Update to AWS CDK v2

tests/ci/cdk/app.py

@@ -3,7 +3,7 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0 OR ISC
 
-from aws_cdk import core
+from aws_cdk import Environment, App
 
 # from cdk.bm_framework_stack import BmFrameworkStack
 from cdk.aws_lc_mac_arm_ci_stack import AwsLcMacArmCIStack
@@ -17,10 +17,10 @@
 from util.metadata import AWS_ACCOUNT, AWS_REGION, LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO, WINDOWS_X86_ECR_REPO
 
 # Initialize app.
-app = core.App()
+app = App()
 
 # Initialize env.
-env = core.Environment(account=AWS_ACCOUNT, region=AWS_REGION)
+env = Environment(account=AWS_ACCOUNT, region=AWS_REGION)
 
 # Define AWS ECR stacks.
 # ECR holds the docker images, which are pre-built to accelerate the code builds/tests of git pull requests.
@@ -49,7 +49,7 @@
 # bm_framework_build_spec_file = "cdk/codebuild/bm_framework_omnibus.yaml"
 # BmFrameworkStack(app, "aws-lc-ci-bm-framework", bm_framework_build_spec_file, env=env)
 mac_arm_build_spec_file = "cdk/codebuild/github_ci_macos_m1_omnibus.yaml"
-AwsLcMacArmCIStack(app, "aws-lc-ci-macos-arm", mac_arm_build_spec_file, env=env)
+# AwsLcMacArmCIStack(app, "aws-lc-ci-macos-arm", mac_arm_build_spec_file, env=env)
 android_build_spec_file = "cdk/codebuild/github_ci_android_omnibus.yaml"
 AwsLcAndroidCIStack(app, "aws-lc-ci-devicefarm-android", android_build_spec_file, env=env)
 

tests/ci/cdk/cdk.json

@@ -1,7 +1,4 @@
 {
   "app": "python3 app.py",
-  "context": {
-    "@aws-cdk/core:enableStackNameDuplicates": "true",
-    "aws-cdk:enableDiffNoFail": "true"
-  }
+  "context": {}
 }

tests/ci/cdk/cdk/aws_lc_analytics_stack.py

@@ -1,18 +1,19 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0 OR ISC
 
-from aws_cdk import core, aws_codebuild as codebuild, aws_iam as iam, aws_ec2 as ec2, aws_efs as efs
+from aws_cdk import Duration, Stack, aws_codebuild as codebuild, aws_iam as iam, aws_ec2 as ec2, aws_efs as efs
+from constructs import Construct
 
 from util.iam_policies import code_build_publish_metrics_in_json
 from util.metadata import GITHUB_REPO_OWNER, GITHUB_REPO_NAME
 from util.build_spec_loader import BuildSpecLoader
 
 
-class AwsLcGitHubAnalyticsStack(core.Stack):
+class AwsLcGitHubAnalyticsStack(Stack):
     """Define a stack used to batch execute AWS-LC tests in GitHub."""
 
     def __init__(self,
-                 scope: core.Construct,
+                 scope: Construct,
                  id: str,
                  spec_file_path: str,
                  **kwargs) -> None:
@@ -46,7 +47,7 @@ def __init__(self,
             project_name=id,
             source=git_hub_source,
             role=role,
-            timeout=core.Duration.minutes(120),
+            timeout=Duration.minutes(120),
             environment=codebuild.BuildEnvironment(compute_type=codebuild.ComputeType.LARGE,
                                                    privileged=True,
                                                    build_image=codebuild.LinuxBuildImage.STANDARD_4_0),

tests/ci/cdk/cdk/aws_lc_android_ci_stack.py

@@ -1,19 +1,20 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0 OR ISC
 
-from aws_cdk import core, aws_codebuild as codebuild, aws_iam as iam
+from aws_cdk import Duration, Stack, aws_codebuild as codebuild, aws_iam as iam
+from constructs import Construct
 from util.iam_policies import code_build_batch_policy_in_json, device_farm_access_policy_in_json
 from util.metadata import GITHUB_REPO_OWNER, GITHUB_REPO_NAME
 from util.build_spec_loader import BuildSpecLoader
 
 
-class AwsLcAndroidCIStack(core.Stack):
+class AwsLcAndroidCIStack(Stack):
     """Define a stack used to batch execute AWS-LC tests in GitHub."""
     # The Device Farm resource used to in this CI spec, must be manually created.
     # TODO: Automate Device Farm creation with cdk script.
 
     def __init__(self,
-                 scope: core.Construct,
+                 scope: Construct,
                  id: str,
                  spec_file_path: str,
                  **kwargs) -> None:
@@ -52,7 +53,7 @@ def __init__(self,
             project_name=id,
             source=git_hub_source,
             role=role,
-            timeout=core.Duration.minutes(180),
+            timeout=Duration.minutes(180),
             environment=codebuild.BuildEnvironment(compute_type=codebuild.ComputeType.SMALL,
                                                    privileged=False,
                                                    build_image=codebuild.LinuxBuildImage.STANDARD_4_0),

tests/ci/cdk/cdk/aws_lc_github_ci_stack.py

@@ -1,17 +1,18 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0 OR ISC
 
-from aws_cdk import core, aws_codebuild as codebuild, aws_iam as iam
+from aws_cdk import Duration, Stack, aws_codebuild as codebuild, aws_iam as iam, aws_s3_assets
+from constructs import Construct
 from util.iam_policies import code_build_batch_policy_in_json
-from util.metadata import GITHUB_REPO_OWNER, GITHUB_REPO_NAME
+from util.metadata import CAN_AUTOLOAD, GITHUB_REPO_OWNER, GITHUB_REPO_NAME
 from util.build_spec_loader import BuildSpecLoader
 
 
-class AwsLcGitHubCIStack(core.Stack):
+class AwsLcGitHubCIStack(Stack):
     """Define a stack used to batch execute AWS-LC tests in GitHub."""
 
     def __init__(self,
-                 scope: core.Construct,
+                 scope: Construct,
                  id: str,
                  spec_file_path: str,
                  **kwargs) -> None:
@@ -47,7 +48,7 @@ def __init__(self,
             project_name=id,
             source=git_hub_source,
             role=role,
-            timeout=core.Duration.minutes(180),
+            timeout=Duration.minutes(180),
             environment=codebuild.BuildEnvironment(compute_type=codebuild.ComputeType.SMALL,
                                                    privileged=False,
                                                    build_image=codebuild.LinuxBuildImage.STANDARD_4_0),

tests/ci/cdk/cdk/aws_lc_github_fuzz_ci_stack.py

@@ -1,7 +1,8 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0 OR ISC
 
-from aws_cdk import core, aws_codebuild as codebuild, aws_iam as iam, aws_ec2 as ec2, aws_efs as efs
+from aws_cdk import Duration, Size, Stack, aws_codebuild as codebuild, aws_iam as iam, aws_ec2 as ec2, aws_efs as efs
+from constructs import Construct
 
 from util.ecr_util import ecr_arn
 from util.iam_policies import code_build_batch_policy_in_json, \
@@ -10,11 +11,11 @@
 from util.build_spec_loader import BuildSpecLoader
 
 
-class AwsLcGitHubFuzzCIStack(core.Stack):
+class AwsLcGitHubFuzzCIStack(Stack):
     """Define a stack used to batch execute AWS-LC tests in GitHub."""
 
     def __init__(self,
-                 scope: core.Construct,
+                 scope: Construct,
                  id: str,
                  spec_file_path: str,
                  **kwargs) -> None:
@@ -47,7 +48,7 @@ def __init__(self,
 
         # Create the VPC for EFS and CodeBuild
         public_subnet = ec2.SubnetConfiguration(name="PublicFuzzingSubnet", subnet_type=ec2.SubnetType.PUBLIC)
-        private_subnet = ec2.SubnetConfiguration(name="PrivateFuzzingSubnet", subnet_type=ec2.SubnetType.PRIVATE)
+        private_subnet = ec2.SubnetConfiguration(name="PrivateFuzzingSubnet", subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS)
 
         # Create a VPC with a single public and private subnet in a single AZ. This is to avoid the elastic IP limit
         # being used up by a bunch of idle NAT gateways
@@ -69,7 +70,7 @@ def __init__(self,
             description="Allow all traffic inside security group"
         )
 
-        efs_subnet_selection = ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE)
+        efs_subnet_selection = ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS)
 
         # Create the EFS to store the corpus and logs. EFS allows new filesystems to burst to 100 MB/s for the first 2
         # TB of data read/written, after that the rate is limited based on the size of the filesystem. As of late
@@ -90,7 +91,7 @@ def __init__(self,
             vpc_subnets=efs_subnet_selection,
             performance_mode=efs.PerformanceMode.GENERAL_PURPOSE,
             throughput_mode=efs.ThroughputMode.PROVISIONED,
-            provisioned_throughput_per_second=core.Size.mebibytes(100),
+            provisioned_throughput_per_second=Size.mebibytes(100),
         )
 
         # Define CodeBuild.
@@ -100,7 +101,7 @@ def __init__(self,
             project_name=id,
             source=git_hub_source,
             role=role,
-            timeout=core.Duration.minutes(120),
+            timeout=Duration.minutes(120),
             environment=codebuild.BuildEnvironment(compute_type=codebuild.ComputeType.LARGE,
                                                    privileged=True,
                                                    build_image=codebuild.LinuxBuildImage.STANDARD_4_0),

tests/ci/cdk/cdk/aws_lc_mac_arm_ci_stack.py

@@ -5,18 +5,19 @@
 import boto3
 
 from botocore.exceptions import ClientError
-from aws_cdk import core, aws_ec2 as ec2, aws_codebuild as codebuild, aws_iam as iam, aws_s3 as s3, aws_logs as logs
+from aws_cdk import CfnTag, Duration, Stack, Tags, aws_ec2 as ec2, aws_codebuild as codebuild, aws_iam as iam, aws_s3 as s3, aws_logs as logs
+from constructs import Construct
 from util.metadata import AWS_ACCOUNT, AWS_REGION, GITHUB_REPO_OWNER, GITHUB_REPO_NAME
 from util.iam_policies import code_build_batch_policy_in_json, ec2_policies_in_json, ssm_policies_in_json, s3_read_write_policy_in_json
 from util.build_spec_loader import BuildSpecLoader
 
 # detailed documentation can be found here: https://docs.aws.amazon.com/cdk/api/latest/docs/aws-ec2-readme.html
 
-class AwsLcMacArmCIStack(core.Stack):
+class AwsLcMacArmCIStack(Stack):
     """Define a stack used to create a CodeBuild instance on which to execute the AWS-LC m1 ci ec2 instance"""
 
     def __init__(self,
-                 scope: core.Construct,
+                 scope: Construct,
                  id: str,
                  spec_file_path: str,
                  **kwargs) -> None:
@@ -60,7 +61,7 @@ def __init__(self,
             project_name=id,
             source=git_hub_source,
             role=codebuild_role,
-            timeout=core.Duration.minutes(120),
+            timeout=Duration.minutes(120),
             environment=codebuild.BuildEnvironment(compute_type=codebuild.ComputeType.SMALL,
                                                    privileged=False,
                                                    build_image=codebuild.LinuxBuildImage.STANDARD_4_0),
@@ -97,7 +98,7 @@ def __init__(self,
                                 availability_zone="us-west-2a",
                                 auto_placement="off",
                                 instance_type="mac2.metal")
-        core.Tags.of(cfn_host).add("Name", "{}-dedicated-host".format(id))
+        Tags.of(cfn_host).add("Name", "{}-dedicated-host".format(id))
 
         # AMI is for M1 MacOS Monterey.
         ami_id="ami-084c6ab9d03ad4d46"
@@ -110,7 +111,7 @@ def __init__(self,
                         instance_type="mac2.metal",
                         security_group_ids=[security_group.security_group_id],
                         subnet_id=selection.subnet_ids[0],
-                        tags=[core.CfnTag(key="Name",value="aws-lc-ci-macos-arm-ec2-instance")])
+                        tags=[CfnTag(key="Name",value="aws-lc-ci-macos-arm-ec2-instance")])
 
         # Define logs for SSM.
         logs.LogGroup(self, "{}-cw-logs".format(id), log_group_name=CLOUDWATCH_LOGS)

tests/ci/cdk/cdk/bm_framework_stack.py

@@ -5,7 +5,8 @@
 import boto3
 
 from botocore.exceptions import ClientError
-from aws_cdk import core, aws_ec2 as ec2, aws_codebuild as codebuild, aws_iam as iam, aws_s3 as s3, aws_logs as logs
+from aws_cdk import Duration, Stack, aws_ec2 as ec2, aws_codebuild as codebuild, aws_iam as iam, aws_s3 as s3, aws_logs as logs
+from constructs import Construct
 from util.metadata import AWS_ACCOUNT, AWS_REGION, GITHUB_REPO_OWNER, GITHUB_REPO_NAME
 from util.iam_policies import code_build_batch_policy_in_json, s3_read_write_policy_in_json, \
     ec2_bm_framework_policies_in_json, ssm_bm_framework_policies_in_json, s3_bm_framework_policies_in_json, \
@@ -14,11 +15,11 @@
 
 # detailed documentation can be found here: https://docs.aws.amazon.com/cdk/api/latest/docs/aws-ec2-readme.html
 
-class BmFrameworkStack(core.Stack):
+class BmFrameworkStack(Stack):
     """Define a stack used to create a CodeBuild instance on which to execute the AWS-LC benchmarking framework"""
 
     def __init__(self,
-                 scope: core.Construct,
+                 scope: Construct,
                  id: str,
                  spec_file_path: str,
                  **kwargs) -> None:
@@ -72,7 +73,7 @@ def __init__(self,
             project_name=id,
             source=git_hub_source,
             role=codebuild_role,
-            timeout=core.Duration.minutes(120),
+            timeout=Duration.minutes(120),
             environment=codebuild.BuildEnvironment(compute_type=codebuild.ComputeType.SMALL,
                                                    privileged=False,
                                                    build_image=codebuild.LinuxBuildImage.STANDARD_4_0),

tests/ci/cdk/cdk/ecr_stack.py

@@ -1,13 +1,14 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0 OR ISC
 
-from aws_cdk import core, aws_ecr as ecr, aws_iam as iam
+from aws_cdk import Stack, aws_ecr as ecr, aws_iam as iam
+from constructs import Construct
 
 
-class EcrStack(core.Stack):
+class EcrStack(Stack):
     """Define a stack of ECR to store pre-built Docker Images."""
 
-    def __init__(self, scope: core.Construct, id: str, repo_name: str, **kwargs) -> None:
+    def __init__(self, scope: Construct, id: str, repo_name: str, **kwargs) -> None:
         super().__init__(scope, id, **kwargs)
 
         ecr.Repository(scope=self, id=id, repository_name=repo_name).grant_pull_push(

tests/ci/cdk/cdk/linux_docker_image_batch_build_stack.py

@@ -1,18 +1,19 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0 OR ISC
 
-from aws_cdk import core, aws_codebuild as codebuild, aws_iam as iam, aws_ec2 as ec2
+from aws_cdk import Duration, Stack, aws_codebuild as codebuild, aws_iam as iam, aws_ec2 as ec2
+from constructs import Construct
 
 from util.metadata import AWS_ACCOUNT, GITHUB_REPO_OWNER, GITHUB_REPO_NAME, GITHUB_SOURCE_VERSION, LINUX_AARCH_ECR_REPO, \
     LINUX_X86_ECR_REPO
 from util.iam_policies import code_build_batch_policy_in_json, ecr_power_user_policy_in_json
 from util.yml_loader import YmlLoader
 
 
-class LinuxDockerImageBatchBuildStack(core.Stack):
+class LinuxDockerImageBatchBuildStack(Stack):
     """Define a temporary stack used to batch build Linux Docker images. After build, this stack will be destroyed."""
 
-    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+    def __init__(self, scope: Construct, id: str, **kwargs) -> None:
         super().__init__(scope, id, **kwargs)
 
         # Define CodeBuild resource.
@@ -61,6 +62,6 @@ def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
                 build_image=codebuild.LinuxBuildImage.STANDARD_4_0),
             environment_variables=environment_variables,
             role=role,
-            timeout=core.Duration.minutes(180),
+            timeout=Duration.minutes(180),
             build_spec=codebuild.BuildSpec.from_object(build_spec_content))
         project.enable_batch_builds()

tests/ci/cdk/cdk/windows_docker_image_build_stack.py

@@ -1,18 +1,19 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0 OR ISC
 
-from aws_cdk import core, aws_ec2 as ec2, aws_s3 as s3, aws_iam as iam, aws_ssm as ssm
+from aws_cdk import Stack, Tags, aws_ec2 as ec2, aws_s3 as s3, aws_iam as iam, aws_ssm as ssm
+from constructs import Construct
 from util.iam_policies import ecr_power_user_policy_in_json, s3_read_write_policy_in_json
 from util.metadata import AWS_ACCOUNT, AWS_REGION, WINDOWS_X86_ECR_REPO, S3_BUCKET_NAME, GITHUB_REPO_OWNER, WIN_EC2_TAG_KEY, \
     WIN_EC2_TAG_VALUE, SSM_DOCUMENT_NAME, GITHUB_SOURCE_VERSION
 from util.yml_loader import YmlLoader
 
 
-class WindowsDockerImageBuildStack(core.Stack):
+class WindowsDockerImageBuildStack(Stack):
     """Define a temporary stack used to build Windows Docker images. After build, this stack will be destroyed."""
 
     def __init__(self,
-                 scope: core.Construct,
+                 scope: Construct,
                  id: str,
                  **kwargs) -> None:
         super().__init__(scope, id, **kwargs)
@@ -59,4 +60,4 @@ def __init__(self,
                                 vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC),
                                 machine_image=machine_image)
 
-        core.Tags.of(instance).add(WIN_EC2_TAG_KEY, WIN_EC2_TAG_VALUE)
+        Tags.of(instance).add(WIN_EC2_TAG_KEY, WIN_EC2_TAG_VALUE)

tests/ci/cdk/util/build_spec_loader.py

@@ -3,7 +3,7 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0 OR ISC
 
-from aws_cdk import aws_codebuild as codebuild
+from aws_cdk import aws_codebuild as codebuild, aws_s3_assets
 from util.metadata import CAN_AUTOLOAD, TEAM_ACCOUNT, AWS_ACCOUNT, DEFAULT_REGION, AWS_REGION
 import yaml
 

tests/ci/setup.py

@@ -20,10 +20,8 @@
 
     install_requires=[
         # CDK dependencies.
-        "aws-cdk.core==1.190.0",
-        "aws-cdk.aws-codebuild==1.190.0",
-        "aws-cdk.aws-ecr==1.190.0",
-        "aws-cdk.aws-iam==1.190.0",
+        "aws-cdk-lib==2.74.0",
+        "constructs==10.1.314",
         # PyYAML is a YAML parser and emitter for Python. Used to read build_spec.yaml.
         "pyyaml==5.3.1",
         # A formatter for Python code.