
+                        value=ecr_repos[0].repository_uri
                     ),
                     "AWS_ECR_REPO_LINUX_AARCH": codebuild.BuildEnvironmentVariable(
-                        value="{}.dkr.ecr.{}.amazonaws.com/{}".format(env.account, env.region, LINUX_AARCH_ECR_REPO)
+                        value=ecr_repos[1].repository_uri
                     ),
                     "AWS_ECR_REPO_WINDOWS_X86": codebuild.BuildEnvironmentVariable(
-                        value="{}.dkr.ecr.{}.amazonaws.com/{}".format(env.account, env.region, WINDOWS_X86_ECR_REPO)
+                        value=ecr_repos[2].repository_uri
                     ),
+                    "ECR_REGISTRY_URL": codebuild.BuildEnvironmentVariable(value=ecr_repos[0].registry_uri),
                 },
             ),
+            # TODO: We can do away with this if we use aws-actions/amazon-ecr-login@v2, just need to migrate
             build_spec=codebuild.BuildSpec.from_object({
                 "version": 0.2,
                 "phases": {
 
@@ -4,10 +4,8 @@
 
 from aws_cdk import (
     Duration,
-    Stack,
     aws_codebuild as codebuild,
     aws_iam as iam,
-    aws_s3_assets,
     aws_logs as logs,
     Environment,
 )
@@ -20,17 +18,8 @@
     code_build_publish_metrics_in_json,
     code_build_cloudwatch_logs_policy_in_json,
 )
-from util.metadata import (
-    GITHUB_PUSH_CI_BRANCH_TARGETS,
-    GITHUB_REPO_OWNER,
-    GITHUB_REPO_NAME,
-    PRE_PROD_ACCOUNT,
-    STAGING_GITHUB_REPO_OWNER,
-    STAGING_GITHUB_REPO_NAME,
-)
 from util.build_spec_loader import BuildSpecLoader
 
-
 class AwsLcGitHubCIStack(AwsLcBaseCiStack):
     """Define a stack used to batch execute AWS-LC tests in GitHub."""
 
 
@@ -0,0 +1,126 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+import itertools
+import typing
+
+from aws_cdk import (
+    Duration,
+    aws_codebuild as codebuild,
+    aws_iam as iam,
+    aws_logs as logs,
+    aws_ecr as ecr,
+    Environment,
+)
+from constructs import Construct
+
+from cdk.aws_lc_base_ci_stack import AwsLcBaseCiStack
+from util.iam_policies import (
+    code_build_publish_metrics_in_json,
+)
+from util.metadata import UBUNTU_ECR_REPO, AMAZONLINUX_ECR_REPO, CENTOS_ECR_REPO, FEDORA_ECR_REPO
+
+class AwsLcGitHubDockerActionsStack(AwsLcBaseCiStack):
+    """Define a stack used to execute AWS-LC self-hosted GitHub Actions Runners on Docker Images."""
+
+    def __init__(
+        self,
+        scope: Construct,
+        id: str,
+        env: typing.Union[Environment, typing.Dict[str, typing.Any]],
+        **kwargs
+    ) -> None:
+        super().__init__(scope, id, env=env, timeout=180, **kwargs)
+
+        # Define a IAM role for this stack.
+        metrics_policy = iam.PolicyDocument.from_json(
+            code_build_publish_metrics_in_json(env)
+        )
+
+        repo_names = [UBUNTU_ECR_REPO, AMAZONLINUX_ECR_REPO, CENTOS_ECR_REPO, FEDORA_ECR_REPO]
+        ecr_repos = [ecr.Repository.from_repository_name(self, x.replace('/', '-'), repository_name=x)
+                     for x in repo_names]
+        
+        staging_repo = ecr.Repository(self, "aws-lc-ecr-staging",
+                              image_tag_mutability=ecr.TagMutability.IMMUTABLE,
+                              lifecycle_rules=[ecr.LifecycleRule(
+                                  max_image_age=Duration.days(7),
+                              )])
+        
+        ecr_repos.append(staging_repo)
+
+        inline_policies = {
+            "metrics_policy": metrics_policy,
+            "ecr": iam.PolicyDocument(
+                statements=[
+                    iam.PolicyStatement(
+                        effect=iam.Effect.ALLOW,
+                        actions=[
+                            "ecr:GetAuthorizationToken",
+                        ],
+                        resources=["*"],
+                    ),
+                    iam.PolicyStatement(
+                        effect=iam.Effect.ALLOW,
+                        actions=[
+                            "ecr:BatchGetImage",
+                            "ecr:BatchCheckLayerAvailability",
+                            "ecr:CompleteLayerUpload",
+                            "ecr:GetDownloadUrlForLayer",
+                            "ecr:InitiateLayerUpload",
+                            "ecr:PutImage",
+                            "ecr:UploadLayerPart",
+                        ],
+                        resources=[x for x in itertools.chain([
+                            x.repository_arn for x in ecr_repos
+                        ], [ecr.Repository.from_repository_name(self, "quay-io", "quay.io/*").repository_arn])],
+                    ),
+                ],
+            )
+        }
+        role = iam.Role(
+            scope=self,
+            id="{}-role".format(id),
+            assumed_by=iam.ServicePrincipal("codebuild.amazonaws.com"),
+            inline_policies=inline_policies,
+        )
+
+        logging_options = codebuild.LoggingOptions(
+            cloud_watch=codebuild.CloudWatchLoggingOptions(log_group=logs.LogGroup(
+                self, id="{}-logs".format(id)))
+        )
+
+        # Override base class provided configuration
+        self.git_hub_source = codebuild.Source.git_hub(
+            owner=self.github_repo_owner,
+            repo=self.github_repo_name,
+            webhook=True,
+            webhook_filters=[
+                codebuild.FilterGroup.in_event_of(
+                    codebuild.EventAction.WORKFLOW_JOB_QUEUED
+                ),
+            ],
+        )
+
+        # Define CodeBuild.
+        project = codebuild.Project(
+            scope=self,
+            id=id,
+            project_name=id,
+            source=self.git_hub_source,
+            role=role,
+            timeout=Duration.minutes(self.timeout),
+            logging=logging_options,
+            environment=codebuild.BuildEnvironment(
+                compute_type=codebuild.ComputeType.SMALL,
+                privileged=True,
+                build_image=codebuild.LinuxBuildImage.STANDARD_7_0,
+                environment_variables={
+                    "AWS_ACCOUNT_ID": codebuild.BuildEnvironmentVariable(value=env.account),
+                    "ECR_REGISTRY_URL": codebuild.BuildEnvironmentVariable(value=staging_repo.registry_uri),
+                    "ECR_STAGING_REPO": codebuild.BuildEnvironmentVariable(value=staging_repo.repository_uri),
+                },
+            ),
+        )
+
+        cfn_project = project.node.default_child
+        cfn_project.add_property_override("Triggers.PullRequestBuildPolicy", self.pull_request_policy)
@@ -1,8 +1,11 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0 OR ISC
 
-from aws_cdk import Stack, Duration, aws_ecr as ecr, aws_iam as iam
+import dataclasses
+import typing
+from aws_cdk import Environment, RemovalPolicy, Stack, Duration, aws_ecr as ecr, aws_iam as iam
 from constructs import Construct
+from util.metadata import AMAZONLINUX_ECR_REPO, CENTOS_ECR_REPO, FEDORA_ECR_REPO, UBUNTU_ECR_REPO
 
 
 class EcrStack(Stack):
@@ -30,3 +33,76 @@ def __init__(self, scope: Construct, id: str, repo_name: str, **kwargs) -> None:
             tag_status=ecr.TagStatus.UNTAGGED,
             max_image_age=Duration.days(1),
         )
+
+
+@dataclasses.dataclass
+class EcrRepoDataClass:
+    cdk_id: str
+    ecr_name: str
+
+
+class PrivateEcrStackV2(Stack):
+    def __init__(self,
+                 scope: Construct,
+                 id: str,
+                 env: typing.Union[Environment, typing.Dict[str, typing.Any]],
+                 **kwargs) -> None:
+        super().__init__(scope, id, env=env, **kwargs)
+
+        ecr.CfnRepositoryCreationTemplate(self, "pull-through-cache-template",
+                                          applied_for=["PULL_THROUGH_CACHE"],
+                                          description="Used to create pull through cache repositories",
+                                          prefix="ROOT",
+                                          image_tag_mutability="MUTABLE",
+                                          encryption_configuration={
+                                                "encryptionType": "AES256"
+                                          },
+                                          lifecycle_policy="""
+{
+    "rules": [
+        {
+            "rulePriority": 1,
+            "description": "Expire images older than 30 days",
+            "selection": {
+                "tagStatus": "untagged",
+                "countType": "sinceImagePushed",
+                "countUnit": "days",
+                "countNumber": 30
+            },
+            "action": {
+                "type": "expire"
+            }
+        }
+    ]
+}
+""")
+        
+        quay_io_prefixes = ["centos"]
+        for repo in quay_io_prefixes:
+            ecr.CfnPullThroughCacheRule(self, f"quay-io-{repo}",
+                                        ecr_repository_prefix=f"quay.io/{repo}",
+                                        upstream_registry_url="quay.io",
+                                        upstream_repository_prefix=repo)
+
+        for x in [
+            EcrRepoDataClass("aws-lc-ecr-ubuntu", UBUNTU_ECR_REPO),
+            EcrRepoDataClass("aws-lc-ecr-amazonlinux", AMAZONLINUX_ECR_REPO),
+            EcrRepoDataClass("aws-lc-ecr-fedora", FEDORA_ECR_REPO),
+            EcrRepoDataClass("aws-lc-ecr-centos", CENTOS_ECR_REPO),
+        ]:
+            EcrPrivateRepo(self, x.cdk_id, repo_name=x.ecr_name)
+
+
+class EcrPrivateRepo(Construct):
+    """Define private ECR repository to store container images."""
+
+    def __init__(self, scope: Construct, id: str, repo_name: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        self.repo = ecr.Repository(
+            scope=self, id=id, repository_name=repo_name, removal_policy=RemovalPolicy.RETAIN)
+        self.repo.add_lifecycle_rule(
+            description="Remove untagged images after 1 day",
+            tag_status=ecr.TagStatus.UNTAGGED,
+            max_image_age=Duration.days(90),
+        )
@@ -15,7 +15,6 @@
 from constructs import Construct
 
 from cdk.aws_lc_base_ci_stack import AwsLcBaseCiStack
-from cdk.aws_lc_github_actions_stack import AwsLcGitHubActionsStack
 from pipeline.ci_util import add_ci_stacks
 from pipeline.codebuild_batch_step import CodeBuildBatchStep
 from util.metadata import (
@@ -48,8 +47,7 @@ def __init__(
     @property
     def stacks(self) -> typing.List[AwsLcBaseCiStack]:
         return [
-            child for child in self.node.children if isinstance(child, AwsLcBaseCiStack) and 
-                not isinstance(child, AwsLcGitHubActionsStack)
+            child for child in self.node.children if isinstance(child, AwsLcBaseCiStack)
         ]
 
     def add_stage_to_pipeline(