From 4b837dfadbd1336b7f4deeb828b5bf4cac781aa1 Mon Sep 17 00:00:00 2001
From: AWS CDK Automation <43080478+aws-cdk-automation@users.noreply.github.com>
Date: Thu, 26 May 2022 02:48:55 -0700
Subject: [PATCH 01/13] docs(cfnspec): update CloudFormation documentation (#20500)
---
 .../spec-source/cfn-docs/cfn-docs.json | 89 +++++++++++--------
 1 file changed, 53 insertions(+), 36 deletions(-)
diff --git a/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json b/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json
index 77519b7245d71..1cee622dab798 100644
--- a/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json
+++ b/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json
@@ -9280,11 +9280,11 @@
 "description": "The template for verification messages.",
 "properties": {
 "DefaultEmailOption": "The default email option.",
- "EmailMessage": "The email message template. EmailMessage is allowed only if [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is DEVELOPER.",
- "EmailMessageByLink": "The email message template for sending a confirmation link to the user. EmailMessageByLink is allowed only if [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is DEVELOPER.",
- "EmailSubject": "The subject line for the email message template. EmailSubject is allowed only if [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is DEVELOPER.",
- "EmailSubjectByLink": "The subject line for the email message template for sending a confirmation link to the user. EmailSubjectByLink is allowed only [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is DEVELOPER.",
- "SmsMessage": "The SMS message template."
+ "EmailMessage": "The template for email messages that Amazon Cognito sends to your users. You can set an `EmailMessage` template only if the value of [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER` . 
When your [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER` , your user pool sends email messages with your own Amazon SES configuration.",
+ "EmailMessageByLink": "The email message template for sending a confirmation link to the user. You can set an `EmailMessageByLink` template only if the value of [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER` . When your [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER` , your user pool sends email messages with your own Amazon SES configuration.",
+ "EmailSubject": "The subject line for the email message template. You can set an `EmailSubject` template only if the value of [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER` . When your [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER` , your user pool sends email messages with your own Amazon SES configuration.",
+ "EmailSubjectByLink": "The subject line for the email message template for sending a confirmation link to the user. 
You can set an `EmailSubjectByLink` template only if the value of [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER` . When your [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER` , your user pool sends email messages with your own Amazon SES configuration.",
+ "SmsMessage": "The template for SMS messages that Amazon Cognito sends to your users."
 }
 },
 "AWS::Cognito::UserPoolClient": {
@@ -9548,7 +9548,7 @@
 "ConfigRuleId": "The ID of the AWS Config rule, such as `config-rule-a1bzhi` .",
 "Ref": "`Ref` returns the rule name, such as `mystack-MyConfigRule-12ABCFPXHV4OV` ."
 },
- "description": "Specifies an AWS Config rule for evaluating whether your AWS resources comply with your desired configurations.\n\nYou can use this action for custom AWS Config rules and AWS managed Config rules. A custom AWS Config rule is a rule that you develop and maintain. An AWS managed Config rule is a customizable, predefined rule that AWS Config provides.\n\nIf you are adding a new custom AWS Config rule, you must first create the AWS Lambda function that the rule invokes to evaluate your resources. When you use the `PutConfigRule` action to add the rule to AWS Config , you must specify the Amazon Resource Name (ARN) that AWS Lambda assigns to the function. Specify the ARN for the `SourceIdentifier` key. This key is part of the `Source` object, which is part of the `ConfigRule` object.\n\nIf you are adding an AWS managed Config rule, specify the rule's identifier for the `SourceIdentifier` key. To reference AWS managed Config rule identifiers, see [About AWS Managed Config Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html) .\n\nFor any new rule that you add, specify the `ConfigRuleName` in the `ConfigRule` object. Do not specify the `ConfigRuleArn` or the `ConfigRuleId` . 
These values are generated by AWS Config for new rules.\n\nIf you are updating a rule that you added previously, you can specify the rule by `ConfigRuleName` , `ConfigRuleId` , or `ConfigRuleArn` in the `ConfigRule` data type that you use in this request.\n\nThe maximum number of rules that AWS Config supports is 150.\n\nFor information about requesting a rule limit increase, see [AWS Config Limits](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html#limits_config) in the *AWS General Reference Guide* .\n\nFor more information about developing and using AWS Config rules, see [Evaluating AWS Resource Configurations with AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) in the *AWS Config Developer Guide* .",
+ "description": "Specifies an AWS Config rule for evaluating whether your AWS resources comply with your desired configurations.\n\nYou can use this action for custom AWS Config rules and AWS managed Config rules. A custom AWS Config rule is a rule that you develop and maintain. An AWS managed Config rule is a customizable, predefined rule that AWS Config provides.\n\nIf you are adding a new custom AWS Config rule, you must first create the AWS Lambda function that the rule invokes to evaluate your resources. When you use the `PutConfigRule` action to add the rule to AWS Config , you must specify the Amazon Resource Name (ARN) that AWS Lambda assigns to the function. Specify the ARN for the `SourceIdentifier` key. This key is part of the `Source` object, which is part of the `ConfigRule` object.\n\nIf you are adding an AWS managed Config rule, specify the rule's identifier for the `SourceIdentifier` key. To reference AWS managed Config rule identifiers, see [About AWS Managed Config Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html) .\n\nFor any new rule that you add, specify the `ConfigRuleName` in the `ConfigRule` object. 
Do not specify the `ConfigRuleArn` or the `ConfigRuleId` . These values are generated by AWS Config for new rules.\n\nIf you are updating a rule that you added previously, you can specify the rule by `ConfigRuleName` , `ConfigRuleId` , or `ConfigRuleArn` in the `ConfigRule` data type that you use in this request.\n\nThe maximum number of rules that AWS Config supports is 400.\n\nFor information about requesting a rule limit increase, see [AWS Config endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/awsconfig.html) in the *AWS General Reference Guide* .\n\nFor more information about developing and using AWS Config rules, see [Evaluating AWS Resource Configurations with AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) in the *AWS Config Developer Guide* .",
 "properties": {
 "ConfigRuleName": "A name for the AWS Config rule. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the rule name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html) .",
 "Description": "The description that you provide for the AWS Config rule.",
@@ -11755,15 +11755,15 @@
 },
 "description": "The `AWS::DataSync::LocationObjectStorage` resource specifies an endpoint for a self-managed object storage bucket. For more information about self-managed object storage locations, see [Creating a Location for Object Storage](https://docs.aws.amazon.com/datasync/latest/userguide/create-object-location.html) .",
 "properties": {
- "AccessKey": "Optional. The access key is used if credentials are required to access the self-managed object storage server. If your object storage requires a user name and password to authenticate, use `AccessKey` and `SecretKey` to provide the user name and password, respectively.",
- "AgentArns": "The Amazon Resource Name (ARN) of the agents associated with the self-managed object storage server location.",
- "BucketName": "The bucket on the self-managed object storage server that is used to read data from.",
- "SecretKey": "Optional. The secret key is used if credentials are required to access the self-managed object storage server. If your object storage requires a user name and password to authenticate, use `AccessKey` and `SecretKey` to provide the user name and password, respectively.",
- "ServerHostname": "The name of the self-managed object storage server. This value is the IP address or Domain Name Service (DNS) name of the object storage server. An agent uses this hostname to mount the object storage server in a network.",
- "ServerPort": "The port that your self-managed object storage server accepts inbound network traffic on. The server port is set by default to TCP 80 (HTTP) or TCP 443 (HTTPS). You can specify a custom port if your self-managed object storage server requires one.",
- "ServerProtocol": "The protocol that the object storage server uses to communicate. 
Valid values are HTTP or HTTPS.",
- "Subdirectory": "The subdirectory in the self-managed object storage server that is used to read data from.",
- "Tags": "The key-value pair that represents the tag that you want to add to the location. The value can be an empty string. We recommend using tags to name your resources."
+ "AccessKey": "Specifies the access key (or user name) if credentials are required to access the object storage server.",
+ "AgentArns": "Specifies the Amazon Resource Names (ARNs) of the agents associated with the location.",
+ "BucketName": "Specifies the name of the bucket that DataSync reads from or writes to.",
+ "SecretKey": "Specifies the secret key (or password) if credentials are required to access the object storage server.",
+ "ServerHostname": "Specifies the domain name or IP address of the object storage server. A DataSync agent uses this hostname to mount the object storage server.",
+ "ServerPort": "Specifies the port that your object storage server accepts inbound network traffic on. Set to port 80 (HTTP), 443 (HTTPS), or a custom port if needed.",
+ "ServerProtocol": "Specifies the protocol that your object storage server uses to communicate.",
+ "Subdirectory": "Specifies the object prefix that DataSync reads from or writes to.",
+ "Tags": "Specifies the key-value pair that represents the tag to help you manage, filter, and search for your location. We recommend using tags for naming your locations."
 }
 },
 "AWS::DataSync::LocationS3": {
@@ -14749,10 +14749,10 @@
 "attributes": {
 "Ref": "`Ref` returns the ID of the Traffic Mirror target."
 },
- "description": "Specifies a target for your Traffic Mirror session.\n\nA Traffic Mirror target is the destination for mirrored traffic. The Traffic Mirror source and the Traffic Mirror target (monitoring appliances) can be in the same VPC, or in different VPCs connected via VPC peering or a transit gateway.\n\nA Traffic Mirror target can be a network interface, or a Network Load Balancer.\n\nTo use the target in a Traffic Mirror session, use [AWS::EC2::TrafficMirrorSession](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-trafficmirrorsession.html) .",
+ "description": "Specifies a target for your Traffic Mirror session.\n\nA Traffic Mirror target is the destination for mirrored traffic. The Traffic Mirror source and the Traffic Mirror target (monitoring appliances) can be in the same VPC, or in different VPCs connected via VPC peering or a transit gateway.\n\nA Traffic Mirror target can be a network interface, a Network Load Balancer, or a Gateway Load Balancer endpoint.\n\nTo use the target in a Traffic Mirror session, use [AWS::EC2::TrafficMirrorSession](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-trafficmirrorsession.html) .",
 "properties": {
 "Description": "The description of the Traffic Mirror target.",
- "GatewayLoadBalancerEndpointId": "",
+ "GatewayLoadBalancerEndpointId": "The ID of the Gateway Load Balancer endpoint.",
 "NetworkInterfaceId": "The network interface ID that is associated with the target.",
 "NetworkLoadBalancerArn": "The Amazon Resource Name (ARN) of the Network Load Balancer that is associated with the target.",
 "Tags": "The tags to assign to the Traffic Mirror target."
@@ -14957,11 +14957,11 @@
 },
 "AWS::EC2::VPC": {
 "attributes": {
- "CidrBlock": "The set of IP addresses for the VPC. For example, `10.0.0.0/16` .",
- "CidrBlockAssociations": "The IPv4 CIDR block association IDs for the VPC. For example, `[ vpc-cidr-assoc-0280ab6b ]` .",
- "DefaultNetworkAcl": "The default network ACL ID that is associated with the VPC. For example, `acl-814dafe3` .",
- "DefaultSecurityGroup": "The default security group ID that is associated with the VPC. For example, `sg-b178e0d3` .",
- "Ipv6CidrBlocks": "The IPv6 CIDR blocks that are associated with the VPC, such as `[ 2001:db8:1234:1a00::/56 ]` .",
+ "CidrBlock": "The primary IPv4 CIDR block for the VPC. For example, 10.0.0.0/16.",
+ "CidrBlockAssociations": "The association IDs of the IPv4 CIDR blocks for the VPC. For example, [ vpc-cidr-assoc-0280ab6b ].",
+ "DefaultNetworkAcl": "The ID of the default network ACL for the VPC. For example, acl-814dafe3.",
+ "DefaultSecurityGroup": "The ID of the default security group for the VPC. For example, sg-b178e0d3.",
+ "Ipv6CidrBlocks": "The IPv6 CIDR blocks for the VPC. For example, [ 2001:db8:1234:1a00::/56 ].",
 "Ref": "`Ref` returns the ID of the VPC.",
 "VpcId": ""
 },
@@ -14970,7 +14970,7 @@
 "CidrBlock": "The IPv4 network range for the VPC, in CIDR notation. For example, `10.0.0.0/16` . We modify the specified CIDR block to its canonical form; for example, if you specify `100.68.0.18/18` , we modify it to `100.68.0.0/18` .\n\nYou must specify either `CidrBlock` or `Ipv4IpamPoolId` .",
 "EnableDnsHostnames": "Indicates whether the instances launched in the VPC get DNS hostnames. If enabled, instances in the VPC get DNS hostnames; otherwise, they do not. Disabled by default for nondefault VPCs. For more information, see [DNS attributes in your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-support) .\n\nYou can only enable DNS hostnames if you've enabled DNS support.",
 "EnableDnsSupport": "Indicates whether the DNS resolution is supported for the VPC. If enabled, queries to the Amazon provided DNS server at the 169.254.169.253 IP address, or the reserved IP address at the base of the VPC network range \"plus two\" succeed. If disabled, the Amazon provided DNS service in the VPC that resolves public DNS hostnames to IP addresses is not enabled. Enabled by default. For more information, see [DNS attributes in your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-support) .",
- "InstanceTenancy": "The allowed tenancy of instances launched into the VPC.\n\n- `\"default\"` : An instance launched into the VPC runs on shared hardware by default, unless you explicitly specify a different tenancy during instance launch.\n- `\"dedicated\"` : An instance launched into the VPC is a Dedicated Instance by default, unless you explicitly specify a tenancy of host during instance launch. You cannot specify a tenancy of default during instance launch.\n\nUpdating `InstanceTenancy` requires no replacement only if you are updating its value from `\"dedicated\"` to `\"default\"` . 
Updating `InstanceTenancy` from `\"default\"` to `\"dedicated\"` requires replacement.",
+ "InstanceTenancy": "The allowed tenancy of instances launched into the VPC.\n\n- `default` : An instance launched into the VPC runs on shared hardware by default, unless you explicitly specify a different tenancy during instance launch.\n- `dedicated` : An instance launched into the VPC runs on dedicated hardware by default, unless you explicitly specify a tenancy of `host` during instance launch. You cannot specify a tenancy of `default` during instance launch.\n\nUpdating `InstanceTenancy` requires no replacement only if you are updating its value from `dedicated` to `default` . Updating `InstanceTenancy` from `default` to `dedicated` requires replacement.",
 "Ipv4IpamPoolId": "The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR. For more information, see [What is IPAM?](https://docs.aws.amazon.com//vpc/latest/ipam/what-is-it-ipam.html) in the *Amazon VPC IPAM User Guide* .\n\nYou must specify either `CidrBlock` or `Ipv4IpamPoolId` .",
 "Ipv4NetmaskLength": "The netmask length of the IPv4 CIDR you want to allocate to this VPC from an Amazon VPC IP Address Manager (IPAM) pool. For more information about IPAM, see [What is IPAM?](https://docs.aws.amazon.com//vpc/latest/ipam/what-is-it-ipam.html) in the *Amazon VPC IPAM User Guide* .",
 "Tags": "The tags for the VPC."
@@ -26023,7 +26023,7 @@
 "attributes": {},
 "description": "Provides the identifier of the AWS KMS customer master key (CMK) used to encrypt data indexed by Amazon Kendra. We suggest that you use a CMK from your account to help secure your index. Amazon Kendra doesn't support asymmetric CMKs.",
 "properties": {
- "KmsKeyId": "The identifier of the AWS KMS customer master key (CMK). Amazon Kendra doesn't support asymmetric CMKs."
+ "KmsKeyId": "The identifier of the AWS KMS key . Amazon Kendra doesn't support asymmetric keys."
 }
 },
 "AWS::Kendra::Index.UserTokenConfiguration": {
@@ -29204,10 +29204,10 @@
 "attributes": {},
 "description": "Contains information about how the source data should be interpreted.",
 "properties": {
- "AppFlowConfig": "An object containing information about the AppFlow configuration.",
- "CloudwatchConfig": "An object containing information about the Amazon CloudWatch monitoring configuration.",
- "RDSSourceConfig": "An object containing information about the Amazon Relational Database Service (RDS) configuration.",
- "RedshiftSourceConfig": "An object containing information about the Amazon Redshift database configuration.",
+ "AppFlowConfig": "Details about an AppFlow datasource.",
+ "CloudwatchConfig": "Details about an Amazon CloudWatch monitoring datasource.",
+ "RDSSourceConfig": "Details about an Amazon Relational Database Service (RDS) datasource.",
+ "RedshiftSourceConfig": "Details about an Amazon Redshift database datasource.",
 "S3SourceConfig": "Contains information about the configuration of the S3 bucket that contains source files."
 }
 },
@@ -36600,7 +36600,7 @@
 "Arn": "The Amazon Resource Name (ARN) of the fleet, such as `arn:aws:robomaker:us-west-2:123456789012:deployment-fleet/MyFleet/1539894765711` .",
 "Ref": "When you pass the logical ID of an `AWS::RoboMaker::Fleet` resource to the intrinsic `Ref` function, the function returns the Amazon Resource Name (ARN) of the fleet, such as `arn:aws:robomaker:us-west-2:123456789012:deployment-fleet/MyFleet/1539894765711` ."
 },
- "description": "The `AWS::RoboMaker::Fleet` resource creates an AWS RoboMaker fleet. Fleets contain robots and can receive deployments.",
+ "description": "> The following resource is now deprecated. This resource can no longer be provisioned via stack create or update operations, and should not be included in your stack templates.\n> \n> We recommend migrating to AWS IoT Greengrass Version 2. For more information, see [Support Changes: May 2, 2022](https://docs.aws.amazon.com/robomaker/latest/dg/chapter-support-policy.html#software-support-policy-may2022) in the *AWS RoboMaker Developer Guide* . \n\nThe `AWS::RoboMaker::Fleet` resource creates an AWS RoboMaker fleet. Fleets contain robots and can receive deployments.",
 "properties": {
 "Name": "The name of the fleet.",
 "Tags": "The list of all tags added to the fleet."
@@ -36611,7 +36611,7 @@
 "Arn": "The Amazon Resource Name (ARN) of the robot.",
 "Ref": "When you pass the logical ID of an `AWS::RoboMaker::Robot` resource to the intrinsic `Ref` function, the function returns the Amazon Resource Name (ARN) of the robot application, such as `arn:aws:robomaker:us-west-2:123456789012:robot/MyRobot/1544035373264` ."
 },
- "description": "The `AWS::RoboMaker::RobotApplication` resource creates an AWS RoboMaker robot.",
+ "description": "> The following resource is now deprecated. This resource can no longer be provisioned via stack create or update operations, and should not be included in your stack templates.\n> \n> We recommend migrating to AWS IoT Greengrass Version 2. For more information, see [Support Changes: May 2, 2022](https://docs.aws.amazon.com/robomaker/latest/dg/chapter-support-policy.html#software-support-policy-may2022) in the *AWS RoboMaker Developer Guide* . \n\nThe `AWS::RoboMaker::RobotApplication` resource creates an AWS RoboMaker robot.",
 "properties": {
 "Architecture": "The architecture of the robot.",
 "Fleet": "The Amazon Resource Name (ARN) of the fleet to which the robot will be registered.",
@@ -38944,6 +38944,21 @@
 "ChatbotSns": "The SNS targets that AWS Chatbot uses to notify the chat channel of updates to an incident. You can also make updates to the incident through the chat channel by using the SNS topics"
 }
 },
+ "AWS::SSMIncidents::ResponsePlan.DynamicSsmParameter": {
+ "attributes": {},
+ "description": "",
+ "properties": {
+ "Key": "",
+ "Value": ""
+ }
+ },
+ "AWS::SSMIncidents::ResponsePlan.DynamicSsmParameterValue": {
+ "attributes": {},
+ "description": "",
+ "properties": {
+ "Variable": ""
+ }
+ },
 "AWS::SSMIncidents::ResponsePlan.IncidentTemplate": {
 "attributes": {},
 "description": "The `IncidentTemplate` property type specifies details used to create an incident when using this response plan.",
@@ -38968,6 +38983,7 @@
 "properties": {
 "DocumentName": "The automation document's name.",
 "DocumentVersion": "The automation document's version to use when running.",
+ "DynamicParameters": "",
 "Parameters": "The key-value pair parameters to use when running the automation document.",
 "RoleArn": "The Amazon Resource Name (ARN) of the role that the automation document will assume when running commands.",
 "TargetAccount": "The account that the automation document will be run in. This can be in either the management account or an application account."
@@ -40688,7 +40704,7 @@
 "Ref": "`Ref` returns the Domain ID and the user profile name, such as `d-xxxxxxxxxxxx` and `my-user-profile` , respectively.",
 "UserProfileArn": "The Amazon Resource Name (ARN) of the user profile, such as `arn:aws:sagemaker:us-west-2:account-id:user-profile/my-user-profile` ."
 },
- "description": "Creates a user profile. A user profile represents a single user within a domain, and is the main way to reference a \"person\" for the purposes of sharing, reporting, and other user-oriented features. This entity is created when a user onboards to Amazon SageMaker Studio. If an administrator invites a person by email or imports them from SSO, a user profile is automatically created. A user profile is the primary holder of settings for an individual user and has a reference to the user's private Amazon Elastic File System (EFS) home directory.",
+ "description": "Creates a user profile. A user profile represents a single user within a domain, and is the main way to reference a \"person\" for the purposes of sharing, reporting, and other user-oriented features. This entity is created when a user onboards to Amazon SageMaker Studio. If an administrator invites a person by email or imports them from SSO, a user profile is automatically created. A user profile is the primary holder of settings for an individual user and has a reference to the user's private Amazon Elastic File System (EFS) home directory.\n\n> If you're using SSO authentication, an SSO user, or an SSO group containing that user, must be assigned to the Amazon SageMaker Studio application from the AWS SSO Console to create a user profile. For more information about application assignment, see [Assign user access](https://docs.aws.amazon.com/singlesignon/latest/userguide/assignuserstoapp.html) . 
After assignment is complete, a user profile can be created for that SSO user with AWS CloudFormation.",
 "properties": {
 "DomainId": "The domain ID.",
 "SingleSignOnUserIdentifier": "A specifier for the type of value specified in SingleSignOnUserValue. Currently, the only supported value is \"UserName\". If the Domain's AuthMode is SSO, this field is required. If the Domain's AuthMode is not SSO, this field cannot be specified.",
@@ -41783,8 +41799,9 @@
 "attributes": {},
 "description": "Protocol settings that are configured for your server.",
 "properties": {
- "PassiveIp": "Indicates passive mode, for FTP and FTPS protocols. Enter a single dotted-quad IPv4 address, such as the external IP address of a firewall, router, or load balancer. For example:\n\n`aws transfer update-server --protocol-details PassiveIp= *0.0.0.0*`\n\nReplace `*0.0.0.0*` in the example above with the actual IP address you want to use.\n\n> If you change the `PassiveIp` value, you must stop and then restart your Transfer server for the change to take effect. For details on using Passive IP (PASV) in a NAT environment, see [Configuring your FTPS server behind a firewall or NAT with AWS Transfer Family](https://docs.aws.amazon.com/storage/configuring-your-ftps-server-behind-a-firewall-or-nat-with-aws-transfer-family/) .",
- "TlsSessionResumptionMode": "A property used with Transfer servers that use the FTPS protocol. TLS Session Resumption provides a mechanism to resume or share a negotiated secret key between the control and data connection for an FTPS session. `TlsSessionResumptionMode` determines whether or not the server resumes recent, negotiated sessions through a unique session ID. This property is available during `CreateServer` and `UpdateServer` calls. If a `TlsSessionResumptionMode` value is not specified during CreateServer, it is set to `ENFORCED` by default.\n\n- `DISABLED` : the server does not process TLS session resumption client requests and creates a new TLS session for each request.\n- `ENABLED` : the server processes and accepts clients that are performing TLS session resumption. The server doesn't reject client data connections that do not perform the TLS session resumption client processing.\n- `ENFORCED` : the server processes and accepts clients that are performing TLS session resumption. The server rejects client data connections that do not perform the TLS session resumption client processing. 
Before you set the value to `ENFORCED` , test your clients.\n\n> Not all FTPS clients perform TLS session resumption. So, if you choose to enforce TLS session resumption, you prevent any connections from FTPS clients that don't perform the protocol negotiation. To determine whether or not you can use the `ENFORCED` value, you need to test your clients."
+ "PassiveIp": "Indicates passive mode, for FTP and FTPS protocols. Enter a single IPv4 address, such as the public IP address of a firewall, router, or load balancer. For example:\n\n`aws transfer update-server --protocol-details PassiveIp= *0.0.0.0*`\n\nReplace `*0.0.0.0*` in the example above with the actual IP address you want to use.\n\n> If you change the `PassiveIp` value, you must stop and then restart your Transfer Family server for the change to take effect. For details on using passive mode (PASV) in a NAT environment, see [Configuring your FTPS server behind a firewall or NAT with AWS Transfer Family](https://docs.aws.amazon.com/storage/configuring-your-ftps-server-behind-a-firewall-or-nat-with-aws-transfer-family/) .",
+ "SetStatOption": "Use the `SetStatOption` to ignore the error that is generated when the client attempts to use SETSTAT on a file you are uploading to an S3 bucket.\n\nSome SFTP file transfer clients can attempt to change the attributes of remote files, including timestamp and permissions, using commands, such as SETSTAT when uploading the file. However, these commands are not compatible with object storage systems, such as Amazon S3. Due to this incompatibility, file uploads from these clients can result in errors even when the file is otherwise successfully uploaded.\n\nSet the value to `ENABLE_NO_OP` to have the Transfer Family server ignore the SETSTAT command, and upload files without needing to make any changes to your SFTP client. 
While the `SetStatOption` `ENABLE_NO_OP` setting ignores the error, it does generate a log entry in CloudWatch Logs, so you can determine when the client is making a SETSTAT call.\n\n> If you want to preserve the original timestamp for your file, and modify other file attributes using SETSTAT, you can use Amazon EFS as backend storage with Transfer Family.",
+ "TlsSessionResumptionMode": "A property used with Transfer Family servers that use the FTPS protocol. TLS Session Resumption provides a mechanism to resume or share a negotiated secret key between the control and data connection for an FTPS session. `TlsSessionResumptionMode` determines whether or not the server resumes recent, negotiated sessions through a unique session ID. This property is available during `CreateServer` and `UpdateServer` calls. If a `TlsSessionResumptionMode` value is not specified during `CreateServer` , it is set to `ENFORCED` by default.\n\n- `DISABLED` : the server does not process TLS session resumption client requests and creates a new TLS session for each request.\n- `ENABLED` : the server processes and accepts clients that are performing TLS session resumption. The server doesn't reject client data connections that do not perform the TLS session resumption client processing.\n- `ENFORCED` : the server processes and accepts clients that are performing TLS session resumption. The server rejects client data connections that do not perform the TLS session resumption client processing. Before you set the value to `ENFORCED` , test your clients.\n\n> Not all FTPS clients perform TLS session resumption. So, if you choose to enforce TLS session resumption, you prevent any connections from FTPS clients that don't perform the protocol negotiation. To determine whether or not you can use the `ENFORCED` value, you need to test your clients."
 }
 },
 "AWS::Transfer::Server.WorkflowDetail": {
@@ -41874,11 +41891,11 @@ "DomainId": "The identifier of the domain.", "Ref": "`Ref` returns the `DomainId` of the domain." }, - "description": "Creates a domain that contains all Voice ID data, such as speakers, fraudsters, customer audio, and voiceprints.", + "description": "Creates a domain that contains all Amazon Connect Voice ID data, such as speakers, fraudsters, customer audio, and voiceprints.", "properties": { "Description": "The client-provided description of the domain.", "Name": "The client-provided name for the domain.", - "ServerSideEncryptionConfiguration": "The server-side encryption configuration containing the KMS Key Identifier you want VoiceID to use to encrypt your data.", + "ServerSideEncryptionConfiguration": "The server-side encryption configuration containing the KMS Key Identifier you want Voice ID to use to encrypt your data.", "Tags": "The tags used to organize, track, or control access for this resource." } }, @@ -41886,7 +41903,7 @@ "attributes": {}, "description": "The configuration containing information about the customer-managed KMS Key used for encrypting customer data.", "properties": { - "KmsKeyId": "The identifier of the KMS Key you want VoiceID to use to encrypt your data." + "KmsKeyId": "The identifier of the KMS Key you want Voice ID to use to encrypt your data." } }, "AWS::WAF::ByteMatchSet": { From adc0368dc1f137aeaa4bd92de77028269e3a48f4 Mon Sep 17 00:00:00 2001 
From: Joe Flateau Date: Thu, 26 May 2022 09:21:35 -0400 Subject: [PATCH 02/13] feat(aws-ecr-assets): support the --platform option when building docker images (#20439) This PR adds support for specifying the desired build platform when building docker images (ie: build an arm64 image on an amd64/x86_64 host). Closes #12472 This PR does NOT touch Lambda builders, only ECR assets. #16770 attempted to implement support for ECR and Lambda but was abandoned. Meanwhile #16858 implemented lambda platform support. This implements the ECR side I have run `yarn integ` ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? * [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? 
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/@aws-cdk/aws-ecr-assets/README.md | 12 +++++ .../aws-ecr-assets/lib/image-asset.ts | 46 +++++++++++++++++++ .../Dockerfile | 5 ++ .../index.py | 33 +++++++++++++ .../test/assets-docker.integ.snapshot/cdk.out | 2 +- .../integ-assets-docker.template.json | 42 +++++++++++++++++ .../assets-docker.integ.snapshot/integ.json | 4 +- .../manifest.json | 26 ++++++++++- .../assets-docker.integ.snapshot/tree.json | 46 ++++++++++++++++++- .../aws-ecr-assets/test/image-asset.test.ts | 20 ++++++-- .../test/integ.assets-docker.ts | 8 ++++ .../lib/assets/docker-image-asset.ts | 9 ++++ .../lib/cloud-assembly/metadata-schema.ts | 7 +++ .../schema/assets.schema.json | 4 ++ .../schema/cloud-assembly.schema.json | 4 ++ .../schema/cloud-assembly.version.json | 2 +- packages/@aws-cdk/core/lib/assets.ts | 9 ++++ .../core/lib/stack-synthesizers/legacy.ts | 1 + packages/aws-cdk/lib/assets.ts | 1 + packages/cdk-assets/lib/private/docker.ts | 2 + .../lib/private/handlers/container-images.ts | 1 + .../cdk-assets/test/docker-images.test.ts | 44 ++++++++++++++++++ 22 files changed, 318 insertions(+), 10 deletions(-) create mode 100644 packages/@aws-cdk/aws-ecr-assets/test/assets-docker.integ.snapshot/asset.394b24fcdc153a83b1fc400bf2e812ee67e3a5ffafdf977d531cfe2187d95f38/Dockerfile create mode 100644 packages/@aws-cdk/aws-ecr-assets/test/assets-docker.integ.snapshot/asset.394b24fcdc153a83b1fc400bf2e812ee67e3a5ffafdf977d531cfe2187d95f38/index.py diff --git a/packages/@aws-cdk/aws-ecr-assets/README.md b/packages/@aws-cdk/aws-ecr-assets/README.md index 9be425daadd06..f88cef5b256bb 100644 --- a/packages/@aws-cdk/aws-ecr-assets/README.md +++ b/packages/@aws-cdk/aws-ecr-assets/README.md 
@@ -92,6 +92,18 @@ const asset = new DockerImageAsset(this, 'MyBuildImage', { }) ``` +You can optionally pass an alternate platform to the `docker build` command by specifying +the `platform` property: + +```ts +import { DockerImageAsset, Platform } from '@aws-cdk/aws-ecr-assets'; + +const asset = new DockerImageAsset(this, 'MyBuildImage', { + directory: path.join(__dirname, 'my-image'), + platform: Platform.LINUX_ARM64, +}) +``` + ## Images from Tarball Images are loaded from a local tarball, uploaded to ECR by the CDK toolkit and/or your app's CI-CD pipeline, and can be diff --git a/packages/@aws-cdk/aws-ecr-assets/lib/image-asset.ts b/packages/@aws-cdk/aws-ecr-assets/lib/image-asset.ts index 665b67e73105b..b6ddd3f5dafcf 100644 --- a/packages/@aws-cdk/aws-ecr-assets/lib/image-asset.ts +++ b/packages/@aws-cdk/aws-ecr-assets/lib/image-asset.ts @@ -56,6 +56,36 @@ export class NetworkMode { private constructor(public readonly mode: string) {} } +/** + * platform supported by docker + */ +export class Platform { + /** + * Build for linux/amd64 + */ + public static readonly LINUX_AMD64 = new Platform('linux/amd64'); + + /** + * Build for linux/arm64 + */ + public static readonly LINUX_ARM64 = new Platform('linux/arm64'); + + /** + * Used to specify a custom platform + * Use this if the platform name is not yet supported by the CDK. + * + * @param platform The platform to use for docker build + */ + public static custom(platform: string) { + return new Platform(platform); + } + + /** + * @param platform The platform to use for docker build + */ + private constructor(public readonly platform: string) {} +} + /** * Options to control invalidation of `DockerImageAsset` asset hashes */ @@ -101,6 +131,13 @@ export interface DockerImageAssetInvalidationOptions { * @default true */ readonly networkMode?: boolean; + + /** + * Use `platform` while calculating the asset hash + * + * @default true + */ + readonly platform?: boolean; } /** 
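Review bot: `Platform.custom()` accepts any string and stores it without validation; the value is recorded in the cloud-assembly manifest and later becomes an element of the `docker build` argument array (`['--platform', options.platform]` in cdk-assets), so a typo such as `linux-arm64` is only reported by Docker at publish time rather than at synth. I would at least reject empty or whitespace-only values and name the expected form in the doc comment: `if (!platform.trim()) { throw new Error('platform must be a non-empty string in os/arch[/variant] form, e.g. "linux/arm64"'); }`. The class-level comment `platform supported by docker` could also say what the value is used for, e.g. `Target platform passed to \`docker build --platform\`; recorded in the asset manifest and, by default, folded into the asset hash.`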
@@ -153,6 +190,13 @@ export interface DockerImageAssetOptions extends FingerprintOptions, FileFingerp */ readonly networkMode?: NetworkMode; + /** + * Platform to build for. _Requires Docker Buildx_. + * + * @default - no platform specified (the current machine architecture will be used) + */ + readonly platform?: Platform; + /** * Options to control which parameters are used to invalidate the asset hash. * @@ -286,6 +330,7 @@ export class DockerImageAsset extends CoreConstruct implements IAsset { if (props.invalidation?.file !== false && props.file) { extraHash.file = props.file; } if (props.invalidation?.repositoryName !== false && props.repositoryName) { extraHash.repositoryName = props.repositoryName; } if (props.invalidation?.networkMode !== false && props.networkMode) { extraHash.networkMode = props.networkMode; } + if (props.invalidation?.platform !== false && props.platform) { extraHash.platform = props.platform; } // add "salt" to the hash in order to invalidate the image in the upgrade to // 1.21.0 which removes the AdoptedRepository resource (and will cause the @@ -318,6 +363,7 @@ export class DockerImageAsset extends CoreConstruct implements IAsset { dockerFile: props.file, sourceHash: staging.assetHash, networkMode: props.networkMode?.mode, + platform: props.platform?.platform, }); this.repository = ecr.Repository.fromRepositoryName(this, 'Repository', location.repositoryName); diff --git a/packages/@aws-cdk/aws-ecr-assets/test/assets-docker.integ.snapshot/asset.394b24fcdc153a83b1fc400bf2e812ee67e3a5ffafdf977d531cfe2187d95f38/Dockerfile b/packages/@aws-cdk/aws-ecr-assets/test/assets-docker.integ.snapshot/asset.394b24fcdc153a83b1fc400bf2e812ee67e3a5ffafdf977d531cfe2187d95f38/Dockerfile new file mode 100644 index 0000000000000..235b30e9661ed --- /dev/null +++ b/packages/@aws-cdk/aws-ecr-assets/test/assets-docker.integ.snapshot/asset.394b24fcdc153a83b1fc400bf2e812ee67e3a5ffafdf977d531cfe2187d95f38/Dockerfile 
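Review bot: In the `extraHash` hunk, `extraHash.platform = props.platform` stores the `Platform` instance rather than its `.platform` string, mirroring the existing `networkMode` line; whether that actually distinguishes `linux/amd64` from `linux/arm64` depends on how `extraHash` is serialized into the asset fingerprint, which is outside this hunk — a `JSON.stringify` would work, while a `String()`/template conversion would collapse every value to `[object Object]` and leave the hash identical across platforms. Storing the string is unambiguous either way: `extraHash.platform = props.platform.platform;`. The constructor these hunks belong to starts and ends outside the diff.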
@@ -0,0 +1,5 @@ +FROM public.ecr.aws/lambda/python:3.6 +EXPOSE 8000 +WORKDIR /src +ADD . /src +CMD python3 index.py diff --git a/packages/@aws-cdk/aws-ecr-assets/test/assets-docker.integ.snapshot/asset.394b24fcdc153a83b1fc400bf2e812ee67e3a5ffafdf977d531cfe2187d95f38/index.py b/packages/@aws-cdk/aws-ecr-assets/test/assets-docker.integ.snapshot/asset.394b24fcdc153a83b1fc400bf2e812ee67e3a5ffafdf977d531cfe2187d95f38/index.py new file mode 100644 index 0000000000000..2ccedfce3ab76 --- /dev/null +++ b/packages/@aws-cdk/aws-ecr-assets/test/assets-docker.integ.snapshot/asset.394b24fcdc153a83b1fc400bf2e812ee67e3a5ffafdf977d531cfe2187d95f38/index.py @@ -0,0 +1,33 @@ +#!/usr/bin/python +import sys +import textwrap +import http.server +import socketserver + +PORT = 8000 + + +class Handler(http.server.SimpleHTTPRequestHandler): + def do_GET(self): + self.send_response(200) + self.send_header('Content-Type', 'text/html') + self.end_headers() + self.wfile.write(textwrap.dedent('''\ + + It works + +

Hello from the integ test container

+

This container got built and started as part of the integ test.

+ + + ''').encode('utf-8')) + + +def main(): + httpd = http.server.HTTPServer(("", PORT), Handler) + print("serving at port", PORT) + httpd.serve_forever() + + +if __name__ == '__main__': + main() diff --git a/packages/@aws-cdk/aws-ecr-assets/test/assets-docker.integ.snapshot/cdk.out b/packages/@aws-cdk/aws-ecr-assets/test/assets-docker.integ.snapshot/cdk.out index 90bef2e09ad39..588d7b269d34f 100644 --- a/packages/@aws-cdk/aws-ecr-assets/test/assets-docker.integ.snapshot/cdk.out +++ b/packages/@aws-cdk/aws-ecr-assets/test/assets-docker.integ.snapshot/cdk.out @@ -1 +1 @@ -{"version":"17.0.0"} \ No newline at end of file +{"version":"20.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-ecr-assets/test/assets-docker.integ.snapshot/integ-assets-docker.template.json b/packages/@aws-cdk/aws-ecr-assets/test/assets-docker.integ.snapshot/integ-assets-docker.template.json index 1f1fffdf5581f..fcdf714d71415 100644 --- a/packages/@aws-cdk/aws-ecr-assets/test/assets-docker.integ.snapshot/integ-assets-docker.template.json +++ b/packages/@aws-cdk/aws-ecr-assets/test/assets-docker.integ.snapshot/integ-assets-docker.template.json @@ -74,6 +74,48 @@ ] ] } + }, + "ImageUri2": { + "Value": { + "Fn::Join": [ + "", + [ + { + "Ref": "AWS::AccountId" + }, + ".dkr.ecr.", + { + "Ref": "AWS::Region" + }, + ".", + { + "Ref": "AWS::URLSuffix" + }, + "/aws-cdk/assets:0a3355be12051c9984bf2b0b2bba4e6ea535968e5b6e7396449701732fe5ed14" + ] + ] + } + }, + "ImageUri3": { + "Value": { + "Fn::Join": [ + "", + [ + { + "Ref": "AWS::AccountId" + }, + ".dkr.ecr.", + { + "Ref": "AWS::Region" + }, + ".", + { + "Ref": "AWS::URLSuffix" + }, + "/aws-cdk/assets:394b24fcdc153a83b1fc400bf2e812ee67e3a5ffafdf977d531cfe2187d95f38" + ] + ] + } } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-ecr-assets/test/assets-docker.integ.snapshot/integ.json b/packages/@aws-cdk/aws-ecr-assets/test/assets-docker.integ.snapshot/integ.json index d8588aafe50f8..5792f49559a4d 100644 
--- a/packages/@aws-cdk/aws-ecr-assets/test/assets-docker.integ.snapshot/integ.json +++ b/packages/@aws-cdk/aws-ecr-assets/test/assets-docker.integ.snapshot/integ.json @@ -1,7 +1,7 @@ { - "version": "18.0.0", + "version": "20.0.0", "testCases": { - "aws-ecr-assets/test/integ.assets-docker": { + "integ.assets-docker": { "stacks": [ "integ-assets-docker" ], diff --git a/packages/@aws-cdk/aws-ecr-assets/test/assets-docker.integ.snapshot/manifest.json b/packages/@aws-cdk/aws-ecr-assets/test/assets-docker.integ.snapshot/manifest.json index da54ddfe4c530..d3bf0ba4e8491 100644 --- a/packages/@aws-cdk/aws-ecr-assets/test/assets-docker.integ.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-ecr-assets/test/assets-docker.integ.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "17.0.0", + "version": "20.0.0", "artifacts": { "Tree": { "type": "cdk:tree", @@ -26,6 +26,18 @@ "path": "asset.0a3355be12051c9984bf2b0b2bba4e6ea535968e5b6e7396449701732fe5ed14", "sourceHash": "0a3355be12051c9984bf2b0b2bba4e6ea535968e5b6e7396449701732fe5ed14" } + }, + { + "type": "aws:cdk:asset", + "data": { + "repositoryName": "aws-cdk/assets", + "imageTag": "394b24fcdc153a83b1fc400bf2e812ee67e3a5ffafdf977d531cfe2187d95f38", + "id": "394b24fcdc153a83b1fc400bf2e812ee67e3a5ffafdf977d531cfe2187d95f38", + "packaging": "container-image", + "path": "asset.394b24fcdc153a83b1fc400bf2e812ee67e3a5ffafdf977d531cfe2187d95f38", + "sourceHash": "394b24fcdc153a83b1fc400bf2e812ee67e3a5ffafdf977d531cfe2187d95f38", + "platform": "linux/arm64" + } } ], "/integ-assets-docker/MyUser/Resource": [ @@ -45,6 +57,18 @@ "type": "aws:cdk:logicalId", "data": "ImageUri" } + ], + "/integ-assets-docker/ImageUri2": [ + { + "type": "aws:cdk:logicalId", + "data": "ImageUri2" + } + ], + "/integ-assets-docker/ImageUri3": [ + { + "type": "aws:cdk:logicalId", + "data": "ImageUri3" + } ] }, "displayName": "integ-assets-docker" 
diff --git a/packages/@aws-cdk/aws-ecr-assets/test/assets-docker.integ.snapshot/tree.json b/packages/@aws-cdk/aws-ecr-assets/test/assets-docker.integ.snapshot/tree.json index 4764014f0323b..e5caed87f3db3 100644 --- a/packages/@aws-cdk/aws-ecr-assets/test/assets-docker.integ.snapshot/tree.json +++ b/packages/@aws-cdk/aws-ecr-assets/test/assets-docker.integ.snapshot/tree.json @@ -68,6 +68,32 @@ "version": "0.0.0" } }, + "DockerImage3": { + "id": "DockerImage3", + "path": "integ-assets-docker/DockerImage3", + "children": { + "Staging": { + "id": "Staging", + "path": "integ-assets-docker/DockerImage3/Staging", + "constructInfo": { + "fqn": "@aws-cdk/core.AssetStaging", + "version": "0.0.0" + } + }, + "Repository": { + "id": "Repository", + "path": "integ-assets-docker/DockerImage3/Repository", + "constructInfo": { + "fqn": "@aws-cdk/aws-ecr.RepositoryBase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-ecr-assets.DockerImageAsset", + "version": "0.0.0" + } + }, "MyUser": { "id": "MyUser", "path": "integ-assets-docker/MyUser", @@ -99,8 +125,8 @@ { "Action": [ "ecr:BatchCheckLayerAvailability", - "ecr:BatchGetImage", - "ecr:GetDownloadUrlForLayer" + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage" ], "Effect": "Allow", "Resource": { @@ -164,6 +190,22 @@ "fqn": "@aws-cdk/core.CfnOutput", "version": "0.0.0" } + }, + "ImageUri2": { + "id": "ImageUri2", + "path": "integ-assets-docker/ImageUri2", + "constructInfo": { + "fqn": "@aws-cdk/core.CfnOutput", + "version": "0.0.0" + } + }, + "ImageUri3": { + "id": "ImageUri3", + "path": "integ-assets-docker/ImageUri3", + "constructInfo": { + "fqn": "@aws-cdk/core.CfnOutput", + "version": "0.0.0" + } } }, "constructInfo": { diff --git a/packages/@aws-cdk/aws-ecr-assets/test/image-asset.test.ts b/packages/@aws-cdk/aws-ecr-assets/test/image-asset.test.ts index 19e5b764407ef..4fe6299ab9c87 100644 --- a/packages/@aws-cdk/aws-ecr-assets/test/image-asset.test.ts 
+++ b/packages/@aws-cdk/aws-ecr-assets/test/image-asset.test.ts @@ -1,12 +1,12 @@ -import * as fs from 'fs'; -import * as path from 'path'; import { Template } from '@aws-cdk/assertions'; import * as iam from '@aws-cdk/aws-iam'; import { describeDeprecated, testDeprecated, testFutureBehavior } from '@aws-cdk/cdk-build-tools'; import * as cxschema from '@aws-cdk/cloud-assembly-schema'; import { App, DefaultStackSynthesizer, IgnoreMode, Lazy, LegacyStackSynthesizer, Stack, Stage } from '@aws-cdk/core'; import * as cxapi from '@aws-cdk/cx-api'; -import { DockerImageAsset, NetworkMode } from '../lib'; +import * as fs from 'fs'; +import * as path from 'path'; +import { DockerImageAsset, NetworkMode, Platform } from '../lib'; /* eslint-disable quote-props */ @@ -156,6 +156,20 @@ describe('image asset', () => { expect(assetMetadata && (assetMetadata.data as cxschema.ContainerImageAssetMetadataEntry).networkMode).toEqual('default'); }); + testFutureBehavior('with platform', flags, App, (app) => { + // GIVEN + const stack = new Stack(app); + // WHEN + new DockerImageAsset(stack, 'Image', { + directory: path.join(__dirname, 'demo-image'), + platform: Platform.LINUX_ARM64, + }); + + // THEN + const assetMetadata = stack.node.metadataEntry.find(({ type }) => type === cxschema.ArtifactMetadataEntryType.ASSET); + expect(assetMetadata && (assetMetadata.data as cxschema.ContainerImageAssetMetadataEntry).platform).toEqual('linux/arm64'); + }); + testFutureBehavior('asset.repository.grantPull can be used to grant a principal permissions to use the image', flags, App, (app) => { // GIVEN const stack = new Stack(app); diff --git a/packages/@aws-cdk/aws-ecr-assets/test/integ.assets-docker.ts b/packages/@aws-cdk/aws-ecr-assets/test/integ.assets-docker.ts index d6c4c2aac75b7..6aecb9ac7bda9 100644 --- a/packages/@aws-cdk/aws-ecr-assets/test/integ.assets-docker.ts +++ b/packages/@aws-cdk/aws-ecr-assets/test/integ.assets-docker.ts 
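Review bot: The new `with platform` test only checks the metadata entry; neither the `invalidation.platform` option added to `DockerImageAssetInvalidationOptions` nor `Platform.custom()` is exercised, so a regression in the hash wiring would still pass this suite. I would add a case that builds the same directory twice with `Platform.LINUX_AMD64` and `Platform.LINUX_ARM64` and asserts `expect(arm.assetHash).not.toEqual(amd.assetHash)`, plus the same pair with `invalidation: { platform: false }` asserting the two hashes are equal.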
@@ -19,10 +19,18 @@ const asset2 = new assets.DockerImageAsset(stack, 'DockerImage2', { directory: path.join(__dirname, 'demo-image'), }); +const asset3 = new assets.DockerImageAsset(stack, 'DockerImage3', { + directory: path.join(__dirname, 'demo-image'), + platform: assets.Platform.LINUX_ARM64, +}); + const user = new iam.User(stack, 'MyUser'); asset.repository.grantPull(user); asset2.repository.grantPull(user); +asset3.repository.grantPull(user); new cdk.CfnOutput(stack, 'ImageUri', { value: asset.imageUri }); +new cdk.CfnOutput(stack, 'ImageUri2', { value: asset2.imageUri }); +new cdk.CfnOutput(stack, 'ImageUri3', { value: asset3.imageUri }); app.synth(); diff --git a/packages/@aws-cdk/cloud-assembly-schema/lib/assets/docker-image-asset.ts b/packages/@aws-cdk/cloud-assembly-schema/lib/assets/docker-image-asset.ts index 5b3efeee0b375..ed39ad833b9ce 100644 --- a/packages/@aws-cdk/cloud-assembly-schema/lib/assets/docker-image-asset.ts +++ b/packages/@aws-cdk/cloud-assembly-schema/lib/assets/docker-image-asset.ts @@ -71,6 +71,15 @@ export interface DockerImageSource { * @default - no networking mode specified */ readonly networkMode?: string; + + /** + * Platform to build for. _Requires Docker Buildx_. + * + * Specify this property to build images on a specific platform/architecture. + * + * @default - current machine platform + */ + readonly platform?: string; } /** diff --git a/packages/@aws-cdk/cloud-assembly-schema/lib/cloud-assembly/metadata-schema.ts b/packages/@aws-cdk/cloud-assembly-schema/lib/cloud-assembly/metadata-schema.ts index b58d02849bd9c..3ed8bfe42cf50 100644 --- a/packages/@aws-cdk/cloud-assembly-schema/lib/cloud-assembly/metadata-schema.ts +++ b/packages/@aws-cdk/cloud-assembly-schema/lib/cloud-assembly/metadata-schema.ts 
@@ -138,6 +138,13 @@ export interface ContainerImageAssetMetadataEntry extends BaseAssetMetadataEntry * @default - no networking mode specified */ readonly networkMode?: string; + + /** + * Platform to build for. _Requires Docker Buildx_. + * + * @default - current machine platform + */ + readonly platform?: string; } /** diff --git a/packages/@aws-cdk/cloud-assembly-schema/schema/assets.schema.json b/packages/@aws-cdk/cloud-assembly-schema/schema/assets.schema.json index 40134a4e554a5..e2b5aa8780c04 100644 --- a/packages/@aws-cdk/cloud-assembly-schema/schema/assets.schema.json +++ b/packages/@aws-cdk/cloud-assembly-schema/schema/assets.schema.json @@ -158,6 +158,10 @@ "networkMode": { "description": "Networking mode for the RUN commands during build. _Requires Docker Engine API v1.25+_.\n\nSpecify this property to build images on a specific networking mode. (Default - no networking mode specified)", "type": "string" + }, + "platform": { + "description": "Platform to build for. _Requires Docker Buildx_.\n\nSpecify this property to build images on a specific platform/architecture. (Default - current machine platform)", + "type": "string" } } }, diff --git a/packages/@aws-cdk/cloud-assembly-schema/schema/cloud-assembly.schema.json b/packages/@aws-cdk/cloud-assembly-schema/schema/cloud-assembly.schema.json index 19ab465985d24..7f877222e4563 100644 --- a/packages/@aws-cdk/cloud-assembly-schema/schema/cloud-assembly.schema.json +++ b/packages/@aws-cdk/cloud-assembly-schema/schema/cloud-assembly.schema.json @@ -230,6 +230,10 @@ "description": "Networking mode for the RUN commands during build. (Default - no networking mode specified)", "type": "string" }, + "platform": { + "description": "Platform to build for. _Requires Docker Buildx_. (Default - current machine platform)", + "type": "string" + }, "id": { "description": "Logical identifier for the asset", "type": "string" 
diff --git a/packages/@aws-cdk/cloud-assembly-schema/schema/cloud-assembly.version.json b/packages/@aws-cdk/cloud-assembly-schema/schema/cloud-assembly.version.json
index ccdfc1ff96a9d..588d7b269d34f 100644
--- a/packages/@aws-cdk/cloud-assembly-schema/schema/cloud-assembly.version.json
+++ b/packages/@aws-cdk/cloud-assembly-schema/schema/cloud-assembly.version.json
@@ -1 +1 @@
-{"version":"19.0.0"}
\ No newline at end of file
+{"version":"20.0.0"}
\ No newline at end of file
diff --git a/packages/@aws-cdk/core/lib/assets.ts b/packages/@aws-cdk/core/lib/assets.ts
index b9a0ebd2b1bc6..906841f21e8eb 100644
--- a/packages/@aws-cdk/core/lib/assets.ts
+++ b/packages/@aws-cdk/core/lib/assets.ts
@@ -212,6 +212,15 @@ export interface DockerImageAssetSource {
 * @default - no networking mode specified
 */
 readonly networkMode?: string;
+
+ /**
+ * Platform to build for. _Requires Docker Buildx_.
+ *
+ * Specify this property to build images on a specific platform.
+ *
+ * @default - no platform specified (the current machine architecture will be used)
+ */
+ readonly platform?: string;
 }
 
 /**
diff --git a/packages/@aws-cdk/core/lib/stack-synthesizers/legacy.ts b/packages/@aws-cdk/core/lib/stack-synthesizers/legacy.ts
index 204f3b8ba6827..587181de3ce33 100644
--- a/packages/@aws-cdk/core/lib/stack-synthesizers/legacy.ts
+++ b/packages/@aws-cdk/core/lib/stack-synthesizers/legacy.ts
@@ -149,6 +149,7 @@ export class LegacyStackSynthesizer extends StackSynthesizer {
 target: asset.dockerBuildTarget,
 file: asset.dockerFile,
 networkMode: asset.networkMode,
+ platform: asset.platform,
 };
 
 this.stack.node.addMetadata(cxschema.ArtifactMetadataEntryType.ASSET, metadata);
diff --git a/packages/aws-cdk/lib/assets.ts b/packages/aws-cdk/lib/assets.ts
index 632292853c670..cb343db5282f1 100644
--- a/packages/aws-cdk/lib/assets.ts
+++ b/packages/aws-cdk/lib/assets.ts
@@ -123,6 +123,7 @@ async function prepareDockerImageAsset(
 dockerBuildTarget: asset.target,
 dockerFile: asset.file,
 networkMode: asset.networkMode,
+ platform: asset.platform,
 }, {
 repositoryName,
 imageTag,
diff --git a/packages/cdk-assets/lib/private/docker.ts b/packages/cdk-assets/lib/private/docker.ts
index 1a9b2293230f6..999d44de7fb4c 100644
--- a/packages/cdk-assets/lib/private/docker.ts
+++ b/packages/cdk-assets/lib/private/docker.ts
@@ -16,6 +16,7 @@ interface BuildOptions {
 readonly file?: string;
 readonly buildArgs?: Record;
 readonly networkMode?: string;
+ readonly platform?: string;
 }
 
 export interface DockerCredentialsConfig {
@@ -56,6 +57,7 @@ export class Docker {
 ...options.target ? ['--target', options.target] : [],
 ...options.file ? ['--file', options.file] : [],
 ...options.networkMode ? ['--network', options.networkMode] : [],
+ ...options.platform ? ['--platform', options.platform] : [],
 '.',
 ];
 await this.execute(buildCommand, { cwd: options.directory });
diff --git a/packages/cdk-assets/lib/private/handlers/container-images.ts b/packages/cdk-assets/lib/private/handlers/container-images.ts
index 61ac1004cc714..88b56bf11e00a 100644
--- a/packages/cdk-assets/lib/private/handlers/container-images.ts
+++ b/packages/cdk-assets/lib/private/handlers/container-images.ts
@@ -134,6 +134,7 @@ class ContainerImageBuilder {
 target: source.dockerBuildTarget,
 file: source.dockerFile,
 networkMode: source.networkMode,
+ platform: source.platform,
 });
 }
 
diff --git a/packages/cdk-assets/test/docker-images.test.ts b/packages/cdk-assets/test/docker-images.test.ts
index 62af7cf399abb..b6fa692dd24a4 100644
--- a/packages/cdk-assets/test/docker-images.test.ts
+++ b/packages/cdk-assets/test/docker-images.test.ts
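Review bot: The `--platform` argument in the `buildCommand` hunk is appended whenever `options.platform` is set, with no check that the local Docker CLI's builder accepts it; the property docs elsewhere in this patch say this requires Buildx, so on an older or BuildKit-less CLI the publish step fails with a raw Docker error that never mentions the CDK `platform` property. A short comment on the added line would save the next reader a search: `// requires a BuildKit/Buildx-capable docker CLI; older builders reject --platform`. If a friendlier failure is wanted, a capability probe would belong in the method that assembles `buildCommand`, before this array is built; that method starts outside the hunk.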
@@ -124,6 +124,26 @@ beforeEach(() => { }, }), '/default-network/cdk.out/dockerdir/Dockerfile': 'FROM scratch', + '/platform-arm64/cdk.out/assets.json': JSON.stringify({ + version: Manifest.version(), + dockerImages: { + theAsset: { + source: { + directory: 'dockerdir', + platform: 'linux/arm64', + }, + destinations: { + theDestination: { + region: 'us-north-50', + assumeRoleArn: 'arn:aws:role', + repositoryName: 'repo', + imageTag: 'nopqr', + }, + }, + }, + }, + }), + '/platform-arm64/cdk.out/dockerdir/Dockerfile': 'FROM scratch', }); aws = mockAws(); @@ -239,6 +259,30 @@ describe('with a complete manifest', () => { expectAllSpawns(); expect(true).toBeTruthy(); // Expect no exception, satisfy linter }); + + test('build with platform option', async () => { + pub = new AssetPublishing(AssetManifest.fromPath('/platform-arm64/cdk.out'), { aws }); + const defaultNetworkDockerpath = '/platform-arm64/cdk.out/dockerdir'; + aws.mockEcr.describeImages = mockedApiFailure('ImageNotFoundException', 'File does not exist'); + aws.mockEcr.getAuthorizationToken = mockedApiResult({ + authorizationData: [ + { authorizationToken: 'dXNlcjpwYXNz', proxyEndpoint: 'https://proxy.com/' }, + ], + }); + + const expectAllSpawns = mockSpawn( + { commandLine: ['docker', 'login', '--username', 'user', '--password-stdin', 'https://proxy.com/'] }, + { commandLine: ['docker', 'inspect', 'cdkasset-theasset'], exitCode: 1 }, + { commandLine: ['docker', 'build', '--tag', 'cdkasset-theasset', '--platform', 'linux/arm64', '.'], cwd: defaultNetworkDockerpath }, + { commandLine: ['docker', 'tag', 'cdkasset-theasset', '12345.amazonaws.com/repo:nopqr'] }, + { commandLine: ['docker', 'push', '12345.amazonaws.com/repo:nopqr'] }, + ); + + await pub.publish(); + + expectAllSpawns(); + expect(true).toBeTruthy(); // Expect no exception, satisfy linter + }); }); describe('external assets', () => { From 7f237a2d3a74706120b2d479e618cbe9051129ae Mon Sep 17 00:00:00 2001 
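Review bot: In the `build with platform option` test the local is named `defaultNetworkDockerpath` although it points at `/platform-arm64/cdk.out/dockerdir`; the name was carried over from the network-mode test and now misdescribes the fixture. Rename it, `const platformDockerpath = '/platform-arm64/cdk.out/dockerdir';`, and use it in the `cwd` expectation. The closing `expect(true).toBeTruthy()` follows the surrounding tests' pattern, so I would leave it alone here.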
From: Mitchell Valine Date: Thu, 26 May 2022 08:33:19 -0700 Subject: [PATCH 03/13] chore: remove callout that go is in dev preview (#20507) ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index ddf9cce9d3997..1e8a2ca307188 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,6 @@ The CDK is available in the following languages: * Java ([Java ≥ 8](https://www.oracle.com/technetwork/java/javase/downloads/index.html) and [Maven ≥ 3.5.4](https://maven.apache.org/download.cgi)) * .NET ([.NET Core ≥ 3.1](https://dotnet.microsoft.com/download)) * Go ([Go ≥ 1.16.4](https://golang.org/)) - - Go is currently in developer preview and is not recommended for production use. \ Jump To: From 71380571b878a50fe4b754c7dac78da075a98242 Mon Sep 17 00:00:00 2001 
From: Cory Hall <43035978+corymhall@users.noreply.github.com> Date: Thu, 26 May 2022 12:37:52 -0400 Subject: [PATCH 04/13] fix(integ-runner): always resynth on deploy (#20508) We were trying to save time by re-using a previously synthed cloud assembly if it existed, but we should not be doing this. When we perform the deployment we could be using new settings (or context) that needs to be applied to the synth. ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../@aws-cdk/integ-runner/lib/runner/integ-test-runner.ts | 2 +- packages/@aws-cdk/integ-runner/lib/runner/runner-base.ts | 8 ++------ .../integ-runner/test/runner/integ-test-runner.test.ts | 2 +- 3 files changed, 4 insertions(+), 8 deletions(-) diff --git a/packages/@aws-cdk/integ-runner/lib/runner/integ-test-runner.ts b/packages/@aws-cdk/integ-runner/lib/runner/integ-test-runner.ts index 705f9f045e6e9..3c325d34c3700 100644 --- a/packages/@aws-cdk/integ-runner/lib/runner/integ-test-runner.ts +++ b/packages/@aws-cdk/integ-runner/lib/runner/integ-test-runner.ts 
@@ -259,7 +259,7 @@ export class IntegTestRunner extends IntegRunner {
 ...actualTestCase?.cdkCommandOptions?.deploy?.args,
 ...actualTestCase.assertionStack ? { outputsFile: path.join(this.cdkOutDir, 'assertion-results.json') } : undefined,
 context: this.getContext(actualTestCase?.cdkCommandOptions?.deploy?.args?.context),
- app: this.hasTmpActualSnapshot() ? this.cdkOutDir : this.cdkApp,
+ app: this.cdkApp,
 });
 
 if (actualTestCase.hooks?.postDeploy) {
diff --git a/packages/@aws-cdk/integ-runner/lib/runner/runner-base.ts b/packages/@aws-cdk/integ-runner/lib/runner/runner-base.ts
index eff0e68191acb..18b8a3c6e9f64 100644
--- a/packages/@aws-cdk/integ-runner/lib/runner/runner-base.ts
+++ b/packages/@aws-cdk/integ-runner/lib/runner/runner-base.ts
@@ -146,7 +146,7 @@ export abstract class IntegRunner {
 this.testName = testName;
 } else {
 const relativePath = path.relative(options.directory, parsed.dir);
- this.testName = `${relativePath ? relativePath+'/' : ''}${parsed.name}`;
+ this.testName = `${relativePath ? relativePath + '/' : ''}${parsed.name}`;
 }
 this.snapshotDir = path.join(this.directory, `${testName}.integ.snapshot`);
 this.relativeSnapshotDir = `${testName}.integ.snapshot`;
@@ -210,10 +210,6 @@ export abstract class IntegRunner {
 return fs.existsSync(this.snapshotDir);
 }
 
- public hasTmpActualSnapshot(): boolean {
- return fs.existsSync(path.join(this.directory, this.cdkOutDir));
- }
-
 /**
 * Load the integ manifest which contains information
 * on how to execute the tests
@@ -371,7 +367,7 @@ export abstract class IntegRunner {
 }
 
 protected getContext(additionalContext?: Record): Record {
- const futureFlags: {[key: string]: any} = {};
+ const futureFlags: { [key: string]: any } = {};
 Object.entries(FUTURE_FLAGS)
 .filter(([k, _]) => !FUTURE_FLAGS_EXPIRED.includes(k))
 .forEach(([k, v]) => futureFlags[k] = v);
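Review bot: The removed `hasTmpActualSnapshot()` was a `public` method on the exported abstract `IntegRunner`, so this fix is also an API removal for any subclass or caller outside the package; if the package's public surface is tracked, it should be called out in the commit message or kept for one release as a deprecated method. The `app: this.cdkApp` line now silently ignores any assembly left in `cdkOutDir`, and the reason lives only in the PR description; I would pin it next to the line: `// Always synthesize from the app: deploy may carry new context/settings that a cached assembly would miss.` The method containing that line starts and ends outside the hunk.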
diff --git a/packages/@aws-cdk/integ-runner/test/runner/integ-test-runner.test.ts b/packages/@aws-cdk/integ-runner/test/runner/integ-test-runner.test.ts index 78f321e81d9aa..db4c4a434554d 100644 --- a/packages/@aws-cdk/integ-runner/test/runner/integ-test-runner.test.ts +++ b/packages/@aws-cdk/integ-runner/test/runner/integ-test-runner.test.ts @@ -78,7 +78,7 @@ describe('IntegTest runIntegTests', () => { stacks: ['test-stack'], }); expect(deployMock).toHaveBeenCalledWith({ - app: 'cdk-integ.out.test-with-snapshot', + app: 'node integ.test-with-snapshot.js', requireApproval: 'never', pathMetadata: false, assetMetadata: false, From 7a010993f10e5a8e4035e28a1f977e877ab4ca49 Mon Sep 17 00:00:00 2001 From: AWS CDK Team Date: Fri, 27 May 2022 04:56:56 +0000 Subject: [PATCH 05/13] chore(release): 1.158.0 --- CHANGELOG.md | 22 ++++++++++++++++++++++ version.v1.json | 2 +- 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e09741c20e89e..d1e96f8f71317 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,28 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [1.158.0](https://github.com/aws/aws-cdk/compare/v1.157.0...v1.158.0) (2022-05-27) + + +### Features + +* **apprunner:** VpcConnector construct ([#20471](https://github.com/aws/aws-cdk/issues/20471)) ([5052191](https://github.com/aws/aws-cdk/commit/50521911f22f433323d700db77530e883762138a)) +* **aws-ecr-assets:** support the --platform option when building docker images ([#20439](https://github.com/aws/aws-cdk/issues/20439)) ([adc0368](https://github.com/aws/aws-cdk/commit/adc0368dc1f137aeaa4bd92de77028269e3a48f4)), closes [#12472](https://github.com/aws/aws-cdk/issues/12472) [#16770](https://github.com/aws/aws-cdk/issues/16770) [#16858](https://github.com/aws/aws-cdk/issues/16858) +* **lambda:** validate function description length ([#20476](https://github.com/aws/aws-cdk/issues/20476)) ([de027e2](https://github.com/aws/aws-cdk/commit/de027e28ce5c95e70fed8874e6531eabba24521c)), closes [#20475](https://github.com/aws/aws-cdk/issues/20475) +* **s3:** adds objectSizeGreaterThan property for s3 lifecycle rule ([#20425](https://github.com/aws/aws-cdk/issues/20425)) ([23690e4](https://github.com/aws/aws-cdk/commit/23690e40b1604839f99da8b8f96168dda8679c47)), closes [#20372](https://github.com/aws/aws-cdk/issues/20372) +* **servicecatalog:** ProductStackHistory can retain old ProductStack iterations ([#20244](https://github.com/aws/aws-cdk/issues/20244)) ([1037b8c](https://github.com/aws/aws-cdk/commit/1037b8c7f58ccd162491b49d75954c38d685d67f)) + + +### Bug Fixes + +* **core:** NestedStack defaultChild is undefined ([#20450](https://github.com/aws/aws-cdk/issues/20450)) ([0a49927](https://github.com/aws/aws-cdk/commit/0a49927e9e5bc250f339f664fa843fae2fab92ec)), closes [#11221](https://github.com/aws/aws-cdk/issues/11221) +* **iam:** Role policies cannot grow beyond 10k 
([#20400](https://github.com/aws/aws-cdk/issues/20400)) ([75bfce7](https://github.com/aws/aws-cdk/commit/75bfce70dbc57fe688c96b3c5cbb67fc4e6fcc56)), closes [#19276](https://github.com/aws/aws-cdk/issues/19276) [#19939](https://github.com/aws/aws-cdk/issues/19939) [#19835](https://github.com/aws/aws-cdk/issues/19835) +* **integ-runner:** always resynth on deploy ([#20508](https://github.com/aws/aws-cdk/issues/20508)) ([7138057](https://github.com/aws/aws-cdk/commit/71380571b878a50fe4b754c7dac78da075a98242)) +* **integ-tests:** DeployAssert should be private ([#20466](https://github.com/aws/aws-cdk/issues/20466)) ([0f52813](https://github.com/aws/aws-cdk/commit/0f52813bcf6a48c352f697004a899461dd06935d)) +* **lambda:** Fix typo in public subnet warning ([#20470](https://github.com/aws/aws-cdk/issues/20470)) ([85f4e29](https://github.com/aws/aws-cdk/commit/85f4e29e0551d71dd5f2f588584785cbc1ae7b72)) +* **pipelines:** too many CodeBuild steps inflate policy size ([#20396](https://github.com/aws/aws-cdk/issues/20396)) ([f334060](https://github.com/aws/aws-cdk/commit/f334060fca02e928bc4f5fdcfd45244060731d78)), closes [#20189](https://github.com/aws/aws-cdk/issues/20189) [#19276](https://github.com/aws/aws-cdk/issues/19276) [#19939](https://github.com/aws/aws-cdk/issues/19939) [#19835](https://github.com/aws/aws-cdk/issues/19835) +* **s3-deployment:** default role does not get `PutAcl` permissions on… ([#20492](https://github.com/aws/aws-cdk/issues/20492)) ([3e6ec5c](https://github.com/aws/aws-cdk/commit/3e6ec5c48cff41cec2b32566990046fd704f4ec1)) + ## [1.157.0](https://github.com/aws/aws-cdk/compare/v1.156.1...v1.157.0) (2022-05-20) diff --git a/version.v1.json b/version.v1.json index e9b6f5ffd7864..aeca1be32b0b5 100644 --- a/version.v1.json +++ b/version.v1.json @@ -1,3 +1,3 @@ { - "version": "1.157.0" + "version": "1.158.0" } \ No newline at end of file From 953afa90e3e331909772e8146760e1de1cf59a59 Mon Sep 17 00:00:00 2001 
From: AWS CDK Automation <43080478+aws-cdk-automation@users.noreply.github.com> Date: Fri, 27 May 2022 02:47:09 -0700 Subject: [PATCH 06/13] docs(cfnspec): update CloudFormation documentation (#20519) --- .../spec-source/cfn-docs/cfn-docs.json | 101 +++++++++++++++++- 1 file changed, 100 insertions(+), 1 deletion(-) diff --git a/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json b/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json index 1cee622dab798..c99e5a9c1f3a7 100644 --- a/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json +++ b/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json 
@@ -9109,6 +9109,7 @@ "SmsAuthenticationMessage": "A string representing the SMS authentication message.", "SmsConfiguration": "The SMS configuration with the settings that your Amazon Cognito user pool must use to send an SMS message from your AWS account through Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account .", "SmsVerificationMessage": "A string representing the SMS verification message.", + "UserAttributeUpdateSettings": "The settings for updates to user attributes. These settings include the property `AttributesRequireVerificationBeforeUpdate` ,\na user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For\nmore information, see [Verifying updates to to email addresses and phone numbers](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates) .", "UserPoolAddOns": "Enables advanced security risk detection. Set the key `AdvancedSecurityMode` to the value \"AUDIT\".", "UserPoolName": "A string used to name the user pool.", "UserPoolTags": "The tag keys and values to assign to the user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.", 
@@ -9261,6 +9262,13 @@ "MinLength": "The minimum length." } }, + "AWS::Cognito::UserPool.UserAttributeUpdateSettings": { + "attributes": {}, + "description": "The settings for updates to user attributes. These settings include the property `AttributesRequireVerificationBeforeUpdate` ,\na user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For\nmore information, see [Verifying updates to to email addresses and phone numbers](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates) .", + "properties": { + "AttributesRequireVerificationBeforeUpdate": "Requires that your user verifies their email address, phone number, or both before Amazon Cognito updates the value of that attribute. When you update a user attribute that has this option activated, Amazon Cognito sends a verification message to the new phone number or email address. Amazon Cognito doesn\u2019t change the value of the attribute until your user responds to the verification message and confirms the new value.\n\nYou can verify an updated email address or phone number with a [VerifyUserAttribute](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerifyUserAttribute.html) API request. You can also call the [UpdateUserAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html) or [AdminUpdateUserAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html) API and set `email_verified` or `phone_number_verified` to true.\n\nWhen `AttributesRequireVerificationBeforeUpdate` is false, your user pool doesn't require that your users verify attribute changes before Amazon Cognito updates them. 
In a user pool where `AttributesRequireVerificationBeforeUpdate` is false, API operations that change attribute values can immediately update a user\u2019s `email` or `phone_number` attribute." + } + }, "AWS::Cognito::UserPool.UserPoolAddOns": { "attributes": {}, "description": "The user pool add-ons type.", 
@@ -16876,6 +16884,82 @@ "Namespace": "The namespaces of the EKS cluster.\n\n*Minimum* : 1\n\n*Maximum* : 63\n\n*Pattern* : `[a-z0-9]([-a-z0-9]*[a-z0-9])?`" } }, + "AWS::EMRServerless::Application": { + "attributes": { + "ApplicationId": "The ID of the application, such as `ab4rp1abcs8xz47n3x0example` .", + "Arn": "The Amazon Resource Name (ARN) of the project.", + "Ref": "When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the ID of the application.\n\nFor more information about using the `Ref` function, see [`Ref`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html) ." + }, + "description": "The `AWS::EMRServerless::Application` resource specifies an EMR Serverless application. An application uses open source analytics frameworks to run jobs that process data. To create an application, you must specify the release version for the open source framework version you want to use and the type of application you want, such as Apache Spark or Apache Hive. After you create an application, you can submit data processing jobs or interactive requests to it.", + "properties": { + "AutoStartConfiguration": "The configuration for an application to automatically start on job submission.", + "AutoStopConfiguration": "The configuration for an application to automatically stop after a certain amount of time being idle.", + "InitialCapacity": "The initial capacity of the application.", + "MaximumCapacity": "The maximum capacity of the application. This is cumulative across all workers at any given point in time during the lifespan of the application is created. 
No new resources will be created once any one of the defined limits is hit.", + "Name": "The name of the application.\n\n*Minimum* : 1\n\n*Maximum* : 64\n\n*Pattern* : `^[A-Za-z0-9._\\\\/#-]+$`", + "NetworkConfiguration": "The network configuration for customer VPC connectivity for the application.", + "ReleaseLabel": "The EMR release version associated with the application.\n\n*Minimum* : 1\n\n*Maximum* : 64\n\n*Pattern* : `^[A-Za-z0-9._/-]+$`", + "Tags": "The tags assigned to the application.", + "Type": "The type of application, such as Spark or Hive." + } + }, + "AWS::EMRServerless::Application.AutoStartConfiguration": { + "attributes": {}, + "description": "The con\ufb01guration for an application to automatically start on job submission.", + "properties": { + "Enabled": "Enables the application to automatically start on job submission. Defaults to true." + } + }, + "AWS::EMRServerless::Application.AutoStopConfiguration": { + "attributes": {}, + "description": "The con\ufb01guration for an application to automatically stop after a certain amount of time being idle.", + "properties": { + "Enabled": "Enables the application to automatically stop after a certain amount of time being idle. Defaults to true.", + "IdleTimeoutMinutes": "The amount of idle time in minutes after which your application will automatically stop. 
Defaults to 15 minutes.\n\n*Minimum* : 1\n\n*Maximum* : 10080" + } + }, + "AWS::EMRServerless::Application.InitialCapacityConfig": { + "attributes": {}, + "description": "The initial capacity configuration per worker.", + "properties": { + "WorkerConfiguration": "The resource configuration of the initial capacity configuration.", + "WorkerCount": "The number of workers in the initial capacity configuration.\n\n*Minimum* : 1\n\n*Maximum* : 1000000" + } + }, + "AWS::EMRServerless::Application.InitialCapacityConfigKeyValuePair": { + "attributes": {}, + "description": "The initial capacity configuration per worker.", + "properties": { + "Key": "The worker type for an analytics framework. For Spark applications, the key can either be set to `Driver` or `Executor` . For Hive applications, it can be set to `HiveDriver` or `TezTask` .\n\n*Minimum* : 1\n\n*Maximum* : 50\n\n*Pattern* : `^[a-zA-Z]+[-_]*[a-zA-Z]+$`", + "Value": "The value for the initial capacity configuration per worker." + } + }, + "AWS::EMRServerless::Application.MaximumAllowedResources": { + "attributes": {}, + "description": "The maximum allowed cumulative resources for an application. 
No new resources will be created once the limit is hit.", + "properties": { + "Cpu": "The maximum allowed CPU for an application.\n\n*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(vCPU|vcpu|VCPU)?$`", + "Disk": "The maximum allowed disk for an application.\n\n*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(GB|gb|gB|Gb)$\"`", + "Memory": "The maximum allowed resources for an application.\n\n*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(GB|gb|gB|Gb)?$`" + } + }, + "AWS::EMRServerless::Application.NetworkConfiguration": { + "attributes": {}, + "description": "The network configuration for customer VPC connectivity.", + "properties": { + "SecurityGroupIds": "The array of security group Ids for customer VPC connectivity.\n\n*Minimum* : 1\n\n*Maximum* : 32\n\n*Pattern* : `^[-0-9a-zA-Z]+`", + "SubnetIds": "The array of subnet Ids for customer VPC connectivity.\n\n*Minimum* : 1\n\n*Maximum* : 32\n\n*Pattern* : `^[-0-9a-zA-Z]+`" + } + }, + "AWS::EMRServerless::Application.WorkerConfiguration": { + "attributes": {}, + "description": "The resource configuration of the initial capacity configuration.", + "properties": { + "Cpu": "*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(vCPU|vcpu|VCPU)?$`", + "Disk": "*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(GB|gb|gB|Gb)$\"`", + "Memory": "*Minimum* : 1\n\n*Maximum* : 15\n\n*Pattern* : `^[1-9][0-9]*(\\\\s)?(GB|gb|gB|Gb)?$`" + } + }, "AWS::ElastiCache::CacheCluster": { "attributes": { "ConfigurationEndpoint.Address": "The DNS hostname of the cache node.\n\n> Redis (cluster mode disabled) replication groups don't have this attribute. Therefore, `Fn::GetAtt` returns a value for this attribute only if the replication group is clustered. Otherwise, `Fn::GetAtt` fails.", 
@@ -24955,6 +25039,21 @@ "RfRegion": "The frequency band (RFRegion) value." } }, + "AWS::IoTWireless::NetworkAnalyzerConfiguration": { + "attributes": { + "Arn": "", + "Ref": "" + }, + "description": "", + "properties": { + "Description": "", + "Name": "", + "Tags": "", + "TraceContent": "", + "WirelessDevices": "", + "WirelessGateways": "" + } + }, "AWS::IoTWireless::PartnerAccount": { "attributes": { "Arn": "The Amazon Resource Name (ARN) of the resource.", 
@@ -38532,7 +38631,7 @@ "Tags": "AWS CloudFormation resource tags to apply to the document. Use tags to help you identify and categorize resources.", "TargetType": "Specify a target type to define the kinds of resources the document can run on. For example, to run a document on EC2 instances, specify the following value: `/AWS::EC2::Instance` . If you specify a value of '/' the document can run on all types of resources. If you don't specify a value, the document can't run on any resources. For a list of valid resource types, see [AWS resource and property types reference](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) in the *AWS CloudFormation User Guide* .", "UpdateMethod": "If the document resource you specify in your template already exists, this parameter determines whether a new version of the existing document is created, or the existing document is replaced. `Replace` is the default method. If you specify `NewVersion` for the `UpdateMethod` parameter, and the `Name` of the document does not match an existing resource, a new document is created. When you specify `NewVersion` , the default version of the document is changed to the newly created version.", - "VersionName": "An optional field specifying the version of the artifact you are creating with the document. For example, \"Release 12, Update 6\". This value is unique across all versions of a document, and can't be changed." + "VersionName": "An optional field specifying the version of the artifact you are creating with the document. For example, `Release12.1` . This value is unique across all versions of a document, and can't be changed." } }, "AWS::SSM::Document.AttachmentsSource": { From 777953106ac550b058fdaa3ccde25b62be07defa Mon Sep 17 00:00:00 2001 
From: Cory Hall <43035978+corymhall@users.noreply.github.com> Date: Fri, 27 May 2022 08:46:36 -0400 Subject: [PATCH 07/13] feat(integ-runner): publish integ-runner cli (#20477) This PR switches the `integ-runner` package from private to public. ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/@aws-cdk/integ-runner/README.md | 7 ++++++ .../integ-runner/lib/runner/runner-base.ts | 4 ---- packages/@aws-cdk/integ-runner/package.json | 2 +- packages/cdk-cli-wrapper/lib/cdk-wrapper.ts | 4 ++-- .../cdk-cli-wrapper/test/cdk-wrapper.test.ts | 24 +++++++++---------- 5 files changed, 22 insertions(+), 19 deletions(-) diff --git a/packages/@aws-cdk/integ-runner/README.md b/packages/@aws-cdk/integ-runner/README.md index 3f983273a4a1e..db79cf866b9ca 100644 --- a/packages/@aws-cdk/integ-runner/README.md +++ b/packages/@aws-cdk/integ-runner/README.md 
@@ -19,6 +19,13 @@ ## Overview +This tool has been created to be used initially by this repo (aws/aws-cdk). Long term the goal is +for this tool to be a general tool that can be used for running CDK integration tests. We are +publishing this tool so that it can be used by the community and we would love to receive feedback +on use cases that the tool should support, or issues that prevent the tool from being used in your +library. + +This tool is meant to be used with the [integ-tests](https://github.com/aws/aws-cdk/tree/master/packages/%40aws-cdk/integ-tests) library. ## Usage diff --git a/packages/@aws-cdk/integ-runner/lib/runner/runner-base.ts b/packages/@aws-cdk/integ-runner/lib/runner/runner-base.ts index 18b8a3c6e9f64..6ebdce2eea40c 100644 --- a/packages/@aws-cdk/integ-runner/lib/runner/runner-base.ts +++ b/packages/@aws-cdk/integ-runner/lib/runner/runner-base.ts @@ -129,8 +129,6 @@ export abstract class IntegRunner { protected readonly profile?: string; - protected readonly cdkExecutable: string; - protected _destructiveChanges?: DestructiveChange[]; private legacyContext?: Record; @@ -153,9 +151,7 @@ export abstract class IntegRunner { this.sourceFilePath = path.join(this.directory, parsed.base); this.cdkContextPath = path.join(this.directory, 'cdk.context.json'); - this.cdkExecutable = require.resolve('aws-cdk/bin/cdk'); this.cdk = options.cdk ?? new CdkCliWrapper({ - cdkExecutable: this.cdkExecutable, directory: this.directory, env: { ...options.env, diff --git a/packages/@aws-cdk/integ-runner/package.json b/packages/@aws-cdk/integ-runner/package.json index 5f08391b5bf08..fdf44c3311b9a 100644 --- a/packages/@aws-cdk/integ-runner/package.json +++ b/packages/@aws-cdk/integ-runner/package.json @@ -2,7 +2,7 @@ "name": "@aws-cdk/integ-runner", "description": "CDK Integration Testing Tool", "version": "0.0.0", - "private": true, + "private": false, "main": "lib/index.js", "types": "lib/index.d.ts", "bin": { 
diff --git a/packages/cdk-cli-wrapper/lib/cdk-wrapper.ts b/packages/cdk-cli-wrapper/lib/cdk-wrapper.ts
index fd45c4ae0c07b..069673582f195 100644
--- a/packages/cdk-cli-wrapper/lib/cdk-wrapper.ts
+++ b/packages/cdk-cli-wrapper/lib/cdk-wrapper.ts
@@ -109,9 +109,9 @@ export class CdkCliWrapper implements ICdk {
 this.directory = options.directory;
 this.env = options.env;
 try {
- this.cdk = options.cdkExecutable ?? require.resolve('aws-cdk/bin/cdk');
+ this.cdk = options.cdkExecutable ?? 'cdk';
 } catch (e) {
- throw new Error(`could not resolve path to cdk executable: "${options.cdkExecutable}"`);
+ throw new Error(`could not resolve path to cdk executable: "${options.cdkExecutable ?? 'cdk'}"`);
 }
 }
diff --git a/packages/cdk-cli-wrapper/test/cdk-wrapper.test.ts b/packages/cdk-cli-wrapper/test/cdk-wrapper.test.ts
index c0d8f75195ea9..0a9d370426aae 100644
--- a/packages/cdk-cli-wrapper/test/cdk-wrapper.test.ts
+++ b/packages/cdk-cli-wrapper/test/cdk-wrapper.test.ts
@@ -32,7 +32,7 @@ test('default deploy', () => {
 // THEN
 expect(spawnSyncMock).toHaveBeenCalledWith(
- expect.stringMatching(/aws-cdk\/bin\/cdk/),
+ expect.stringMatching(/cdk/),
 ['deploy', '--app', 'node bin/my-app.js', 'test-stack1'],
 expect.objectContaining({
 env: expect.anything(),
@@ -86,7 +86,7 @@ test('deploy with all arguments', () => {
 // THEN
 expect(spawnSyncMock).toHaveBeenCalledWith(
- expect.stringMatching(/aws-cdk\/bin\/cdk/),
+ expect.stringMatching(/cdk/),
 expect.arrayContaining([
 'deploy',
 '--no-strict',
@@ -146,7 +146,7 @@ test('can parse boolean arguments', () => {
 // THEN
 expect(spawnSyncMock).toHaveBeenCalledWith(
- expect.stringMatching(/aws-cdk\/bin\/cdk/),
+ expect.stringMatching(/cdk/),
 [
 'deploy',
 '--app',
@@ -179,7 +179,7 @@ test('can parse parameters', () => {
 // THEN
 expect(spawnSyncMock).toHaveBeenCalledWith(
- expect.stringMatching(/aws-cdk\/bin\/cdk/),
+ expect.stringMatching(/cdk/),
 [
 'deploy',
 '--parameters', 'myparam=test',
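Review bot: After `this.cdk = options.cdkExecutable ?? 'cdk';` nothing inside the `try` can throw, so the `catch (e)` branch and its "could not resolve path to cdk executable" error in the cdk-wrapper.ts hunk are unreachable; a missing binary will presumably surface later from `spawnSync` instead of through this message, so either drop the try/catch or put a real availability check behind it. Defaulting to the bare name `cdk` also changes where the executable comes from: it is now looked up on the `PATH` of the environment the wrapper is started in at spawn time, rather than pinned to the installed `aws-cdk` module, so which `cdk` binary actually runs depends on that environment. That is worth a sentence in the doc comment of the `cdkExecutable` option (declared outside the hunk), e.g. `Defaults to 'cdk' resolved from PATH at spawn time; pass an absolute path to pin the binary.` The constructor begins before the hunk.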
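Review bot: `expect.stringMatching(/cdk/)` in the 'default deploy' test is satisfied by the old `aws-cdk/bin/cdk` path just as well as by the new default, so the assertion no longer distinguishes the behaviour the commit changes; the same replacement is made in the hunks at -86, -146, -179, -211, -243, -274, -300, -326, -354, -380 and -415 of cdk-wrapper.test.ts. Asserting the literal `'cdk'` (or `expect.stringMatching(/^cdk$/)`) pins the new default. Each test body starts before its hunk.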
@@ -211,7 +211,7 @@ test('can parse context', () => { // THEN expect(spawnSyncMock).toHaveBeenCalledWith( - expect.stringMatching(/aws-cdk\/bin\/cdk/), + expect.stringMatching(/cdk/), [ 'deploy', '--app', @@ -243,7 +243,7 @@ test('can parse array arguments', () => { // THEN expect(spawnSyncMock).toHaveBeenCalledWith( - expect.stringMatching(/aws-cdk\/bin\/cdk/), + expect.stringMatching(/cdk/), [ 'deploy', '--notification-arns', 'arn:aws:us-east-1:1111111111:some:resource', @@ -274,7 +274,7 @@ test('can provide additional environment', () => { // THEN expect(spawnSyncMock).toHaveBeenCalledWith( - expect.stringMatching(/aws-cdk\/bin\/cdk/), + expect.stringMatching(/cdk/), ['deploy', '--app', 'node bin/my-app.js', 'test-stack1'], expect.objectContaining({ env: expect.objectContaining({ @@ -300,7 +300,7 @@ test('default synth', () => { // THEN expect(spawnSyncMock).toHaveBeenCalledWith( - expect.stringMatching(/aws-cdk\/bin\/cdk/), + expect.stringMatching(/cdk/), ['synth', '--app', 'node bin/my-app.js', 'test-stack1'], expect.objectContaining({ env: expect.objectContaining({ @@ -326,7 +326,7 @@ test('synth arguments', () => { // THEN expect(spawnSyncMock).toHaveBeenCalledWith( - expect.stringMatching(/aws-cdk\/bin\/cdk/), + expect.stringMatching(/cdk/), ['destroy', '--app', 'node bin/my-app.js', 'test-stack1'], expect.objectContaining({ env: expect.objectContaining({ @@ -354,7 +354,7 @@ test('destroy arguments', () => { // THEN expect(spawnSyncMock).toHaveBeenCalledWith( - expect.stringMatching(/aws-cdk\/bin\/cdk/), + expect.stringMatching(/cdk/), ['destroy', '--force', '--no-exclusively', '--app', 'node bin/my-app.js', 'test-stack1'], expect.objectContaining({ env: expect.objectContaining({ @@ -380,7 +380,7 @@ test('default ls', () => { // THEN expect(spawnSyncMock).toHaveBeenCalledWith( - expect.stringMatching(/aws-cdk\/bin\/cdk/), + expect.stringMatching(/cdk/), ['ls', '--app', 'node bin/my-app.js', '*'], expect.objectContaining({ env: expect.objectContaining({ 
@@ -415,7 +415,7 @@ test('ls arguments', () => { // THEN expect(spawnSyncMock).toHaveBeenCalledWith( - expect.stringMatching(/aws-cdk\/bin\/cdk/), + expect.stringMatching(/cdk/), ['ls', '--long', '--app', 'node bin/my-app.js', '*'], expect.objectContaining({ env: expect.objectContaining({ From c274c2f983de2dfd20ed2886a3c50f7fd3f6b3f4 Mon Sep 17 00:00:00 2001 From: Cory Hall <43035978+corymhall@users.noreply.github.com> Date: Fri, 27 May 2022 09:32:37 -0400 Subject: [PATCH 08/13] fix(integ-runner): don't throw error if tests pass (#20511) If you run `integ-runner --update-on-failed` and the test succeeds, then the cli should not return an exit code. re #20384 ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/@aws-cdk/integ-runner/lib/cli.ts | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/packages/@aws-cdk/integ-runner/lib/cli.ts b/packages/@aws-cdk/integ-runner/lib/cli.ts index 1c7c7920375d5..6014d4997378a 100644 --- a/packages/@aws-cdk/integ-runner/lib/cli.ts +++ b/packages/@aws-cdk/integ-runner/lib/cli.ts 
@@ -49,9 +49,10 @@ async function main() {
 let failedSnapshots: IntegTestWorkerConfig[] = [];
 if (argv['max-workers'] < testRegions.length * (profiles ?? [1]).length) {
- logger.warning('You are attempting to run %s tests in parallel, but only have %s workers. Not all of your profiles+regions will be utilized', argv.profiles*argv['parallel-regions'], argv['max-workers']);
+ logger.warning('You are attempting to run %s tests in parallel, but only have %s workers. Not all of your profiles+regions will be utilized', argv.profiles * argv['parallel-regions'], argv['max-workers']);
 }
+ let testsSucceeded = false;
 try {
 if (argv.list) {
 const tests = await new IntegrationTests(argv.directory).fromCliArgs();
@@ -99,6 +100,8 @@ async function main() {
 verbose: argv.verbose,
 updateWorkflow: !argv['disable-update-workflow'],
 });
+ testsSucceeded = success;
+
 if (argv.clean === false) {
 logger.warning('Not cleaning up stacks since "--no-clean" was used');
@@ -125,7 +128,9 @@ async function main() {
 if (!runUpdateOnFailed) {
 message = 'To re-run failed tests run: yarn integ-runner --update-on-failed';
 }
- throw new Error(`Some snapshot tests failed!\n${message}`);
+ if (!testsSucceeded) {
+ throw new Error(`Some tests failed!\n${message}`);
+ }
 }
 }
From df419ba70a1ab5bca22baf104750dcc61e2cd4e7 Mon Sep 17 00:00:00 2001
From: Madeline Kusters
Date: Fri, 27 May 2022 07:32:04 -0700
Subject: [PATCH 09/13] chore: empty commit to trigger pr build
From 6f4aba805b93523958d5cb4c8db4c1c800f53806 Mon Sep 17 00:00:00 2001
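Review bot: The warning in the first hunk formats `argv.profiles * argv['parallel-regions']` while the guard on the line above sizes the run as `testRegions.length * (profiles ?? [1]).length`; if `argv.profiles` is the array that `profiles` is derived from (both are declared before the hunk), the multiplication coerces the array to a string and prints NaN for most inputs. Reusing the guard's expression as the first format argument, `testRegions.length * (profiles ?? [1]).length`, keeps the message and the condition consistent. In the last hunk the single text `Some tests failed!` now covers two different outcomes, snapshot mismatches that were never re-run because `--update-on-failed` was not given and re-run tests that genuinely failed; `testsSucceeded` is `false` in both, so a message that says which happened would save the user a guess. main's body extends well beyond these hunks.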
From: Stephen Blackstone Date: Fri, 27 May 2022 11:05:59 -0400 Subject: [PATCH 10/13] Fix error message when creating a NodeJS function (#20524) Error message gives the incorrect field depsFileLockPath Should be depsLockFilePath ---- ### All Submissions: * [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: None. * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features None. * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* Yep. --- packages/@aws-cdk/aws-lambda-nodejs/lib/function.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-lambda-nodejs/lib/function.ts b/packages/@aws-cdk/aws-lambda-nodejs/lib/function.ts index ee82e25ccca18..eea143f5713f9 100644 --- a/packages/@aws-cdk/aws-lambda-nodejs/lib/function.ts +++ b/packages/@aws-cdk/aws-lambda-nodejs/lib/function.ts @@ -147,7 +147,7 @@ function findLockFile(depsLockFilePath?: string): string { throw new Error('Cannot find a package lock file (`pnpm-lock.yaml`, `yarn.lock` or `package-lock.json`). Please specify it with `depsLockFilePath`.'); } if (lockFiles.length > 1) { - throw new Error(`Multiple package lock files found: ${lockFiles.join(', ')}. Please specify the desired one with \`depsFileLockPath\`.`); + throw new Error(`Multiple package lock files found: ${lockFiles.join(', ')}. Please specify the desired one with \`depsLockFilePath\`.`); } return lockFiles[0]; 
From b7bc10cc7a734fe3b4a9194dffbc017f2fe3ef43 Mon Sep 17 00:00:00 2001 From: Adam Brodziak Date: Fri, 27 May 2022 18:23:10 +0200 Subject: [PATCH 11/13] fix: Default username in RoleSessionName (#20188) If the user has no entry in `/etc/passwd`, the `os.userInfo()` call throws a `SystemError` exception, as documented: https://nodejs.org/docs/latest-v16.x/api/os.html#osuserinfooptions Fixes #19401 issue. It can be tested inside Docker for ad-hoc 1234 user ID: ```sh docker run -u 1234 -e CDK_HOME=/tmp npm run cdk diff ``` The `CDK_HOME=/tmp` is a workaround for #7937 issue, where CDK complains that it can't write cached info in the user homedir, because it does not exist. Once #7937 is fixed, #19401 will most likely hit users; until then the workaround above is a viable option. Hence the two issues are related, but not duplicates. ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) Yes, followed the guide. ### Adding new Unconventional Dependencies: * [x] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) No new dependencies. ### New Features * [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? * [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? No, it's a bugfix, not a feature. *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../aws-cdk/lib/api/aws-auth/sdk-provider.ts | 6 +++- .../aws-cdk/test/api/sdk-provider.test.ts | 28 +++++++++++++++++++ packages/cdk-assets/lib/aws.ts | 6 +++- 3 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts b/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts
index 39f7cd2f2a1b1..200f6548c6554 100644
--- a/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts
+++ b/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts
@@ -459,7 +459,11 @@ function readIfPossible(filename: string): string | undefined {
 * @see https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html#API_AssumeRole_RequestParameters
 */
 function safeUsername() {
- return os.userInfo().username.replace(/[^\w+=,.@-]/g, '@');
+ try {
+ return os.userInfo().username.replace(/[^\w+=,.@-]/g, '@');
+ } catch (e) {
+ return 'noname';
+ }
 }
 /**
diff --git a/packages/aws-cdk/test/api/sdk-provider.test.ts b/packages/aws-cdk/test/api/sdk-provider.test.ts
index c2e3d311af647..9c03a7be0beed 100644
--- a/packages/aws-cdk/test/api/sdk-provider.test.ts
+++ b/packages/aws-cdk/test/api/sdk-provider.test.ts
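Review bot: The new `catch (e)` in safeUsername swallows every error, not only the `SystemError` the commit message describes, and `e` is discarded, so any other failure is silently replaced by the constant `noname`; the identical pattern is repeated in the packages/cdk-assets/lib/aws.ts hunk of this commit. Since this value becomes the `RoleSessionName` (the new test expects `aws-cdk-noname`), a fixed fallback makes every such AssumeRole session indistinguishable in CloudTrail, which weakens exactly the attribution the `@see` link above the function points at. A fallback that still carries identity keeps the session name attributable, e.g. `return (process.env.USER ?? process.env.LOGNAME ?? 'noname').replace(/[^\w+=,.@-]/g, '@');` in the catch, plus a debug-level log of the swallowed error. The surrounding file continues outside the hunk.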
@@ -341,6 +341,34 @@ describe('with intercepted network calls', () => {
     });
   });
 
+  test('assuming a role does not fail when OS username cannot be read', async () => {
+    // GIVEN
+    prepareCreds({
+      fakeSts,
+      config: {
+        default: { aws_access_key_id: 'foo', $account: '11111' },
+      },
+    });
+
+    await withMocked(os, 'userInfo', async (userInfo) => {
+      userInfo.mockImplementation(() => {
+        // SystemError thrown as documented: https://nodejs.org/docs/latest-v16.x/api/os.html#osuserinfooptions
+        throw new Error('SystemError on Linux: uv_os_get_passwd returned ENOENT. See #19401 issue.');
+      });
+
+      // WHEN
+      const provider = await providerFromProfile(undefined);
+
+      const sdk = (await provider.forEnvironment(env(uniq('88888')), Mode.ForReading, { assumeRoleArn: 'arn:aws:role' })).sdk as SDK;
+      await sdk.currentAccount();
+
+      // THEN
+      expect(fakeSts.assumedRoles[0]).toEqual(expect.objectContaining({
+        roleSessionName: 'aws-cdk-noname',
+      }));
+    });
+  });
+
   test('even if current credentials are for the wrong account, we will still use them to AssumeRole', async () => {
     // GIVEN
     prepareCreds({
diff --git a/packages/cdk-assets/lib/aws.ts b/packages/cdk-assets/lib/aws.ts
index c35dedb38bbe2..4f79ead780227 100644
--- a/packages/cdk-assets/lib/aws.ts
+++ b/packages/cdk-assets/lib/aws.ts
@@ -150,6 +150,10 @@ export class DefaultAwsClient implements IAws {
  * @see https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html#API_AssumeRole_RequestParameters
  */
 function safeUsername() {
-  return os.userInfo().username.replace(/[^\w+=,.@-]/g, '@');
+  try {
+    return os.userInfo().username.replace(/[^\w+=,.@-]/g, '@');
+  } catch (e) {
+    return 'noname';
+  }
 }
 

From dacefd6c4770f06390f853fdf4703d8662beb3f5 Mon Sep 17 00:00:00 2001
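Review bot: The cdk-assets copy of safeUsername receives the same try/catch but, unlike the sdk-provider change, no test: the new test in this diff drives only packages/aws-cdk's provider, so a regression in packages/cdk-assets/lib/aws.ts would go unnoticed. A mirror of the `withMocked(os, 'userInfo', ...)` case asserting on the session name DefaultAwsClient uses when it assumes a role would close that gap. The fallback here is also silent; logging the caught error at debug level before `return 'noname';` would preserve some attribution in the CLI output when the session name degrades, since CloudTrail will only show the anonymous name.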
From: Joshua Weber <57131123+daschaa@users.noreply.github.com> Date: Fri, 27 May 2022 19:10:42 +0200 Subject: [PATCH 12/13] fix(ecs): canContainersAccessInstanceRole is ignored when passed in AsgCapacityProvider constructor (#20522) Fixes #20293 When adding an AsgCapacityProvider the property `canContainersAccessInstanceRole` is only checked when passed in via the method `addAsgCapacityProvider`. It is ignored when passing the property via the instantiation of an AsgCapacityProvider. In this PR I added, that if either one way (method or constructor) has got the property set - it is respected in the outcome. For more details please see the issue #20293 I decided **not** to omit the property on the class level because it would bring in breaking changes. ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? * [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/@aws-cdk/aws-ecs/lib/cluster.ts | 10 ++ .../@aws-cdk/aws-ecs/test/cluster.test.ts | 142 ++++++++++++++++++ 2 files changed, 152 insertions(+) diff --git a/packages/@aws-cdk/aws-ecs/lib/cluster.ts b/packages/@aws-cdk/aws-ecs/lib/cluster.ts index 8e48e2be59cec..188fa661944d3 100644 --- a/packages/@aws-cdk/aws-ecs/lib/cluster.ts +++ b/packages/@aws-cdk/aws-ecs/lib/cluster.ts 
@@ -370,6 +370,7 @@ export class Cluster extends Resource implements ICluster {
       machineImageType: provider.machineImageType,
       // Don't enable the instance-draining lifecycle hook if managed termination protection is enabled
       taskDrainTime: provider.enableManagedTerminationProtection ? Duration.seconds(0) : options.taskDrainTime,
+      canContainersAccessInstanceRole: options.canContainersAccessInstanceRole ?? provider.canContainersAccessInstanceRole,
     });
 
     this._capacityProviderNames.push(provider.capacityProviderName);
@@ -1109,6 +1110,13 @@ export class AsgCapacityProvider extends CoreConstruct {
    */
   readonly enableManagedTerminationProtection?: boolean;
 
+  /**
+   * Specifies whether the containers can access the container instance role.
+   *
+   * @default false
+   */
+  readonly canContainersAccessInstanceRole?: boolean;
+
   constructor(scope: Construct, id: string, props: AsgCapacityProviderProps) {
     super(scope, id);
 
@@ -1116,6 +1124,8 @@ export class AsgCapacityProvider extends CoreConstruct {
 
     this.machineImageType = props.machineImageType ?? MachineImageType.AMAZON_LINUX_2;
 
+    this.canContainersAccessInstanceRole = props.canContainersAccessInstanceRole;
+
     this.enableManagedTerminationProtection = props.enableManagedTerminationProtection === undefined ? true : props.enableManagedTerminationProtection;
diff --git a/packages/@aws-cdk/aws-ecs/test/cluster.test.ts b/packages/@aws-cdk/aws-ecs/test/cluster.test.ts
index d167c30989ded..45f9601728ef7 100644
--- a/packages/@aws-cdk/aws-ecs/test/cluster.test.ts
+++ b/packages/@aws-cdk/aws-ecs/test/cluster.test.ts
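Review bot: The doc comment added for `canContainersAccessInstanceRole` (`@default false`) describes neither what the constructor stores — `this.canContainersAccessInstanceRole = props.canContainersAccessInstanceRole` keeps `undefined`, and the false default is presumably applied later in addAutoScalingGroup, which is outside this hunk — nor the precedence the first hunk establishes, where an explicit value passed to addAsgCapacityProvider (including `false`) overrides the constructor value. That matters because this flag decides whether the instance user data blocks the metadata service for containers (`iptables ... --destination 169.254.169.254/32 --jump DROP` and `ECS_AWSVPC_BLOCK_IMDS=true`, per the tests in this PR), i.e. whether any container on the host can read the instance role's credentials. Suggested comment: `Whether containers may reach the EC2 instance metadata service and thereby use the container instance role's credentials. When false, the ASG's user data blocks IMDS for containers; prefer task roles. An explicit value given to addAsgCapacityProvider takes precedence over this one.` The PR description says the flag is honoured "if either" source sets it, but `??` makes the method argument win whenever it is defined — the tests pin that behaviour, so the description and the doc comment should state it rather than imply an `||`.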
@@ -2306,3 +2306,145 @@ test('throws when ASG Capacity Provider with capacityProviderName starting with cluster.addAsgCapacityProvider(capacityProviderAl2); }).toThrow(/Invalid Capacity Provider Name: ecscp, If a name is specified, it cannot start with aws, ecs, or fargate./); }); + +describe('Accessing container instance role', function () { + + const addUserDataMock = jest.fn(); + const autoScalingGroup: autoscaling.AutoScalingGroup = { + addUserData: addUserDataMock, + addToRolePolicy: jest.fn(), + protectNewInstancesFromScaleIn: jest.fn(), + } as unknown as autoscaling.AutoScalingGroup; + + afterEach(() => { + addUserDataMock.mockClear(); + }); + + test('block ecs from accessing metadata service when canContainersAccessInstanceRole not set', () => { + // GIVEN + const app = new cdk.App(); + const stack = new cdk.Stack(app, 'test'); + const cluster = new ecs.Cluster(stack, 'EcsCluster'); + + // WHEN + + const capacityProvider = new ecs.AsgCapacityProvider(stack, 'Provider', { + autoScalingGroup: autoScalingGroup, + }); + + cluster.addAsgCapacityProvider(capacityProvider); + + // THEN + expect(autoScalingGroup.addUserData).toHaveBeenCalledWith('sudo iptables --insert FORWARD 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP'); + expect(autoScalingGroup.addUserData).toHaveBeenCalledWith('sudo service iptables save'); + expect(autoScalingGroup.addUserData).toHaveBeenCalledWith('echo ECS_AWSVPC_BLOCK_IMDS=true >> /etc/ecs/ecs.config'); + }); + + test('allow ecs accessing metadata service when canContainersAccessInstanceRole is set on addAsgCapacityProvider', () => { + // GIVEN + const app = new cdk.App(); + const stack = new cdk.Stack(app, 'test'); + const cluster = new ecs.Cluster(stack, 'EcsCluster'); + + // WHEN + const capacityProvider = new ecs.AsgCapacityProvider(stack, 'Provider', { + autoScalingGroup: autoScalingGroup, + }); + + cluster.addAsgCapacityProvider(capacityProvider, { + canContainersAccessInstanceRole: true, + }); + + // THEN + 
expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('sudo iptables --insert FORWARD 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP'); + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('sudo service iptables save'); + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('echo ECS_AWSVPC_BLOCK_IMDS=true >> /etc/ecs/ecs.config'); + }); + + test('allow ecs accessing metadata service when canContainersAccessInstanceRole is set on AsgCapacityProvider instantiation', () => { + // GIVEN + const app = new cdk.App(); + const stack = new cdk.Stack(app, 'test'); + const cluster = new ecs.Cluster(stack, 'EcsCluster'); + + // WHEN + const capacityProvider = new ecs.AsgCapacityProvider(stack, 'Provider', { + autoScalingGroup: autoScalingGroup, + canContainersAccessInstanceRole: true, + }); + + cluster.addAsgCapacityProvider(capacityProvider); + + // THEN + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('sudo iptables --insert FORWARD 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP'); + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('sudo service iptables save'); + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('echo ECS_AWSVPC_BLOCK_IMDS=true >> /etc/ecs/ecs.config'); + }); + + test('allow ecs accessing metadata service when canContainersAccessInstanceRole is set on constructor and method', () => { + // GIVEN + const app = new cdk.App(); + const stack = new cdk.Stack(app, 'test'); + const cluster = new ecs.Cluster(stack, 'EcsCluster'); + + // WHEN + const capacityProvider = new ecs.AsgCapacityProvider(stack, 'Provider', { + autoScalingGroup: autoScalingGroup, + canContainersAccessInstanceRole: true, + }); + + cluster.addAsgCapacityProvider(capacityProvider, { + canContainersAccessInstanceRole: true, + }); + + // THEN + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('sudo iptables --insert FORWARD 1 --in-interface docker+ --destination 
169.254.169.254/32 --jump DROP'); + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('sudo service iptables save'); + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('echo ECS_AWSVPC_BLOCK_IMDS=true >> /etc/ecs/ecs.config'); + }); + + test('block ecs from accessing metadata service when canContainersAccessInstanceRole set on constructor and not set on method', () => { + // GIVEN + const app = new cdk.App(); + const stack = new cdk.Stack(app, 'test'); + const cluster = new ecs.Cluster(stack, 'EcsCluster'); + + // WHEN + const capacityProvider = new ecs.AsgCapacityProvider(stack, 'Provider', { + autoScalingGroup: autoScalingGroup, + canContainersAccessInstanceRole: true, + }); + + cluster.addAsgCapacityProvider(capacityProvider, { + canContainersAccessInstanceRole: false, + }); + + // THEN + expect(autoScalingGroup.addUserData).toHaveBeenCalledWith('sudo iptables --insert FORWARD 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP'); + expect(autoScalingGroup.addUserData).toHaveBeenCalledWith('sudo service iptables save'); + expect(autoScalingGroup.addUserData).toHaveBeenCalledWith('echo ECS_AWSVPC_BLOCK_IMDS=true >> /etc/ecs/ecs.config'); + }); + + test('allow ecs accessing metadata service when canContainersAccessInstanceRole is not set on constructor and set on method', () => { + // GIVEN + const app = new cdk.App(); + const stack = new cdk.Stack(app, 'test'); + const cluster = new ecs.Cluster(stack, 'EcsCluster'); + + // WHEN + const capacityProvider = new ecs.AsgCapacityProvider(stack, 'Provider', { + autoScalingGroup: autoScalingGroup, + canContainersAccessInstanceRole: false, + }); + + cluster.addAsgCapacityProvider(capacityProvider, { + canContainersAccessInstanceRole: true, + }); + + // THEN + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('sudo iptables --insert FORWARD 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP'); + 
expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('sudo service iptables save'); + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('echo ECS_AWSVPC_BLOCK_IMDS=true >> /etc/ecs/ecs.config'); + }); +}); + From f4439ceda079dd762ec30c6f4a893d6bcd7ed100 Mon Sep 17 00:00:00 2001 From: dafujii <41186511+dafujii@users.noreply.github.com> Date: Sat, 28 May 2022 10:26:48 +0900 Subject: [PATCH 13/13] fix(ecs): fix typo from fromServiceAtrributes to fromServiceAttributes (#20456) Fixed: #20458 I found `fromServiceAtrributes`. I fixed to `fromServiceAttributes` ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../@aws-cdk/aws-ecs/lib/base/from-service-attributes.ts | 2 +- packages/@aws-cdk/aws-ecs/lib/ec2/ec2-service.ts | 6 +++--- packages/@aws-cdk/aws-ecs/lib/external/external-service.ts | 6 +++--- packages/@aws-cdk/aws-ecs/lib/fargate/fargate-service.ts | 6 +++--- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/packages/@aws-cdk/aws-ecs/lib/base/from-service-attributes.ts b/packages/@aws-cdk/aws-ecs/lib/base/from-service-attributes.ts index 8dfc272300d41..7a9cbc0d28563 100644 --- a/packages/@aws-cdk/aws-ecs/lib/base/from-service-attributes.ts +++ b/packages/@aws-cdk/aws-ecs/lib/base/from-service-attributes.ts 
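Review bot: These six tests assert only that a hand-built mock (`as unknown as autoscaling.AutoScalingGroup`) received three exact strings, repeated verbatim in every test, so they say nothing about what ends up in the synthesized launch configuration and would keep passing if the IMDS block were emitted any other way. Hoist the strings into one `const IMDS_BLOCK_USER_DATA = [...]` and a helper such as `function expectImdsBlocked(expected: boolean) { for (const line of IMDS_BLOCK_USER_DATA) { (expected ? expect(addUserDataMock) : expect(addUserDataMock).not).toHaveBeenCalledWith(line); } }` so each case reads as one line of intent. One additional case with a real AutoScalingGroup and a Template assertion on its UserData would pin the security-relevant outcome end to end, if the file already uses the assertions module.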
@@ -27,7 +27,7 @@ export interface ServiceAttributes {
   readonly serviceName?: string;
 }
 
-export function fromServiceAtrributes(scope: Construct, id: string, attrs: ServiceAttributes): IBaseService {
+export function fromServiceAttributes(scope: Construct, id: string, attrs: ServiceAttributes): IBaseService {
   if ((attrs.serviceArn && attrs.serviceName) || (!attrs.serviceArn && !attrs.serviceName)) {
     throw new Error('You can only specify either serviceArn or serviceName.');
   }
diff --git a/packages/@aws-cdk/aws-ecs/lib/ec2/ec2-service.ts b/packages/@aws-cdk/aws-ecs/lib/ec2/ec2-service.ts
index eca66a4db6ff3..c24a1780c8b48 100644
--- a/packages/@aws-cdk/aws-ecs/lib/ec2/ec2-service.ts
+++ b/packages/@aws-cdk/aws-ecs/lib/ec2/ec2-service.ts
@@ -2,7 +2,7 @@ import * as ec2 from '@aws-cdk/aws-ec2';
 import { ArnFormat, Lazy, Resource, Stack } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { BaseService, BaseServiceOptions, DeploymentControllerType, IBaseService, IService, LaunchType } from '../base/base-service';
-import { fromServiceAtrributes } from '../base/from-service-attributes';
+import { fromServiceAttributes } from '../base/from-service-attributes';
 import { NetworkMode, TaskDefinition } from '../base/task-definition';
 import { ICluster } from '../cluster';
 import { CfnService } from '../ecs.generated';
@@ -134,10 +134,10 @@ export class Ec2Service extends BaseService implements IEc2Service {
   }
 
   /**
-   * Imports from the specified service attrributes.
+   * Imports from the specified service attributes.
    */
   public static fromEc2ServiceAttributes(scope: Construct, id: string, attrs: Ec2ServiceAttributes): IBaseService {
-    return fromServiceAtrributes(scope, id, attrs);
+    return fromServiceAttributes(scope, id, attrs);
   }
 
   private readonly constraints: CfnService.PlacementConstraintProperty[];
diff --git a/packages/@aws-cdk/aws-ecs/lib/external/external-service.ts b/packages/@aws-cdk/aws-ecs/lib/external/external-service.ts
index 9bb1eaf0b8cef..ba3bb291d422b 100644
--- a/packages/@aws-cdk/aws-ecs/lib/external/external-service.ts
+++ b/packages/@aws-cdk/aws-ecs/lib/external/external-service.ts
@@ -5,7 +5,7 @@ import * as cloudmap from '@aws-cdk/aws-servicediscovery';
 import { ArnFormat, Resource, Stack } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { AssociateCloudMapServiceOptions, BaseService, BaseServiceOptions, CloudMapOptions, DeploymentControllerType, EcsTarget, IBaseService, IEcsLoadBalancerTarget, IService, LaunchType, PropagatedTagSource } from '../base/base-service';
-import { fromServiceAtrributes } from '../base/from-service-attributes';
+import { fromServiceAttributes } from '../base/from-service-attributes';
 import { ScalableTaskCount } from '../base/scalable-task-count';
 import { Compatibility, LoadBalancerTargetOptions, TaskDefinition } from '../base/task-definition';
 import { ICluster } from '../cluster';
@@ -79,10 +79,10 @@ export class ExternalService extends BaseService implements IExternalService {
   }
 
   /**
-   * Imports from the specified service attrributes.
+   * Imports from the specified service attributes.
    */
   public static fromExternalServiceAttributes(scope: Construct, id: string, attrs: ExternalServiceAttributes): IBaseService {
-    return fromServiceAtrributes(scope, id, attrs);
+    return fromServiceAttributes(scope, id, attrs);
   }
 
   /**
diff --git a/packages/@aws-cdk/aws-ecs/lib/fargate/fargate-service.ts b/packages/@aws-cdk/aws-ecs/lib/fargate/fargate-service.ts
index b654c87887dda..a1ae858d0be61 100644
--- a/packages/@aws-cdk/aws-ecs/lib/fargate/fargate-service.ts
+++ b/packages/@aws-cdk/aws-ecs/lib/fargate/fargate-service.ts
@@ -3,7 +3,7 @@ import * as cdk from '@aws-cdk/core';
 import { ArnFormat } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { BaseService, BaseServiceOptions, DeploymentControllerType, IBaseService, IService, LaunchType } from '../base/base-service';
-import { fromServiceAtrributes } from '../base/from-service-attributes';
+import { fromServiceAttributes } from '../base/from-service-attributes';
 import { TaskDefinition } from '../base/task-definition';
 import { ICluster } from '../cluster';
 
@@ -111,10 +111,10 @@ export class FargateService extends BaseService implements IFargateService {
   }
 
   /**
-   * Imports from the specified service attrributes.
+   * Imports from the specified service attributes.
    */
   public static fromFargateServiceAttributes(scope: Construct, id: string, attrs: FargateServiceAttributes): IBaseService {
-    return fromServiceAtrributes(scope, id, attrs);
+    return fromServiceAttributes(scope, id, attrs);
   }
 
   /**