Merge branch 'master' into doc_update_scale_to_0

packages/@aws-cdk/aws-ecs/lib/base/base-service.ts

@@ -159,6 +159,15 @@ export interface BaseServiceOptions {
    */
   readonly propagateTags?: PropagatedTagSource;
 
+  /**
+   * Specifies whether to propagate the tags from the task definition or the service to the tasks in the service.
+   * Tags can only be propagated to the tasks within the service during service creation.
+   *
+   * @deprecated Use `propagateTags` instead.
+   * @default PropagatedTagSource.NONE
+   */
+  readonly propagateTaskTagsFrom?: PropagatedTagSource;
+
   /**
    * Specifies whether to enable Amazon ECS managed tags for the tasks within the service. For more information, see
    * [Tagging Your Amazon ECS Resources](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-using-tags.html)
@@ -373,13 +382,19 @@ export abstract class BaseService extends Resource
       physicalName: props.serviceName,
     });
 
+    if (props.propagateTags && props.propagateTaskTagsFrom) {
+      throw new Error('You can only specify either propagateTags or propagateTaskTagsFrom. Alternatively, you can leave both blank');
+    }
+
     this.taskDefinition = taskDefinition;
 
     // launchType will set to undefined if using external DeploymentController or capacityProviderStrategies
     const launchType = props.deploymentController?.type === DeploymentControllerType.EXTERNAL ||
       props.capacityProviderStrategies !== undefined ?
       undefined : props.launchType;
 
+    const propagateTagsFromSource = props.propagateTaskTagsFrom ?? props.propagateTags ?? PropagatedTagSource.NONE;
+
     this.resource = new CfnService(this, 'Service', {
       desiredCount: props.desiredCount,
       serviceName: this.physicalName,
@@ -392,7 +407,7 @@ export abstract class BaseService extends Resource
           rollback: props.circuitBreaker.rollback ?? false,
         } : undefined,
       },
-      propagateTags: props.propagateTags === PropagatedTagSource.NONE ? undefined : props.propagateTags,
+      propagateTags: propagateTagsFromSource === PropagatedTagSource.NONE ? undefined : props.propagateTags,
       enableEcsManagedTags: props.enableECSManagedTags ?? false,
       deploymentController: props.circuitBreaker ? {
         type: DeploymentControllerType.ECS,

packages/@aws-cdk/aws-ecs/lib/base/task-definition.ts

@@ -584,7 +584,7 @@ export class TaskDefinition extends TaskDefinitionBase {
   }
 
   /**
-   * Adds the specified extention to the task definition.
+   * Adds the specified extension to the task definition.
    *
    * Extension can be used to apply a packaged modification to
    * a task definition.

packages/@aws-cdk/aws-ecs/lib/ec2/ec2-service.ts

@@ -1,7 +1,7 @@
 import * as ec2 from '@aws-cdk/aws-ec2';
 import { Lazy, Resource, Stack } from '@aws-cdk/core';
 import { Construct } from 'constructs';
-import { BaseService, BaseServiceOptions, DeploymentControllerType, IBaseService, IService, LaunchType, PropagatedTagSource } from '../base/base-service';
+import { BaseService, BaseServiceOptions, DeploymentControllerType, IBaseService, IService, LaunchType } from '../base/base-service';
 import { fromServiceAtrributes } from '../base/from-service-attributes';
 import { NetworkMode, TaskDefinition } from '../base/task-definition';
 import { ICluster } from '../cluster';
@@ -82,15 +82,6 @@ export interface Ec2ServiceProps extends BaseServiceOptions {
    * @default false
    */
   readonly daemon?: boolean;
-
-  /**
-   * Specifies whether to propagate the tags from the task definition or the service to the tasks in the service.
-   * Tags can only be propagated to the tasks within the service during service creation.
-   *
-   * @deprecated Use `propagateTags` instead.
-   * @default PropagatedTagSource.NONE
-   */
-  readonly propagateTaskTagsFrom?: PropagatedTagSource;
 }
 
 /**
@@ -173,23 +164,16 @@ export class Ec2Service extends BaseService implements IEc2Service {
       throw new Error('Supplied TaskDefinition is not configured for compatibility with EC2');
     }
 
-    if (props.propagateTags && props.propagateTaskTagsFrom) {
-      throw new Error('You can only specify either propagateTags or propagateTaskTagsFrom. Alternatively, you can leave both blank');
-    }
-
     if (props.securityGroup !== undefined && props.securityGroups !== undefined) {
       throw new Error('Only one of SecurityGroup or SecurityGroups can be populated.');
     }
 
-    const propagateTagsFromSource = props.propagateTaskTagsFrom ?? props.propagateTags ?? PropagatedTagSource.NONE;
-
     super(scope, id, {
       ...props,
       desiredCount: props.desiredCount,
       maxHealthyPercent: props.daemon && props.maxHealthyPercent === undefined ? 100 : props.maxHealthyPercent,
       minHealthyPercent: props.daemon && props.minHealthyPercent === undefined ? 0 : props.minHealthyPercent,
       launchType: LaunchType.EC2,
-      propagateTags: propagateTagsFromSource,
       enableECSManagedTags: props.enableECSManagedTags,
     },
     {

packages/@aws-cdk/aws-ecs/lib/fargate/fargate-service.ts

@@ -1,7 +1,7 @@
 import * as ec2 from '@aws-cdk/aws-ec2';
 import * as cdk from '@aws-cdk/core';
 import { Construct } from 'constructs';
-import { BaseService, BaseServiceOptions, DeploymentControllerType, IBaseService, IService, LaunchType, PropagatedTagSource } from '../base/base-service';
+import { BaseService, BaseServiceOptions, DeploymentControllerType, IBaseService, IService, LaunchType } from '../base/base-service';
 import { fromServiceAtrributes } from '../base/from-service-attributes';
 import { TaskDefinition } from '../base/task-definition';
 import { ICluster } from '../cluster';
@@ -58,16 +58,6 @@ export interface FargateServiceProps extends BaseServiceOptions {
    * @default Latest
    */
   readonly platformVersion?: FargatePlatformVersion;
-
-  /**
-   * Specifies whether to propagate the tags from the task definition or the service to the tasks in the service.
-   * Tags can only be propagated to the tasks within the service during service creation.
-   *
-   * @deprecated Use `propagateTags` instead.
-   * @default PropagatedTagSource.NONE
-   */
-  readonly propagateTaskTagsFrom?: PropagatedTagSource;
-
 }
 
 /**
@@ -134,10 +124,6 @@ export class FargateService extends BaseService implements IFargateService {
       throw new Error('Supplied TaskDefinition is not configured for compatibility with Fargate');
     }
 
-    if (props.propagateTags && props.propagateTaskTagsFrom) {
-      throw new Error('You can only specify either propagateTags or propagateTaskTagsFrom. Alternatively, you can leave both blank');
-    }
-
     if (props.securityGroup !== undefined && props.securityGroups !== undefined) {
       throw new Error('Only one of SecurityGroup or SecurityGroups can be populated.');
     }
@@ -147,15 +133,11 @@ export class FargateService extends BaseService implements IFargateService {
         && SECRET_JSON_FIELD_UNSUPPORTED_PLATFORM_VERSIONS.includes(props.platformVersion)) {
       throw new Error(`The task definition of this service uses at least one container that references a secret JSON field. This feature requires platform version ${FargatePlatformVersion.VERSION1_4} or later.`);
     }
-
-    const propagateTagsFromSource = props.propagateTaskTagsFrom ?? props.propagateTags ?? PropagatedTagSource.NONE;
-
     super(scope, id, {
       ...props,
       desiredCount: props.desiredCount,
       launchType: LaunchType.FARGATE,
       capacityProviderStrategies: props.capacityProviderStrategies,
-      propagateTags: propagateTagsFromSource,
       enableECSManagedTags: props.enableECSManagedTags,
     }, {
       cluster: props.cluster.clusterName,

packages/@aws-cdk/aws-ecs/test/ec2/ec2-service.test.ts

@@ -1859,13 +1859,14 @@ nodeunitShim({
         memoryLimitMiB: 512,
       });
 
-      test.throws(() => new ecs.Ec2Service(stack, 'Ec2Service', {
-        cluster,
-        taskDefinition,
-        propagateTags: PropagatedTagSource.SERVICE,
-        propagateTaskTagsFrom: PropagatedTagSource.SERVICE,
-      }));
-
+      test.throws(() => {
+        new ecs.Ec2Service(stack, 'Ec2Service', {
+          cluster,
+          taskDefinition,
+          propagateTags: PropagatedTagSource.SERVICE,
+          propagateTaskTagsFrom: PropagatedTagSource.SERVICE,
+        });
+      }, /You can only specify either propagateTags or propagateTaskTagsFrom. Alternatively, you can leave both blank/);
       test.done();
     },
 

packages/@aws-cdk/aws-ecs/test/fargate/fargate-service.test.ts

@@ -11,7 +11,7 @@ import * as cloudmap from '@aws-cdk/aws-servicediscovery';
 import * as cdk from '@aws-cdk/core';
 import { nodeunitShim, Test } from 'nodeunit-shim';
 import * as ecs from '../../lib';
-import { DeploymentControllerType, LaunchType } from '../../lib/base/base-service';
+import { DeploymentControllerType, LaunchType, PropagatedTagSource } from '../../lib/base/base-service';
 
 nodeunitShim({
   'When creating a Fargate Service': {
@@ -2948,5 +2948,29 @@ nodeunitShim({
 
       test.done();
     },
+
+    'with both propagateTags and propagateTaskTagsFrom defined'(test: Test) {
+      // GIVEN
+      const stack = new cdk.Stack();
+      const vpc = new ec2.Vpc(stack, 'MyVpc', {});
+      const cluster = new ecs.Cluster(stack, 'EcsCluster', { vpc });
+      const taskDefinition = new ecs.FargateTaskDefinition(stack, 'FargateTaskDef');
+
+      taskDefinition.addContainer('web', {
+        image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'),
+        memoryLimitMiB: 512,
+      });
+
+      // THEN
+      test.throws(() => {
+        new ecs.FargateService(stack, 'FargateService', {
+          cluster,
+          taskDefinition,
+          propagateTags: PropagatedTagSource.SERVICE,
+          propagateTaskTagsFrom: PropagatedTagSource.SERVICE,
+        });
+      }, /You can only specify either propagateTags or propagateTaskTagsFrom. Alternatively, you can leave both blank/);
+      test.done();
+    },
   },
 });

packages/@aws-cdk/core/lib/stack-synthesizers/default-synthesizer.ts

@@ -19,7 +19,7 @@ export const BOOTSTRAP_QUALIFIER_CONTEXT = '@aws-cdk/core:bootstrapQualifier';
 /**
  * The minimum bootstrap stack version required by this app.
  */
-const MIN_BOOTSTRAP_STACK_VERSION = 4;
+const MIN_BOOTSTRAP_STACK_VERSION = 6;
 
 /**
  * Configuration properties for DefaultStackSynthesizer
@@ -643,4 +643,4 @@ function validateDockerImageAssetSource(asset: DockerImageAssetSource) {
       throw new Error(`'${key}' is only allowed in combination with 'directoryName', got: ${JSON.stringify(asset)}`);
     }
   }
-}
+}

packages/@aws-cdk/core/test/stack-synthesis/new-style-synthesis.test.ts

@@ -76,7 +76,7 @@ nodeunitShim({
     test.deepEqual(assertions.length, 1);
     test.deepEqual(assertions[0].Assert, {
       'Fn::Not': [
-        { 'Fn::Contains': [['1', '2', '3'], { Ref: 'BootstrapVersion' }] },
+        { 'Fn::Contains': [['1', '2', '3', '4', '5'], { Ref: 'BootstrapVersion' }] },
       ],
     });
 

packages/@aws-cdk/pipelines/lib/actions/update-pipeline-action.ts

@@ -3,6 +3,7 @@ import * as codepipeline from '@aws-cdk/aws-codepipeline';
 import * as cpactions from '@aws-cdk/aws-codepipeline-actions';
 import * as events from '@aws-cdk/aws-events';
 import * as iam from '@aws-cdk/aws-iam';
+import { Stack } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { embeddedAsmPath } from '../private/construct-internals';
 
@@ -97,7 +98,12 @@ export class UpdatePipelineAction extends CoreConstruct implements codepipeline.
     // allow the self-mutating project permissions to assume the bootstrap Action role
     selfMutationProject.addToRolePolicy(new iam.PolicyStatement({
       actions: ['sts:AssumeRole'],
-      resources: ['arn:*:iam::*:role/*-deploy-role-*', 'arn:*:iam::*:role/*-publishing-role-*'],
+      resources: [`arn:*:iam::${Stack.of(this).account}:role/*`],
+      conditions: {
+        'ForAnyValue:StringEquals': {
+          'iam:ResourceTag/aws-cdk:bootstrap-role': ['image-publishing', 'file-publishing', 'deploy'],
+        },
+      },
     }));
     selfMutationProject.addToRolePolicy(new iam.PolicyStatement({
       actions: ['cloudformation:DescribeStacks'],

packages/@aws-cdk/pipelines/test/actions/update-pipeline-action.test.ts

@@ -0,0 +1,50 @@
+import {
+  arrayWith,
+} from '@aws-cdk/assert-internal';
+import '@aws-cdk/assert-internal/jest';
+import * as cp from '@aws-cdk/aws-codepipeline';
+import { Stack } from '@aws-cdk/core';
+import * as cdkp from '../../lib';
+import { TestApp } from '../testutil';
+
+let app: TestApp;
+let pipelineStack: Stack;
+
+test('self-update project role has proper permissions', () => {
+  app = new TestApp();
+  pipelineStack = new Stack(app, 'PipelineStack');
+
+  new cdkp.UpdatePipelineAction(pipelineStack, 'Update', {
+    cloudAssemblyInput: new cp.Artifact(),
+    pipelineStackHierarchicalId: pipelineStack.node.path,
+    projectName: 'pipeline-selfupdate',
+  });
+
+  expect(pipelineStack).toHaveResourceLike('AWS::IAM::Policy', {
+    PolicyDocument: {
+      Statement: arrayWith(
+        {
+          Action: 'sts:AssumeRole',
+          Effect: 'Allow',
+          Resource: { 'Fn::Join': ['', ['arn:*:iam::', { Ref: 'AWS::AccountId' }, ':role/*']] },
+          Condition: {
+            'ForAnyValue:StringEquals': {
+              'iam:ResourceTag/aws-cdk:bootstrap-role': ['image-publishing', 'file-publishing', 'deploy'],
+            },
+          },
+        },
+        {
+          Action: 'cloudformation:DescribeStacks',
+          Effect: 'Allow',
+          Resource: '*',
+        },
+        {
+          Action: 's3:ListBucket',
+          Effect: 'Allow',
+          Resource: '*',
+        },
+      ),
+    },
+  });
+
+});