feat(assets): Add deploy-time content hash (#2334)

Introduces an `IAsset` interface that centralizes common aspects about
assets, such as the `sourceHash` and `bundleHash` properties.

The `sourceHash` fingerprints the objects that are used as the source
for the asset bundling logic, and is available at synthesis time (it can
for example be injected in construct IDs when it one wants to ensure a
new logical ID is issued for every new version of the asset).

The `bundleHash` fingerprints the result of the bundling logic, and is
more accurate than `sourceHash` (in that, if the same source can produce
different artifacts at different points in time, the `sourceHash` will
remain un-changed, but the `bundleHash` will change. The `bundleHash` is
however a deploy-time value and thus cannot be used in construct IDs.

Fixes #1400

Author: RomainMuller

Diff for: .gitignore

@@ -1,24 +1,28 @@
-*.tsbuildinfo
-.cdk.staging
-
-.vscode
 # VSCode extension
+.vscode/
 /.favorites.json
+
+# TypeScript incremental build states
+*.tsbuildinfo
+
+# Local state files & OS specifics
 .DS_Store
-node_modules
+node_modules/
 lerna-debug.log
-dist
-pack
+dist/
+pack/
 .BUILD_COMPLETED
-.local-npm
-.tools
-coverage
+.local-npm/
+.tools/
+coverage/
 .nyc_output
 .LAST_BUILD
 *.sw[a-z]
 *~
 
-# we don't want tsconfig at the root
+# We don't want tsconfig at the root
 /tsconfig.json
+
+# CDK Context & Staging files
 cdk.context.json
-tsconfig.tsbuildinfo
+.cdk.staging/

Diff for: packages/@aws-cdk/assets-docker/lib/adopt-repository/handler.js

@@ -26,10 +26,14 @@ exports.handler = async function(event, context, _callback, respond) {
       }
     }
 
-    const repo = event.ResourceProperties.RepositoryName;
+    let repo = event.ResourceProperties.RepositoryName;
     if (!repo) {
       throw new Error('Missing required property "RepositoryName"');
     }
+    const isRepoUri = repo.match(/^(\d+\.dkr\.ecr\.[^.]+\.[^/]+\/)(.+)$/i);
+    if (isRepoUri) {
+      repo = isRepoUri[2];
+    }
 
     const adopter = await getAdopter(repo);
     if (event.RequestType === 'Delete') {

Diff for: packages/@aws-cdk/assets-docker/lib/adopted-repository.ts

@@ -59,6 +59,10 @@ export class AdoptedRepository extends ecr.RepositoryBase {
         PolicyDocument: this.policyDocument
       }
     });
+    if (fn.role) {
+      // Need to explicitly depend on the role's policies, so they are applied before we try to use them
+      adopter.node.addDependency(fn.role);
+    }
 
     // we use the Fn::GetAtt with the RepositoryName returned by the custom
     // resource in order to implicitly create a dependency between consumers

Diff for: packages/@aws-cdk/assets-docker/lib/image-asset.ts

@@ -6,7 +6,7 @@ import fs = require('fs');
 import path = require('path');
 import { AdoptedRepository } from './adopted-repository';
 
-export interface DockerImageAssetProps {
+export interface DockerImageAssetProps extends assets.CopyOptions {
   /**
    * The directory where the Dockerfile is stored
    */
@@ -36,7 +36,7 @@ export interface DockerImageAssetProps {
  *
  * The image will be created in build time and uploaded to an ECR repository.
  */
-export class DockerImageAsset extends cdk.Construct {
+export class DockerImageAsset extends cdk.Construct implements assets.IAsset {
   /**
    * The full URI of the image (including a tag). Use this reference to pull
    * the asset.
@@ -48,6 +48,9 @@ export class DockerImageAsset extends cdk.Construct {
    */
   public repository: ecr.IRepository;
 
+  public readonly sourceHash: string;
+  public readonly artifactHash: string;
+
   /**
    * Directory where the source files are stored
    */
@@ -66,31 +69,35 @@ export class DockerImageAsset extends cdk.Construct {
     }
 
     const staging = new assets.Staging(this, 'Staging', {
+      ...props,
       sourcePath: dir
     });
 
     this.directory = staging.stagedPath;
+    this.sourceHash = staging.sourceHash;
 
     const imageNameParameter = new cdk.CfnParameter(this, 'ImageName', {
       type: 'String',
       description: `ECR repository name and tag asset "${this.node.path}"`,
     });
 
     const asset: cxapi.ContainerImageAssetMetadataEntry = {
+      id: this.node.uniqueId,
       packaging: 'container-image',
       path: this.directory,
-      id: this.node.uniqueId,
+      sourceHash: this.sourceHash,
       imageNameParameter: imageNameParameter.logicalId,
       repositoryName: props.repositoryName,
       buildArgs: props.buildArgs
     };
 
     this.node.addMetadata(cxapi.ASSET_METADATA, asset);
 
-    // parse repository name and tag from the parameter (<REPO_NAME>:<TAG>)
-    const components = cdk.Fn.split(':', imageNameParameter.stringValue);
+    // Parse repository name and tag from the parameter (<REPO_NAME>@sha256:<TAG>)
+    // Example: cdk/cdkexampleimageb2d7f504@sha256:72c4f956379a43b5623d529ddd969f6826dde944d6221f445ff3e7add9875500
+    const components = cdk.Fn.split('@sha256:', imageNameParameter.stringValue);
     const repositoryName = cdk.Fn.select(0, components).toString();
-    const imageTag = cdk.Fn.select(1, components).toString();
+    const imageSha = cdk.Fn.select(1, components).toString();
 
     // Require that repository adoption happens first, so we route the
     // input ARN into the Custom Resource and then get the URI which we use to
@@ -99,6 +106,7 @@ export class DockerImageAsset extends cdk.Construct {
     // If adoption fails (because the repository might be twice-adopted), we
     // haven't already started using the image.
     this.repository = new AdoptedRepository(this, 'AdoptRepository', { repositoryName });
-    this.imageUri = this.repository.repositoryUriForTag(imageTag);
+    this.imageUri = `${this.repository.repositoryUri}@sha256:${imageSha}`;
+    this.artifactHash = imageSha;
   }
 }