feat(cdk): build all container images in CodeBuild via ContainerImageBuild

konokenj · konokenj · commit 393e96c9601e · 2026-03-26T14:37:01.000+09:00
Migrate async-job and dsql-migrator from DockerImageCode.fromImageAsset
(local Docker build) to ContainerImageBuild from @cdklabs/deploy-time-build,
matching the pattern already used by webapp.

Also migrate the package from deploy-time-build to @cdklabs/deploy-time-build
(the official cdklabs-scoped successor).

This removes Docker from deployment prerequisites, eliminating Windows Docker
Desktop setup friction and CI Docker-in-Docker requirements. All three images
are built natively on ARM64 CodeBuild (general1.small) during cdk deploy.

Trade-off: no Docker layer cache (full rebuild each deploy) and CodeBuild
ARM/Small concurrent build quota defaults to 1 (builds queue sequentially;
adjustable via Service Quotas).
diff --git a/.serverless-full-stack-webapp-starter-kit/docs/v3.0.0/design.ja.md b/.serverless-full-stack-webapp-starter-kit/docs/v3.0.0/design.ja.md
@@ -206,6 +206,19 @@ DSQL 非互換パターンをコーディング時とマイグレーション時
 
 選定理由は [ADR-002](adr-002-pnpm-workspaces.ja.md) を参照。以下は実装上の制約と対処。
 
+### ContainerImageBuild によるリモートビルド
+
+全コンテナイメージ（webapp、async-job、dsql-migrator）を `@cdklabs/deploy-time-build` の `ContainerImageBuild` でビルドする。`DockerImageCode.fromImageAsset`（ローカル Docker ビルド）は使用しない。
+
+動機: デプロイ時のローカル Docker 依存を排除する。Windows での Docker Desktop セットアップや CI 環境での Docker-in-Docker が不要になり、Prerequisites から Docker を削除できる。
+
+仕組み: `cdk deploy` 時に CloudFormation カスタムリソースが CodeBuild（ARM/Small）でイメージをビルドし ECR にプッシュする。同一スタック・同一アーキテクチャの `ContainerImageBuild` は `SingletonProject` により1つの CodeBuild プロジェクトを共有する。
+
+トレードオフ:
+
+- Docker レイヤーキャッシュが効かない（毎回フルビルド）
+- CodeBuild ARM/Small の同時実行クォータがデフォルト1のため、複数ビルドはキューイングされ直列実行になる。Service Quotas で引き上げ可能
+
 ### スクリプト規約
 
 各サブパッケージが定型タスク名（`dev`、`build`、`test:unit`、`lint`、`check:ci` 等）を自身の `package.json` に定義し、ルートからは `pnpm -r run <task>` で一括実行する。ルート `package.json` にはタスクのエイリアススクリプトを置かない — 各パッケージが自身のスクリプトを持つため冗長であり、`--if-present` 付きの間接呼び出しはデバッグを困難にする。
diff --git a/README.md b/README.md
@@ -52,7 +52,6 @@ Fully serverless — no VPC required, high cost efficiency, scalability, and min
 Prerequisites:
 * [Node.js](https://nodejs.org/) (>= v22)
 * [pnpm](https://pnpm.io/) (>= v10)
-* [Docker](https://docs.docker.com/get-docker/)
 * [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) with a configured IAM profile
 
 ### 1. Copy the kit
diff --git a/apps/cdk/lib/constructs/async-job.ts b/apps/cdk/lib/constructs/async-job.ts
@@ -1,14 +1,15 @@
 import { Construct } from 'constructs';
 import { CfnOutput, Duration, IgnoreMode, RemovalPolicy, TimeZone } from 'aws-cdk-lib';
 import { LogGroup, RetentionDays } from 'aws-cdk-lib/aws-logs';
-import { Architecture, DockerImageCode, DockerImageFunction, IFunction } from 'aws-cdk-lib/aws-lambda';
+import { Architecture, DockerImageFunction, IFunction } from 'aws-cdk-lib/aws-lambda';
 import { Platform } from 'aws-cdk-lib/aws-ecr-assets';
 import { Database } from './database';
 import { EventBus } from './event-bus';
 import { PolicyStatement } from 'aws-cdk-lib/aws-iam';
 import { join } from 'path';
 import { Schedule, ScheduleExpression, ScheduleTargetInput } from 'aws-cdk-lib/aws-scheduler';
 import { LambdaInvoke } from 'aws-cdk-lib/aws-scheduler-targets';
+import { ContainerImageBuild } from '@cdklabs/deploy-time-build';
 
 export interface AsyncJobProps {
   readonly database: Database;
@@ -22,13 +23,15 @@ export class AsyncJob extends Construct {
     super(scope, id);
     const { database, eventBus } = props;
 
+    const image = new ContainerImageBuild(this, 'Build', {
+      directory: join('..', '..'),
+      platform: Platform.LINUX_ARM64,
+      file: 'apps/async-job/Dockerfile',
+      ignoreMode: IgnoreMode.DOCKER,
+    });
+
     const handler = new DockerImageFunction(this, 'Handler', {
-      code: DockerImageCode.fromImageAsset(join('..', '..'), {
-        cmd: ['handler.handler'],
-        platform: Platform.LINUX_ARM64,
-        file: 'apps/async-job/Dockerfile',
-        ignoreMode: IgnoreMode.DOCKER,
-      }),
+      code: image.toLambdaDockerImageCode(),
       memorySize: 256,
       timeout: Duration.minutes(10),
       architecture: Architecture.ARM_64,
diff --git a/apps/cdk/lib/constructs/dsql-migrator/index.ts b/apps/cdk/lib/constructs/dsql-migrator/index.ts
@@ -1,11 +1,12 @@
 import { CfnOutput, Duration, IgnoreMode, RemovalPolicy, Stack } from 'aws-cdk-lib';
 import { LogGroup, RetentionDays } from 'aws-cdk-lib/aws-logs';
 import { Platform } from 'aws-cdk-lib/aws-ecr-assets';
-import { DockerImageFunction, DockerImageCode, Architecture } from 'aws-cdk-lib/aws-lambda';
+import { DockerImageFunction, Architecture } from 'aws-cdk-lib/aws-lambda';
 import { Construct } from 'constructs';
 import { Trigger } from 'aws-cdk-lib/triggers';
 import { Database } from '../database';
 import { join } from 'path';
+import { ContainerImageBuild } from '@cdklabs/deploy-time-build';
 
 export interface DsqlMigratorProps {
   readonly database: Database;
@@ -17,12 +18,15 @@ export class DsqlMigrator extends Construct {
 
     const { database } = props;
 
+    const image = new ContainerImageBuild(this, 'Build', {
+      directory: join(__dirname, '..', '..', '..', '..', '..'),
+      platform: Platform.LINUX_ARM64,
+      file: 'apps/cdk/lib/constructs/dsql-migrator/Dockerfile',
+      ignoreMode: IgnoreMode.DOCKER,
+    });
+
     const migrationRunner = new DockerImageFunction(this, 'Handler', {
-      code: DockerImageCode.fromImageAsset(join(__dirname, '..', '..', '..', '..', '..'), {
-        platform: Platform.LINUX_ARM64,
-        file: 'apps/cdk/lib/constructs/dsql-migrator/Dockerfile',
-        ignoreMode: IgnoreMode.DOCKER,
-      }),
+      code: image.toLambdaDockerImageCode(),
       architecture: Architecture.ARM_64,
       timeout: Duration.minutes(15),
       environment: database.getLambdaEnvironment(),
diff --git a/apps/cdk/lib/constructs/webapp.ts b/apps/cdk/lib/constructs/webapp.ts
@@ -10,7 +10,7 @@ import { Database } from './database';
 import { EdgeFunction } from './cf-lambda-furl-service/edge-function';
 import { ICertificate } from 'aws-cdk-lib/aws-certificatemanager';
 import { Auth } from './auth/';
-import { ContainerImageBuild } from 'deploy-time-build';
+import { ContainerImageBuild } from '@cdklabs/deploy-time-build';
 import { join } from 'path';
 import { EventBus } from './event-bus/';
 import { AsyncJob } from './async-job';
diff --git a/apps/cdk/package.json b/apps/cdk/package.json
@@ -17,11 +17,11 @@
   "dependencies": {
     "@aws-appsync/utils": "^1.12.0",
     "@aws-sdk/client-cognito-identity-provider": "^3.987.0",
+    "@cdklabs/deploy-time-build": "^0.1.1",
     "@types/aws-lambda": "^8.10.149",
     "aws-cdk-lib": "^2.189.1",
     "cdk-nag": "^2.14.29",
     "constructs": "^10.0.0",
-    "deploy-time-build": "^0.3.32",
     "source-map-support": "^0.5.21"
   },
   "devDependencies": {
diff --git a/apps/cdk/test/__snapshots__/serverless-fullstack-webapp-starter-kit-without-domain.test.ts.snap b/apps/cdk/test/__snapshots__/serverless-fullstack-webapp-starter-kit-without-domain.test.ts.snap
diff --git a/apps/cdk/test/__snapshots__/serverless-fullstack-webapp-starter-kit.test.ts.snap b/apps/cdk/test/__snapshots__/serverless-fullstack-webapp-starter-kit.test.ts.snap
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
