Merge branch 'main' into rds-support-rolling-instance-updates

packages/@aws-cdk/aws-backup/README.md

@@ -176,6 +176,16 @@ backupVault.blockRecoveryPointDeletion();
 
 By default access is not restricted.
 
+Use the `lockConfiguration` property to enable [AWS Backup Vault Lock](https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html):
+
+```ts
+new BackupVault(stack, 'Vault', {
+  lockConfiguration: {
+    minRetention: Duration.days(30),
+  },
+});
+```
+
 ## Importing existing backup vault
 
 To import an existing backup vault into your CDK application, use the `BackupVault.fromBackupVaultArn` or `BackupVault.fromBackupVaultName`

packages/@aws-cdk/aws-backup/lib/vault.ts

@@ -1,7 +1,7 @@
 import * as iam from '@aws-cdk/aws-iam';
 import * as kms from '@aws-cdk/aws-kms';
 import * as sns from '@aws-cdk/aws-sns';
-import { ArnFormat, IResource, Lazy, Names, RemovalPolicy, Resource, Stack } from '@aws-cdk/core';
+import { ArnFormat, Duration, IResource, Lazy, Names, RemovalPolicy, Resource, Stack } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CfnBackupVault } from './backup.generated';
 
@@ -91,6 +91,15 @@ export interface BackupVaultProps {
    * @default false
    */
   readonly blockRecoveryPointDeletion?: boolean;
+
+  /**
+   * Configuration for AWS Backup Vault Lock
+   *
+   * @see https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html
+   *
+   * @default - AWS Backup Vault Lock is disabled
+   */
+  readonly lockConfiguration?: LockConfiguration;
 }
 
 /**
@@ -129,6 +138,55 @@ export enum BackupVaultEvents {
   BACKUP_PLAN_MODIFIED = 'BACKUP_PLAN_MODIFIED',
 }
 
+/**
+ * Configuration for AWS Backup Vault Lock
+ *
+ * @see https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html
+ */
+export interface LockConfiguration {
+  /**
+   * The minimum retention period that the vault retains its recovery points.
+   *
+   * If this parameter is specified, any backup or copy job to the vault must
+   * have a lifecycle policy with a retention period equal to or longer than
+   * the minimum retention period. If the job's retention period is shorter than
+   * that minimum retention period, then the vault fails that backup or copy job,
+   * and you should either modify your lifecycle settings or use a different
+   * vault. Recovery points already saved in the vault prior to Vault Lock are
+   * not affected.
+   */
+  readonly minRetention: Duration;
+
+  /**
+   * The maximum retention period that the vault retains its recovery points.
+   *
+   * If this parameter is specified, any backup or copy job to the vault must
+   * have a lifecycle policy with a retention period equal to or shorter than
+   * the maximum retention period. If the job's retention period is longer than
+   * that maximum retention period, then the vault fails the backup or copy job,
+   * and you should either modify your lifecycle settings or use a different
+   * vault. Recovery points already saved in the vault prior to Vault Lock are
+   * not affected.
+   *
+   * @default - Vault Lock does not enforce a maximum retention period
+   */
+  readonly maxRetention?: Duration;
+
+  /**
+   * The duration before the lock date.
+   *
+   * AWS Backup enforces a 72-hour cooling-off period before Vault Lock takes
+   * effect and becomes immutable.
+   *
+   * Before the lock date, you can delete Vault Lock from the vault or change
+   * the Vault Lock configuration. On and after the lock date, the Vault Lock
+   * becomes immutable and cannot be changed or deleted.
+   *
+   * @default - Vault Lock can be deleted or changed at any time
+   */
+  readonly changeableFor?: Duration;
+}
+
 abstract class BackupVaultBase extends Resource implements IBackupVault {
   public abstract readonly backupVaultName: string;
   public abstract readonly backupVaultArn: string;
@@ -226,6 +284,7 @@ export class BackupVault extends BackupVaultBase {
       accessPolicy: Lazy.any({ produce: () => this.accessPolicy.toJSON() }),
       encryptionKeyArn: props.encryptionKey && props.encryptionKey.keyArn,
       notifications,
+      lockConfiguration: renderLockConfiguration(props.lockConfiguration),
     });
     vault.applyRemovalPolicy(props.removalPolicy);
 
@@ -262,3 +321,32 @@ export class BackupVault extends BackupVaultBase {
     return id.substring(Math.max(id.length - 50, 0), id.length);
   }
 }
+
+function renderLockConfiguration(config?: LockConfiguration): CfnBackupVault.LockConfigurationTypeProperty | undefined {
+  if (!config) {
+    return undefined;
+  }
+
+  if (config.changeableFor && config.changeableFor.toHours() < 72) {
+    throw new Error(`AWS Backup enforces a 72-hour cooling-off period before Vault Lock takes effect and becomes immutable, got ${config.changeableFor.toHours()} hours`);
+  }
+
+  if (config.maxRetention) {
+    if (config.maxRetention.toDays() > 36500) {
+      throw new Error(`The longest maximum retention period you can specify is 36500 days, got ${config.maxRetention.toDays()} days`);
+    }
+    if (config.maxRetention.toDays() <= config.minRetention.toDays()) {
+      throw new Error(`The maximum retention period (${config.maxRetention.toDays()} days) must be greater than the minimum retention period (${config.minRetention.toDays()} days)`);
+    }
+  }
+
+  if (config.minRetention.toHours() < 24) {
+    throw new Error(`The shortest minimum retention period you can specify is 1 day, got ${config.minRetention.toHours()} hours`);
+  }
+
+  return {
+    minRetentionDays: config.minRetention.toDays(),
+    maxRetentionDays: config.maxRetention?.toDays(),
+    changeableForDays: config.changeableFor?.toDays(),
+  };
+}

packages/@aws-cdk/aws-backup/test/backup.integ.snapshot/cdk-backup.template.json

@@ -31,7 +31,10 @@
   "Vault23237E5B": {
    "Type": "AWS::Backup::BackupVault",
    "Properties": {
-    "BackupVaultName": "cdkbackupVaultC2A6D3CB"
+    "BackupVaultName": "cdkbackupVaultC2A6D3CB",
+    "LockConfiguration": {
+     "MinRetentionDays": 5
+    }
    },
    "UpdateReplacePolicy": "Delete",
    "DeletionPolicy": "Delete"

packages/@aws-cdk/aws-backup/test/backup.integ.snapshot/cdk.out

@@ -1 +1 @@
-{"version":"17.0.0"}
+{"version":"20.0.0"}

packages/@aws-cdk/aws-backup/test/backup.integ.snapshot/integ.json

@@ -1,7 +1,7 @@
 {
-  "version": "18.0.0",
+  "version": "20.0.0",
   "testCases": {
-    "aws-backup/test/integ.backup": {
+    "integ.backup": {
       "stacks": [
         "cdk-backup"
       ],

packages/@aws-cdk/aws-backup/test/backup.integ.snapshot/manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "17.0.0",
+  "version": "20.0.0",
   "artifacts": {
     "Tree": {
       "type": "cdk:tree",

packages/@aws-cdk/aws-backup/test/backup.integ.snapshot/tree.json

@@ -8,8 +8,8 @@
         "id": "Tree",
         "path": "Tree",
         "constructInfo": {
-          "fqn": "@aws-cdk/core.Construct",
-          "version": "0.0.0"
+          "fqn": "constructs.Construct",
+          "version": "10.1.33"
         }
       },
       "cdk-backup": {
@@ -85,7 +85,10 @@
                 "attributes": {
                   "aws:cdk:cloudformation:type": "AWS::Backup::BackupVault",
                   "aws:cdk:cloudformation:props": {
-                    "backupVaultName": "cdkbackupVaultC2A6D3CB"
+                    "backupVaultName": "cdkbackupVaultC2A6D3CB",
+                    "lockConfiguration": {
+                      "minRetentionDays": 5
+                    }
                   }
                 },
                 "constructInfo": {

packages/@aws-cdk/aws-backup/test/integ.backup.ts

@@ -1,6 +1,6 @@
 import * as dynamodb from '@aws-cdk/aws-dynamodb';
 import * as efs from '@aws-cdk/aws-efs';
-import { App, RemovalPolicy, Stack, StackProps } from '@aws-cdk/core';
+import { App, Duration, RemovalPolicy, Stack, StackProps } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import * as backup from '../lib';
 
@@ -21,6 +21,9 @@ class TestStack extends Stack {
 
     const vault = new backup.BackupVault(this, 'Vault', {
       removalPolicy: RemovalPolicy.DESTROY,
+      lockConfiguration: {
+        minRetention: Duration.days(5),
+      },
     });
     const plan = backup.BackupPlan.dailyWeeklyMonthly5YearRetention(this, 'Plan', vault);
 

packages/@aws-cdk/aws-backup/test/vault.test.ts

@@ -2,7 +2,7 @@ import { Template } from '@aws-cdk/assertions';
 import * as iam from '@aws-cdk/aws-iam';
 import * as kms from '@aws-cdk/aws-kms';
 import * as sns from '@aws-cdk/aws-sns';
-import { ArnFormat, Stack } from '@aws-cdk/core';
+import { ArnFormat, Duration, Stack } from '@aws-cdk/core';
 import { BackupVault, BackupVaultEvents } from '../lib';
 
 let stack: Stack;
@@ -367,3 +367,58 @@ test('throws with too short name', () => {
     backupVaultName: 'x',
   })).toThrow(/Expected vault name to match pattern/);
 });
+
+test('with lock configuration', () => {
+  // WHEN
+  new BackupVault(stack, 'Vault', {
+    lockConfiguration: {
+      minRetention: Duration.days(30),
+      maxRetention: Duration.days(365),
+      changeableFor: Duration.days(7),
+    },
+  });
+
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('AWS::Backup::BackupVault', {
+    LockConfiguration: {
+      ChangeableForDays: 7,
+      MaxRetentionDays: 365,
+      MinRetentionDays: 30,
+    },
+  });
+});
+
+test('throws with incorrect lock configuration - min retention', () => {
+  expect(() => new BackupVault(stack, 'Vault', {
+    lockConfiguration: {
+      minRetention: Duration.hours(12),
+    },
+  })).toThrow(/The shortest minimum retention period you can specify is 1 day/);
+});
+
+test('throws with incorrect lock configuration - max retention', () => {
+  expect(() => new BackupVault(stack, 'Vault', {
+    lockConfiguration: {
+      minRetention: Duration.days(7),
+      maxRetention: Duration.days(40000),
+    },
+  })).toThrow(/The longest maximum retention period you can specify is 36500 days/);
+});
+
+test('throws with incorrect lock configuration - max and min retention', () => {
+  expect(() => new BackupVault(stack, 'Vault', {
+    lockConfiguration: {
+      minRetention: Duration.days(7),
+      maxRetention: Duration.days(4),
+    },
+  })).toThrow(/The maximum retention period \(4 days\) must be greater than the minimum retention period \(7 days\)/);
+});
+
+test('throws with incorrect lock configuration - changeable for', () => {
+  expect(() => new BackupVault(stack, 'Vault', {
+    lockConfiguration: {
+      minRetention: Duration.days(7),
+      changeableFor: Duration.days(1),
+    },
+  })).toThrow(/AWS Backup enforces a 72-hour cooling-off period before Vault Lock takes effect and becomes immutable/);
+});

packages/@aws-cdk/aws-stepfunctions-tasks/README.md

@@ -1404,6 +1404,25 @@ new tasks.StepFunctionsInvokeActivity(this, 'Submit Job', {
 });
 ```
 
+Use the [Parameters](https://docs.aws.amazon.com/step-functions/latest/dg/input-output-inputpath-params.html#input-output-parameters) field to create a collection of key-value pairs that are passed as input. 
+The values of each can either be static values that you include in your state machine definition, or selected from either the input or the context object with a path. 
+
+```ts
+const submitJobActivity = new sfn.Activity(this, 'SubmitJob');
+
+new tasks.StepFunctionsInvokeActivity(this, 'Submit Job', {
+  activity: submitJobActivity,
+  parameters: {
+    comment: 'Selecting what I care about.',
+    MyDetails: {
+      size: sfn.JsonPath.stringAt('$.product.details.size'),
+      exists: sfn.JsonPath.stringAt('$.product.availability'),
+      StaticValue: 'foo'
+    },
+  },
+});
+```
+
 ## SQS
 
 Step Functions supports [Amazon SQS](https://docs.aws.amazon.com/step-functions/latest/dg/connect-sqs.html)

packages/@aws-cdk/aws-stepfunctions-tasks/lib/stepfunctions/invoke-activity.ts

@@ -11,6 +11,15 @@ export interface StepFunctionsInvokeActivityProps extends sfn.TaskStateBaseProps
    * Step Functions Activity to invoke
    */
   readonly activity: sfn.IActivity
+
+  /**
+   * Parameters pass a collection of key-value pairs, either static values or JSONPath expressions that select from the input.
+   *
+   * @see https://docs.aws.amazon.com/step-functions/latest/dg/input-output-inputpath-params.html#input-output-parameters
+   *
+   * @default No parameters
+   */
+  readonly parameters?: { [name: string]: any };
 }
 
 /**
@@ -39,6 +48,7 @@ export class StepFunctionsInvokeActivity extends sfn.TaskStateBase {
   protected _renderTask(): any {
     return {
       Resource: this.props.activity.activityArn,
+      Parameters: this.props.parameters ? sfn.FieldUtils.renderObject(this.props.parameters) : undefined,
     };
   }
 }

packages/@aws-cdk/aws-stepfunctions-tasks/test/stepfunctions/integ.invoke-activity.ts

@@ -42,6 +42,14 @@ class InvokeActivityStack extends cdk.Stack {
     const finalStatus = new tasks.StepFunctionsInvokeActivity(this, 'Get Final Job Status', {
       activity: checkJobActivity,
       inputPath: '$.guid',
+      parameters: {
+        'input.$': '$',
+        'stringArgument': 'inital-task',
+        'numberArgument': 123,
+        'booleanArgument': true,
+        'arrayArgument': ['a', 'b', 'c'],
+        'jsonPath': sfn.JsonPath.stringAt('$.status'),
+      },
     });
 
     const chain = sfn.Chain

packages/@aws-cdk/aws-stepfunctions-tasks/test/stepfunctions/invoke-activity.integ.snapshot/aws-stepfunctions-integ.assets.json

@@ -0,0 +1,19 @@
+{
+  "version": "20.0.0",
+  "files": {
+    "b9edde5b0344ecb8e67455541ca7cae1ee0b7f594b359920852dcb647be6a6f2": {
+      "source": {
+        "path": "aws-stepfunctions-integ.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "b9edde5b0344ecb8e67455541ca7cae1ee0b7f594b359920852dcb647be6a6f2.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}

packages/@aws-cdk/aws-stepfunctions-tasks/test/stepfunctions/invoke-activity.integ.snapshot/aws-stepfunctions-integ.template.json

@@ -62,7 +62,7 @@
        {
         "Ref": "CheckJob5FFC1D6F"
        },
-       "\"}},\"TimeoutSeconds\":300}"
+       "\",\"Parameters\":{\"input.$\":\"$\",\"stringArgument\":\"inital-task\",\"numberArgument\":123,\"booleanArgument\":true,\"arrayArgument\":[\"a\",\"b\",\"c\"],\"jsonPath.$\":\"$.status\"}}},\"TimeoutSeconds\":300}"
       ]
      ]
     }

packages/@aws-cdk/aws-stepfunctions-tasks/test/stepfunctions/invoke-activity.integ.snapshot/cdk.out

@@ -1 +1 @@
-{"version":"17.0.0"}
+{"version":"20.0.0"}

packages/@aws-cdk/aws-stepfunctions-tasks/test/stepfunctions/invoke-activity.integ.snapshot/integ.json

@@ -1,7 +1,7 @@
 {
-  "version": "18.0.0",
+  "version": "20.0.0",
   "testCases": {
-    "aws-stepfunctions-tasks/test/stepfunctions/integ.invoke-activity": {
+    "stepfunctions/integ.invoke-activity": {
       "stacks": [
         "aws-stepfunctions-integ"
       ],

packages/@aws-cdk/aws-stepfunctions-tasks/test/stepfunctions/invoke-activity.integ.snapshot/manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "17.0.0",
+  "version": "20.0.0",
   "artifacts": {
     "Tree": {
       "type": "cdk:tree",