Merge branch 'master' into expires

Author: mergify[bot]

package.json

@@ -69,6 +69,18 @@
       "@aws-cdk/core/minimatch/**",
       "@aws-cdk/cx-api/semver",
       "@aws-cdk/cx-api/semver/**",
+      "aws-cdk-lib/case",
+      "aws-cdk-lib/case/**",
+      "aws-cdk-lib/fs-extra",
+      "aws-cdk-lib/fs-extra/**",
+      "aws-cdk-lib/jsonschema",
+      "aws-cdk-lib/jsonschema/**",
+      "aws-cdk-lib/minimatch",
+      "aws-cdk-lib/minimatch/**",
+      "aws-cdk-lib/semver",
+      "aws-cdk-lib/semver/**",
+      "aws-cdk-lib/yaml",
+      "aws-cdk-lib/yaml/**",
       "monocdk-experiment/case",
       "monocdk-experiment/case/**",
       "monocdk-experiment/fs-extra",

packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts

@@ -6,7 +6,7 @@ import * as iam from '@aws-cdk/aws-iam';
 import * as sns from '@aws-cdk/aws-sns';
 
 import {
-  CfnAutoScalingRollingUpdate, Construct, Duration, Fn, IResource, Lazy, PhysicalName, Resource, Stack,
+  Annotations, CfnAutoScalingRollingUpdate, Construct, Duration, Fn, IResource, Lazy, PhysicalName, Resource, Stack,
   Tokenization, withResolved, Tags,
 } from '@aws-cdk/core';
 import { CfnAutoScalingGroup, CfnAutoScalingGroupProps, CfnLaunchConfiguration } from './autoscaling.generated';
@@ -659,7 +659,7 @@ export class AutoScalingGroup extends AutoScalingGroupBase implements
     });
 
     if (desiredCapacity !== undefined) {
-      this.node.addWarning('desiredCapacity has been configured. Be aware this will reset the size of your AutoScalingGroup on every deployment. See https://github.com/aws/aws-cdk/issues/5215');
+      Annotations.of(this).addWarning('desiredCapacity has been configured. Be aware this will reset the size of your AutoScalingGroup on every deployment. See https://github.com/aws/aws-cdk/issues/5215');
     }
 
     this.maxInstanceLifetime = props.maxInstanceLifetime;
@@ -1259,7 +1259,7 @@ function synthesizeBlockDeviceMappings(construct: Construct, blockDevices: Block
           throw new Error('iops property is required with volumeType: EbsDeviceVolumeType.IO1');
         }
       } else if (volumeType !== EbsDeviceVolumeType.IO1) {
-        construct.node.addWarning('iops will be ignored without volumeType: EbsDeviceVolumeType.IO1');
+        Annotations.of(construct).addWarning('iops will be ignored without volumeType: EbsDeviceVolumeType.IO1');
       }
     }
 

packages/@aws-cdk/aws-cognito/test/integ.user-pool-domain-cfdist.expected.json

@@ -78,7 +78,10 @@
         "InstallLatestAwsSdk": true
       },
       "UpdateReplacePolicy": "Delete",
-      "DeletionPolicy": "Delete"
+      "DeletionPolicy": "Delete",
+      "DependsOn": [
+        "UserPoolDomainCloudFrontDomainNameCustomResourcePolicy7DE54188"
+      ]
     },
     "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2": {
       "Type": "AWS::IAM::Role",
@@ -111,25 +114,21 @@
         ]
       }
     },
-    "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleDefaultPolicyD28E1A5E": {
+    "UserPoolDomainCloudFrontDomainNameCustomResourcePolicy7DE54188": {
       "Type": "AWS::IAM::Policy",
       "Properties": {
         "PolicyDocument": {
           "Statement": [
             {
-              "Action": "cognito-idp:DescribeUserPoolDomain",
-              "Effect": "Allow",
+              "Action":"cognito-idp:DescribeUserPoolDomain",
+              "Effect":"Allow",
               "Resource": "*"
             }
           ],
           "Version": "2012-10-17"
         },
-        "PolicyName": "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleDefaultPolicyD28E1A5E",
-        "Roles": [
-          {
-            "Ref": "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2"
-          }
-        ]
+        "PolicyName": "UserPoolDomainCloudFrontDomainNameCustomResourcePolicy7DE54188",
+        "Roles": [{"Ref":"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2"}]
       }
     },
     "AWS679f53fac002430cb0da5b7982bd22872D164C4C": {
@@ -184,7 +183,6 @@
         "Timeout": 120
       },
       "DependsOn": [
-        "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleDefaultPolicyD28E1A5E",
         "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2"
       ]
     }

packages/@aws-cdk/aws-dynamodb-global/lib/aws-dynamodb-global.ts

@@ -40,7 +40,7 @@ export class GlobalTable extends cdk.Construct {
   constructor(scope: cdk.Construct, id: string, props: GlobalTableProps) {
     super(scope, id);
 
-    this.node.addWarning('The @aws-cdk/aws-dynamodb-global module has been deprecated in favor of @aws-cdk/aws-dynamodb.Table.replicationRegions');
+    cdk.Annotations.of(this).addWarning('The @aws-cdk/aws-dynamodb-global module has been deprecated in favor of @aws-cdk/aws-dynamodb.Table.replicationRegions');
 
     this._regionalTables = [];
 

packages/@aws-cdk/aws-ec2/lib/cfn-init-elements.ts

@@ -432,6 +432,7 @@ export abstract class InitFile extends InitElement {
             source: asset.httpUrl,
           }),
           authentication: standardS3Auth(bindOptions.instanceRole, asset.s3BucketName),
+          assetHash: asset.assetHash,
         };
       }
     }(targetFileName, options);
@@ -449,6 +450,7 @@ export abstract class InitFile extends InitElement {
             source: asset.httpUrl,
           }),
           authentication: standardS3Auth(bindOptions.instanceRole, asset.s3BucketName),
+          assetHash: asset.assetHash,
         };
       }
     }(targetFileName, options);
@@ -899,6 +901,7 @@ export abstract class InitSource extends InitElement {
         return {
           config: { [this.targetDirectory]: asset.httpUrl },
           authentication: standardS3Auth(bindOptions.instanceRole, asset.s3BucketName),
+          assetHash: asset.assetHash,
         };
       }
     }(targetDirectory, options.serviceRestartHandles);
@@ -915,6 +918,7 @@ export abstract class InitSource extends InitElement {
         return {
           config: { [this.targetDirectory]: asset.httpUrl },
           authentication: standardS3Auth(bindOptions.instanceRole, asset.s3BucketName),
+          assetHash: asset.assetHash,
         };
       }
     }(targetDirectory, options.serviceRestartHandles);

packages/@aws-cdk/aws-ec2/lib/cfn-init.ts

@@ -97,7 +97,12 @@ export class CloudFormationInit {
     // Note: This will not reflect mutations made after attaching.
     const bindResult = this.bind(attachedResource.stack, attachOptions);
     attachedResource.addMetadata('AWS::CloudFormation::Init', bindResult.configData);
-    const fingerprint = contentHash(JSON.stringify(bindResult.configData)).substr(0, 16);
+
+    // Need to resolve the various tokens from assets in the config,
+    // as well as include any asset hashes provided so the fingerprint is accurate.
+    const resolvedConfig = attachedResource.stack.resolve(bindResult.configData);
+    const fingerprintInput = { config: resolvedConfig, assetHash: bindResult.assetHash };
+    const fingerprint = contentHash(JSON.stringify(fingerprintInput)).substr(0, 16);
 
     attachOptions.instanceRole.addToPolicy(new iam.PolicyStatement({
       actions: ['cloudformation:DescribeStackResource', 'cloudformation:SignalResource'],
@@ -140,7 +145,7 @@ export class CloudFormationInit {
     }
   }
 
-  private bind(scope: Construct, options: AttachInitOptions): { configData: any, authData: any } {
+  private bind(scope: Construct, options: AttachInitOptions): { configData: any, authData: any, assetHash?: any } {
     const nonEmptyConfigs = mapValues(this._configs, c => c.isEmpty() ? undefined : c);
 
     const configNameToBindResult = mapValues(nonEmptyConfigs, c => c._bind(scope, options));
@@ -151,6 +156,7 @@ export class CloudFormationInit {
         ...mapValues(configNameToBindResult, c => c.config),
       },
       authData: Object.values(configNameToBindResult).map(c => c.authentication).reduce(deepMerge, undefined),
+      assetHash: combineAssetHashesOrUndefined(Object.values(configNameToBindResult).map(c => c.assetHash)),
     };
   }
 
@@ -201,9 +207,9 @@ export class InitConfig {
     // Must be last!
     const servicesConfig = this.bindForType(InitElementType.SERVICE, bindOptions);
 
-    const authentication = [packageConfig, groupsConfig, usersConfig, sourcesConfig, filesConfig, commandsConfig, servicesConfig]
-      .map(c => c?.authentication)
-      .reduce(deepMerge, undefined);
+    const allConfig = [packageConfig, groupsConfig, usersConfig, sourcesConfig, filesConfig, commandsConfig, servicesConfig];
+    const authentication = allConfig.map(c => c?.authentication).reduce(deepMerge, undefined);
+    const assetHash = combineAssetHashesOrUndefined(allConfig.map(c => c?.assetHash));
 
     return {
       config: {
@@ -216,6 +222,7 @@ export class InitConfig {
         services: servicesConfig?.config,
       },
       authentication,
+      assetHash,
     };
   }
 
@@ -228,6 +235,7 @@ export class InitConfig {
     return {
       config: bindResults.map(r => r.config).reduce(deepMerge, undefined) ?? {},
       authentication: bindResults.map(r => r.authentication).reduce(deepMerge, undefined),
+      assetHash: combineAssetHashesOrUndefined(bindResults.map(r => r.assetHash)),
     };
   }
 
@@ -310,6 +318,12 @@ function mapValues<A, B>(xs: Record<string, A>, fn: (x: A) => B | undefined): Re
   return ret;
 }
 
+// Combines all input asset hashes into one, or if no hashes are present, returns undefined.
+function combineAssetHashesOrUndefined(hashes: (string | undefined)[]): string | undefined {
+  const hashArray = hashes.filter((x): x is string => x !== undefined);
+  return hashArray.length > 0 ? hashArray.join('') : undefined;
+}
+
 function contentHash(content: string) {
   return crypto.createHash('sha256').update(content).digest('hex');
 }

packages/@aws-cdk/aws-ec2/lib/instance.ts

@@ -1,7 +1,7 @@
 import * as crypto from 'crypto';
 import * as iam from '@aws-cdk/aws-iam';
 
-import { Construct, Duration, Fn, IResource, Lazy, Resource, Stack, Tags } from '@aws-cdk/core';
+import { Annotations, Construct, Duration, Fn, IResource, Lazy, Resource, Stack, Tags } from '@aws-cdk/core';
 import { CloudFormationInit } from './cfn-init';
 import { Connections, IConnectable } from './connections';
 import { CfnInstance } from './ec2.generated';
@@ -333,13 +333,13 @@ export class Instance extends Resource implements IInstance {
       if (selected.length === 1) {
         subnet = selected[0];
       } else {
-        this.node.addError(`Need exactly 1 subnet to match AZ '${props.availabilityZone}', found ${selected.length}. Use a different availabilityZone.`);
+        Annotations.of(this).addError(`Need exactly 1 subnet to match AZ '${props.availabilityZone}', found ${selected.length}. Use a different availabilityZone.`);
       }
     } else {
       if (subnets.length > 0) {
         subnet = subnets[0];
       } else {
-        this.node.addError(`Did not find any subnets matching '${JSON.stringify(props.vpcSubnets)}', please use a different selection.`);
+        Annotations.of(this).addError(`Did not find any subnets matching '${JSON.stringify(props.vpcSubnets)}', please use a different selection.`);
       }
     }
     if (!subnet) {

packages/@aws-cdk/aws-ec2/lib/private/cfn-init-internal.ts

@@ -72,6 +72,13 @@ export interface InitElementConfig {
    * @default - No authentication associated with the config
    */
   readonly authentication?: Record<string, any>;
+
+  /**
+   * Optional string representing a hash of the asset associated with this element (if any).
+   *
+   * @default - No hash is provided
+   */
+  readonly assetHash?: string;
 }
 
 /**

packages/@aws-cdk/aws-ec2/lib/security-group.ts

@@ -1,4 +1,4 @@
-import { Construct, IResource, Lazy, Resource, ResourceProps, Stack, Token } from '@aws-cdk/core';
+import { Annotations, Construct, IResource, Lazy, Resource, ResourceProps, Stack, Token } from '@aws-cdk/core';
 import { Connections } from './connections';
 import { CfnSecurityGroup, CfnSecurityGroupEgress, CfnSecurityGroupIngress } from './ec2.generated';
 import { IPeer } from './peer';
@@ -404,7 +404,7 @@ export class SecurityGroup extends SecurityGroupBase {
       // In the case of "allowAllOutbound", we don't add any more rules. There
       // is only one rule which allows all traffic and that subsumes any other
       // rule.
-      this.node.addWarning('Ignoring Egress rule since \'allowAllOutbound\' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup');
+      Annotations.of(this).addWarning('Ignoring Egress rule since \'allowAllOutbound\' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup');
       return;
     } else {
       // Otherwise, if the bogus rule exists we can now remove it because the

packages/@aws-cdk/aws-ec2/lib/volume.ts

@@ -2,7 +2,7 @@ import * as crypto from 'crypto';
 
 import { AccountRootPrincipal, Grant, IGrantable } from '@aws-cdk/aws-iam';
 import { IKey, ViaServicePrincipal } from '@aws-cdk/aws-kms';
-import { Construct, IResource, Resource, Size, SizeRoundingBehavior, Stack, Token, Tags } from '@aws-cdk/core';
+import { Annotations, Construct, IResource, Resource, Size, SizeRoundingBehavior, Stack, Token, Tags } from '@aws-cdk/core';
 import { CfnInstance, CfnVolume } from './ec2.generated';
 import { IInstance } from './instance';
 
@@ -176,7 +176,7 @@ export function synthesizeBlockDeviceMappings(construct: Construct, blockDevices
           throw new Error('iops property is required with volumeType: EbsDeviceVolumeType.IO1');
         }
       } else if (volumeType !== EbsDeviceVolumeType.IO1) {
-        construct.node.addWarning('iops will be ignored without volumeType: EbsDeviceVolumeType.IO1');
+        Annotations.of(construct).addWarning('iops will be ignored without volumeType: EbsDeviceVolumeType.IO1');
       }
     }
 

packages/@aws-cdk/aws-ec2/lib/vpc.ts

@@ -1,6 +1,6 @@
 import * as cxschema from '@aws-cdk/cloud-assembly-schema';
 import {
-  ConcreteDependable, Construct, ContextProvider, DependableTrait, IConstruct,
+  Annotations, ConcreteDependable, Construct, ContextProvider, DependableTrait, IConstruct,
   IDependable, IResource, Lazy, Resource, Stack, Token, Tags,
 } from '@aws-cdk/core';
 import * as cxapi from '@aws-cdk/cx-api';
@@ -380,7 +380,7 @@ abstract class VpcBase extends Resource implements IVpc {
     const routeTableIds = allRouteTableIds(flatten(vpnRoutePropagation.map(s => this.selectSubnets(s).subnets)));
 
     if (routeTableIds.length === 0) {
-      this.node.addError(`enableVpnGateway: no subnets matching selection: '${JSON.stringify(vpnRoutePropagation)}'. Select other subnets to add routes to.`);
+      Annotations.of(this).addError(`enableVpnGateway: no subnets matching selection: '${JSON.stringify(vpnRoutePropagation)}'. Select other subnets to add routes to.`);
     }
 
     const routePropagation = new CfnVPNGatewayRoutePropagation(this, 'RoutePropagation', {
@@ -1899,7 +1899,7 @@ class ImportedSubnet extends Resource implements ISubnet, IPublicSubnet, IPrivat
         ? `at '${scope.node.path}/${id}'`
         : `'${attrs.subnetId}'`;
       // eslint-disable-next-line max-len
-      scope.node.addWarning(`No routeTableId was provided to the subnet ${ref}. Attempting to read its .routeTable.routeTableId will return null/undefined. (More info: https://github.com/aws/aws-cdk/pull/3171)`);
+      Annotations.of(this).addWarning(`No routeTableId was provided to the subnet ${ref}. Attempting to read its .routeTable.routeTableId will return null/undefined. (More info: https://github.com/aws/aws-cdk/pull/3171)`);
     }
 
     this._availabilityZone = attrs.availabilityZone;