diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.template-transform.js.snapshot/TemplateTransformTestDefaultTestDeployAssertB5F926BB.assets.json b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.template-transform.js.snapshot/TemplateTransformTestDefaultTestDeployAssertB5F926BB.assets.json new file mode 100644 index 0000000000000..f188db5aa189b --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.template-transform.js.snapshot/TemplateTransformTestDefaultTestDeployAssertB5F926BB.assets.json @@ -0,0 +1,20 @@ +{ + "version": "48.0.0", + "files": { + "c5b0673a7d9a998b80da334309ee5687dbae44beb357372838262748d9f69bea": { + "displayName": "TemplateTransformTestDefaultTestDeployAssertB5F926BB Template", + "source": { + "path": "TemplateTransformTestDefaultTestDeployAssertB5F926BB.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region-6c403213": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "c5b0673a7d9a998b80da334309ee5687dbae44beb357372838262748d9f69bea.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.template-transform.js.snapshot/TemplateTransformTestDefaultTestDeployAssertB5F926BB.template.json b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.template-transform.js.snapshot/TemplateTransformTestDefaultTestDeployAssertB5F926BB.template.json new file mode 100644 index 0000000000000..5ed49d7bedc37 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.template-transform.js.snapshot/TemplateTransformTestDefaultTestDeployAssertB5F926BB.template.json @@ -0,0 +1,41 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + }, + "Metadata": { + "TemplateTransformApplied": true, + "TransformTimestamp": "test-timestamp", + "SecondTransformApplied": true + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.template-transform.js.snapshot/TemplateTransformTestStack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.template-transform.js.snapshot/TemplateTransformTestStack.assets.json new file mode 100644 index 0000000000000..8d0b2daaf5375 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.template-transform.js.snapshot/TemplateTransformTestStack.assets.json @@ -0,0 +1,20 @@ +{ + "version": "48.0.0", + "files": { + "73e6fc58380bae965860e652daee3e4a49eec24aa5bc2756f51457b2610cf1df": { + "displayName": "TemplateTransformTestStack Template", + "source": { + "path": "TemplateTransformTestStack.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region-c85d8b62": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "73e6fc58380bae965860e652daee3e4a49eec24aa5bc2756f51457b2610cf1df.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.template-transform.js.snapshot/TemplateTransformTestStack.template.json b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.template-transform.js.snapshot/TemplateTransformTestStack.template.json new file mode 100644 index 0000000000000..a17f0f21b50f3 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.template-transform.js.snapshot/TemplateTransformTestStack.template.json @@ -0,0 +1,51 @@ +{ + "Resources": { + "TestQueue6F0069AA": { + "Type": "AWS::SQS::Queue", + "Properties": { + "VisibilityTimeout": 300 + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + }, + "Metadata": { + "TemplateTransformApplied": true, + "TransformTimestamp": "test-timestamp", + "SecondTransformApplied": true + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.template-transform.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.template-transform.js.snapshot/cdk.out new file mode 100644 index 0000000000000..523a9aac37cbf --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.template-transform.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"48.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.template-transform.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.template-transform.js.snapshot/integ.json new file mode 100644 index 0000000000000..ac3b9e69a8371 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.template-transform.js.snapshot/integ.json @@ -0,0 +1,13 @@ +{ + "version": "48.0.0", + "testCases": { + "TemplateTransformTest/DefaultTest": { + "stacks": [ + "TemplateTransformTestStack" + ], + "assertionStack": "TemplateTransformTest/DefaultTest/DeployAssert", + "assertionStackName": "TemplateTransformTestDefaultTestDeployAssertB5F926BB" + } + }, + "minimumCliVersion": "2.1027.0" +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.template-transform.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.template-transform.js.snapshot/manifest.json new file mode 100644 index 0000000000000..f8c4b1ae196e6 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.template-transform.js.snapshot/manifest.json @@ -0,0 +1,617 @@ +{ + "version": "48.0.0", + "artifacts": { + "TemplateTransformTestStack.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "TemplateTransformTestStack.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "TemplateTransformTestStack": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "TemplateTransformTestStack.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/73e6fc58380bae965860e652daee3e4a49eec24aa5bc2756f51457b2610cf1df.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "TemplateTransformTestStack.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "TemplateTransformTestStack.assets" + ], + "metadata": { + "/TemplateTransformTestStack/TestQueue": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "visibilityTimeout": "*" + } + } + ], + "/TemplateTransformTestStack/TestQueue/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "TestQueue6F0069AA" + } + ], + "/TemplateTransformTestStack/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/TemplateTransformTestStack/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "TemplateTransformTestStack" + }, + "TemplateTransformTestDefaultTestDeployAssertB5F926BB.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "TemplateTransformTestDefaultTestDeployAssertB5F926BB.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "TemplateTransformTestDefaultTestDeployAssertB5F926BB": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "TemplateTransformTestDefaultTestDeployAssertB5F926BB.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/c5b0673a7d9a998b80da334309ee5687dbae44beb357372838262748d9f69bea.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "TemplateTransformTestDefaultTestDeployAssertB5F926BB.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "TemplateTransformTestDefaultTestDeployAssertB5F926BB.assets" + ], + "metadata": { + "/TemplateTransformTest/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/TemplateTransformTest/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "TemplateTransformTest/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + }, + "aws-cdk-lib/feature-flag-report": { + "type": "cdk:feature-flag-report", + "properties": { + "module": "aws-cdk-lib", + "flags": { + "@aws-cdk/aws-signer:signingProfileNamePassedToCfn": { + "userValue": true, + "recommendedValue": true, + "explanation": "Pass signingProfileName to CfnSigningProfile" + }, + "@aws-cdk/core:newStyleStackSynthesis": { + "recommendedValue": true, + "explanation": "Switch to new stack synthesis method which enables CI/CD", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:stackRelativeExports": { + "recommendedValue": true, + "explanation": "Name exports based on the construct paths relative to the stack, rather than the global construct path", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener": { + "userValue": true, + "recommendedValue": true, + "explanation": "Disable implicit openListener when custom security groups are provided" + }, + "@aws-cdk/aws-rds:lowercaseDbIdentifier": { + "recommendedValue": true, + "explanation": "Force lowercasing of RDS Cluster names in CDK", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": { + "recommendedValue": true, + "explanation": "Allow adding/removing multiple UsagePlanKeys independently", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeVersionProps": { + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeLayerVersion": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`." + }, + "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": { + "recommendedValue": true, + "explanation": "Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:checkSecretUsage": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this flag to make it impossible to accidentally use SecretValues in unsafe locations" + }, + "@aws-cdk/core:target-partitions": { + "recommendedValue": [ + "aws", + "aws-cn" + ], + "explanation": "What regions to include in lookup tables of environment agnostic stacks" + }, + "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": { + "userValue": true, + "recommendedValue": true, + "explanation": "ECS extensions will automatically add an `awslogs` driver if no logging is specified" + }, + "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to have Launch Templates generated by the `InstanceRequireImdsv2Aspect` use unique names." + }, + "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": { + "userValue": true, + "recommendedValue": true, + "explanation": "ARN format used by ECS. In the new ARN format, the cluster name is part of the resource ID." + }, + "@aws-cdk/aws-iam:minimizePolicies": { + "userValue": true, + "recommendedValue": true, + "explanation": "Minimize IAM policies by combining Statements" + }, + "@aws-cdk/core:validateSnapshotRemovalPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Error on snapshot removal policies on resources that do not support it." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate key aliases that include the stack name" + }, + "@aws-cdk/aws-s3:createDefaultLoggingPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to create an S3 bucket policy by default in cases where an AWS service would automatically create the Policy if one does not exist." + }, + "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict KMS key policy for encrypted Queues a bit more" + }, + "@aws-cdk/aws-apigateway:disableCloudWatchRole": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make default CloudWatch Role behavior safe for multiple API Gateways in one environment" + }, + "@aws-cdk/core:enablePartitionLiterals": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make ARNs concrete if AWS partition is known" + }, + "@aws-cdk/aws-events:eventsTargetQueueSameAccount": { + "userValue": true, + "recommendedValue": true, + "explanation": "Event Rules may only push to encrypted SQS queues in the same account" + }, + "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": { + "userValue": true, + "recommendedValue": true, + "explanation": "Avoid setting the \"ECS\" deployment controller when adding a circuit breaker" + }, + "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature to create default policy names for imported roles that depend on the stack the role is in." + }, + "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use S3 Bucket Policy instead of ACLs for Server Access Logging" + }, + "@aws-cdk/aws-route53-patters:useCertificate": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use the official `Certificate` resource instead of `DnsValidatedCertificate`" + }, + "@aws-cdk/customresources:installLatestAwsSdkDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "Whether to install the latest SDK by default in AwsCustomResource" + }, + "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use unique resource name for Database Proxy" + }, + "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Remove CloudWatch alarms from deployment group" + }, + "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include authorizer configuration in the calculation of the API deployment logical ID." + }, + "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": { + "userValue": true, + "recommendedValue": true, + "explanation": "Define user data for a launch template by default when a machine image is provided." + }, + "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": { + "userValue": true, + "recommendedValue": true, + "explanation": "SecretTargetAttachments uses the ResourcePolicy of the attached Secret." + }, + "@aws-cdk/aws-redshift:columnId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Whether to use an ID to track Redshift column changes" + }, + "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable AmazonEMRServicePolicy_v2 managed policies" + }, + "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict access to the VPC default security group" + }, + "@aws-cdk/aws-apigateway:requestValidatorUniqueId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a unique id for each RequestValidator added to a method" + }, + "@aws-cdk/aws-kms:aliasNameRef": { + "userValue": true, + "recommendedValue": true, + "explanation": "KMS Alias name and keyArn will have implicit reference to KMS Key" + }, + "@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable grant methods on Aliases imported by name to use kms:ResourceAliases condition" + }, + "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a launch template when creating an AutoScalingGroup" + }, + "@aws-cdk/core:includePrefixInUniqueNameGeneration": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include the stack prefix in the stack name generation process" + }, + "@aws-cdk/aws-efs:denyAnonymousAccess": { + "userValue": true, + "recommendedValue": true, + "explanation": "EFS denies anonymous clients accesses" + }, + "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables support for Multi-AZ with Standby deployment for opensearch domains" + }, + "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables aws-lambda-nodejs.Function to use the latest available NodeJs runtime as the default" + }, + "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, mount targets will have a stable logicalId that is linked to the associated subnet." + }, + "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a scope of InstanceParameterGroup for AuroraClusterInstance with each parameters will change." + }, + "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, will always use the arn for identifiers for CfnSourceApiAssociation in the GraphqlApi construct rather than id." + }, + "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials." + }, + "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the CodeCommit source action is using the default branch name 'main'." + }, + "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default value for crossAccountKeys to false." + }, + "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default pipeline type to V2." + }, + "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only." + }, + "@aws-cdk/pipelines:reduceAssetRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from PipelineAssetsFileRole trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-eks:nodegroupNameAttribute": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix." + }, + "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default volume type of the EBS volume will be GP3" + }, + "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, remove default deployment alarm settings" + }, + "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default" + }, + "@aws-cdk/aws-s3:keepNotificationInImportedBucket": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, Adding notifications to a bucket in the current stack will not remove notification from imported stack." + }, + "@aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask": { + "recommendedValue": true, + "explanation": "When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:explicitStackTags": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, stack tags need to be assigned explicitly on a Stack." + }, + "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": { + "userValue": false, + "recommendedValue": false, + "explanation": "When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)**" + }, + "@aws-cdk/aws-ecs:disableEcsImdsBlocking": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)**" + }, + "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, we will only grant the necessary permissions when users specify cloudwatch log group through logConfiguration" + }, + "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas" + }, + "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, initOptions.timeout and resourceSignalTimeout values will be summed together." + }, + "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a Lambda authorizer Permission created when using GraphqlApi will be properly scoped with a SourceArn." + }, + "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn`" + }, + "@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CFN templates added with `cfn-include` will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values." + }, + "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, both `@aws-sdk` and `@smithy` packages will be excluded from the Lambda Node.js 18.x runtime to prevent version mismatches in bundled applications." + }, + "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN." + }, + "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2." + }, + "@aws-cdk/core:aspectStabilization": { + "recommendedValue": true, + "explanation": "When enabled, a stabilization loop will be run when invoking Aspects during synthesis.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource." + }, + "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere" + }, + "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default behaviour of OIDC provider will reject unauthorized connections" + }, + "@aws-cdk/core:enableAdditionalMetadataCollection": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues." + }, + "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": { + "userValue": false, + "recommendedValue": false, + "explanation": "[Deprecated] When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement" + }, + "@aws-cdk/aws-s3:setUniqueReplicationRoleName": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will automatically generate a unique role name that is used for s3 object replication." + }, + "@aws-cdk/pipelines:reduceStageRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from Stage addActions trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-events:requireEventBusPolicySid": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, grantPutEventsTo() will use resource policies with Statement IDs for service principals." + }, + "@aws-cdk/core:aspectPrioritiesMutating": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, Aspects added by the construct library on your behalf will be given a priority of MUTATING." + }, + "@aws-cdk/aws-dynamodb:retainTableReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, table replica will be default to the removal policy of source table unless specified otherwise." + }, + "@aws-cdk/cognito:logUserPoolClientSecretValue": { + "recommendedValue": false, + "explanation": "When disabled, the value of the user pool client secret will not be logged in the custom resource lambda function logs." + }, + "@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope": { + "recommendedValue": true, + "explanation": "When enabled, scopes down the trust policy for the cross-account action role", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resultWriterV2 property of DistributedMap will be used insted of resultWriter" + }, + "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": { + "userValue": true, + "recommendedValue": true, + "explanation": "Add an S3 trust policy to a KMS key resource policy for SNS subscriptions." + }, + "@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the EgressOnlyGateway resource is only created if private subnets are defined in the dual-stack VPC." + }, + "@aws-cdk/aws-ec2-alpha:useResourceIdForVpcV2Migration": { + "recommendedValue": false, + "explanation": "When enabled, use resource IDs for VPC V2 migration" + }, + "@aws-cdk/aws-s3:publicAccessBlockedByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, setting any combination of options for BlockPublicAccess will automatically set true for any options not defined." + }, + "@aws-cdk/aws-lambda:useCdkManagedLogGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK creates and manages loggroup for the lambda function" + }, + "@aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault": { + "recommendedValue": true, + "explanation": "When enabled, Network Load Balancer will be created with a security group by default." + }, + "@aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint": { + "recommendedValue": true, + "explanation": "When enabled, allows using a dynamic apiEndpoint with JSONPath format in HttpInvoke tasks.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId": { + "recommendedValue": true, + "explanation": "When enabled, ECS patterns will generate unique target group IDs to prevent conflicts during load balancer replacement" + } + } + } + } + }, + "minimumCliVersion": "2.1033.0" +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.template-transform.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.template-transform.js.snapshot/tree.json new file mode 100644 index 0000000000000..ce40c3701ba45 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.template-transform.js.snapshot/tree.json @@ -0,0 +1 @@ +{"version":"tree-0.1","tree":{"id":"App","path":"","constructInfo":{"fqn":"aws-cdk-lib.App","version":"0.0.0"},"children":{"TemplateTransformTestStack":{"id":"TemplateTransformTestStack","path":"TemplateTransformTestStack","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"TestQueue":{"id":"TestQueue","path":"TemplateTransformTestStack/TestQueue","constructInfo":{"fqn":"aws-cdk-lib.aws_sqs.Queue","version":"0.0.0","metadata":[{"visibilityTimeout":"*"}]},"children":{"Resource":{"id":"Resource","path":"TemplateTransformTestStack/TestQueue/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_sqs.CfnQueue","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::SQS::Queue","aws:cdk:cloudformation:props":{"visibilityTimeout":300}}}}},"BootstrapVersion":{"id":"BootstrapVersion","path":"TemplateTransformTestStack/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"TemplateTransformTestStack/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}},"TemplateTransformTest":{"id":"TemplateTransformTest","path":"TemplateTransformTest","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTest","version":"0.0.0"},"children":{"DefaultTest":{"id":"DefaultTest","path":"TemplateTransformTest/DefaultTest","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTestCase","version":"0.0.0"},"children":{"Default":{"id":"Default","path":"TemplateTransformTest/DefaultTest/Default","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}},"DeployAssert":{"id":"DeployAssert","path":"TemplateTransformTest/DefaultTest/DeployAssert","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"BootstrapVersion":{"id":"BootstrapVersion","path":"TemplateTransformTest/DefaultTest/DeployAssert/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"TemplateTransformTest/DefaultTest/DeployAssert/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}}}}}},"Tree":{"id":"Tree","path":"Tree","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}}}}} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.template-transform.ts b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.template-transform.ts new file mode 100644 index 0000000000000..c389fd35ae38e --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.template-transform.ts @@ -0,0 +1,40 @@ +import * as cdk from 'aws-cdk-lib/core'; +import * as integ from '@aws-cdk/integ-tests-alpha'; +import * as sqs from 'aws-cdk-lib/aws-sqs'; + +/** + * This test verifies that template transforms are invoked during synthesis + * and can modify the final CloudFormation template. + * + * The transform adds custom metadata to the template, which can be verified + * in the synthesized output. + */ + +const app = new cdk.App(); + +// Register a template transform that adds metadata +app.addTemplateTransform({ + transformTemplate: (_stack, template) => { + template.Metadata = template.Metadata || {}; + template.Metadata.TemplateTransformApplied = true; + template.Metadata.TransformTimestamp = 'test-timestamp'; + }, +}); + +// Register a second transform to verify chaining works +app.addTemplateTransform({ + transformTemplate: (_stack, template) => { + template.Metadata.SecondTransformApplied = true; + }, +}); + +const stack = new cdk.Stack(app, 'TemplateTransformTestStack'); + +// Add a simple resource to ensure the template has content +new sqs.Queue(stack, 'TestQueue', { + visibilityTimeout: cdk.Duration.seconds(300), +}); + +new integ.IntegTest(app, 'TemplateTransformTest', { + testCases: [stack], +}); diff --git a/packages/aws-cdk-lib/README.md b/packages/aws-cdk-lib/README.md index 33685e58e1e42..402cc10d55490 100644 --- a/packages/aws-cdk-lib/README.md +++ b/packages/aws-cdk-lib/README.md @@ -1896,6 +1896,81 @@ for (const aspectApplication of aspectApplications) { } ``` +## Template Transforms + +Template Transforms allow you to inspect or modify the final CloudFormation template during synthesis, +after all tokens have been resolved but before the template is written to disk. This is useful for: + +- **Template validation**: Enforce security policies or compliance rules on the final template +- **Metadata injection**: Add audit information, timestamps, or custom annotations +- **Resource modification**: Add tags or modify properties across all resources +- **Governance**: Implement organization-wide template standards + +Unlike [Aspects](#aspects) which operate on the construct tree before synthesis, Template Transforms +operate on the fully resolved CloudFormation template, giving you access to the actual values that +will be deployed. + +### Basic Usage + +Register a transform on your `App` to apply it to all stacks: + +```ts +class MetadataInjector implements ITemplateTransform { + public transformTemplate(stack: Stack, template: any) { + // Add metadata to track when the template was generated + template.Metadata = template.Metadata || {}; + template.Metadata.GeneratedBy = 'CDK'; + } +} + +const app = new App(); +app.addTemplateTransform(new MetadataInjector()); +``` + +### Validation Example + +Add warnings for S3 buckets that lack public access blocking: + +```ts +class BucketPolicyValidator implements ITemplateTransform { + public transformTemplate(stack: Stack, template: any) { + for (const [id, resource] of Object.entries(template.Resources || {})) { + const res = resource as any; + if (res.Type === 'AWS::S3::Bucket') { + if (!res.Properties?.PublicAccessBlockConfiguration) { + Annotations.of(stack).addWarningV2( + `@aws-cdk/bucket-policy:${id}`, + `Bucket ${id} should have PublicAccessBlockConfiguration`, + ); + } + } + } + } +} + +const app = new App(); +app.addTemplateTransform(new BucketPolicyValidator()); +``` + +> **Note:** To fail synthesis on validation errors, the `transformTemplate` method can throw an `Error`. +> This stops synthesis immediately with a clear error message. + +### Transform Behavior + +- Transforms are invoked in registration order (first registered, first executed) +- Transforms can mutate the template in place (return `void`) or return a new template object +- If a transform throws an error, synthesis fails immediately +- Transforms apply to all stacks in the app, including nested stacks +- Use `stack.nested` to check if the current stack is a nested stack + +### Comparison with Other Extension Points + +| Extension Point | When It Runs | What It Sees | Can Modify? | +|-----------------|--------------|--------------|-------------| +| [Aspects](#aspects) | Before synthesis | Construct tree | Yes (constructs) | +| Template Transforms | During synthesis | Final template | Yes (template) | +| [Policy Validation](#policy-validation) | After synthesis | Final template | No (read-only) | + ## Blueprint Property Injection The goal of Blueprint Property Injection is to provide builders an automatic way to set default property values. diff --git a/packages/aws-cdk-lib/core/lib/app.ts b/packages/aws-cdk-lib/core/lib/app.ts index 9d5bdeca7a78d..890a9f73a65ab 100644 --- a/packages/aws-cdk-lib/core/lib/app.ts +++ b/packages/aws-cdk-lib/core/lib/app.ts @@ -5,6 +5,7 @@ import { addCustomSynthesis, ICustomSynthesis } from './private/synthesis'; import { IPropertyInjector, PropertyInjectors } from './prop-injectors'; import { IReusableStackSynthesizer } from './stack-synthesizers'; import { Stage } from './stage'; +import { ITemplateTransform, TemplateTransforms } from './template-transform'; import { IPolicyValidationPluginBeta1 } from './validation/validation'; import * as cxapi from '../../cx-api'; @@ -210,6 +211,60 @@ export class App extends Stage { this._treeMetadata = props.treeMetadata ?? true; } + /** + * Adds a template transform that will be applied to all stacks in this app. + * + * Template transforms are invoked during synthesis after the CloudFormation + * template has been fully resolved, but before it is written to disk. This + * allows inspection or modification of the final template. + * + * Transforms are invoked in the order they were added (first-added, first-run). + * Each transform receives the template as modified by previous transforms. + * If a transform throws an error, synthesis will fail immediately. + * + * @param transform An object implementing `ITemplateTransform`. Must have a + * `transformTemplate(stack, template)` method that receives the Stack and + * the resolved CloudFormation template object. The method can: + * - Mutate the template in place (return void/undefined) + * - Return a new template object to replace the original + * - Throw an error to fail synthesis + * + * @example + * // Prevent unsafe IAM policies that use hard-coded ARNs instead of dynamic references + * class BlockHardCodedIamArns implements ITemplateTransform { + * public transformTemplate(stack: Stack, template: any): void { + * const resources = template.Resources || {}; + * + * for (const logicalId of Object.keys(resources)) { + * const resource = resources[logicalId]; + * + * if (resource.Type === 'AWS::IAM::Policy') { + * const document = resource.Properties?.PolicyDocument; + * if (document) { + * // Scan policy for hard-coded ARN values. + * // Tokens are resolved at this point, so any string starting with "arn:" is literal. + * const json = JSON.stringify(document); + * if (json.indexOf('"arn:') !== -1) { + * // Add an error annotation - this will fail synthesis + * Annotations.of(stack).addError( + * `IAM Policy ${logicalId} contains a hard-coded ARN. ` + + * 'Use Fn.importValue, Ref, or GetAtt instead.', + * ); + * } + * } + * } + * } + * } + * } + * + * // Registration + * const app = new App(); + * app.addTemplateTransform(new BlockHardCodedIamArns()); + */ + public addTemplateTransform(transform: ITemplateTransform): void { + TemplateTransforms.of(this).add(transform); + } + private loadContext(defaults: { [key: string]: string } = { }, final: { [key: string]: string } = {}) { // prime with defaults passed through constructor for (const [k, v] of Object.entries(defaults)) { diff --git a/packages/aws-cdk-lib/core/lib/index.ts b/packages/aws-cdk-lib/core/lib/index.ts index d02350c401511..4cb75cd629489 100644 --- a/packages/aws-cdk-lib/core/lib/index.ts +++ b/packages/aws-cdk-lib/core/lib/index.ts @@ -1,5 +1,6 @@ export * from './aspect'; export * from './tag-aspect'; +export * from './template-transform'; export * from './token'; export * from './resolvable'; diff --git a/packages/aws-cdk-lib/core/lib/stack.ts b/packages/aws-cdk-lib/core/lib/stack.ts index 72954c939a28b..e9ebef364cb03 100644 --- a/packages/aws-cdk-lib/core/lib/stack.ts +++ b/packages/aws-cdk-lib/core/lib/stack.ts @@ -1434,7 +1434,17 @@ export class Stack extends Construct implements ITaggable { } // resolve all tokens and remove all empties - const ret = this.resolve(template) || {}; + let ret = this.resolve(template) || {}; + + // Apply template transforms registered on the app (opt-in: only if any exist) + if (TemplateTransforms.hasAny(this)) { + for (const templateTransform of TemplateTransforms.of(this).all) { + const result = templateTransform.transformTemplate(this, ret); + if (result != null) { + ret = result; + } + } + } this._logicalIds.assertAllRenamesApplied(); @@ -1869,6 +1879,7 @@ import { DefaultStackSynthesizer, IStackSynthesizer, ISynthesisSession, LegacySt import { StringSpecializer } from './helpers-internal/string-specializer'; import { Stage } from './stage'; import { ITaggable, TagManager } from './tag-manager'; +import { TemplateTransforms } from './template-transform'; import { Token, Tokenization } from './token'; import { getExportable, STRING_LIST_REFERENCE_DELIMITER } from './private/refs'; import { Fact, RegionInfo } from '../../region-info'; diff --git a/packages/aws-cdk-lib/core/lib/template-transform.ts b/packages/aws-cdk-lib/core/lib/template-transform.ts new file mode 100644 index 0000000000000..94b03739d0aeb --- /dev/null +++ b/packages/aws-cdk-lib/core/lib/template-transform.ts @@ -0,0 +1,110 @@ +import { IConstruct } from 'constructs'; +import { Stack } from './stack'; + +const TEMPLATE_TRANSFORMS_SYMBOL = Symbol.for('@aws-cdk/core.TemplateTransforms'); + +/** + * Represents a template transform that can inspect or modify + * the final CloudFormation template during synthesis. + * + * Implement this interface as a class with a `transformTemplate` method: + * + * @example + * class MyTransform implements ITemplateTransform { + * public transformTemplate(stack: Stack, template: any) { + * // Inspect or modify template here + * template.Metadata = { CustomKey: 'CustomValue' }; + * } + * } + * app.addTemplateTransform(new MyTransform()); + */ +export interface ITemplateTransform { + /** + * Called for each stack during synthesis, after the CloudFormation + * template has been fully resolved. + * + * The transform may mutate the template in place, or return a new + * template object. If the transform returns `undefined` or `void`, + * the original (possibly mutated) template is used. + * + * If the transform throws an error, synthesis will fail. + * + * @param stack The stack being synthesized. Use `stack.nested` to + * check if this is a nested stack. + * @param template The fully resolved CloudFormation template object. + * @returns A new template object, or `undefined`/`void` to use the + * original (possibly mutated) template. + */ + transformTemplate(stack: Stack, template: any): any | void; +} + +/** + * Manages template transforms registered on an App. + * + * Template transforms are invoked during synthesis after token resolution, + * allowing inspection or modification of the final CloudFormation template + * before it is written to disk. + */ +export class TemplateTransforms { + /** + * Returns true if any template transforms have been registered on the + * given scope's root construct. + * + * This method does not create the TemplateTransforms singleton if it + * doesn't exist, making it suitable for checking before invoking transforms. + * + * @param scope The scope to check for transforms. + * @returns true if transforms have been registered, false otherwise. + */ + public static hasAny(scope: IConstruct): boolean { + const root = scope.node.root; + const transforms = (root as any)[TEMPLATE_TRANSFORMS_SYMBOL] as TemplateTransforms | undefined; + return transforms !== undefined && transforms._transforms.length > 0; + } + + /** + * Returns the `TemplateTransforms` object associated with a construct scope. + * + * Template transforms are typically registered on the App, and apply to + * all stacks (including nested stacks) within that App. + * + * @param scope The scope to get transforms for. Transforms are looked up + * from the root of the construct tree. + */ + public static of(scope: IConstruct): TemplateTransforms { + const root = scope.node.root; + let transforms = (root as any)[TEMPLATE_TRANSFORMS_SYMBOL]; + if (!transforms) { + transforms = new TemplateTransforms(); + + Object.defineProperty(root, TEMPLATE_TRANSFORMS_SYMBOL, { + value: transforms, + configurable: false, + enumerable: false, + }); + } + return transforms; + } + + private readonly _transforms: ITemplateTransform[] = []; + + private constructor() {} + + /** + * Adds a template transform. + * + * Transforms are invoked in the order they were added (first-added, first-run). + * + * @param transform The transform to add. + */ + public add(transform: ITemplateTransform): void { + this._transforms.push(transform); + } + + /** + * The list of registered template transforms, in registration order. + */ + public get all(): ITemplateTransform[] { + return [...this._transforms]; + } +} diff --git a/packages/aws-cdk-lib/core/test/template-transform.test.ts b/packages/aws-cdk-lib/core/test/template-transform.test.ts new file mode 100644 index 0000000000000..6a618620ced1f --- /dev/null +++ b/packages/aws-cdk-lib/core/test/template-transform.test.ts @@ -0,0 +1,351 @@ +import { App, Stack, CfnResource } from '../lib'; +import { NestedStack } from '../lib/nested-stack'; +import { ITemplateTransform, TemplateTransforms } from '../lib/template-transform'; + +describe('TemplateTransforms', () => { + describe('registration', () => { + test('can register transforms via App.addTemplateTransform()', () => { + const app = new App(); + const transform: ITemplateTransform = { + transformTemplate: jest.fn(), + }; + + app.addTemplateTransform(transform); + + expect(TemplateTransforms.of(app).all).toContain(transform); + }); + + test('can register transforms via TemplateTransforms.of()', () => { + const app = new App(); + const transform: ITemplateTransform = { + transformTemplate: jest.fn(), + }; + + TemplateTransforms.of(app).add(transform); + + expect(TemplateTransforms.of(app).all).toContain(transform); + }); + + test('transforms are returned in registration order', () => { + const app = new App(); + const transform1: ITemplateTransform = { transformTemplate: jest.fn() }; + const transform2: ITemplateTransform = { transformTemplate: jest.fn() }; + const transform3: ITemplateTransform = { transformTemplate: jest.fn() }; + + app.addTemplateTransform(transform1); + app.addTemplateTransform(transform2); + app.addTemplateTransform(transform3); + + expect(TemplateTransforms.of(app).all).toEqual([transform1, transform2, transform3]); + }); + + test('TemplateTransforms.of() returns same instance for same app', () => { + const app = new App(); + const transforms1 = TemplateTransforms.of(app); + const transforms2 = TemplateTransforms.of(app); + + expect(transforms1).toBe(transforms2); + }); + + test('TemplateTransforms.of() on stack returns app transforms', () => { + const app = new App(); + const stack = new Stack(app, 'Stack'); + const transform: ITemplateTransform = { transformTemplate: jest.fn() }; + + app.addTemplateTransform(transform); + + expect(TemplateTransforms.of(stack).all).toContain(transform); + }); + }); + + describe('hasAny', () => { + test('returns false when no transforms registered', () => { + const app = new App(); + + expect(TemplateTransforms.hasAny(app)).toBe(false); + }); + + test('returns true when transforms are registered', () => { + const app = new App(); + app.addTemplateTransform({ transformTemplate: jest.fn() }); + + expect(TemplateTransforms.hasAny(app)).toBe(true); + }); + + test('does not create singleton when checking empty app', () => { + const app = new App(); + + // hasAny should not create the singleton + TemplateTransforms.hasAny(app); + + // Verify singleton was not created by checking that of() creates a new one with empty array + // If hasAny had created it, all would still be empty, but we verify the symbol isn't set + const TEMPLATE_TRANSFORMS_SYMBOL = Symbol.for('@aws-cdk/core.TemplateTransforms'); + expect((app as any)[TEMPLATE_TRANSFORMS_SYMBOL]).toBeUndefined(); + }); + + test('works when called on stack scope', () => { + const app = new App(); + const stack = new Stack(app, 'Stack'); + app.addTemplateTransform({ transformTemplate: jest.fn() }); + + expect(TemplateTransforms.hasAny(stack)).toBe(true); + }); + }); + + describe('invocation', () => { + test('transforms are invoked during synthesis', () => { + const app = new App(); + const stack = new Stack(app, 'Stack'); + new CfnResource(stack, 'Resource', { type: 'AWS::Test::Resource' }); + + const transformFn = jest.fn(); + app.addTemplateTransform({ transformTemplate: transformFn }); + + app.synth(); + + expect(transformFn).toHaveBeenCalledTimes(1); + expect(transformFn).toHaveBeenCalledWith( + stack, + expect.objectContaining({ + Resources: expect.objectContaining({ + Resource: expect.objectContaining({ Type: 'AWS::Test::Resource' }), + }), + }), + ); + }); + + test('transforms are invoked in registration order', () => { + const app = new App(); + const stack = new Stack(app, 'Stack'); + new CfnResource(stack, 'Resource', { type: 'AWS::Test::Resource' }); + + const order: number[] = []; + app.addTemplateTransform({ transformTemplate: () => { order.push(1); } }); + app.addTemplateTransform({ transformTemplate: () => { order.push(2); } }); + app.addTemplateTransform({ transformTemplate: () => { order.push(3); } }); + + app.synth(); + + expect(order).toEqual([1, 2, 3]); + }); + + test('transforms can mutate template in place', () => { + const app = new App(); + const stack = new Stack(app, 'Stack'); + new CfnResource(stack, 'Resource', { type: 'AWS::Test::Resource' }); + + app.addTemplateTransform({ + transformTemplate(_stack, template) { + template.Metadata = { Custom: 'Value' }; + }, + }); + + const assembly = app.synth(); + const template = assembly.getStackByName('Stack').template; + + expect(template.Metadata).toEqual({ Custom: 'Value' }); + }); + + test('transforms can return a new template', () => { + const app = new App(); + const stack = new Stack(app, 'Stack'); + new CfnResource(stack, 'Resource', { type: 'AWS::Test::Resource' }); + + app.addTemplateTransform({ + transformTemplate(_stack, template) { + return { + ...template, + Metadata: { Replaced: true }, + }; + }, + }); + + const assembly = app.synth(); + const template = assembly.getStackByName('Stack').template; + + expect(template.Metadata).toEqual({ Replaced: true }); + }); + + test('transform returning null is ignored (original template used)', () => { + const app = new App(); + const stack = new Stack(app, 'Stack'); + new CfnResource(stack, 'Resource', { type: 'AWS::Test::Resource' }); + + app.addTemplateTransform({ + transformTemplate(_stack, template) { + template.Metadata = { Modified: true }; + return null as any; // explicitly return null + }, + }); + + const assembly = app.synth(); + const template = assembly.getStackByName('Stack').template; + + // In-place mutation should still apply, but null return is treated like undefined + expect(template.Metadata).toEqual({ Modified: true }); + }); + + test('synthesis succeeds with no transforms registered', () => { + const app = new App(); + const stack = new Stack(app, 'Stack'); + new CfnResource(stack, 'Resource', { type: 'AWS::Test::Resource' }); + + // No transforms registered + expect(TemplateTransforms.of(app).all).toHaveLength(0); + + const assembly = app.synth(); + const template = assembly.getStackByName('Stack').template; + + expect(template.Resources.Resource.Type).toBe('AWS::Test::Resource'); + }); + + test('later transforms see changes from earlier transforms', () => { + const app = new App(); + const stack = new Stack(app, 'Stack'); + new CfnResource(stack, 'Resource', { type: 'AWS::Test::Resource' }); + + app.addTemplateTransform({ + transformTemplate(_stack, template) { + template.Metadata = { Step: 1 }; + }, + }); + app.addTemplateTransform({ + transformTemplate(_stack, template) { + template.Metadata.Step = 2; + }, + }); + + const assembly = app.synth(); + const template = assembly.getStackByName('Stack').template; + + expect(template.Metadata).toEqual({ Step: 2 }); + }); + + test('transforms are invoked for multiple stacks', () => { + const app = new App(); + const stack1 = new Stack(app, 'Stack1'); + const stack2 = new Stack(app, 'Stack2'); + new CfnResource(stack1, 'Resource', { type: 'AWS::Test::Resource' }); + new CfnResource(stack2, 'Resource', { type: 'AWS::Test::Resource' }); + + const stacks: Stack[] = []; + app.addTemplateTransform({ + transformTemplate(stack) { + stacks.push(stack); + }, + }); + + app.synth(); + + expect(stacks).toHaveLength(2); + expect(stacks).toContain(stack1); + expect(stacks).toContain(stack2); + }); + + test('transforms are invoked for nested stacks', () => { + const app = new App(); + const parentStack = new Stack(app, 'ParentStack'); + const nestedStack = new NestedStack(parentStack, 'NestedStack'); + new CfnResource(nestedStack, 'Resource', { type: 'AWS::Test::Resource' }); + + const stacks: Array<{ stack: Stack; nested: boolean }> = []; + app.addTemplateTransform({ + transformTemplate(stack) { + stacks.push({ stack, nested: stack.nested }); + }, + }); + + app.synth(); + + expect(stacks).toContainEqual({ stack: parentStack, nested: false }); + expect(stacks).toContainEqual({ stack: nestedStack, nested: true }); + }); + + test('transform can distinguish nested stacks', () => { + const app = new App(); + const parentStack = new Stack(app, 'ParentStack'); + const nestedStack = new NestedStack(parentStack, 'NestedStack'); + new CfnResource(nestedStack, 'Resource', { type: 'AWS::Test::Resource' }); + + app.addTemplateTransform({ + transformTemplate(stack, template) { + if (stack.nested) { + template.Metadata = { IsNested: true }; + } else { + template.Metadata = { IsNested: false }; + } + }, + }); + + const assembly = app.synth(); + const parentTemplate = assembly.getStackByName('ParentStack').template; + + expect(parentTemplate.Metadata).toEqual({ IsNested: false }); + // Nested stack template is embedded as an asset, harder to verify directly + }); + }); + + describe('error handling', () => { + test('synthesis fails if transform throws', () => { + const app = new App(); + const stack = new Stack(app, 'Stack'); + new CfnResource(stack, 'Resource', { type: 'AWS::Test::Resource' }); + + app.addTemplateTransform({ + transformTemplate() { + throw new Error('Validation failed: policy violation'); + }, + }); + + expect(() => app.synth()).toThrow('Validation failed: policy violation'); + }); + + test('first failing transform stops execution', () => { + const app = new App(); + const stack = new Stack(app, 'Stack'); + new CfnResource(stack, 'Resource', { type: 'AWS::Test::Resource' }); + + const secondTransform = jest.fn(); + + app.addTemplateTransform({ + transformTemplate() { + throw new Error('First transform failed'); + }, + }); + app.addTemplateTransform({ + transformTemplate: secondTransform, + }); + + expect(() => app.synth()).toThrow('First transform failed'); + expect(secondTransform).not.toHaveBeenCalled(); + }); + }); + + describe('template content', () => { + test('transforms receive fully resolved template (no tokens)', () => { + const app = new App(); + const stack = new Stack(app, 'Stack'); + new CfnResource(stack, 'Resource', { + type: 'AWS::Test::Resource', + properties: { + StackName: stack.stackName, + }, + }); + + let receivedTemplate: any; + app.addTemplateTransform({ + transformTemplate(_stack, template) { + receivedTemplate = template; + }, + }); + + app.synth(); + + // Verify the template is resolved (stackName should be a string, not a token) + const resource = receivedTemplate.Resources.Resource; + expect(typeof resource.Properties.StackName).toBe('string'); + expect(resource.Properties.StackName).toBe('Stack'); + }); + }); +}); diff --git a/packages/aws-cdk-lib/rosetta/default.ts-fixture b/packages/aws-cdk-lib/rosetta/default.ts-fixture index 520442e0e82bd..c5f80878e296b 100644 --- a/packages/aws-cdk-lib/rosetta/default.ts-fixture +++ b/packages/aws-cdk-lib/rosetta/default.ts-fixture @@ -40,6 +40,7 @@ import { Fn, IAspect, ITaggable, + ITemplateTransform, PermissionsBoundary, RemovalPolicy, RemovalPolicies,