diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/demo-image-build-context/context/hello.txt b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/demo-image-build-context/context/hello.txt
new file mode 100644
index 0000000000000..d7016db8f76fd
--- /dev/null
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/demo-image-build-context/context/hello.txt
@@ -0,0 +1 @@
+Hello from build context!
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/demo-image-build-context/image/Dockerfile b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/demo-image-build-context/image/Dockerfile
new file mode 100644
index 0000000000000..e9393c664f258
--- /dev/null
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/demo-image-build-context/image/Dockerfile
@@ -0,0 +1,6 @@
+FROM public.ecr.aws/docker/library/python:3.12-slim
+EXPOSE 8000
+WORKDIR /src
+ADD . /src
+COPY --from=mycontext hello.txt /src/hello.txt
+CMD ["python3", "index.py"]
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/demo-image-build-context/image/index.py b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/demo-image-build-context/image/index.py
new file mode 100644
index 0000000000000..d5a0d5fc4a2b6
--- /dev/null
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/demo-image-build-context/image/index.py
@@ -0,0 +1,41 @@
+#!/usr/bin/python
+import sys
+import textwrap
+import http.server
+import socketserver
+
+PORT = 8000
+
+# Read the file that was copied from the build context
+try:
+ with open('/src/hello.txt', 'r') as f:
+ context_message = f.read().strip()
+except FileNotFoundError:
+ context_message = 'ERROR: hello.txt not found - build context may not have worked'
+
+
+class Handler(http.server.SimpleHTTPRequestHandler):
+ def do_GET(self):
+ self.send_response(200)
+ self.send_header('Content-Type', 'text/html')
+ self.end_headers()
+ self.wfile.write(textwrap.dedent('''\
+
+ It works
+
+ Hello from the integ test container with build context
+ Message from build context: {message}
+ 
+
+ ''').format(message=context_message).encode('utf-8'))
+
+
+def main():
+ httpd = http.server.HTTPServer(("", PORT), Handler)
+ print("serving at port", PORT)
+ print("message from build context:", context_message)
+ httpd.serve_forever()
+
+
+if __name__ == '__main__':
+ main()
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/DockerBuildContextTestDefaultTestDeployAssert7E73C929.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/DockerBuildContextTestDefaultTestDeployAssert7E73C929.assets.json
new file mode 100644
index 0000000000000..3d51e8f65a58e
--- /dev/null
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/DockerBuildContextTestDefaultTestDeployAssert7E73C929.assets.json
@@ -0,0 +1,20 @@
+{
+ "version": "53.0.0",
+ "files": {
+ "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
+ "displayName": "DockerBuildContextTestDefaultTestDeployAssert7E73C929 Template",
+ "source": {
+ "path": "DockerBuildContextTestDefaultTestDeployAssert7E73C929.template.json",
+ "packaging": "file"
+ },
+ "destinations": {
+ "current_account-current_region-d8d86b35": {
+ "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+ "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+ "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+ }
+ }
+ }
+ },
+ "dockerImages": {}
+}
\ No newline at end of file
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/DockerBuildContextTestDefaultTestDeployAssert7E73C929.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/DockerBuildContextTestDefaultTestDeployAssert7E73C929.template.json
new file mode 100644
index 0000000000000..ad9d0fb73d1dd
--- /dev/null
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/DockerBuildContextTestDefaultTestDeployAssert7E73C929.template.json
@@ -0,0 +1,36 @@
+{
+ "Parameters": {
+ "BootstrapVersion": {
+ "Type": "AWS::SSM::Parameter::Value",
+ "Default": "/cdk-bootstrap/hnb659fds/version",
+ "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+ }
+ },
+ "Rules": {
+ "CheckBootstrapVersion": {
+ "Assertions": [
+ {
+ "Assert": {
+ "Fn::Not": [
+ {
+ "Fn::Contains": [
+ [
+ "1",
+ "2",
+ "3",
+ "4",
+ "5"
+ ],
+ {
+ "Ref": "BootstrapVersion"
+ }
+ ]
+ }
+ ]
+ },
+ "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/asset.21592aa0c60f855735949fa2ddd50ccfe5c2662eea8c60a4c95742dbc5aa3206/Dockerfile b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/asset.21592aa0c60f855735949fa2ddd50ccfe5c2662eea8c60a4c95742dbc5aa3206/Dockerfile
new file mode 100644
index 0000000000000..e9393c664f258
--- /dev/null
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/asset.21592aa0c60f855735949fa2ddd50ccfe5c2662eea8c60a4c95742dbc5aa3206/Dockerfile
@@ -0,0 +1,6 @@
+FROM public.ecr.aws/docker/library/python:3.12-slim
+EXPOSE 8000
+WORKDIR /src
+ADD . /src
+COPY --from=mycontext hello.txt /src/hello.txt
+CMD ["python3", "index.py"]
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/asset.21592aa0c60f855735949fa2ddd50ccfe5c2662eea8c60a4c95742dbc5aa3206/index.py b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/asset.21592aa0c60f855735949fa2ddd50ccfe5c2662eea8c60a4c95742dbc5aa3206/index.py
new file mode 100644
index 0000000000000..d5a0d5fc4a2b6
--- /dev/null
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/asset.21592aa0c60f855735949fa2ddd50ccfe5c2662eea8c60a4c95742dbc5aa3206/index.py
@@ -0,0 +1,41 @@
+#!/usr/bin/python
+import sys
+import textwrap
+import http.server
+import socketserver
+
+PORT = 8000
+
+# Read the file that was copied from the build context
+try:
+ with open('/src/hello.txt', 'r') as f:
+ context_message = f.read().strip()
+except FileNotFoundError:
+ context_message = 'ERROR: hello.txt not found - build context may not have worked'
+
+
+class Handler(http.server.SimpleHTTPRequestHandler):
+ def do_GET(self):
+ self.send_response(200)
+ self.send_header('Content-Type', 'text/html')
+ self.end_headers()
+ self.wfile.write(textwrap.dedent('''\
+
+ It works
+
+ Hello from the integ test container with build context
+ Message from build context: {message}
+
+
+ ''').format(message=context_message).encode('utf-8'))
+
+
+def main():
+ httpd = http.server.HTTPServer(("", PORT), Handler)
+ print("serving at port", PORT)
+ print("message from build context:", context_message)
+ httpd.serve_forever()
+
+
+if __name__ == '__main__':
+ main()
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/cdk.out
new file mode 100644
index 0000000000000..60aa68e157090
--- /dev/null
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/cdk.out
@@ -0,0 +1 @@
+{"version":"53.0.0"}
\ No newline at end of file
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/integ-assets-docker-build-context.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/integ-assets-docker-build-context.assets.json
new file mode 100644
index 0000000000000..293a84cd11d4b
--- /dev/null
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/integ-assets-docker-build-context.assets.json
@@ -0,0 +1,37 @@
+{
+ "version": "53.0.0",
+ "files": {
+ "fd3ef8d77693a6339ca951518c027f236606fc59890dba9515b60cf1496c9e5c": {
+ "displayName": "integ-assets-docker-build-context Template",
+ "source": {
+ "path": "integ-assets-docker-build-context.template.json",
+ "packaging": "file"
+ },
+ "destinations": {
+ "current_account-current_region-4c9b0647": {
+ "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+ "objectKey": "fd3ef8d77693a6339ca951518c027f236606fc59890dba9515b60cf1496c9e5c.json",
+ "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+ }
+ }
+ }
+ },
+ "dockerImages": {
+ "21592aa0c60f855735949fa2ddd50ccfe5c2662eea8c60a4c95742dbc5aa3206": {
+ "displayName": "DockerImageWithBuildContext",
+ "source": {
+ "directory": "asset.21592aa0c60f855735949fa2ddd50ccfe5c2662eea8c60a4c95742dbc5aa3206",
+ "dockerBuildContexts": {
+ "mycontext": "/Users/jacsteve/test/aws-cdk/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/demo-image-build-context/context"
+ }
+ },
+ "destinations": {
+ "current_account-current_region-f88152a7": {
+ "repositoryName": "cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}",
+ "imageTag": "21592aa0c60f855735949fa2ddd50ccfe5c2662eea8c60a4c95742dbc5aa3206",
+ "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-image-publishing-role-${AWS::AccountId}-${AWS::Region}"
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/integ-assets-docker-build-context.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/integ-assets-docker-build-context.template.json
new file mode 100644
index 0000000000000..e453b4cec507e
--- /dev/null
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/integ-assets-docker-build-context.template.json
@@ -0,0 +1,100 @@
+{
+ "Resources": {
+ "MyUserDC45028B": {
+ "Type": "AWS::IAM::User"
+ },
+ "MyUserDefaultPolicy7B897426": {
+ "Type": "AWS::IAM::Policy",
+ "Properties": {
+ "PolicyDocument": {
+ "Statement": [
+ {
+ "Action": [
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:BatchGetImage",
+ "ecr:GetDownloadUrlForLayer"
+ ],
+ "Effect": "Allow",
+ "Resource": {
+ "Fn::Join": [
+ "",
+ [
+ "arn:",
+ {
+ "Ref": "AWS::Partition"
+ },
+ ":ecr:",
+ {
+ "Ref": "AWS::Region"
+ },
+ ":",
+ {
+ "Ref": "AWS::AccountId"
+ },
+ ":repository/",
+ {
+ "Fn::Sub": "cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}"
+ }
+ ]
+ ]
+ }
+ },
+ {
+ "Action": "ecr:GetAuthorizationToken",
+ "Effect": "Allow",
+ "Resource": "*"
+ }
+ ],
+ "Version": "2012-10-17"
+ },
+ "PolicyName": "MyUserDefaultPolicy7B897426",
+ "Users": [
+ {
+ "Ref": "MyUserDC45028B"
+ }
+ ]
+ }
+ }
+ },
+ "Outputs": {
+ "ImageUri": {
+ "Value": {
+ "Fn::Sub": "${AWS::AccountId}.dkr.ecr.${AWS::Region}.${AWS::URLSuffix}/cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}:21592aa0c60f855735949fa2ddd50ccfe5c2662eea8c60a4c95742dbc5aa3206"
+ }
+ }
+ },
+ "Parameters": {
+ "BootstrapVersion": {
+ "Type": "AWS::SSM::Parameter::Value",
+ "Default": "/cdk-bootstrap/hnb659fds/version",
+ "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+ }
+ },
+ "Rules": {
+ "CheckBootstrapVersion": {
+ "Assertions": [
+ {
+ "Assert": {
+ "Fn::Not": [
+ {
+ "Fn::Contains": [
+ [
+ "1",
+ "2",
+ "3",
+ "4",
+ "5"
+ ],
+ {
+ "Ref": "BootstrapVersion"
+ }
+ ]
+ }
+ ]
+ },
+ "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/integ.json
new file mode 100644
index 0000000000000..41ea32483fa23
--- /dev/null
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/integ.json
@@ -0,0 +1,12 @@
+{
+ "version": "53.0.0",
+ "testCases": {
+ "DockerBuildContextTest/DefaultTest": {
+ "stacks": [
+ "integ-assets-docker-build-context"
+ ],
+ "assertionStack": "DockerBuildContextTest/DefaultTest/DeployAssert",
+ "assertionStackName": "DockerBuildContextTestDefaultTestDeployAssert7E73C929"
+ }
+ }
+}
\ No newline at end of file
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/manifest.json
new file mode 100644
index 0000000000000..25d6347915e47
--- /dev/null
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/manifest.json
@@ -0,0 +1,689 @@
+{
+ "version": "53.0.0",
+ "artifacts": {
+ "integ-assets-docker-build-context.assets": {
+ "type": "cdk:asset-manifest",
+ "properties": {
+ "file": "integ-assets-docker-build-context.assets.json",
+ "requiresBootstrapStackVersion": 6,
+ "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+ }
+ },
+ "integ-assets-docker-build-context": {
+ "type": "aws:cloudformation:stack",
+ "environment": "aws://unknown-account/unknown-region",
+ "properties": {
+ "templateFile": "integ-assets-docker-build-context.template.json",
+ "terminationProtection": false,
+ "validateOnSynth": false,
+ "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
+ "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
+ "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/fd3ef8d77693a6339ca951518c027f236606fc59890dba9515b60cf1496c9e5c.json",
+ "requiresBootstrapStackVersion": 6,
+ "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
+ "additionalDependencies": [
+ "integ-assets-docker-build-context.assets"
+ ],
+ "lookupRole": {
+ "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}",
+ "requiresBootstrapStackVersion": 8,
+ "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+ }
+ },
+ "dependencies": [
+ "integ-assets-docker-build-context.assets"
+ ],
+ "metadata": {
+ "/integ-assets-docker-build-context/MyUser": [
+ {
+ "type": "aws:cdk:analytics:construct",
+ "data": "*"
+ },
+ {
+ "type": "aws:cdk:analytics:method",
+ "data": {
+ "addToPrincipalPolicy": [
+ {}
+ ]
+ }
+ },
+ {
+ "type": "aws:cdk:analytics:method",
+ "data": {
+ "attachInlinePolicy": [
+ "*"
+ ]
+ }
+ },
+ {
+ "type": "aws:cdk:analytics:method",
+ "data": {
+ "addToPrincipalPolicy": [
+ {}
+ ]
+ }
+ }
+ ],
+ "/integ-assets-docker-build-context/MyUser/Resource": [
+ {
+ "type": "aws:cdk:logicalId",
+ "data": "MyUserDC45028B"
+ }
+ ],
+ "/integ-assets-docker-build-context/MyUser/DefaultPolicy": [
+ {
+ "type": "aws:cdk:analytics:construct",
+ "data": "*"
+ },
+ {
+ "type": "aws:cdk:analytics:method",
+ "data": {
+ "attachToUser": [
+ "*"
+ ]
+ }
+ },
+ {
+ "type": "aws:cdk:analytics:method",
+ "data": {
+ "attachToUser": [
+ "*"
+ ]
+ }
+ },
+ {
+ "type": "aws:cdk:analytics:method",
+ "data": {
+ "addStatements": [
+ {}
+ ]
+ }
+ },
+ {
+ "type": "aws:cdk:analytics:method",
+ "data": {
+ "addStatements": [
+ {}
+ ]
+ }
+ }
+ ],
+ "/integ-assets-docker-build-context/MyUser/DefaultPolicy/Resource": [
+ {
+ "type": "aws:cdk:logicalId",
+ "data": "MyUserDefaultPolicy7B897426"
+ }
+ ],
+ "/integ-assets-docker-build-context/ImageUri": [
+ {
+ "type": "aws:cdk:logicalId",
+ "data": "ImageUri"
+ }
+ ],
+ "/integ-assets-docker-build-context/BootstrapVersion": [
+ {
+ "type": "aws:cdk:logicalId",
+ "data": "BootstrapVersion"
+ }
+ ],
+ "/integ-assets-docker-build-context/CheckBootstrapVersion": [
+ {
+ "type": "aws:cdk:logicalId",
+ "data": "CheckBootstrapVersion"
+ }
+ ]
+ },
+ "displayName": "integ-assets-docker-build-context"
+ },
+ "DockerBuildContextTestDefaultTestDeployAssert7E73C929.assets": {
+ "type": "cdk:asset-manifest",
+ "properties": {
+ "file": "DockerBuildContextTestDefaultTestDeployAssert7E73C929.assets.json",
+ "requiresBootstrapStackVersion": 6,
+ "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+ }
+ },
+ "DockerBuildContextTestDefaultTestDeployAssert7E73C929": {
+ "type": "aws:cloudformation:stack",
+ "environment": "aws://unknown-account/unknown-region",
+ "properties": {
+ "templateFile": "DockerBuildContextTestDefaultTestDeployAssert7E73C929.template.json",
+ "terminationProtection": false,
+ "validateOnSynth": false,
+ "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
+ "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
+ "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+ "requiresBootstrapStackVersion": 6,
+ "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
+ "additionalDependencies": [
+ "DockerBuildContextTestDefaultTestDeployAssert7E73C929.assets"
+ ],
+ "lookupRole": {
+ "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}",
+ "requiresBootstrapStackVersion": 8,
+ "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+ }
+ },
+ "dependencies": [
+ "DockerBuildContextTestDefaultTestDeployAssert7E73C929.assets"
+ ],
+ "metadata": {
+ "/DockerBuildContextTest/DefaultTest/DeployAssert/BootstrapVersion": [
+ {
+ "type": "aws:cdk:logicalId",
+ "data": "BootstrapVersion"
+ }
+ ],
+ "/DockerBuildContextTest/DefaultTest/DeployAssert/CheckBootstrapVersion": [
+ {
+ "type": "aws:cdk:logicalId",
+ "data": "CheckBootstrapVersion"
+ }
+ ]
+ },
+ "displayName": "DockerBuildContextTest/DefaultTest/DeployAssert"
+ },
+ "Tree": {
+ "type": "cdk:tree",
+ "properties": {
+ "file": "tree.json"
+ }
+ },
+ "aws-cdk-lib/feature-flag-report": {
+ "type": "cdk:feature-flag-report",
+ "properties": {
+ "module": "aws-cdk-lib",
+ "flags": {
+ "@aws-cdk/aws-signer:signingProfileNamePassedToCfn": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Pass signingProfileName to CfnSigningProfile"
+ },
+ "@aws-cdk/core:newStyleStackSynthesis": {
+ "recommendedValue": true,
+ "explanation": "Switch to new stack synthesis method which enables CI/CD",
+ "unconfiguredBehavesLike": {
+ "v2": true
+ }
+ },
+ "@aws-cdk/core:stackRelativeExports": {
+ "recommendedValue": true,
+ "explanation": "Name exports based on the construct paths relative to the stack, rather than the global construct path",
+ "unconfiguredBehavesLike": {
+ "v2": true
+ }
+ },
+ "@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Disable implicit openListener when custom security groups are provided"
+ },
+ "@aws-cdk/aws-rds:lowercaseDbIdentifier": {
+ "recommendedValue": true,
+ "explanation": "Force lowercasing of RDS Cluster names in CDK",
+ "unconfiguredBehavesLike": {
+ "v2": true
+ }
+ },
+ "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": {
+ "recommendedValue": true,
+ "explanation": "Allow adding/removing multiple UsagePlanKeys independently",
+ "unconfiguredBehavesLike": {
+ "v2": true
+ }
+ },
+ "@aws-cdk/aws-lambda:recognizeVersionProps": {
+ "recommendedValue": true,
+ "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.",
+ "unconfiguredBehavesLike": {
+ "v2": true
+ }
+ },
+ "@aws-cdk/aws-lambda:recognizeLayerVersion": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`."
+ },
+ "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": {
+ "recommendedValue": true,
+ "explanation": "Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default.",
+ "unconfiguredBehavesLike": {
+ "v2": true
+ }
+ },
+ "@aws-cdk/core:checkSecretUsage": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Enable this flag to make it impossible to accidentally use SecretValues in unsafe locations"
+ },
+ "@aws-cdk/core:target-partitions": {
+ "recommendedValue": [
+ "aws",
+ "aws-cn"
+ ],
+ "explanation": "What regions to include in lookup tables of environment agnostic stacks"
+ },
+ "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "ECS extensions will automatically add an `awslogs` driver if no logging is specified"
+ },
+ "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Enable this feature flag to have Launch Templates generated by the `InstanceRequireImdsv2Aspect` use unique names."
+ },
+ "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "ARN format used by ECS. In the new ARN format, the cluster name is part of the resource ID."
+ },
+ "@aws-cdk/aws-iam:minimizePolicies": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Minimize IAM policies by combining Statements"
+ },
+ "@aws-cdk/core:validateSnapshotRemovalPolicy": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Error on snapshot removal policies on resources that do not support it."
+ },
+ "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Generate key aliases that include the stack name"
+ },
+ "@aws-cdk/aws-s3:createDefaultLoggingPolicy": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Enable this feature flag to create an S3 bucket policy by default in cases where an AWS service would automatically create the Policy if one does not exist."
+ },
+ "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Restrict KMS key policy for encrypted Queues a bit more"
+ },
+ "@aws-cdk/aws-apigateway:disableCloudWatchRole": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Make default CloudWatch Role behavior safe for multiple API Gateways in one environment"
+ },
+ "@aws-cdk/core:enablePartitionLiterals": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Make ARNs concrete if AWS partition is known"
+ },
+ "@aws-cdk/aws-events:eventsTargetQueueSameAccount": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Event Rules may only push to encrypted SQS queues in the same account"
+ },
+ "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Avoid setting the \"ECS\" deployment controller when adding a circuit breaker"
+ },
+ "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Enable this feature to create default policy names for imported roles that depend on the stack the role is in."
+ },
+ "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Use S3 Bucket Policy instead of ACLs for Server Access Logging"
+ },
+ "@aws-cdk/aws-route53-patters:useCertificate": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Use the official `Certificate` resource instead of `DnsValidatedCertificate`"
+ },
+ "@aws-cdk/customresources:installLatestAwsSdkDefault": {
+ "userValue": false,
+ "recommendedValue": false,
+ "explanation": "Whether to install the latest SDK by default in AwsCustomResource"
+ },
+ "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Use unique resource name for Database Proxy"
+ },
+ "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Remove CloudWatch alarms from deployment group"
+ },
+ "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Include authorizer configuration in the calculation of the API deployment logical ID."
+ },
+ "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Define user data for a launch template by default when a machine image is provided."
+ },
+ "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "SecretTargetAttachments uses the ResourcePolicy of the attached Secret."
+ },
+ "@aws-cdk/aws-redshift:columnId": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Whether to use an ID to track Redshift column changes"
+ },
+ "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Enable AmazonEMRServicePolicy_v2 managed policies"
+ },
+ "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Restrict access to the VPC default security group"
+ },
+ "@aws-cdk/aws-apigateway:requestValidatorUniqueId": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Generate a unique id for each RequestValidator added to a method"
+ },
+ "@aws-cdk/aws-kms:aliasNameRef": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "KMS Alias name and keyArn will have implicit reference to KMS Key"
+ },
+ "@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Enable grant methods on Aliases imported by name to use kms:ResourceAliases condition"
+ },
+ "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Generate a launch template when creating an AutoScalingGroup"
+ },
+ "@aws-cdk/core:includePrefixInUniqueNameGeneration": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Include the stack prefix in the stack name generation process"
+ },
+ "@aws-cdk/aws-efs:denyAnonymousAccess": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "EFS denies anonymous clients accesses"
+ },
+ "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Enables support for Multi-AZ with Standby deployment for opensearch domains"
+ },
+ "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Enables aws-lambda-nodejs.Function to use the latest available NodeJs runtime as the default"
+ },
+ "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, mount targets will have a stable logicalId that is linked to the associated subnet."
+ },
+ "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, a scope of InstanceParameterGroup for AuroraClusterInstance with each parameters will change."
+ },
+ "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, will always use the arn for identifiers for CfnSourceApiAssociation in the GraphqlApi construct rather than id."
+ },
+ "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials."
+ },
+ "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, the CodeCommit source action is using the default branch name 'main'."
+ },
+ "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID."
+ },
+ "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Enables Pipeline to set the default value for crossAccountKeys to false."
+ },
+ "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Enables Pipeline to set the default pipeline type to V2."
+ },
+ "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only."
+ },
+ "@aws-cdk/pipelines:reduceAssetRoleTrustScope": {
+ "recommendedValue": true,
+ "explanation": "Remove the root account principal from PipelineAssetsFileRole trust policy",
+ "unconfiguredBehavesLike": {
+ "v2": true
+ }
+ },
+ "@aws-cdk/aws-eks:nodegroupNameAttribute": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix."
+ },
+ "@aws-cdk/aws-eks:useNativeOidcProvider": {
+ "recommendedValue": true,
+ "explanation": "When enabled, EKS V2 clusters will use the native OIDC provider resource AWS::IAM::OIDCProvider instead of creating the OIDCProvider with a custom resource (iam.OpenIDConnectProvider)."
+ },
+ "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, the default volume type of the EBS volume will be GP3"
+ },
+ "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, remove default deployment alarm settings"
+ },
+ "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": {
+ "userValue": false,
+ "recommendedValue": false,
+ "explanation": "When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default"
+ },
+ "@aws-cdk/aws-s3:keepNotificationInImportedBucket": {
+ "userValue": false,
+ "recommendedValue": false,
+ "explanation": "When enabled, Adding notifications to a bucket in the current stack will not remove notification from imported stack."
+ },
+ "@aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask": {
+ "recommendedValue": true,
+ "explanation": "When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model.",
+ "unconfiguredBehavesLike": {
+ "v2": true
+ }
+ },
+ "@aws-cdk/core:explicitStackTags": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, stack tags need to be assigned explicitly on a Stack."
+ },
+ "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, we will only grant the necessary permissions when users specify cloudwatch log group through logConfiguration"
+ },
+ "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas"
+ },
+ "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, initOptions.timeout and resourceSignalTimeout values will be summed together."
+ },
+ "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, a Lambda authorizer Permission created when using GraphqlApi will be properly scoped with a SourceArn."
+ },
+ "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn`"
+ },
+ "@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, CFN templates added with `cfn-include` will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values."
+ },
+ "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, both `@aws-sdk` and `@smithy` packages will be excluded from the Lambda Node.js 18.x runtime to prevent version mismatches in bundled applications."
+ },
+ "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN."
+ },
+ "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2."
+ },
+ "@aws-cdk/core:aspectStabilization": {
+ "recommendedValue": true,
+ "explanation": "When enabled, a stabilization loop will be run when invoking Aspects during synthesis.",
+ "unconfiguredBehavesLike": {
+ "v2": true
+ }
+ },
+ "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource."
+ },
+ "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere"
+ },
+ "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, the default behaviour of OIDC provider will reject unauthorized connections"
+ },
+ "@aws-cdk/core:enableAdditionalMetadataCollection": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues."
+ },
+ "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": {
+ "userValue": false,
+ "recommendedValue": false,
+ "explanation": "[Deprecated] When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement"
+ },
+ "@aws-cdk/aws-s3:setUniqueReplicationRoleName": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, CDK will automatically generate a unique role name that is used for s3 object replication."
+ },
+ "@aws-cdk/pipelines:reduceStageRoleTrustScope": {
+ "recommendedValue": true,
+ "explanation": "Remove the root account principal from Stage addActions trust policy",
+ "unconfiguredBehavesLike": {
+ "v2": true
+ }
+ },
+ "@aws-cdk/aws-events:requireEventBusPolicySid": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, grantPutEventsTo() will use resource policies with Statement IDs for service principals."
+ },
+ "@aws-cdk/core:aspectPrioritiesMutating": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When set to true, Aspects added by the construct library on your behalf will be given a priority of MUTATING."
+ },
+ "@aws-cdk/aws-dynamodb:retainTableReplica": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, table replica will be default to the removal policy of source table unless specified otherwise."
+ },
+ "@aws-cdk/cognito:logUserPoolClientSecretValue": {
+ "recommendedValue": false,
+ "explanation": "When disabled, the value of the user pool client secret will not be logged in the custom resource lambda function logs."
+ },
+ "@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope": {
+ "recommendedValue": true,
+ "explanation": "When enabled, scopes down the trust policy for the cross-account action role",
+ "unconfiguredBehavesLike": {
+ "v2": true
+ }
+ },
+ "@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, the resultWriterV2 property of DistributedMap will be used insted of resultWriter"
+ },
+ "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Add an S3 trust policy to a KMS key resource policy for SNS subscriptions."
+ },
+ "@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, the EgressOnlyGateway resource is only created if private subnets are defined in the dual-stack VPC."
+ },
+ "@aws-cdk/aws-ec2-alpha:useResourceIdForVpcV2Migration": {
+ "recommendedValue": false,
+ "explanation": "When enabled, use resource IDs for VPC V2 migration"
+ },
+ "@aws-cdk/aws-s3:publicAccessBlockedByDefault": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, setting any combination of options for BlockPublicAccess will automatically set true for any options not defined."
+ },
+ "@aws-cdk/aws-lambda:useCdkManagedLogGroup": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, CDK creates and manages loggroup for the lambda function"
+ },
+ "@aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, Network Load Balancer will be created with a security group by default."
+ },
+ "@aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint": {
+ "recommendedValue": true,
+ "explanation": "When enabled, allows using a dynamic apiEndpoint with JSONPath format in HttpInvoke tasks.",
+ "unconfiguredBehavesLike": {
+ "v2": true
+ }
+ },
+ "@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "When enabled, ECS patterns will generate unique target group IDs to prevent conflicts during load balancer replacement"
+ },
+ "@aws-cdk/aws-route53-patterns:useDistribution": {
+ "userValue": true,
+ "recommendedValue": true,
+ "explanation": "Use the `Distribution` resource instead of `CloudFrontWebDistribution`"
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/tree.json
new file mode 100644
index 0000000000000..eb1f3269cd273
--- /dev/null
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.js.snapshot/tree.json
@@ -0,0 +1 @@
+{"version":"tree-0.1","tree":{"id":"App","path":"","constructInfo":{"fqn":"aws-cdk-lib.App","version":"0.0.0"},"children":{"integ-assets-docker-build-context":{"id":"integ-assets-docker-build-context","path":"integ-assets-docker-build-context","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"DockerImageWithBuildContext":{"id":"DockerImageWithBuildContext","path":"integ-assets-docker-build-context/DockerImageWithBuildContext","constructInfo":{"fqn":"aws-cdk-lib.aws_ecr_assets.DockerImageAsset","version":"0.0.0"},"children":{"Staging":{"id":"Staging","path":"integ-assets-docker-build-context/DockerImageWithBuildContext/Staging","constructInfo":{"fqn":"aws-cdk-lib.AssetStaging","version":"0.0.0"}},"Repository":{"id":"Repository","path":"integ-assets-docker-build-context/DockerImageWithBuildContext/Repository","constructInfo":{"fqn":"aws-cdk-lib.aws_ecr.RepositoryBase","version":"0.0.0"}}}},"MyUser":{"id":"MyUser","path":"integ-assets-docker-build-context/MyUser","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.User","version":"0.0.0"},"children":{"Resource":{"id":"Resource","path":"integ-assets-docker-build-context/MyUser/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnUser","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::User","aws:cdk:cloudformation:props":{}}},"DefaultPolicy":{"id":"DefaultPolicy","path":"integ-assets-docker-build-context/MyUser/DefaultPolicy","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0"},"children":{"Resource":{"id":"Resource","path":"integ-assets-docker-build-context/MyUser/DefaultPolicy/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":["ecr:BatchCheckLayerAvailability","ecr:BatchGetImage","ecr:GetDownloadUrlForLayer"],"Effect":"Allow","Resource":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":ecr:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":repository/",{"Fn::Sub":"cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}"}]]}},{"Action":"ecr:GetAuthorizationToken","Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"},"policyName":"MyUserDefaultPolicy7B897426","users":[{"Ref":"MyUserDC45028B"}]}}}}}}},"ImageUri":{"id":"ImageUri","path":"integ-assets-docker-build-context/ImageUri","constructInfo":{"fqn":"aws-cdk-lib.CfnOutput","version":"0.0.0"}},"BootstrapVersion":{"id":"BootstrapVersion","path":"integ-assets-docker-build-context/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"integ-assets-docker-build-context/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}},"DockerBuildContextTest":{"id":"DockerBuildContextTest","path":"DockerBuildContextTest","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTest","version":"0.0.0"},"children":{"DefaultTest":{"id":"DefaultTest","path":"DockerBuildContextTest/DefaultTest","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTestCase","version":"0.0.0"},"children":{"Default":{"id":"Default","path":"DockerBuildContextTest/DefaultTest/Default","constructInfo":{"fqn":"constructs.Construct","version":"10.4.5"}},"DeployAssert":{"id":"DeployAssert","path":"DockerBuildContextTest/DefaultTest/DeployAssert","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"BootstrapVersion":{"id":"BootstrapVersion","path":"DockerBuildContextTest/DefaultTest/DeployAssert/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"DockerBuildContextTest/DefaultTest/DeployAssert/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}}}}}},"Tree":{"id":"Tree","path":"Tree","constructInfo":{"fqn":"constructs.Construct","version":"10.4.5"}}}}}
\ No newline at end of file
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.ts
new file mode 100644
index 0000000000000..4a2cc6c2a0c5a
--- /dev/null
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr-assets/test/integ.assets-docker-build-context.ts
@@ -0,0 +1,26 @@
+import * as path from 'path';
+import * as iam from 'aws-cdk-lib/aws-iam';
+import * as cdk from 'aws-cdk-lib';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+import * as assets from 'aws-cdk-lib/aws-ecr-assets';
+
+const app = new cdk.App();
+const stack = new cdk.Stack(app, 'integ-assets-docker-build-context');
+
+const asset = new assets.DockerImageAsset(stack, 'DockerImageWithBuildContext', {
+ directory: path.join(__dirname, 'demo-image-build-context', 'image'),
+ buildContexts: {
+ mycontext: path.join(__dirname, 'demo-image-build-context', 'context'),
+ },
+});
+
+const user = new iam.User(stack, 'MyUser');
+asset.repository.grantPull(user);
+
+new cdk.CfnOutput(stack, 'ImageUri', { value: asset.imageUri });
+
+new IntegTest(app, 'DockerBuildContextTest', {
+ testCases: [
+ stack,
+ ],
+});
diff --git a/packages/aws-cdk-lib/aws-ecr-assets/README.md b/packages/aws-cdk-lib/aws-ecr-assets/README.md
index 3c9b2069776aa..00e196a1f5745 100644
--- a/packages/aws-cdk-lib/aws-ecr-assets/README.md
+++ b/packages/aws-cdk-lib/aws-ecr-assets/README.md
@@ -98,6 +98,44 @@ const asset = new DockerImageAsset(this, 'MyBuildImage', {
});
```
+You can optionally pass additional build contexts to the `docker build` command by specifying
+the `buildContexts` property. Each entry specifies a named build context and its source, which
+can be a directory path, a URL, or a docker image. This is equivalent to the `--build-context`
+flag in the `docker build` command.
+
+```ts
+import { DockerImageAsset } from 'aws-cdk-lib/aws-ecr-assets';
+
+const asset = new DockerImageAsset(this, 'MyBuildImage', {
+ directory: path.join(__dirname, 'my-image'),
+ buildContexts: {
+ mycontext: path.join(__dirname, 'path/to/context'),
+ alpine: 'docker-image://alpine:latest',
+ },
+});
+```
+
+Note that while changes to the `buildContexts` values (e.g. changing which directory a context
+points to) will invalidate the asset hash and trigger a rebuild, changes to the *contents* of
+directories referenced by build contexts are not automatically tracked. Only the contents of
+the primary `directory` are fingerprinted. If files in a build context directory change, you can
+use `extraHash` to trigger a rebuild:
+
+```ts
+import { DockerImageAsset } from 'aws-cdk-lib/aws-ecr-assets';
+import { FileSystem } from 'aws-cdk-lib';
+
+const contextDir = path.join(__dirname, 'path/to/context');
+
+const asset = new DockerImageAsset(this, 'MyBuildImage', {
+ directory: path.join(__dirname, 'my-image'),
+ buildContexts: {
+ mycontext: contextDir,
+ },
+ extraHash: FileSystem.fingerprint(contextDir),
+});
+```
+
You can optionally pass a target to the `docker build` command by specifying
the `target` property:
diff --git a/packages/aws-cdk-lib/aws-ecr-assets/lib/image-asset.ts b/packages/aws-cdk-lib/aws-ecr-assets/lib/image-asset.ts
index acf54e2bd924f..ea9f44d37a34b 100644
--- a/packages/aws-cdk-lib/aws-ecr-assets/lib/image-asset.ts
+++ b/packages/aws-cdk-lib/aws-ecr-assets/lib/image-asset.ts
@@ -101,6 +101,13 @@ export interface DockerImageAssetInvalidationOptions {
*/
readonly buildArgs?: boolean;
+ /**
+ * Use `buildContexts` while calculating the asset hash
+ *
+ * @default true
+ */
+ readonly buildContexts?: boolean;
+
/**
* Use `buildSecrets` while calculating the asset hash
*
@@ -215,6 +222,23 @@ export interface DockerImageAssetOptions extends FingerprintOptions, FileFingerp
*/
readonly buildArgs?: { [key: string]: string };
+ /**
+ * Build contexts to pass to the `docker build` command.
+ *
+ * Build contexts can be used to specify additional directories or images
+ * to use during the build. Each entry specifies a named build context
+ * and its source (a directory path, a URL, or a docker image).
+ *
+ * Since Docker build contexts are resolved before deployment, keys and
+ * values cannot refer to unresolved tokens (such as `lambda.functionArn` or
+ * `queue.queueUrl`).
+ *
+ * @see https://docs.docker.com/build/building/context/#additional-build-contexts
+ *
+ * @default - no additional build contexts
+ */
+ readonly buildContexts?: { [key: string]: string };
+
/**
* Build secrets.
*
@@ -416,6 +440,11 @@ export class DockerImageAsset extends Construct implements IAsset {
*/
private readonly dockerBuildArgs?: { [key: string]: string };
+ /**
+ * Build contexts to pass to the `docker build` command.
+ */
+ private readonly dockerBuildContexts?: { [key: string]: string };
+
/**
* Build secrets to pass to the `docker build` command.
*/
@@ -511,6 +540,7 @@ export class DockerImageAsset extends Construct implements IAsset {
const extraHash: { [field: string]: any } = {};
if (props.invalidation?.extraHash !== false && props.extraHash) { extraHash.user = props.extraHash; }
if (props.invalidation?.buildArgs !== false && props.buildArgs) { extraHash.buildArgs = props.buildArgs; }
+ if (props.invalidation?.buildContexts !== false && props.buildContexts) { extraHash.buildContexts = props.buildContexts; }
if (props.invalidation?.buildSecrets !== false && props.buildSecrets) { extraHash.buildSecrets = props.buildSecrets; }
if (props.invalidation?.buildSsh !== false && props.buildSsh) {extraHash.buildSsh = props.buildSsh; }
if (props.invalidation?.target !== false && props.target) { extraHash.target = props.target; }
@@ -543,6 +573,7 @@ export class DockerImageAsset extends Construct implements IAsset {
this.assetPath = staging.relativeStagedPath(stack);
this.assetName = props.assetName;
this.dockerBuildArgs = props.buildArgs;
+ this.dockerBuildContexts = props.buildContexts;
this.dockerBuildSecrets = props.buildSecrets;
this.dockerBuildSsh = props.buildSsh;
this.dockerBuildTarget = props.target;
@@ -555,6 +586,7 @@ export class DockerImageAsset extends Construct implements IAsset {
directoryName: this.assetPath,
assetName: this.assetName,
dockerBuildArgs: this.dockerBuildArgs,
+ dockerBuildContexts: this.dockerBuildContexts,
dockerBuildSecrets: this.dockerBuildSecrets,
dockerBuildSsh: this.dockerBuildSsh,
dockerBuildTarget: this.dockerBuildTarget,
@@ -601,6 +633,7 @@ export class DockerImageAsset extends Construct implements IAsset {
resource.cfnOptions.metadata[cxapi.ASSET_RESOURCE_METADATA_PATH_KEY] = this.assetPath;
resource.cfnOptions.metadata[cxapi.ASSET_RESOURCE_METADATA_DOCKERFILE_PATH_KEY] = this.dockerfilePath;
resource.cfnOptions.metadata[cxapi.ASSET_RESOURCE_METADATA_DOCKER_BUILD_ARGS_KEY] = this.dockerBuildArgs;
+ resource.cfnOptions.metadata[cxapi.ASSET_RESOURCE_METADATA_DOCKER_BUILD_CONTEXTS_KEY] = this.dockerBuildContexts;
resource.cfnOptions.metadata[cxapi.ASSET_RESOURCE_METADATA_DOCKER_BUILD_SECRETS_KEY] = this.dockerBuildSecrets;
resource.cfnOptions.metadata[cxapi.ASSET_RESOURCE_METADATA_DOCKER_BUILD_SSH_KEY] = this.dockerBuildSsh;
resource.cfnOptions.metadata[cxapi.ASSET_RESOURCE_METADATA_DOCKER_BUILD_TARGET_KEY] = this.dockerBuildTarget;
@@ -620,6 +653,7 @@ function validateProps(props: DockerImageAssetProps) {
}
validateBuildArgs(props.buildArgs);
+ validateBuildContexts(props.buildContexts);
validateBuildSecrets(props.buildSecrets);
}
@@ -635,6 +669,10 @@ function validateBuildArgs(buildArgs?: { [key: string]: string }) {
validateBuildProps('buildArgs', buildArgs);
}
+function validateBuildContexts(buildContexts?: { [key: string]: string }) {
+ validateBuildProps('buildContexts', buildContexts);
+}
+
function validateBuildSecrets(buildSecrets?: { [key: string]: string }) {
validateBuildProps('buildSecrets', buildSecrets);
}
diff --git a/packages/aws-cdk-lib/core/lib/assets.ts b/packages/aws-cdk-lib/core/lib/assets.ts
index 63f3669c7e60c..b2515516f09e8 100644
--- a/packages/aws-cdk-lib/core/lib/assets.ts
+++ b/packages/aws-cdk-lib/core/lib/assets.ts
@@ -197,6 +197,21 @@ export interface DockerImageAssetSource {
*/
readonly dockerBuildArgs?: { [key: string]: string };
+ /**
+ * Build contexts to pass to the `docker build` command.
+ *
+ * Build contexts can be used to specify additional directories or images
+ * to use during the build. Each entry specifies a named build context
+ * and its source (a directory path, a URL, or a docker image).
+ *
+ * Only allowed when `directoryName` is specified.
+ *
+ * @see https://docs.docker.com/build/building/context/#additional-build-contexts
+ *
+ * @default - no additional build contexts
+ */
+ readonly dockerBuildContexts?: { [key: string]: string };
+
/**
* Build secrets to pass to the `docker build` command.
*
diff --git a/packages/aws-cdk-lib/core/lib/bundling.ts b/packages/aws-cdk-lib/core/lib/bundling.ts
index 1cea09b628007..8bd3da43dbb0c 100644
--- a/packages/aws-cdk-lib/core/lib/bundling.ts
+++ b/packages/aws-cdk-lib/core/lib/bundling.ts
@@ -362,6 +362,7 @@ export class DockerImage extends BundlingDockerImage {
...(options.cacheTo ? ['--cache-to', this.cacheOptionToFlag(options.cacheTo)] : []),
...(options.cacheDisabled ? ['--no-cache'] : []),
...flatten(Object.entries(buildArgs).map(([k, v]) => ['--build-arg', `${k}=${v}`])),
+ ...flatten(Object.entries(options.buildContexts || {}).map(([k, v]) => ['--build-context', `${k}=${v}`])),
path,
];
@@ -592,6 +593,19 @@ export interface DockerBuildOptions {
*/
readonly buildArgs?: { [key: string]: string };
+ /**
+ * Build contexts to pass to the `docker build` command.
+ *
+ * Build contexts can be used to specify additional directories or images
+ * to use during the build. Each entry specifies a named build context
+ * and its source (a directory path, a URL, or a docker image).
+ *
+ * @see https://docs.docker.com/build/building/context/#additional-build-contexts
+ *
+ * @default - no additional build contexts
+ */
+ readonly buildContexts?: { [key: string]: string };
+
/**
* Name of the Dockerfile, must relative to the docker build path.
*
diff --git a/packages/aws-cdk-lib/core/lib/stack-synthesizers/asset-manifest-builder.ts b/packages/aws-cdk-lib/core/lib/stack-synthesizers/asset-manifest-builder.ts
index 4762048929912..f731dbdfee35f 100644
--- a/packages/aws-cdk-lib/core/lib/stack-synthesizers/asset-manifest-builder.ts
+++ b/packages/aws-cdk-lib/core/lib/stack-synthesizers/asset-manifest-builder.ts
@@ -72,6 +72,7 @@ export class AssetManifestBuilder {
executable: asset.executable,
directory: asset.directoryName,
dockerBuildArgs: asset.dockerBuildArgs,
+ dockerBuildContexts: asset.dockerBuildContexts,
dockerBuildSecrets: asset.dockerBuildSecrets,
dockerBuildSsh: asset.dockerBuildSsh,
dockerBuildTarget: asset.dockerBuildTarget,
@@ -323,6 +324,7 @@ function validateDockerImageAssetSource(asset: DockerImageAssetSource) {
}
check('dockerBuildArgs');
+ check('dockerBuildContexts');
check('dockerBuildTarget');
check('dockerOutputs');
check('dockerFile');
diff --git a/packages/aws-cdk-lib/core/lib/stack-synthesizers/legacy.ts b/packages/aws-cdk-lib/core/lib/stack-synthesizers/legacy.ts
index de015b3e8a702..250f33ebba333 100644
--- a/packages/aws-cdk-lib/core/lib/stack-synthesizers/legacy.ts
+++ b/packages/aws-cdk-lib/core/lib/stack-synthesizers/legacy.ts
@@ -144,6 +144,7 @@ export class LegacyStackSynthesizer extends StackSynthesizer implements IReusabl
path: asset.directoryName,
sourceHash: asset.sourceHash,
buildArgs: asset.dockerBuildArgs,
+ buildContexts: asset.dockerBuildContexts,
buildSecrets: asset.dockerBuildSecrets,
buildSsh: asset.dockerBuildSsh,
target: asset.dockerBuildTarget,
diff --git a/packages/aws-cdk-lib/core/test/bundling.test.ts b/packages/aws-cdk-lib/core/test/bundling.test.ts
index 1505e65a8612f..eab1b11816f10 100644
--- a/packages/aws-cdk-lib/core/test/bundling.test.ts
+++ b/packages/aws-cdk-lib/core/test/bundling.test.ts
@@ -749,6 +749,93 @@ describe('bundling', () => {
], { encoding: 'utf-8', stdio: ['ignore', process.stderr, 'inherit'] })).toEqual(true);
});
+ test('bundling with image from asset with build contexts', () => {
+ const spawnSyncStub = sinon.stub(child_process, 'spawnSync').returns({
+ status: 0,
+ stderr: Buffer.from('stderr'),
+ stdout: Buffer.from('stdout'),
+ pid: 123,
+ output: ['stdout', 'stderr'],
+ signal: null,
+ });
+
+ const imageHash = '123456abcdef';
+ const fingerprintStub = sinon.stub(FileSystem, 'fingerprint');
+ fingerprintStub.callsFake(() => imageHash);
+
+ const image = DockerImage.fromBuild('docker-path', {
+ buildContexts: {
+ mycontext: '/path/to/context',
+ alpine: 'docker-image://alpine:latest',
+ },
+ });
+ image.run();
+
+ const tagHash = crypto.createHash('sha256').update(JSON.stringify({
+ path: 'docker-path',
+ buildContexts: {
+ mycontext: '/path/to/context',
+ alpine: 'docker-image://alpine:latest',
+ },
+ })).digest('hex');
+ const tag = `cdk-${tagHash}`;
+
+ expect(spawnSyncStub.firstCall.calledWith(dockerCmd, [
+ 'build', '-t', tag,
+ '--build-context', 'mycontext=/path/to/context',
+ '--build-context', 'alpine=docker-image://alpine:latest',
+ 'docker-path',
+ ])).toEqual(true);
+
+ expect(spawnSyncStub.secondCall.calledWith(dockerCmd, [
+ 'run', '--rm',
+ tag,
+ ])).toEqual(true);
+ });
+
+ test('bundling with image from asset with build args and build contexts', () => {
+ const spawnSyncStub = sinon.stub(child_process, 'spawnSync').returns({
+ status: 0,
+ stderr: Buffer.from('stderr'),
+ stdout: Buffer.from('stdout'),
+ pid: 123,
+ output: ['stdout', 'stderr'],
+ signal: null,
+ });
+
+ const imageHash = '123456abcdef';
+ const fingerprintStub = sinon.stub(FileSystem, 'fingerprint');
+ fingerprintStub.callsFake(() => imageHash);
+
+ const image = DockerImage.fromBuild('docker-path', {
+ buildArgs: {
+ TEST_ARG: 'cdk-test',
+ },
+ buildContexts: {
+ mycontext: '/path/to/context',
+ },
+ });
+ image.run();
+
+ const tagHash = crypto.createHash('sha256').update(JSON.stringify({
+ path: 'docker-path',
+ buildArgs: {
+ TEST_ARG: 'cdk-test',
+ },
+ buildContexts: {
+ mycontext: '/path/to/context',
+ },
+ })).digest('hex');
+ const tag = `cdk-${tagHash}`;
+
+ expect(spawnSyncStub.firstCall.calledWith(dockerCmd, [
+ 'build', '-t', tag,
+ '--build-arg', 'TEST_ARG=cdk-test',
+ '--build-context', 'mycontext=/path/to/context',
+ 'docker-path',
+ ])).toEqual(true);
+ });
+
test('ensure correct Docker CLI arguments are returned', () => {
// GIVEN
const fromSrc = DockerBuildSecret.fromSrc('path.json');
diff --git a/packages/aws-cdk-lib/cx-api/lib/index.ts b/packages/aws-cdk-lib/cx-api/lib/index.ts
index 4969c6d10b9ca..7557807943dc9 100644
--- a/packages/aws-cdk-lib/cx-api/lib/index.ts
+++ b/packages/aws-cdk-lib/cx-api/lib/index.ts
@@ -5,3 +5,8 @@ export * from './legacy-moved';
export * from './cxapi';
export * from './features';
export * from './app';
+
+/**
+ * Metadata key for Docker build contexts.
+ */
+export const ASSET_RESOURCE_METADATA_DOCKER_BUILD_CONTEXTS_KEY = 'aws:asset:docker-build-contexts';