Merge branch 'master' into query

Author: mergify[bot]

CHANGELOG.md

@@ -2,6 +2,13 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [1.61.1](https://github.com/aws/aws-cdk/compare/v1.61.0...v1.61.1) (2020-08-28)
+
+
+### Bug Fixes
+
+* **cli:** unable to upgrade new style bootstrap to version ([#10030](https://github.com/aws/aws-cdk/issues/10030)) ([8d3e422](https://github.com/aws/aws-cdk/commit/8d3e422809c29da926bae878276619a59ae82ecb)), closes [#10016](https://github.com/aws/aws-cdk/issues/10016)
+
 ## [1.61.0](https://github.com/aws/aws-cdk/compare/v1.60.0...v1.61.0) (2020-08-27)
 
 
@@ -39,7 +46,7 @@ All notable changes to this project will be documented in this file. See [standa
 ### ⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES
 
 * **cloudfront:** Distribution: `.domains` must be specified if `certificate` is provided.
-* **appsync:** **appsync.addXxxDataSource** `name` and `description` props are now optional and in an `DataSourceOptions` interface. 
+* **appsync:** **appsync.addXxxDataSource** `name` and `description` props are now optional and in an `DataSourceOptions` interface.
 - **appsync**:  the props `name` and `description` in `addXxxDataSource` have been moved into new props `options`  of type `DataSourceOptions`
 - **appsync**: `DataSourceOptions.name` defaults to id
 - **appsync**: `DataSourceOptions.description` defaults to undefined

lerna.json

@@ -10,5 +10,5 @@
     "tools/*"
   ],
   "rejectCycles": "true",
-  "version": "1.61.0"
+  "version": "1.61.1"
 }

packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts

@@ -533,7 +533,7 @@ export class GraphQLApi extends GraphqlApiBase {
       userPoolId: config.userPool.userPoolId,
       awsRegion: config.userPool.stack.region,
       appIdClientRegex: config.appIdClientRegex,
-      defaultAction: config.defaultAction,
+      defaultAction: config.defaultAction || UserPoolDefaultAction.ALLOW,
     };
   }
 

packages/@aws-cdk/aws-appsync/test/appsync-auth.test.ts

@@ -250,6 +250,7 @@ describe('AppSync User Pool Authorization', () => {
       AuthenticationType: 'AMAZON_COGNITO_USER_POOLS',
       UserPoolConfig: {
         AwsRegion: { Ref: 'AWS::Region' },
+        DefaultAction: 'ALLOW',
         UserPoolId: { Ref: 'pool056F3F7E' },
       },
     });
@@ -371,6 +372,7 @@ describe('AppSync User Pool Authorization', () => {
       AuthenticationType: 'AMAZON_COGNITO_USER_POOLS',
       UserPoolConfig: {
         AwsRegion: { Ref: 'AWS::Region' },
+        DefaultAction: 'ALLOW',
         UserPoolId: { Ref: 'pool056F3F7E' },
       },
       AdditionalAuthenticationProviders: [

packages/@aws-cdk/aws-appsync/test/integ.graphql.ts

@@ -9,7 +9,6 @@ import {
   MappingTemplate,
   PrimaryKey,
   Schema,
-  UserPoolDefaultAction,
   Values,
 } from '../lib';
 
@@ -42,7 +41,6 @@ const api = new GraphQLApi(stack, 'Api', {
       authorizationType: AuthorizationType.USER_POOL,
       userPoolConfig: {
         userPool,
-        defaultAction: UserPoolDefaultAction.ALLOW,
       },
     },
     additionalAuthorizationModes: [

packages/@aws-cdk/aws-cloudfront/README.md

@@ -82,7 +82,7 @@ new cloudfront.Distribution(this, 'myDist', {
 });
 ```
 
-## From an HTTP endpoint
+#### From an HTTP endpoint
 
 Origins can also be created from any other HTTP endpoint, given the domain name, and optionally, other origin properties.
 
@@ -207,6 +207,7 @@ new cloudfront.Distribution(this, 'myDist', {
         {
           functionVersion: myFunc.currentVersion,
           eventType: cloudfront.LambdaEdgeEventType.ORIGIN_REQUEST,
+          includeBody: true, // Optional - defaults to false
         },
       ],
     },
@@ -246,6 +247,18 @@ new cloudfront.Distribution(this, 'myDist', {
 });
 ```
 
+### Importing Distributions
+
+Existing distributions can be imported as well; note that like most imported constructs, an imported distribution cannot be modified.
+However, it can be used as a reference for other higher-level constructs.
+
+```ts
+const distribution = cloudfront.Distribution.fromDistributionAttributes(scope, 'ImportedDist', {
+  domainName: 'd111111abcdef8.cloudfront.net',
+  distributionId: '012345ABCDEF',
+});
+```
+
 ## CloudFrontWebDistribution API - Stable
 
 ![cdk-constructs: Stable](https://img.shields.io/badge/cdk--constructs-stable-success.svg?style=for-the-badge)
@@ -305,7 +318,7 @@ Example:
 
 [create a distrubution with an iam certificate example](test/example.iam-cert-alias.lit.ts)
 
-#### Restrictions
+### Restrictions
 
 CloudFront supports adding restrictions to your distribution.
 

packages/@aws-cdk/aws-cloudfront/lib/distribution.ts

@@ -621,6 +621,15 @@ export interface EdgeLambda {
 
   /** The type of event in response to which should the function be invoked. */
   readonly eventType: LambdaEdgeEventType;
+
+  /**
+   * Allows a Lambda function to have read access to the body content.
+   * Only valid for "request" event types (`ORIGIN_REQUEST` or `VIEWER_REQUEST`).
+   * See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-include-body-access.html
+   *
+   * @default false
+   */
+  readonly includeBody?: boolean;
 }
 
 /**

packages/@aws-cdk/aws-cloudfront/lib/private/cache-behavior.ts

@@ -1,5 +1,6 @@
+import * as iam from '@aws-cdk/aws-iam';
 import { CfnDistribution } from '../cloudfront.generated';
-import { AddBehaviorOptions, ViewerProtocolPolicy } from '../distribution';
+import { AddBehaviorOptions, EdgeLambda, LambdaEdgeEventType, ViewerProtocolPolicy } from '../distribution';
 
 /**
  * Properties for specifying custom behaviors for origins.
@@ -24,6 +25,9 @@ export class CacheBehavior {
 
   constructor(originId: string, private readonly props: CacheBehaviorProps) {
     this.originId = originId;
+
+    this.validateEdgeLambdas(props.edgeLambdas);
+    this.grantEdgeLambdaFunctionExecutionRole(props.edgeLambdas);
   }
 
   /**
@@ -51,8 +55,29 @@ export class CacheBehavior {
         ? this.props.edgeLambdas.map(edgeLambda => ({
           lambdaFunctionArn: edgeLambda.functionVersion.edgeArn,
           eventType: edgeLambda.eventType.toString(),
+          includeBody: edgeLambda.includeBody,
         }))
         : undefined,
     };
   }
+
+  private validateEdgeLambdas(edgeLambdas?: EdgeLambda[]) {
+    const includeBodyEventTypes = [LambdaEdgeEventType.ORIGIN_REQUEST, LambdaEdgeEventType.VIEWER_REQUEST];
+    if (edgeLambdas && edgeLambdas.some(lambda => lambda.includeBody && !includeBodyEventTypes.includes(lambda.eventType))) {
+      throw new Error('\'includeBody\' can only be true for ORIGIN_REQUEST or VIEWER_REQUEST event types.');
+    }
+  }
+
+  private grantEdgeLambdaFunctionExecutionRole(edgeLambdas?: EdgeLambda[]) {
+    if (!edgeLambdas || edgeLambdas.length === 0) { return; }
+    edgeLambdas.forEach((edgeLambda) => {
+      const role = edgeLambda.functionVersion.role;
+      if (role && role instanceof iam.Role && role.assumeRolePolicy) {
+        role.assumeRolePolicy.addStatements(new iam.PolicyStatement({
+          actions: ['sts:AssumeRole'],
+          principals: [new iam.ServicePrincipal('edgelambda.amazonaws.com')],
+        }));
+      }
+    });
+  }
 }

packages/@aws-cdk/aws-cloudfront/lib/web_distribution.ts

@@ -424,6 +424,15 @@ export interface LambdaFunctionAssociation {
    * A version of the lambda to associate
    */
   readonly lambdaFunction: lambda.IVersion;
+
+  /**
+   * Allows a Lambda function to have read access to the body content.
+   * Only valid for "request" event types (`ORIGIN_REQUEST` or `VIEWER_REQUEST`).
+   * See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-include-body-access.html
+   *
+   * @default false
+   */
+  readonly includeBody?: boolean;
 }
 
 export interface ViewerCertificateOptions {
@@ -628,6 +637,27 @@ interface BehaviorWithOrigin extends Behavior {
   readonly targetOriginId: string;
 }
 
+/**
+ * Attributes used to import a Distribution.
+ *
+ * @experimental
+ */
+export interface CloudFrontWebDistributionAttributes {
+  /**
+   * The generated domain name of the Distribution, such as d111111abcdef8.cloudfront.net.
+   *
+   * @attribute
+   */
+  readonly domainName: string;
+
+  /**
+   * The distribution ID for this distribution.
+   *
+   * @attribute
+   */
+  readonly distributionId: string;
+}
+
 /**
  * Amazon CloudFront is a global content delivery network (CDN) service that securely delivers data, videos,
  * applications, and APIs to your viewers with low latency and high transfer speeds.
@@ -659,6 +689,25 @@ interface BehaviorWithOrigin extends Behavior {
  * @resource AWS::CloudFront::Distribution
  */
 export class CloudFrontWebDistribution extends cdk.Resource implements IDistribution {
+
+  /**
+   * Creates a construct that represents an external (imported) distribution.
+   */
+  public static fromDistributionAttributes(scope: cdk.Construct, id: string, attrs: CloudFrontWebDistributionAttributes): IDistribution {
+    return new class extends cdk.Resource implements IDistribution {
+      public readonly domainName: string;
+      public readonly distributionDomainName: string;
+      public readonly distributionId: string;
+
+      constructor() {
+        super(scope, id);
+        this.domainName = attrs.domainName;
+        this.distributionDomainName = attrs.domainName;
+        this.distributionId = attrs.distributionId;
+      }
+    }();
+  }
+
   /**
    * The logging bucket for this CloudFront distribution.
    * If logging is not enabled for this distribution - this property will be undefined.
@@ -892,11 +941,17 @@ export class CloudFrontWebDistribution extends cdk.Resource implements IDistribu
       toReturn = Object.assign(toReturn, { pathPattern: input.pathPattern });
     }
     if (input.lambdaFunctionAssociations) {
+      const includeBodyEventTypes = [LambdaEdgeEventType.ORIGIN_REQUEST, LambdaEdgeEventType.VIEWER_REQUEST];
+      if (input.lambdaFunctionAssociations.some(fna => fna.includeBody && !includeBodyEventTypes.includes(fna.eventType))) {
+        throw new Error('\'includeBody\' can only be true for ORIGIN_REQUEST or VIEWER_REQUEST event types.');
+      }
+
       toReturn = Object.assign(toReturn, {
         lambdaFunctionAssociations: input.lambdaFunctionAssociations
           .map(fna => ({
             eventType: fna.eventType,
             lambdaFunctionArn: fna.lambdaFunction && fna.lambdaFunction.edgeArn,
+            includeBody: fna.includeBody,
           })),
       });
 

packages/@aws-cdk/aws-cloudfront/test/distribution.test.ts

@@ -468,6 +468,7 @@ describe('with Lambda@Edge functions', () => {
           {
             functionVersion: lambdaFunction.currentVersion,
             eventType: LambdaEdgeEventType.ORIGIN_REQUEST,
+            includeBody: true,
           },
         ],
       },
@@ -479,6 +480,7 @@ describe('with Lambda@Edge functions', () => {
           LambdaFunctionAssociations: [
             {
               EventType: 'origin-request',
+              IncludeBody: true,
               LambdaFunctionARN: {
                 Ref: 'FunctionCurrentVersion4E2B2261477a5ae8059bbaa7813f752292c0f65e',
               },
@@ -489,6 +491,42 @@ describe('with Lambda@Edge functions', () => {
     });
   });
 
+  test('edgelambda.amazonaws.com is added to the trust policy of lambda', () => {
+    new Distribution(stack, 'MyDist', {
+      defaultBehavior: {
+        origin,
+        edgeLambdas: [
+          {
+            functionVersion: lambdaFunction.currentVersion,
+            eventType: LambdaEdgeEventType.ORIGIN_REQUEST,
+          },
+        ],
+      },
+    });
+
+    expect(stack).toHaveResource('AWS::IAM::Role', {
+      AssumeRolePolicyDocument: {
+        Statement: [
+          {
+            Action: 'sts:AssumeRole',
+            Effect: 'Allow',
+            Principal: {
+              Service: 'lambda.amazonaws.com',
+            },
+          },
+          {
+            Action: 'sts:AssumeRole',
+            Effect: 'Allow',
+            Principal: {
+              Service: 'edgelambda.amazonaws.com',
+            },
+          },
+        ],
+        Version: '2012-10-17',
+      },
+    });
+  });
+
   test('can add an edge lambdas to additional behaviors', () => {
     new Distribution(stack, 'MyDist', {
       defaultBehavior: { origin },