Merge branch 'master' into fix-17463

Author: yuth

.mergify.yml

@@ -10,7 +10,7 @@ pull_request_rules:
       label:
         add: [ contribution/core ]
     conditions:
-      - author~=^(eladb|RomainMuller|garnaat|nija-at|skinny85|rix0rrr|NGL321|Jerry-AWS|MrArnoldPalmer|NetaNir|iliapolo|njlynch|ericzbeard|ccfife|fulghum|pkandasamy91|SoManyHs|uttarasridhar|otaviomacedo|BenChaimberg|madeline-k|BryanPan342|kaizen3031593|comcalvi|Chriscbr|corymhall|peterwoodworth|ryparker)$
+      - author~=^(eladb|RomainMuller|garnaat|nija-at|skinny85|rix0rrr|NGL321|Jerry-AWS|MrArnoldPalmer|NetaNir|iliapolo|njlynch|ericzbeard|ccfife|fulghum|pkandasamy91|SoManyHs|uttarasridhar|otaviomacedo|BenChaimberg|madeline-k|BryanPan342|kaizen3031593|comcalvi|Chriscbr|corymhall|peterwoodworth|ryparker|TheRealAmazonKendra)$
       - -label~="contribution/core"
   - name: automatic merge
     actions:

packages/@aws-cdk/aws-eks/README.md

@@ -1144,6 +1144,24 @@ cluster.addHelmChart('test-chart', {
 });
 ```
 
+### OCI Charts
+
+OCI charts are also supported.
+Also replace the `${VARS}` with appropriate values.
+
+```ts
+declare const cluster: eks.Cluster;
+// option 1: use a construct
+new eks.HelmChart(this, 'MyOCIChart', {
+  cluster,
+  chart: 'some-chart',
+  repository: 'oci://${ACCOUNT_ID}.dkr.ecr.${ACCOUNT_REGION}.amazonaws.com/${REPO_NAME}',
+  namespace: 'oci',
+  version: '0.0.1'
+});
+
+```
+
 Helm charts are implemented as CloudFormation resources in CDK.
 This means that if the chart is deleted from your code (or the stack is
 deleted), the next `cdk deploy` will issue a `helm uninstall` command and the

packages/@aws-cdk/aws-eks/lib/kubectl-handler/helm/__init__.py

@@ -1,8 +1,10 @@
 import json
 import logging
 import os
+import re
 import subprocess
 import shutil
+import tempfile
 import zipfile
 from urllib.parse import urlparse, unquote
 
@@ -78,13 +80,71 @@ def helm_handler(event, context):
             # future work: support versions from s3 assets
             chart = get_chart_asset_from_url(chart_asset_url)
 
+        if repository.startswith('oci://'):
+            assert(repository is not None)
+            tmpdir = tempfile.TemporaryDirectory()
+            chart_dir = get_chart_from_oci(tmpdir.name, release, repository, version)
+            chart = chart_dir
+
         helm('upgrade', release, chart, repository, values_file, namespace, version, wait, timeout, create_namespace)
     elif request_type == "Delete":
         try:
             helm('uninstall', release, namespace=namespace, timeout=timeout)
         except Exception as e:
             logger.info("delete error: %s" % e)
 
+
+def get_oci_cmd(repository, version):
+
+    cmnd = []
+    pattern = '\d+.dkr.ecr.[a-z]+-[a-z]+-\d.amazonaws.com'
+
+    registry = repository.rsplit('/', 1)[0].replace('oci://', '')
+
+    if re.fullmatch(pattern, registry) is not None:
+        region = registry.replace('.amazonaws.com', '').split('.')[-1]
+        cmnd = [
+            f"aws ecr get-login-password --region {region} | " \
+            f"helm registry login --username AWS --password-stdin {registry}; helm pull {repository} --version {version} --untar"
+            ]
+    else:
+        logger.info("Non AWS OCI repository found")
+        cmnd = ['HELM_EXPERIMENTAL_OCI=1', 'helm', 'pull', repository, '--version', version, '--untar']
+
+    return cmnd
+
+
+def get_chart_from_oci(tmpdir, release, repository = None, version = None):
+
+    cmnd = get_oci_cmd(repository, version)
+
+    maxAttempts = 3
+    retry = maxAttempts
+    while retry > 0:
+        try:
+            logger.info(cmnd)
+            env = get_env_with_oci_flag()
+            output = subprocess.check_output(cmnd, stderr=subprocess.STDOUT, cwd=tmpdir, env=env, shell=True)
+            logger.info(output)
+
+            return os.path.join(tmpdir, release)
+        except subprocess.CalledProcessError as exc:
+            output = exc.output
+            if b'Broken pipe' in output:
+                retry = retry - 1
+                logger.info("Broken pipe, retries left: %s" % retry)
+            else:
+                raise Exception(output)
+    raise Exception(f'Operation failed after {maxAttempts} attempts: {output}')
+
+
+def get_env_with_oci_flag():
+    env = os.environ.copy()
+    env['HELM_EXPERIMENTAL_OCI'] = '1'
+
+    return env
+
+
 def helm(verb, release, chart = None, repo = None, file = None, namespace = None, version = None, wait = False, timeout = None, create_namespace = None):
     import subprocess
 
@@ -113,7 +173,8 @@ def helm(verb, release, chart = None, repo = None, file = None, namespace = None
     retry = maxAttempts
     while retry > 0:
         try:
-            output = subprocess.check_output(cmnd, stderr=subprocess.STDOUT, cwd=outdir)
+            env = get_env_with_oci_flag()
+            output = subprocess.check_output(cmnd, stderr=subprocess.STDOUT, cwd=outdir, env=env)
             logger.info(output)
             return
         except subprocess.CalledProcessError as exc:

packages/@aws-cdk/aws-eks/lib/kubectl-provider.ts

@@ -168,6 +168,11 @@ export class KubectlProvider extends NestedStack implements IKubectlProvider {
       resources: [cluster.clusterArn],
     }));
 
+    // For OCI helm chart authorization.
+    this.handlerRole.addManagedPolicy(
+      iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonEC2ContainerRegistryReadOnly'),
+    );
+
     // allow this handler to assume the kubectl role
     cluster.kubectlRole.grant(this.handlerRole, 'sts:AssumeRole');
 

packages/@aws-cdk/aws-eks/test/cluster.test.ts

@@ -2107,7 +2107,41 @@ describe('cluster', () => {
         ],
       });
 
-
+      Template.fromStack(providerStack).hasResourceProperties('AWS::IAM::Role', {
+        AssumeRolePolicyDocument: {
+          Statement: [
+            {
+              Action: 'sts:AssumeRole',
+              Effect: 'Allow',
+              Principal: { Service: 'lambda.amazonaws.com' },
+            },
+          ],
+          Version: '2012-10-17',
+        },
+        ManagedPolicyArns: [
+          {
+            'Fn::Join': ['', [
+              'arn:',
+              { Ref: 'AWS::Partition' },
+              ':iam::aws:policy/service-role/AWSLambdaBasicExecutionRole',
+            ]],
+          },
+          {
+            'Fn::Join': ['', [
+              'arn:',
+              { Ref: 'AWS::Partition' },
+              ':iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole',
+            ]],
+          },
+          {
+            'Fn::Join': ['', [
+              'arn:',
+              { Ref: 'AWS::Partition' },
+              ':iam::aws:policy/AmazonEC2ContainerRegistryReadOnly',
+            ]],
+          },
+        ],
+      });
     });
 
     test('coreDnsComputeType will patch the coreDNS configuration to use a "fargate" compute type and restore to "ec2" upon removal', () => {
@@ -2274,8 +2308,42 @@ describe('cluster', () => {
         },
       });
 
+      Template.fromStack(providerStack).hasResourceProperties('AWS::IAM::Role', {
+        AssumeRolePolicyDocument: {
+          Statement: [
+            {
+              Action: 'sts:AssumeRole',
+              Effect: 'Allow',
+              Principal: { Service: 'lambda.amazonaws.com' },
+            },
+          ],
+          Version: '2012-10-17',
+        },
+        ManagedPolicyArns: [
+          {
+            'Fn::Join': ['', [
+              'arn:',
+              { Ref: 'AWS::Partition' },
+              ':iam::aws:policy/service-role/AWSLambdaBasicExecutionRole',
+            ]],
+          },
+          {
+            'Fn::Join': ['', [
+              'arn:',
+              { Ref: 'AWS::Partition' },
+              ':iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole',
+            ]],
+          },
+          {
+            'Fn::Join': ['', [
+              'arn:',
+              { Ref: 'AWS::Partition' },
+              ':iam::aws:policy/AmazonEC2ContainerRegistryReadOnly',
+            ]],
+          },
+        ],
+      });
     });
-
   });
 
   test('kubectl provider passes security group to provider', () => {

packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json

@@ -11527,7 +11527,7 @@
       "description": "Specifies a VPC flow log that captures IP traffic for a specified network interface, subnet, or VPC. To view the log data, use Amazon CloudWatch Logs (CloudWatch Logs) to help troubleshoot connection issues. For example, you can use a flow log to investigate why certain traffic isn't reaching an instance, which can help you diagnose overly restrictive security group rules. For more information, see [VPC Flow Logs](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html) in the *Amazon VPC User Guide* .",
       "properties": {
         "DeliverLogsPermissionArn": "The ARN for the IAM role that permits Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account.\n\nIf you specify `LogDestinationType` as `s3` , do not specify `DeliverLogsPermissionArn` or `LogGroupName` .",
-        "DestinationOptions": "The destination options.",
+        "DestinationOptions": "The destination options. The following options are supported:\n\n- `FileFormat` - The format for the flow log ( `plain-text` | `parquet` ). The default is `plain-text` .\n- `HiveCompatiblePartitions` - Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3 ( `true` | `false` ). The default is `false` .\n- `PerHourPartition` - Indicates whether to partition the flow log per hour ( `true` | `false` ). The default is `false` .",
         "LogDestination": "The destination to which the flow log data is to be published. Flow log data can be published to a CloudWatch Logs log group or an Amazon S3 bucket. The value specified for this parameter depends on the value specified for `LogDestinationType` .\n\nIf `LogDestinationType` is not specified or `cloud-watch-logs` , specify the Amazon Resource Name (ARN) of the CloudWatch Logs log group. For example, to publish to a log group called `my-logs` , specify `arn:aws:logs:us-east-1:123456789012:log-group:my-logs` . Alternatively, use `LogGroupName` instead.\n\nIf LogDestinationType is `s3` , specify the ARN of the Amazon S3 bucket. You can also specify a subfolder in the bucket. To specify a subfolder in the bucket, use the following ARN format: `bucket_ARN/subfolder_name/` . For example, to specify a subfolder named `my-logs` in a bucket named `my-bucket` , use the following ARN: `arn:aws:s3:::my-bucket/my-logs/` . You cannot use `AWSLogs` as a subfolder name. This is a reserved term.",
         "LogDestinationType": "The type of destination to which the flow log data is to be published. Flow log data can be published to CloudWatch Logs or Amazon S3. To publish flow log data to CloudWatch Logs, specify `cloud-watch-logs` . To publish flow log data to Amazon S3, specify `s3` .\n\nIf you specify `LogDestinationType` as `s3` , do not specify `DeliverLogsPermissionArn` or `LogGroupName` .\n\nDefault: `cloud-watch-logs`",
         "LogFormat": "The fields to include in the flow log record, in the order in which they should appear. For a list of available fields, see [Flow Log Records](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-log-records) . If you omit this parameter, the flow log is created using the default format. If you specify this parameter, you must specify at least one field.\n\nSpecify the fields using the `${field-id}` format, separated by spaces.",
@@ -12312,7 +12312,7 @@
         "Ref": "`Ref` returns the ID of the network insights scope.",
         "UpdatedDate": "The last updated date."
       },
-      "description": "Describes a Network Access Scope.",
+      "description": "Describes a Network Access Scope. A Network Access Scope defines outbound (egress) and inbound (ingress) traffic patterns, including sources, destinations, paths, and traffic types.\n\nNetwork Access Analyzer identifies unintended network access to your resources on AWS . When you start an analysis on a Network Access Scope, Network Access Analyzer produces findings. For more information, see the [Network Access Analyzer User Guide](https://docs.aws.amazon.com/vpc/latest/network-access-analyzer/) .",
       "properties": {
         "ExcludePaths": "The paths to exclude.",
         "MatchPaths": "The paths to match.",
@@ -22316,8 +22316,9 @@
     },
     "AWS::IoTSiteWise::Asset": {
       "attributes": {
-        "AssetId": "",
-        "Ref": "`Ref` returns the `AssetId` ."
+        "AssetArn": "The ARN of the asset.",
+        "AssetId": "The ID of the asset.",
+        "Ref": "`Ref` returns `AssetId` and `AssetArn` ."
       },
       "description": "Creates an asset from an existing asset model. For more information, see [Creating assets](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/create-assets.html) in the *AWS IoT SiteWise User Guide* .",
       "properties": {
@@ -22445,7 +22446,7 @@
       "description": "Contains a tumbling window, which is a repeating fixed-sized, non-overlapping, and contiguous time window. You can use this window in metrics to aggregate data from properties and other assets.\n\nYou can use `m` , `h` , `d` , and `w` when you specify an interval or offset. Note that `m` represents minutes, `h` represents hours, `d` represents days, and `w` represents weeks. You can also use `s` to represent seconds in `offset` .\n\nThe `interval` and `offset` parameters support the [ISO 8601 format](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/ISO_8601) . For example, `PT5S` represents 5 seconds, `PT5M` represents 5 minutes, and `PT5H` represents 5 hours.",
       "properties": {
         "Interval": "The time interval for the tumbling window. The interval time must be between 1 minute and 1 week.\n\nAWS IoT SiteWise computes the `1w` interval the end of Sunday at midnight each week (UTC), the `1d` interval at the end of each day at midnight (UTC), the `1h` interval at the end of each hour, and so on.\n\nWhen AWS IoT SiteWise aggregates data points for metric computations, the start of each interval is exclusive and the end of each interval is inclusive. AWS IoT SiteWise places the computed data point at the end of the interval.",
-        "Offset": ""
+        "Offset": "The offset for the tumbling window. The `offset` parameter accepts the following:\n\n- The offset time.\n\nFor example, if you specify `18h` for `offset` and `1d` for `interval` , AWS IoT SiteWise aggregates data in one of the following ways:\n\n- If you create the metric before or at 6 PM (UTC), you get the first aggregation result at 6 PM (UTC) on the day when you create the metric.\n- If you create the metric after 6 PM (UTC), you get the first aggregation result at 6 PM (UTC) the next day.\n- The ISO 8601 format.\n\nFor example, if you specify `PT18H` for `offset` and `1d` for `interval` , AWS IoT SiteWise aggregates data in one of the following ways:\n\n- If you create the metric before or at 6 PM (UTC), you get the first aggregation result at 6 PM (UTC) on the day when you create the metric.\n- If you create the metric after 6 PM (UTC), you get the first aggregation result at 6 PM (UTC) the next day.\n- The 24-hour clock.\n\nFor example, if you specify `00:03:00` for `offset` , `5m` for `interval` , and you create the metric at 2 PM (UTC), you get the first aggregation result at 2:03 PM (UTC). You get the second aggregation result at 2:08 PM (UTC).\n- The offset time zone.\n\nFor example, if you specify `2021-07-23T18:00-08` for `offset` and `1d` for `interval` , AWS IoT SiteWise aggregates data in one of the following ways:\n\n- If you create the metric before or at 6 PM (PST), you get the first aggregation result at 6 PM (PST) on the day when you create the metric.\n- If you create the metric after 6 PM (PST), you get the first aggregation result at 6 PM (PST) the next day."
       }
     },
     "AWS::IoTSiteWise::AssetModel.VariableValue": {
@@ -22497,7 +22498,7 @@
       "description": "Contains a gateway's platform information.",
       "properties": {
         "Greengrass": "A gateway that runs on AWS IoT Greengrass .",
-        "GreengrassV2": ""
+        "GreengrassV2": "A gateway that runs on AWS IoT Greengrass V2."
       }
     },
     "AWS::IoTSiteWise::Gateway.Greengrass": {
@@ -22509,9 +22510,9 @@
     },
     "AWS::IoTSiteWise::Gateway.GreengrassV2": {
       "attributes": {},
-      "description": "",
+      "description": "Contains details for a gateway that runs on AWS IoT Greengrass V2. To create a gateway that runs on AWS IoT Greengrass V2, you must deploy the IoT SiteWise Edge component to your gateway device. Your [Greengrass device role](https://docs.aws.amazon.com/greengrass/v2/developerguide/device-service-role.html) must use the `AWSIoTSiteWiseEdgeAccess` policy. For more information, see [Using AWS IoT SiteWise at the edge](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/sw-gateways.html) in the *AWS IoT SiteWise User Guide* .",
       "properties": {
-        "CoreDeviceThingName": ""
+        "CoreDeviceThingName": "The name of the AWS IoT thing for your AWS IoT Greengrass V2 core device."
       }
     },
     "AWS::IoTSiteWise::Portal": {
@@ -22542,7 +22543,7 @@
       },
       "description": "Creates a project in the specified portal.\n\n> Make sure that the project name and description don't contain confidential information.",
       "properties": {
-        "AssetIds": "",
+        "AssetIds": "A list that contains the IDs of each asset associated with the project.",
         "PortalId": "The ID of the portal in which to create the project.",
         "ProjectDescription": "A description for the project.",
         "ProjectName": "A friendly name for the project.",
@@ -32195,7 +32196,7 @@
         "Permissions": "A list of resource permissions on the data source.",
         "SslProperties": "Secure Socket Layer (SSL) properties that apply when Amazon QuickSight connects to your underlying source.",
         "Tags": "Contains a map of the key-value pairs for the resource tag or tags assigned to the data source.",
-        "Type": "The type of the data source. To return a list of all data sources, use `ListDataSources` .\n\nUse `AMAZON_ELASTICSEARCH` for Amazon OpenSearch Service.",
+        "Type": "The type of the data source. To return a list of all data sources, use `ListDataSources` .\n\nUse `AMAZON_ELASTICSEARCH` for Amazon OpenSearch Service .",
         "VpcConnectionProperties": "Use this parameter only when you want Amazon QuickSight to use a VPC connection when connecting to your underlying source."
       }
     },

packages/@aws-cdk/cloudformation-diff/lib/format-table.ts

@@ -1,5 +1,5 @@
 import * as chalk from 'chalk';
-import * as stringWidth from 'string-width';
+import stringWidth from 'string-width';
 import * as table from 'table';
 
 /**

packages/@aws-cdk/cloudformation-diff/lib/iam/statement.ts

@@ -1,6 +1,9 @@
-import * as deepEqual from 'fast-deep-equal';
 import { deepRemoveUndefined } from '../util';
 
+// namespace object imports won't work in the bundle for function exports
+// eslint-disable-next-line @typescript-eslint/no-require-imports
+const deepEqual = require('fast-deep-equal');
+
 export class Statement {
   /**
    * Statement ID

packages/aws-cdk/NOTICE

@@ -1,2 +1,16 @@
 AWS Cloud Development Kit (AWS CDK)
 Copyright 2018-2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Third party attributions of this package can be found in the THIRD_PARTY_LICENSES file