feat(core): add docker security option to asset bundling (#15204)

Allow users to add [Docker security option](https://docs.docker.com/engine/reference/run/#security-configuration) when setting their [BundlingOptions](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_core.BundlingOptions.html). Improvement on PR [14682](#14682), related to issue #14681 Last PR [14682](#14682) only addressed [DockerRunOptions](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_core.DockerRunOptions.html) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Jul 5, 2021 · cbee18a · cbee18a
1 parent 0419356
commit cbee18a
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 1 deletion.
diff --git a/packages/@aws-cdk/core/lib/asset-staging.ts b/packages/@aws-cdk/core/lib/asset-staging.ts
@@ -463,6 +463,7 @@ export class AssetStaging extends CoreConstruct {
           volumes,
           environment: options.environment,
           workingDirectory: options.workingDirectory ?? AssetStaging.BUNDLING_INPUT_DIR,
+          securityOpt: options.securityOpt ?? '',
         });
       }
     } catch (err) {

diff --git a/packages/@aws-cdk/core/lib/bundling.ts b/packages/@aws-cdk/core/lib/bundling.ts
@@ -86,6 +86,14 @@ export interface BundlingOptions {
    *
    */
   readonly outputType?: BundlingOutput;
+
+  /**
+   * [Security configuration](https://docs.docker.com/engine/reference/run/#security-configuration)
+   * when running the docker container.
+   *
+   * @default - no security options
+   */
+  readonly securityOpt?: string;
 }
 
 /**
@@ -413,7 +421,7 @@ export interface DockerRunOptions {
    * [Security configuration](https://docs.docker.com/engine/reference/run/#security-configuration)
    * when running the docker container.
    *
-   * @default - no secutiy options
+   * @default - no security options
    */
   readonly securityOpt?: string;
 }

diff --git a/packages/@aws-cdk/core/test/staging.test.ts b/packages/@aws-cdk/core/test/staging.test.ts
@@ -597,6 +597,34 @@ nodeunitShim({
     test.done();
   },
 
+
+  'bundling with docker security option'(test: Test) {
+    // GIVEN
+    const app = new App();
+    const stack = new Stack(app, 'stack');
+    const directory = path.join(__dirname, 'fs', 'fixtures', 'test1');
+
+    // WHEN
+    const asset = new AssetStaging(stack, 'Asset', {
+      sourcePath: directory,
+      bundling: {
+        image: BundlingDockerImage.fromRegistry('alpine'),
+        command: [DockerStubCommand.SUCCESS],
+        securityOpt: 'no-new-privileges',
+      },
+      assetHashType: AssetHashType.BUNDLE,
+    });
+
+    // THEN
+    test.equal(
+      readDockerStubInput(),
+      `run --rm --security-opt no-new-privileges ${USER_ARG} -v /input:/asset-input:delegated -v /output:/asset-output:delegated -w /asset-input alpine DOCKER_STUB_SUCCESS`,
+    );
+    test.equal(asset.assetHash, '33cbf2cae5432438e0f046bc45ba8c3cef7b6afcf47b59d1c183775c1918fb1f');
+
+    test.done();
+  },
+
   'bundling with OUTPUT asset hash type'(test: Test) {
     // GIVEN
     const app = new App();