Merge branch 'master' into s3-object-size-less-than

aws · May 31, 2022 · 0f2631f · 0f2631f
2 parents 3b54c4c + 27fdaf1
commit 0f2631f
Show file tree

Hide file tree

Showing 69 changed files with 2,042 additions and 383 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,28 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [1.158.0](https://github.com/aws/aws-cdk/compare/v1.157.0...v1.158.0) (2022-05-27)
+
+
+### Features
+
+* **apprunner:** VpcConnector construct ([#20471](https://github.com/aws/aws-cdk/issues/20471)) ([5052191](https://github.com/aws/aws-cdk/commit/50521911f22f433323d700db77530e883762138a))
+* **aws-ecr-assets:** support the --platform option when building docker images ([#20439](https://github.com/aws/aws-cdk/issues/20439)) ([adc0368](https://github.com/aws/aws-cdk/commit/adc0368dc1f137aeaa4bd92de77028269e3a48f4)), closes [#12472](https://github.com/aws/aws-cdk/issues/12472) [#16770](https://github.com/aws/aws-cdk/issues/16770) [#16858](https://github.com/aws/aws-cdk/issues/16858)
+* **lambda:** validate function description length ([#20476](https://github.com/aws/aws-cdk/issues/20476)) ([de027e2](https://github.com/aws/aws-cdk/commit/de027e28ce5c95e70fed8874e6531eabba24521c)), closes [#20475](https://github.com/aws/aws-cdk/issues/20475)
+* **s3:** adds objectSizeGreaterThan property for s3 lifecycle rule ([#20425](https://github.com/aws/aws-cdk/issues/20425)) ([23690e4](https://github.com/aws/aws-cdk/commit/23690e40b1604839f99da8b8f96168dda8679c47)), closes [#20372](https://github.com/aws/aws-cdk/issues/20372)
+* **servicecatalog:** ProductStackHistory can retain old ProductStack iterations ([#20244](https://github.com/aws/aws-cdk/issues/20244)) ([1037b8c](https://github.com/aws/aws-cdk/commit/1037b8c7f58ccd162491b49d75954c38d685d67f))
+
+
+### Bug Fixes
+
+* **core:** NestedStack defaultChild is undefined ([#20450](https://github.com/aws/aws-cdk/issues/20450)) ([0a49927](https://github.com/aws/aws-cdk/commit/0a49927e9e5bc250f339f664fa843fae2fab92ec)), closes [#11221](https://github.com/aws/aws-cdk/issues/11221)
+* **iam:** Role policies cannot grow beyond 10k ([#20400](https://github.com/aws/aws-cdk/issues/20400)) ([75bfce7](https://github.com/aws/aws-cdk/commit/75bfce70dbc57fe688c96b3c5cbb67fc4e6fcc56)), closes [#19276](https://github.com/aws/aws-cdk/issues/19276) [#19939](https://github.com/aws/aws-cdk/issues/19939) [#19835](https://github.com/aws/aws-cdk/issues/19835)
+* **integ-runner:** always resynth on deploy ([#20508](https://github.com/aws/aws-cdk/issues/20508)) ([7138057](https://github.com/aws/aws-cdk/commit/71380571b878a50fe4b754c7dac78da075a98242))
+* **integ-tests:** DeployAssert should be private ([#20466](https://github.com/aws/aws-cdk/issues/20466)) ([0f52813](https://github.com/aws/aws-cdk/commit/0f52813bcf6a48c352f697004a899461dd06935d))
+* **lambda:** Fix typo in public subnet warning ([#20470](https://github.com/aws/aws-cdk/issues/20470)) ([85f4e29](https://github.com/aws/aws-cdk/commit/85f4e29e0551d71dd5f2f588584785cbc1ae7b72))
+* **pipelines:** too many CodeBuild steps inflate policy size ([#20396](https://github.com/aws/aws-cdk/issues/20396)) ([f334060](https://github.com/aws/aws-cdk/commit/f334060fca02e928bc4f5fdcfd45244060731d78)), closes [#20189](https://github.com/aws/aws-cdk/issues/20189) [#19276](https://github.com/aws/aws-cdk/issues/19276) [#19939](https://github.com/aws/aws-cdk/issues/19939) [#19835](https://github.com/aws/aws-cdk/issues/19835)
+* **s3-deployment:** default role does not get `PutAcl` permissions on… ([#20492](https://github.com/aws/aws-cdk/issues/20492)) ([3e6ec5c](https://github.com/aws/aws-cdk/commit/3e6ec5c48cff41cec2b32566990046fd704f4ec1))
+
 ## [1.157.0](https://github.com/aws/aws-cdk/compare/v1.156.1...v1.157.0) (2022-05-20)
 
 

diff --git a/README.md b/README.md
@@ -25,7 +25,6 @@ The CDK is available in the following languages:
 * Java ([Java ≥ 8](https://www.oracle.com/technetwork/java/javase/downloads/index.html) and [Maven ≥ 3.5.4](https://maven.apache.org/download.cgi))
 * .NET ([.NET Core ≥ 3.1](https://dotnet.microsoft.com/download))
 * Go ([Go ≥ 1.16.4](https://golang.org/))
-  - Go is currently in developer preview and is not recommended for production use.
 
 \
 Jump To:

diff --git a/packages/@aws-cdk/aws-cognito/README.md b/packages/@aws-cdk/aws-cognito/README.md
@@ -503,6 +503,7 @@ The following third-party identity providers are currently supported in the CDK
 - [Facebook Login](https://developers.facebook.com/docs/facebook-login/)
 - [Google Login](https://developers.google.com/identity/sign-in/web/sign-in)
 - [Sign In With Apple](https://developer.apple.com/sign-in-with-apple/get-started/)
+- [OpenID Connect](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-oidc-idp.html)
 
 The following code configures a user pool to federate with the third party provider, 'Login with Amazon'. The identity
 provider needs to be configured with a set of credentials that the Cognito backend can use to federate with the

diff --git a/packages/@aws-cdk/aws-cognito/lib/user-pool-idps/index.ts b/packages/@aws-cdk/aws-cognito/lib/user-pool-idps/index.ts
@@ -2,4 +2,5 @@ export * from './base';
 export * from './apple';
 export * from './amazon';
 export * from './facebook';
-export * from './google';
+export * from './google';
+export * from './oidc';
diff --git a/packages/@aws-cdk/aws-cognito/lib/user-pool-idps/oidc.ts b/packages/@aws-cdk/aws-cognito/lib/user-pool-idps/oidc.ts
@@ -0,0 +1,157 @@
+import { Names, Token } from '@aws-cdk/core';
+import { Construct } from 'constructs';
+import { CfnUserPoolIdentityProvider } from '../cognito.generated';
+import { UserPoolIdentityProviderProps } from './base';
+import { UserPoolIdentityProviderBase } from './private/user-pool-idp-base';
+
+/**
+ * Properties to initialize UserPoolIdentityProviderOidc
+ */
+export interface UserPoolIdentityProviderOidcProps extends UserPoolIdentityProviderProps {
+  /**
+   * The client id
+   */
+  readonly clientId: string;
+
+  /**
+   * The client secret
+   */
+  readonly clientSecret: string;
+
+  /**
+   * Issuer URL
+   */
+  readonly issuerUrl: string;
+
+  /**
+   * The name of the provider
+   *
+   * @default - the unique ID of the construct
+   */
+  readonly name?: string;
+
+  /**
+   * The OAuth 2.0 scopes that you will request from OpenID Connect. Scopes are
+   * groups of OpenID Connect user attributes to exchange with your app.
+   *
+   * @default ['openid']
+   */
+  readonly scopes?: string[];
+
+  /**
+   * Identifiers
+   *
+   * Identifiers can be used to redirect users to the correct IdP in multitenant apps.
+   *
+   * @default - no identifiers used
+   */
+  readonly identifiers?: string[]
+
+  /**
+   * The method to use to request attributes
+   *
+   * @default OidcAttributeRequestMethod.GET
+   */
+  readonly attributeRequestMethod?: OidcAttributeRequestMethod
+
+  /**
+   * OpenID connect endpoints
+   *
+   * @default - auto discovered with issuer URL
+   */
+  readonly endpoints?: OidcEndpoints;
+}
+
+/**
+ * OpenID Connect endpoints
+ */
+export interface OidcEndpoints {
+  /**
+   * Authorization endpoint
+   */
+  readonly authorization: string;
+
+  /**
+    * Token endpoint
+    */
+  readonly token: string;
+
+  /**
+    * UserInfo endpoint
+    */
+  readonly userInfo: string;
+
+  /**
+    * Jwks_uri endpoint
+   */
+  readonly jwksUri: string;
+}
+
+/**
+ * The method to use to request attributes
+ */
+export enum OidcAttributeRequestMethod {
+  /** GET */
+  GET = 'GET',
+  /** POST */
+  POST = 'POST'
+}
+
+/**
+ * Represents a identity provider that integrates with OpenID Connect
+ * @resource AWS::Cognito::UserPoolIdentityProvider
+ */
+export class UserPoolIdentityProviderOidc extends UserPoolIdentityProviderBase {
+  public readonly providerName: string;
+
+  constructor(scope: Construct, id: string, props: UserPoolIdentityProviderOidcProps) {
+    super(scope, id, props);
+
+    if (props.name && !Token.isUnresolved(props.name) && (props.name.length < 3 || props.name.length > 32)) {
+      throw new Error(`Expected provider name to be between 3 and 32 characters, received ${props.name} (${props.name.length} characters)`);
+    }
+
+    const scopes = props.scopes ?? ['openid'];
+
+    const resource = new CfnUserPoolIdentityProvider(this, 'Resource', {
+      userPoolId: props.userPool.userPoolId,
+      providerName: this.getProviderName(props.name),
+      providerType: 'OIDC',
+      providerDetails: {
+        client_id: props.clientId,
+        client_secret: props.clientSecret,
+        authorize_scopes: scopes.join(' '),
+        attributes_request_method: props.attributeRequestMethod ?? OidcAttributeRequestMethod.GET,
+        oidc_issuer: props.issuerUrl,
+        authorize_url: props.endpoints?.authorization,
+        token_url: props.endpoints?.token,
+        attributes_url: props.endpoints?.userInfo,
+        jwks_uri: props.endpoints?.jwksUri,
+      },
+      idpIdentifiers: props.identifiers,
+      attributeMapping: super.configureAttributeMapping(),
+    });
+
+    this.providerName = super.getResourceNameAttribute(resource.ref);
+  }
+
+  private getProviderName(name?: string): string {
+    if (name) {
+      if (!Token.isUnresolved(name) && (name.length < 3 || name.length > 32)) {
+        throw new Error(`Expected provider name to be between 3 and 32 characters, received ${name} (${name.length} characters)`);
+      }
+      return name;
+    }
+
+    const uniqueId = Names.uniqueId(this);
+
+    if (uniqueId.length < 3) {
+      return `${uniqueId}oidc`;
+    }
+
+    if (uniqueId.length > 32) {
+      return uniqueId.substring(0, 16) + uniqueId.substring(uniqueId.length - 16);
+    }
+    return uniqueId;
+  }
+}
diff --git a/packages/@aws-cdk/aws-cognito/package.json b/packages/@aws-cdk/aws-cognito/package.json
@@ -122,7 +122,8 @@
       "props-physical-name:@aws-cdk/aws-cognito.UserPoolIdentityProviderFacebookProps",
       "props-physical-name:@aws-cdk/aws-cognito.UserPoolIdentityProviderAmazonProps",
       "props-physical-name:@aws-cdk/aws-cognito.UserPoolIdentityProviderGoogleProps",
-      "props-physical-name:@aws-cdk/aws-cognito.UserPoolIdentityProviderAppleProps"
+      "props-physical-name:@aws-cdk/aws-cognito.UserPoolIdentityProviderAppleProps",
+      "props-physical-name:@aws-cdk/aws-cognito.UserPoolIdentityProviderOidcProps"
     ]
   },
   "stability": "stable",

diff --git a/packages/@aws-cdk/aws-cognito/test/integ.user-pool-idp.oidc.ts b/packages/@aws-cdk/aws-cognito/test/integ.user-pool-idp.oidc.ts
@@ -0,0 +1,45 @@
+import { App, CfnOutput, RemovalPolicy, Stack } from '@aws-cdk/core';
+import { ProviderAttribute, UserPool, UserPoolIdentityProviderOidc } from '../lib';
+
+/*
+ * Stack verification steps
+ * * Visit the URL provided by stack output 'SignInLink' in a browser, and verify the 'cdk' sign in link shows up.
+ */
+const app = new App();
+const stack = new Stack(app, 'integ-user-pool-idp-google');
+
+const userpool = new UserPool(stack, 'pool', {
+  removalPolicy: RemovalPolicy.DESTROY,
+});
+
+new UserPoolIdentityProviderOidc(stack, 'cdk', {
+  userPool: userpool,
+  name: 'cdk',
+  clientId: 'client-id',
+  clientSecret: 'client-secret',
+  issuerUrl: 'https://www.issuer-url.com',
+  endpoints: {
+    authorization: 'https://www.issuer-url.com/authorize',
+    token: 'https://www.issuer-url.com/token',
+    userInfo: 'https://www.issuer-url.com/userinfo',
+    jwksUri: 'https://www.issuer-url.com/jwks',
+  },
+  scopes: ['openid', 'phone'],
+  attributeMapping: {
+    phoneNumber: ProviderAttribute.other('phone_number'),
+  },
+});
+
+const client = userpool.addClient('client');
+
+const domain = userpool.addDomain('domain', {
+  cognitoDomain: {
+    domainPrefix: 'cdk-test-pool',
+  },
+});
+
+new CfnOutput(stack, 'SignInLink', {
+  value: domain.signInUrl(client, {
+    redirectUri: 'https://example.com',
+  }),
+});
diff --git a/packages/@aws-cdk/aws-cognito/test/user-pool-idp.oidc.integ.snapshot/cdk.out b/packages/@aws-cdk/aws-cognito/test/user-pool-idp.oidc.integ.snapshot/cdk.out
@@ -0,0 +1 @@
+{"version":"18.0.0"}
diff --git a/...s-cognito/test/user-pool-idp.oidc.integ.snapshot/integ-user-pool-idp-google.template.json b/...s-cognito/test/user-pool-idp.oidc.integ.snapshot/integ-user-pool-idp-google.template.json
@@ -0,0 +1,121 @@
+{
+ "Resources": {
+  "pool056F3F7E": {
+   "Type": "AWS::Cognito::UserPool",
+   "Properties": {
+    "AccountRecoverySetting": {
+     "RecoveryMechanisms": [
+      {
+       "Name": "verified_phone_number",
+       "Priority": 1
+      },
+      {
+       "Name": "verified_email",
+       "Priority": 2
+      }
+     ]
+    },
+    "AdminCreateUserConfig": {
+     "AllowAdminCreateUserOnly": true
+    },
+    "EmailVerificationMessage": "The verification code to your new account is {####}",
+    "EmailVerificationSubject": "Verify your new account",
+    "SmsVerificationMessage": "The verification code to your new account is {####}",
+    "VerificationMessageTemplate": {
+     "DefaultEmailOption": "CONFIRM_WITH_CODE",
+     "EmailMessage": "The verification code to your new account is {####}",
+     "EmailSubject": "Verify your new account",
+     "SmsMessage": "The verification code to your new account is {####}"
+    }
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  },
+  "poolclient2623294C": {
+   "Type": "AWS::Cognito::UserPoolClient",
+   "Properties": {
+    "UserPoolId": {
+     "Ref": "pool056F3F7E"
+    },
+    "AllowedOAuthFlows": [
+     "implicit",
+     "code"
+    ],
+    "AllowedOAuthFlowsUserPoolClient": true,
+    "AllowedOAuthScopes": [
+     "profile",
+     "phone",
+     "email",
+     "openid",
+     "aws.cognito.signin.user.admin"
+    ],
+    "CallbackURLs": [
+     "https://example.com"
+    ],
+    "SupportedIdentityProviders": [
+     {
+      "Ref": "cdk52888317"
+     },
+     "COGNITO"
+    ]
+   }
+  },
+  "pooldomain430FA744": {
+   "Type": "AWS::Cognito::UserPoolDomain",
+   "Properties": {
+    "Domain": "cdk-test-pool",
+    "UserPoolId": {
+     "Ref": "pool056F3F7E"
+    }
+   }
+  },
+  "cdk52888317": {
+   "Type": "AWS::Cognito::UserPoolIdentityProvider",
+   "Properties": {
+    "ProviderName": "cdk",
+    "ProviderType": "OIDC",
+    "UserPoolId": {
+     "Ref": "pool056F3F7E"
+    },
+    "AttributeMapping": {
+     "phone_number": "phone_number"
+    },
+    "ProviderDetails": {
+     "client_id": "client-id",
+     "client_secret": "client-secret",
+     "authorize_scopes": "openid phone",
+     "attributes_request_method": "GET",
+     "oidc_issuer": "https://www.issuer-url.com",
+     "authorize_url": "https://www.issuer-url.com/authorize",
+     "token_url": "https://www.issuer-url.com/token",
+     "attributes_url": "https://www.issuer-url.com/userinfo",
+     "jwks_uri": "https://www.issuer-url.com/jwks"
+    }
+   }
+  }
+ },
+ "Outputs": {
+  "SignInLink": {
+   "Value": {
+    "Fn::Join": [
+     "",
+     [
+      "https://",
+      {
+       "Ref": "pooldomain430FA744"
+      },
+      ".auth.",
+      {
+       "Ref": "AWS::Region"
+      },
+      ".amazoncognito.com/login?client_id=",
+      {
+       "Ref": "poolclient2623294C"
+      },
+      "&response_type=code&redirect_uri=https://example.com"
+     ]
+    ]
+   }
+  }
+ }
+}