feat(codepipeline-actions): native Amazon EC2 deployment support

[Tietew]

Issue # (if applicable)

Closes #33584.

Reason for this change

AWS CodePipeline introduces a new action to deploy to Amazon Elastic Compute Cloud (EC2).
https://aws.amazon.com/about-aws/whats-new/2025/02/aws-codepipeline-native-ec2-deployment-support/

Description of changes

Added the Ec2DeployAction action class and corresponding helpers.

• Ec2InstanceType - specify instance type: EC2 or SSM_MANAGED_NODE
• Ec2DeploySpecification - choose deploy specification: inline or DeploySpec (not yet included)
• Ec2MaxInstances - specify maxBatch and maxError configuration

Usage

new cpactions.Ec2DeployAction({
  actionName: 'EC2',
  input: buildOutput,
  // specify instance type
  instanceType: cpactions.Ec2InstanceType.EC2,  // REQUIRED
  // specify tag key and value, not ec2.IInstance
  instanceTagKey: 'Target',                     // REQUIRED
  instanceTagValue: 'DeployTarget',
  // deploy specifications
  deploySpecifications: cpactions.Ec2DeploySpecifications.inline({
    targetDirectory: '/home/ec2-user/deploy',   // REQUIRED
    preScript: 'hooks/pre-script',
    postScript: 'hooks/post-script',            // REQUIRED
  }),
  // the action will detach and attach instances from/to target groups
  targetGroups: [myTargetGroup],
  // the number or percentage of instances that can deploy in parallel
  maxBatch: cpactions.Ec2MaxInstances.target(2),
  maxError: cpactions.Ec2MaxInstances.percent(50),
});

Describe any new or updated permissions being added

Ec2DeployAction adds permissions based on CodePipeline documentation:
https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-EC2Deploy.html#action-reference-EC2Deploy-permissions-action

For details of actions, resource, and condition keys, see the Service Authorization Reference: EC2, ELBv2, SSM

Description of how you validated changes

Unit tests and an integ test.
The integ test also asserts pipeline execution.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.98%. Comparing base (994e952) to head (ea61e43).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #33604   +/-   ##
=======================================
  Coverage   83.98%   83.98%           
=======================================
  Files         120      120           
  Lines        6976     6976           
  Branches     1178     1178           
=======================================
  Hits         5859     5859           
  Misses       1005     1005           
  Partials      112      112           

Flag	Coverage Δ
suite.unit	83.98% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	∅ <ø> (∅)
packages/aws-cdk-lib/core	83.98% <ø> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Tietew]

Validation based on AWS console:

[Tietew]

Validation based on AWS console:

[Tietew]

I've succeeded to deploy with maxBatch: '100%'. The note of the AWS console seems inaccurate.

[Tietew]

I've updated max allowed percentage to 100%.

[Tietew]

From AWS console, TargetGroupListName is a comma-separated string instead of a JSON array.

Result of GetPipeline: (pipeline created by console)

[Tietew]

From AWS console, percentage is represented as "NN%"

[Tietew]

snapshot change is caused by #33742

[Tietew]

AWS CodePipeline now supports Deploy Spec file
https://aws.amazon.com/about-aws/whats-new/2025/05/aws-codepipeline-deploy-spec-file-ec2-deploy-action/

[kumvprat]

Left some comments on the PR

[kumvprat]

The ssm:CancelCommand may need to be scoped down, similar to ssm:SendCommand, assuming it can cancel the post/pre-scripts running on the specific instance.

[Tietew]

Hmmm, looks like ssm:CancelCommand has been added as part of the deploy spec support...
I'll reflect it anyway.

[Tietew]

Sorry, I misunderstood your comment.

These policy statements are described in Amazon EC2 action reference.

The ssm:CancelCommand has no related resource types and resources field must be [*].
See https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html

[kumvprat]

Thanks for investigating this
We could add this link : https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html and for the related elasticloadbalancing to the PR description/README

Would be nice for users to know about IAM actions

[kumvprat]

Overall the PR looks good, except for a few remaining changes.

Is there a specific reason for clubbing the deploy spec support in this PR ?
Releasing it as a follow-up PR would also work

[kumvprat]

Why not add the same checks for SSM_MANAGED_NODES and EC2 one ?
Is there some difference between the usages of the two instance types ? If so maybe we need to update the README example to reflect this

These checks seem to be missing from SSM_MANAGED_NODE types :

waitPipelieneSuccess.next(
integ.assertions
.httpApiCall(http://${alb.loadBalancerDnsName}/LB/index.html)
.expect(ExpectedResult.objectLike({ status: 200 })),
);
instances.NoLB.forEach((instance) => waitPipelieneSuccess.next(
integ.assertions
.httpApiCall(http://${instance.instancePublicDnsName}/NoLB/index.html)
.expect(ExpectedResult.objectLike({ status: 200 })),
));

[Tietew]

As far as I know, SSM_MANAGED_NODES are on-premise instances outside of AWS.
These instances cannot be created in integ test.
(please correct me if wrong.)

The EC2 deploy action will succeed if no instances match.
So I only verify whether the pipeline succeeds.

[Tietew]

I noticed that SSM_MANAGED_NODE matches EC2 instances.
I've made separate 2 integ tests with EC2 and SSM_MANAGED_NODE.

[kumvprat]

Thanks for investigating this
We could add this link : https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html and for the related elasticloadbalancing to the PR description/README

Would be nice for users to know about IAM actions

[Tietew]

Is there a specific reason for clubbing the deploy spec support in this PR ?

DeploySpec support will introduce the "choice" which deployment style are used.
At least I want to supply bind()-style integration class.
https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md#unions

I'll drop deploySpec support in this PR if needed.

[Tietew]

I could not succeed to deploy with deployspec.yml currently.
Therefore, I'll drop DeploySpec support in this PR...

[Tietew]

@kumvprat
Thanks for review!

I've pushed updates and marked as ready.
The DeploySpec support will be a separate PR.

We could add this link : https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html and for the related elasticloadbalancing to the PR description/README

I've added refs in PR description and code comments.
But I didn't add to README because it doesn't explain any IAM permissions CDK will grant.

[kumvprat]

LGTM

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 558af95
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.