Merge branch 'main' into disable_api_termination

package.json

@@ -20,20 +20,20 @@
     "@types/prettier": "2.6.0",
     "@yarnpkg/lockfile": "^1.1.0",
     "aws-sdk-js-codemod": "^0.28.2",
-    "cdk-generate-synthetic-examples": "^0.2.7",
+    "cdk-generate-synthetic-examples": "^0.2.8",
     "conventional-changelog-cli": "^2.2.2",
     "fs-extra": "^9.1.0",
     "graceful-fs": "^4.2.11",
     "jest-junit": "^13.2.0",
-    "jsii-diff": "1.99.0",
-    "jsii-pacmak": "1.99.0",
-    "jsii-reflect": "1.99.0",
-    "lerna": "^8.1.4",
+    "jsii-diff": "1.100.0",
+    "jsii-pacmak": "1.100.0",
+    "jsii-reflect": "1.100.0",
+    "lerna": "^8.1.5",
     "nx": "^18.3.5",
     "patch-package": "^6.5.1",
     "semver": "^7.6.2",
     "standard-version": "^9.5.0",
-    "ts-jest": "^29.1.4",
+    "ts-jest": "^29.1.5",
     "ts-node": "^10.9.2",
     "typescript": "~5.4.5"
   },

packages/@aws-cdk-testing/cli-integ/package.json

@@ -39,7 +39,7 @@
   },
   "dependencies": {
     "@octokit/rest": "^18.12.0",
-    "aws-sdk": "^2.1639.0",
+    "aws-sdk": "^2.1648.0",
     "axios": "^1.7.2",
     "fs-extra": "^9.1.0",
     "glob": "^7.2.3",

packages/@aws-cdk-testing/framework-integ/package.json

@@ -43,9 +43,9 @@
     "@aws-cdk/lambda-layer-kubectl-v29": "^2.1.0",
     "@aws-cdk/lambda-layer-kubectl-v30": "^2.0.0",
     "aws-cdk-lib": "0.0.0",
-    "aws-sdk": "^2.1639.0",
+    "aws-sdk": "^2.1648.0",
     "aws-sdk-mock": "5.6.0",
-    "cdk8s": "2.68.78",
+    "cdk8s": "2.68.82",
     "cdk8s-plus-27": "2.9.5",
     "constructs": "^10.0.0"
   },

packages/@aws-cdk/aws-apprunner-alpha/lib/service.ts

@@ -1311,9 +1311,11 @@ export class Service extends cdk.Resource implements iam.IGrantable {
       } : undefined,
     });
 
-    // grant required privileges for the role
+    // grant required privileges for the role to access an image in Amazon ECR
+    // See https://docs.aws.amazon.com/apprunner/latest/dg/security_iam_service-with-iam.html#security_iam_service-with-iam-roles
     if (this.source.ecrRepository && this.accessRole) {
       this.source.ecrRepository.grantPull(this.accessRole);
+      this.source.ecrRepository.grant(this.accessRole, 'ecr:DescribeImages');
     }
 
     this.serviceArn = resource.attrServiceArn;

packages/@aws-cdk/aws-apprunner-alpha/test/integ.service-ecr.js.snapshot/integ-apprunner.template.json

@@ -1,5 +1,22 @@
 {
  "Resources": {
+  "Service3InstanceRoleD40BEE82": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "tasks.apprunner.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   }
+  },
   "Service3AccessRole3ACBAAA0": {
    "Type": "AWS::IAM::Role",
    "Properties": {
@@ -31,6 +48,7 @@
        "Action": [
         "ecr:BatchCheckLayerAvailability",
         "ecr:BatchGetImage",
+        "ecr:DescribeImages",
         "ecr:GetDownloadUrlForLayer"
        ],
        "Effect": "Allow",
@@ -72,6 +90,19 @@
   "Service342D067F2": {
    "Type": "AWS::AppRunner::Service",
    "Properties": {
+    "InstanceConfiguration": {
+     "InstanceRoleArn": {
+      "Fn::GetAtt": [
+       "Service3InstanceRoleD40BEE82",
+       "Arn"
+      ]
+     }
+    },
+    "NetworkConfiguration": {
+     "EgressConfiguration": {
+      "EgressType": "DEFAULT"
+     }
+    },
     "SourceConfiguration": {
      "AuthenticationConfiguration": {
       "AccessRoleArn": {
@@ -91,19 +122,23 @@
       },
       "ImageRepositoryType": "ECR"
      }
-    },
-    "InstanceConfiguration": {
-      "InstanceRoleArn": {
-        "Fn::GetAtt": [
-          "Service3InstanceRoleD40BEE82",
-          "Arn"
-        ]
+    }
+   }
+  },
+  "Service2InstanceRole3F57F2AA": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "tasks.apprunner.amazonaws.com"
+       }
       }
-    },
-    "NetworkConfiguration": {
-     "EgressConfiguration": {
-      "EgressType": "DEFAULT"
-     }
+     ],
+     "Version": "2012-10-17"
     }
    }
   },
@@ -138,6 +173,7 @@
        "Action": [
         "ecr:BatchCheckLayerAvailability",
         "ecr:BatchGetImage",
+        "ecr:DescribeImages",
         "ecr:GetDownloadUrlForLayer"
        ],
        "Effect": "Allow",
@@ -179,6 +215,19 @@
   "Service2AB4D14D8": {
    "Type": "AWS::AppRunner::Service",
    "Properties": {
+    "InstanceConfiguration": {
+     "InstanceRoleArn": {
+      "Fn::GetAtt": [
+       "Service2InstanceRole3F57F2AA",
+       "Arn"
+      ]
+     }
+    },
+    "NetworkConfiguration": {
+     "EgressConfiguration": {
+      "EgressType": "DEFAULT"
+     }
+    },
     "SourceConfiguration": {
      "AuthenticationConfiguration": {
       "AccessRoleArn": {
@@ -217,56 +266,9 @@
       },
       "ImageRepositoryType": "ECR"
      }
-    },
-    "InstanceConfiguration": {
-      "InstanceRoleArn": {
-        "Fn::GetAtt": [
-          "Service2InstanceRole3F57F2AA",
-          "Arn"
-        ]
-      }
-    },
-    "NetworkConfiguration": {
-     "EgressConfiguration": {
-      "EgressType": "DEFAULT"
-     }
-    }
-   }
-  },
-  "Service3InstanceRoleD40BEE82": {
-    "Type": "AWS::IAM::Role",
-    "Properties": {
-     "AssumeRolePolicyDocument": {
-      "Statement": [
-       {
-        "Action": "sts:AssumeRole",
-        "Effect": "Allow",
-        "Principal": {
-         "Service": "tasks.apprunner.amazonaws.com"
-        }
-       }
-      ],
-      "Version": "2012-10-17"
-     }
-    }
-   },
-   "Service2InstanceRole3F57F2AA": {
-    "Type": "AWS::IAM::Role",
-    "Properties": {
-     "AssumeRolePolicyDocument": {
-      "Statement": [
-       {
-        "Action": "sts:AssumeRole",
-        "Effect": "Allow",
-        "Principal": {
-         "Service": "tasks.apprunner.amazonaws.com"
-        }
-       }
-      ],
-      "Version": "2012-10-17"
-     }
     }
    }
+  }
  },
  "Outputs": {
   "URL3": {