fix(pipelines): Ubuntu 5 images will be slow, move to Ubuntu 6 (#24544)

CodeBuild has moved the `STANDARD_5` images to the slow path, meaning they will not be cached on the host anymore. Every customer using CDK Pipelines has gotten an email about this.

Move the CDK Pipelines default image to `STANDARD_6`.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: rix0rrr

packages/@aws-cdk/pipelines/lib/codepipeline/codepipeline.ts

@@ -22,6 +22,7 @@ import { AssetSingletonRole } from '../private/asset-singleton-role';
 import { CachedFnSub } from '../private/cached-fnsub';
 import { preferredCliVersion } from '../private/cli-version';
 import { appOf, assemblyBuilderOf, embeddedAsmPath, obtainScope } from '../private/construct-internals';
+import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../private/default-codebuild-image';
 import { toPosixPath } from '../private/fs';
 import { actionName, stackVariableNamespace } from '../private/identifiers';
 import { enumerate, flatten, maybeSuffix, noUndefined } from '../private/javascript';
@@ -145,7 +146,7 @@ export interface CodePipelineProps {
   /**
    * Customize the CodeBuild projects created for this pipeline
    *
-   * @default - All projects run non-privileged build, SMALL instance, LinuxBuildImage.STANDARD_5_0
+   * @default - All projects run non-privileged build, SMALL instance, LinuxBuildImage.STANDARD_6_0
    */
   readonly codeBuildDefaults?: CodeBuildOptions;
 
@@ -245,7 +246,7 @@ export interface CodeBuildOptions {
   /**
    * Partial build environment, will be combined with other build environments that apply
    *
-   * @default - Non-privileged build, SMALL instance, LinuxBuildImage.STANDARD_5_0
+   * @default - Non-privileged build, SMALL instance, LinuxBuildImage.STANDARD_6_0
    */
   readonly buildEnvironment?: cb.BuildEnvironment;
 
@@ -833,7 +834,7 @@ export class CodePipeline extends PipelineBase {
   private codeBuildDefaultsFor(nodeType: CodeBuildProjectType): CodeBuildOptions | undefined {
     const defaultOptions: CodeBuildOptions = {
       buildEnvironment: {
-        buildImage: cb.LinuxBuildImage.STANDARD_5_0,
+        buildImage: CDKP_DEFAULT_CODEBUILD_IMAGE,
         computeType: cb.ComputeType.SMALL,
       },
     };

packages/@aws-cdk/pipelines/lib/legacy/actions/publish-assets-action.ts

@@ -9,6 +9,7 @@ import * as iam from '@aws-cdk/aws-iam';
 import { ISynthesisSession, Lazy, Stack, attachCustomSynthesis } from '@aws-cdk/core';
 import { IDependable, Construct } from 'constructs';
 import { AssetType } from '../../blueprint/asset-type';
+import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../private/default-codebuild-image';
 import { toPosixPath } from '../../private/fs';
 
 /**
@@ -140,7 +141,7 @@ export class PublishAssetsAction extends Construct implements codepipeline.IActi
     const project = new codebuild.PipelineProject(this, 'Default', {
       projectName: this.props.projectName,
       environment: {
-        buildImage: codebuild.LinuxBuildImage.STANDARD_5_0,
+        buildImage: CDKP_DEFAULT_CODEBUILD_IMAGE,
         privileged: (props.assetType === AssetType.DOCKER_IMAGE) ? true : undefined,
       },
       vpc: props.vpc,

packages/@aws-cdk/pipelines/lib/legacy/actions/update-pipeline-action.ts

@@ -7,6 +7,7 @@ import { Stack } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { dockerCredentialsInstallCommands, DockerCredential, DockerCredentialUsage } from '../../docker-credentials';
 import { embeddedAsmPath } from '../../private/construct-internals';
+import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../private/default-codebuild-image';
 
 /**
  * Props for the UpdatePipelineAction
@@ -109,7 +110,7 @@ export class UpdatePipelineAction extends Construct implements codepipeline.IAct
     const selfMutationProject = new codebuild.PipelineProject(this, 'SelfMutation', {
       projectName: props.projectName,
       environment: {
-        buildImage: codebuild.LinuxBuildImage.STANDARD_5_0,
+        buildImage: CDKP_DEFAULT_CODEBUILD_IMAGE,
         privileged: props.privileged ?? false,
       },
       buildSpec: props.buildSpec ? codebuild.mergeBuildSpecs(props.buildSpec, buildSpec) : buildSpec,

packages/@aws-cdk/pipelines/lib/legacy/synths/simple-synth-action.ts

@@ -10,6 +10,7 @@ import { Stack } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { copyEnvironmentVariables, filterEmpty } from './_util';
 import { dockerCredentialsInstallCommands, DockerCredential, DockerCredentialUsage } from '../../docker-credentials';
+import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../private/default-codebuild-image';
 import { toPosixPath } from '../../private/fs';
 
 const DEFAULT_OUTPUT_DIR = 'cdk.out';
@@ -68,7 +69,7 @@ export interface SimpleSynthOptions {
   /**
    * Build environment to use for CodeBuild job
    *
-   * @default BuildEnvironment.LinuxBuildImage.STANDARD_5_0
+   * @default BuildEnvironment.LinuxBuildImage.STANDARD_6_0
    */
   readonly environment?: codebuild.BuildEnvironment;
 
@@ -340,7 +341,7 @@ export class SimpleSynthAction implements codepipeline.IAction, iam.IGrantable {
     const testCommands = this.props.testCommands ?? [];
     const synthCommand = this.props.synthCommand;
 
-    const environment = { buildImage: codebuild.LinuxBuildImage.STANDARD_5_0, ...this.props.environment };
+    const environment = { buildImage: CDKP_DEFAULT_CODEBUILD_IMAGE, ...this.props.environment };
     const osType = (environment.buildImage instanceof codebuild.WindowsBuildImage)
       ? ec2.OperatingSystemType.WINDOWS
       : ec2.OperatingSystemType.LINUX;

packages/@aws-cdk/pipelines/lib/legacy/validation/shell-script-action.ts

@@ -5,6 +5,7 @@ import * as ec2 from '@aws-cdk/aws-ec2';
 import * as events from '@aws-cdk/aws-events';
 import * as iam from '@aws-cdk/aws-iam';
 import { Construct } from 'constructs';
+import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../private/default-codebuild-image';
 import { StackOutput } from '../stage';
 
 /**
@@ -59,7 +60,7 @@ export interface ShellScriptActionProps {
   /**
    * The CodeBuild environment where scripts are executed.
    *
-   * @default LinuxBuildImage.STANDARD_5_0
+   * @default LinuxBuildImage.STANDARD_6_0
    */
   readonly environment?: codebuild.BuildEnvironment
 
@@ -195,7 +196,7 @@ export class ShellScriptAction implements codepipeline.IAction, iam.IGrantable {
     }
 
     this._project = new codebuild.PipelineProject(scope, 'Project', {
-      environment: this.props.environment || { buildImage: codebuild.LinuxBuildImage.STANDARD_5_0 },
+      environment: this.props.environment || { buildImage: CDKP_DEFAULT_CODEBUILD_IMAGE },
       vpc: this.props.vpc,
       securityGroups: this.props.securityGroups,
       subnetSelection: this.props.subnetSelection,

packages/@aws-cdk/pipelines/lib/private/application-security-check.ts

@@ -5,6 +5,7 @@ import * as iam from '@aws-cdk/aws-iam';
 import * as lambda from '@aws-cdk/aws-lambda';
 import { Duration, Tags } from '@aws-cdk/core';
 import { Construct } from 'constructs';
+import { CDKP_DEFAULT_CODEBUILD_IMAGE } from './default-codebuild-image';
 
 /**
  * Properties for an ApplicationSecurityCheck
@@ -101,7 +102,7 @@ export class ApplicationSecurityCheck extends Construct {
 
     this.cdkDiffProject = new codebuild.Project(this, 'CDKSecurityCheck', {
       environment: {
-        buildImage: codebuild.LinuxBuildImage.STANDARD_5_0,
+        buildImage: CDKP_DEFAULT_CODEBUILD_IMAGE,
       },
       buildSpec: codebuild.BuildSpec.fromObject({
         version: 0.2,

packages/@aws-cdk/pipelines/lib/private/default-codebuild-image.ts

@@ -0,0 +1,3 @@
+import { LinuxBuildImage } from '@aws-cdk/aws-codebuild';
+
+export const CDKP_DEFAULT_CODEBUILD_IMAGE = LinuxBuildImage.STANDARD_6_0;

packages/@aws-cdk/pipelines/test/compliance/assets.test.ts

@@ -4,6 +4,7 @@ import { Capture, Match, Template } from '@aws-cdk/assertions';
 import * as cb from '@aws-cdk/aws-codebuild';
 import * as ec2 from '@aws-cdk/aws-ec2';
 import { Stack, Stage } from '@aws-cdk/core';
+import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../lib/private/default-codebuild-image';
 import { behavior, PIPELINE_ENV, TestApp, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, FileAssetApp, MegaAssetsApp, TwoFileAssetsApp, DockerAssetApp, PlainStackApp, stringLike } from '../testhelpers';
 
 const FILE_ASSET_SOURCE_HASH = '8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5';
@@ -187,7 +188,7 @@ describe('basic pipeline', () => {
     function THEN_codePipelineExpectation() {
       Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', {
         Environment: {
-          Image: 'aws/codebuild/standard:5.0',
+          Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId,
         },
         Source: {
           BuildSpec: Match.serializedJson(Match.objectLike({
@@ -288,7 +289,7 @@ describe('basic pipeline', () => {
         },
         Environment: Match.objectLike({
           PrivilegedMode: false,
-          Image: 'aws/codebuild/standard:5.0',
+          Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId,
         }),
       });
     }
@@ -321,7 +322,7 @@ describe('basic pipeline', () => {
           })),
         },
         Environment: Match.objectLike({
-          Image: 'aws/codebuild/standard:5.0',
+          Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId,
           PrivilegedMode: true,
         }),
       });
@@ -350,7 +351,7 @@ describe('basic pipeline', () => {
     function THEN_codePipelineExpectation() {
       Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', {
         Environment: {
-          Image: 'aws/codebuild/standard:5.0',
+          Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId,
         },
         Source: {
           BuildSpec: Match.serializedJson(Match.objectLike({
@@ -593,7 +594,7 @@ behavior('can supply pre-install scripts to asset upload', (suite) => {
   function THEN_codePipelineExpectation() {
     Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', {
       Environment: {
-        Image: 'aws/codebuild/standard:5.0',
+        Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId,
       },
       Source: {
         BuildSpec: Match.serializedJson(Match.objectLike({
@@ -770,7 +771,7 @@ describe('pipeline with single asset publisher', () => {
       });
       Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', {
         Environment: {
-          Image: 'aws/codebuild/standard:5.0',
+          Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId,
         },
         Source: {
           BuildSpec: buildSpecName,
@@ -898,7 +899,7 @@ describe('pipeline with custom asset publisher BuildSpec', () => {
       });
       Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', {
         Environment: {
-          Image: 'aws/codebuild/standard:5.0',
+          Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId,
         },
         Source: {
           BuildSpec: buildSpecName,

packages/@aws-cdk/pipelines/test/compliance/docker-credentials.test.ts

@@ -5,6 +5,7 @@ import { Stack } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import * as cdkp from '../../lib';
 import { CodeBuildStep } from '../../lib';
+import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../lib/private/default-codebuild-image';
 import { behavior, PIPELINE_ENV, TestApp, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, DockerAssetApp, stringLike } from '../testhelpers';
 
 const secretSynthArn = 'arn:aws:secretsmanager:eu-west-1:0123456789012:secret:synth-012345';
@@ -51,7 +52,7 @@ behavior('synth action receives install commands and access to relevant credenti
     });
 
     Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', {
-      Environment: { Image: 'aws/codebuild/standard:5.0' },
+      Environment: { Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId },
       Source: {
         BuildSpec: Match.serializedJson(Match.objectLike({
           phases: {
@@ -164,7 +165,7 @@ behavior('self-update receives install commands and access to relevant credentia
     });
 
     Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', {
-      Environment: { Image: 'aws/codebuild/standard:5.0' },
+      Environment: { Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId },
       Source: {
         BuildSpec: Match.serializedJson(Match.objectLike({
           phases: {
@@ -220,7 +221,7 @@ behavior('asset publishing receives install commands and access to relevant cred
     });
 
     Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', {
-      Environment: { Image: 'aws/codebuild/standard:5.0' },
+      Environment: { Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId },
       Source: {
         BuildSpec: Match.serializedJson(Match.objectLike({
           phases: {

packages/@aws-cdk/pipelines/test/compliance/security-check.test.ts

@@ -2,6 +2,7 @@ import { Match, Template } from '@aws-cdk/assertions';
 import { Topic } from '@aws-cdk/aws-sns';
 import { Stack } from '@aws-cdk/core';
 import * as cdkp from '../../lib';
+import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../lib/private/default-codebuild-image';
 import { LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, OneStackApp, PIPELINE_ENV, TestApp, stringLike } from '../testhelpers';
 import { behavior } from '../testhelpers/compliance';
 
@@ -53,11 +54,11 @@ behavior('security check option generates lambda/codebuild at pipeline scope', (
     // 1 for github build, 1 for synth stage, and 1 for the application security check
     template.resourceCountIs('AWS::CodeBuild::Project', 3);
 
-    // No CodeBuild project has a build image that is not standard:5.0
+    // No CodeBuild project has a build image that is not the standard iamge
     const projects = template.findResources('AWS::CodeBuild::Project', {
       Properties: {
         Environment: {
-          Image: 'aws/codebuild/standard:5.0',
+          Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId,
         },
       },
     });