chore(imagebuilder-alpha): enable Inspector via custom resource for imageScanningEnabled integ tests#37061

Open

aemada-aws wants to merge 2 commits into aws:main from aemada-aws:fix/imagebuilder-integ-enable-inspector

Conversation

@aemada-aws
Contributor

Issue # (if applicable)

N/A

Reason for this change

All 4 aws-imagebuilder-alpha "all-parameters" integration tests for Image and ImagePipeline (AMI + container variants) fail because they set imageScanningEnabled: true, which requires Amazon Inspector to be enabled in the account. This is an account-level prerequisite that may not be configured in all test environments.

Original errors:

  • integ.all-parameters.image.ami: Resource dependency error: Amazon Inspector is not enabled for 'ec2' resources in account
  • integ.all-parameters.image.container: Resource dependency error: Amazon Inspector is not enabled for 'ecr' resources in account
  • integ.all-parameters.image-pipeline.ami: Resource dependency error: Amazon Inspector is not enabled for 'ec2' resources in account
  • integ.all-parameters.image-pipeline.container: Resource dependency error: Amazon Inspector is not enabled for 'ecr' resources in account

Description of changes

Added a shared test helper (test/enable-inspector.ts) that creates an AwsCustomResource calling the inspector2:Enable API during stack creation. Each of the 4 test files imports this helper and adds a dependency so Image Builder resources wait for Inspector to be enabled. The inspector2:Enable API is idempotent — calling it when already enabled is a no-op.

Files changed:

  • test/enable-inspector.ts — new shared helper
  • test/integ.all-parameters.image.ami.ts — uses enableInspector(stack, ['EC2'])
  • test/integ.all-parameters.image.container.ts — uses enableInspector(stack, ['ECR'])
  • test/integ.all-parameters.image-pipeline.ami.ts — uses enableInspector(stack, ['EC2'])
  • test/integ.all-parameters.image-pipeline.container.ts — uses enableInspector(stack, ['ECR'])

Describe any new or updated permissions being added

The AwsCustomResource Lambda role gets:

  • inspector2:Enable — to enable Inspector scanning
  • iam:CreateServiceLinkedRole — required by Inspector on first enable to create its service-linked role

Both are scoped to * (required by these APIs).

Description of how you validated changes

All 4 tests pass:

cd packages/@aws-cdk/aws-imagebuilder-alpha
yarn integ test/integ.all-parameters.image.ami.js test/integ.all-parameters.image.container.js test/integ.all-parameters.image-pipeline.ami.js test/integ.all-parameters.image-pipeline.container.js \
  --disable-update-workflow --update-on-failed --force \
  --parallel-regions us-east-1 --parallel-regions us-east-2 --parallel-regions us-west-2 --parallel-regions eu-west-1 \
  --verbose

Results: Tests: 4 passed, 4 total

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
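As an added example, not code from this PR, a small TypeScript audit that mirrors the review question about the wildcard resource: it walks a synthesized CloudFormation template's IAM policies, reports each Allow action granted on Resource "*", and accepts only actions that support no resource-level permissions (inspector2:Enable, as stated in the thread) or that carry a condition. The sample template, its logical ID and the accepted-action list are constructed for illustration.

```typescript
// Added example (not code from the PR): audit a synthesized CloudFormation
// template for Allow statements on Resource "*", the point raised in review.
type Json = any;
interface Finding { logicalId: string; action: string; hasCondition: boolean; status: 'accepted' | 'review' }
// Actions with no resource-level permissions, where "*" is the only option;
// inspector2:Enable is one (stated in the PR thread). Extend as needed.
const NO_RESOURCE_LEVEL_ACTIONS = new Set(['inspector2:Enable']);

function asArray<T>(v: T | T[] | undefined): T[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}
// Walks AWS::IAM::Policy documents and AWS::IAM::Role inline policies.
function auditWildcardResources(template: Json): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries<Json>(template.Resources ?? {})) {
    const docs: Json[] = res.Type === 'AWS::IAM::Policy' ? [res.Properties?.PolicyDocument]
      : res.Type === 'AWS::IAM::Role' ? asArray<Json>(res.Properties?.Policies).map(p => p.PolicyDocument) : [];
    for (const doc of docs) {
      for (const stmt of asArray<Json>(doc?.Statement)) {
        if (stmt.Effect !== 'Allow' || !asArray<string>(stmt.Resource).includes('*')) continue;
        const hasCondition = Object.keys(stmt.Condition ?? {}).length > 0;
        for (const action of asArray<string>(stmt.Action)) {
          // Heuristic: a wildcard is acceptable when the action cannot be scoped
          // or a condition narrows it; everything else needs a reviewer's eye.
          const accepted = NO_RESOURCE_LEVEL_ACTIONS.has(action) || hasCondition;
          findings.push({ logicalId, action, hasCondition, status: accepted ? 'accepted' : 'review' });
        }
      }
    }
  }
  return findings;
}

// Constructed sample resembling the custom resource role policy from this PR
// (the statement mirrors the reviewed snippet; the logical ID is made up).
const SAMPLE_TEMPLATE: Json = {
  Resources: {
    EnableInspectorPolicy: {
      Type: 'AWS::IAM::Policy',
      Properties: { PolicyDocument: { Version: '2012-10-17', Statement: [
        { Effect: 'Allow', Action: ['inspector2:Enable', 'iam:CreateServiceLinkedRole'], Resource: '*' },
      ] } },
    },
  },
};

function sampleFindings(): Finding[] {
  return auditWildcardResources(SAMPLE_TEMPLATE);
}
```

Running it over the sample yields two findings: inspector2:Enable accepted, iam:CreateServiceLinkedRole flagged for review because it has neither a narrower resource nor a condition.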

…geScanningEnabled integ tests

All 4 all-parameters integ tests (image.ami, image.container,
image-pipeline.ami, image-pipeline.container) fail because
imageScanningEnabled: true requires Amazon Inspector to be enabled
in the account.

Added a shared test helper (enable-inspector.ts) that creates an
AwsCustomResource calling inspector2:Enable before Image Builder
resources are created. The API is idempotent, making tests
environment-agnostic.
@aws-cdk-automation aws-cdk-automation requested a review from a team February 23, 2026 15:13
@github-actions github-actions bot added the p2 label Feb 23, 2026
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Feb 23, 2026
@aemada-aws aemada-aws changed the title fix(imagebuilder-alpha): enable Inspector via custom resource for imageScanningEnabled integ tests chore(imagebuilder-alpha): enable Inspector via custom resource for imageScanningEnabled integ tests Feb 23, 2026
@aemada-aws aemada-aws marked this pull request as ready for review February 23, 2026 15:15
@aemada-aws aemada-aws added the pr/needs-integration-tests-deployment Requires the PR to deploy the integration test snapshots. label Feb 23, 2026
@aemada-aws aemada-aws had a problem deploying to deployment-integ-test February 23, 2026 15:15 — with GitHub Actions Failure
@github-actions
Contributor

github-actions bot commented Feb 23, 2026

⚠️ Experimental Feature: This security report is currently in an experimental phase. Results may include false positives and the rules are being actively refined.
Please try merging from main to avoid findings unrelated to the PR.


Security Guardian Results: 96 ran, 92 passed, 4 failed

Test / Result:
  • packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.js.snapshot/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters.template.json: iam-no-overly-permissive-passrole.guard ❌ failure
  • packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.js.snapshot/aws-cdk-imagebuilder-image-pipeline-container-all-parameters.template.json: iam-no-overly-permissive-passrole.guard ❌ failure
  • packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image.ami.js.snapshot/aws-cdk-imagebuilder-image-ami-all-parameters.template.json: iam-no-overly-permissive-passrole.guard ❌ failure
  • packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image.container.js.snapshot/aws-cdk-imagebuilder-image-container-all-parameters.template.json: iam-no-overly-permissive-passrole.guard ❌ failure

@github-actions
Contributor

github-actions bot commented Feb 23, 2026

⚠️ Experimental Feature: This security report is currently in an experimental phase. Results may include false positives and the rules are being actively refined.
Please try merging from main to avoid findings unrelated to the PR.


Security Guardian Results with resolved templates: 96 ran, 92 passed, 4 failed

Test / Result:
  • packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.ami.js.snapshot/aws-cdk-imagebuilder-image-pipeline-ami-all-parameters.template.json: iam-no-overly-permissive-passrole.guard ❌ failure
  • packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image-pipeline.container.js.snapshot/aws-cdk-imagebuilder-image-pipeline-container-all-parameters.template.json: iam-no-overly-permissive-passrole.guard ❌ failure
  • packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image.ami.js.snapshot/aws-cdk-imagebuilder-image-ami-all-parameters.template.json: iam-no-overly-permissive-passrole.guard ❌ failure
  • packages/@aws-cdk/aws-imagebuilder-alpha/test/integ.all-parameters.image.container.js.snapshot/aws-cdk-imagebuilder-image-container-all-parameters.template.json: iam-no-overly-permissive-passrole.guard ❌ failure

@aws-cdk-automation aws-cdk-automation added the pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. label Feb 23, 2026
@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Feb 23, 2026
policy: cr.AwsCustomResourcePolicy.fromStatements([
  new iam.PolicyStatement({
    actions: ['inspector2:Enable', 'iam:CreateServiceLinkedRole'],
    resources: ['*'],
Contributor


Can we scope this down?

Contributor Author

@aemada-aws aemada-aws Feb 24, 2026


inspector2:Enable does not target a specific resource, so we can't scope it.

For iam:CreateServiceLinkedRole I tried to restrict it with conditions and resource scoping, but it doesn't work and results in "Invoking account is not authorized to perform iam:CreateServiceLinkedRole". The only variation that works is * with no condition. These 2 fail:

{
  "Effect": "Allow",
  "Action": "iam:CreateServiceLinkedRole",
  "Resource": "arn:aws:iam::*:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2*",
  "Condition": {
    "StringLike": {
      "iam:AWSServiceName": "inspector2.amazonaws.com"
    }
  }
}
{
  "Effect": "Allow",
  "Action": "iam:CreateServiceLinkedRole",
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "iam:AWSServiceName": "inspector2.amazonaws.com"
    }
  }
}

@kumsmrit kumsmrit self-assigned this Feb 24, 2026