chore(imagebuilder-alpha): enable Inspector via custom resource for imageScanningEnabled integ tests#37061
Conversation
…geScanningEnabled integ tests All 4 all-parameters integ tests (image.ami, image.container, image-pipeline.ami, image-pipeline.container) fail because imageScanningEnabled: true requires Amazon Inspector to be enabled in the account. Added a shared test helper (enable-inspector.ts) that creates an AwsCustomResource calling inspector2:Enable before Image Builder resources are created. The API is idempotent, making tests environment-agnostic.
```ts
policy: cr.AwsCustomResourcePolicy.fromStatements([
  new iam.PolicyStatement({
    actions: ['inspector2:Enable', 'iam:CreateServiceLinkedRole'],
    resources: ['*'],
```
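Review bot: the single statement here grants `iam:CreateServiceLinkedRole` on `*` without recording why, so the next reader who tightens it to a resource ARN or an `iam:AWSServiceName` condition will rediscover the "Invoking account is not authorized to perform iam:CreateServiceLinkedRole" failure described in this thread; split it into one statement per action and put that reason in a comment on the `iam:CreateServiceLinkedRole` statement (`inspector2:Enable` has no resource-level ARN, which is a different reason and deserves its own line). The description only mentions the create-time call to `inspector2:Enable`; if the helper has no `onDelete`, say so in its doc comment, because destroying an integ stack then leaves Inspector enabled for the whole account.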
inspector2:Enable does not target a specific resource so we can't scope it.

For iam:CreateServiceLinkedRole I tried to restrict it with conditions and resource scoping but it doesn't work and results in "Invoking account is not authorized to perform iam:CreateServiceLinkedRole". The only variation that works is `*` with no condition. These 2 fail:

```json
{
  "Effect": "Allow",
  "Action": "iam:CreateServiceLinkedRole",
  "Resource": "arn:aws:iam::*:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2*",
  "Condition": {
    "StringLike": {
      "iam:AWSServiceName": "inspector2.amazonaws.com"
    }
  }
}
```

```json
{
  "Effect": "Allow",
  "Action": "iam:CreateServiceLinkedRole",
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "iam:AWSServiceName": "inspector2.amazonaws.com"
    }
  }
}
```
Issue # (if applicable)

N/A

Reason for this change

All 4 `aws-imagebuilder-alpha` "all-parameters" integration tests for Image and ImagePipeline (AMI + container variants) fail because they set `imageScanningEnabled: true`, which requires Amazon Inspector to be enabled in the account. This is an account-level prerequisite that may not be configured in all test environments.

Original errors:

- `integ.all-parameters.image.ami`: Resource dependency error: Amazon Inspector is not enabled for 'ec2' resources in account
- `integ.all-parameters.image.container`: Resource dependency error: Amazon Inspector is not enabled for 'ecr' resources in account
- `integ.all-parameters.image-pipeline.ami`: Resource dependency error: Amazon Inspector is not enabled for 'ec2' resources in account
- `integ.all-parameters.image-pipeline.container`: Resource dependency error: Amazon Inspector is not enabled for 'ecr' resources in account

Description of changes

Added a shared test helper (`test/enable-inspector.ts`) that creates an `AwsCustomResource` calling the `inspector2:Enable` API during stack creation. Each of the 4 test files imports this helper and adds a dependency so Image Builder resources wait for Inspector to be enabled. The `inspector2:Enable` API is idempotent — calling it when already enabled is a no-op.

Files changed:

- `test/enable-inspector.ts` — new shared helper
- `test/integ.all-parameters.image.ami.ts` — uses `enableInspector(stack, ['EC2'])`
- `test/integ.all-parameters.image.container.ts` — uses `enableInspector(stack, ['ECR'])`
- `test/integ.all-parameters.image-pipeline.ami.ts` — uses `enableInspector(stack, ['EC2'])`
- `test/integ.all-parameters.image-pipeline.container.ts` — uses `enableInspector(stack, ['ECR'])`

Describe any new or updated permissions being added

The `AwsCustomResource` Lambda role gets:

- `inspector2:Enable` — to enable Inspector scanning
- `iam:CreateServiceLinkedRole` — required by Inspector on first enable to create its service-linked role

Both are scoped to `*` (required by these APIs).

Description of how you validated changes

All 4 tests pass:

```sh
cd packages/@aws-cdk/aws-imagebuilder-alpha
yarn integ test/integ.all-parameters.image.ami.js test/integ.all-parameters.image.container.js test/integ.all-parameters.image-pipeline.ami.js test/integ.all-parameters.image-pipeline.container.js \
  --disable-update-workflow --update-on-failed --force \
  --parallel-regions us-east-1 --parallel-regions us-east-2 --parallel-regions us-west-2 --parallel-regions eu-west-1 \
  --verbose
```

Results: Tests: 4 passed, 4 total

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license