Merge branch 'master' into issue-13444

CHANGELOG.md

@@ -2,6 +2,42 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [1.93.0](https://github.com/aws/aws-cdk/compare/v1.92.0...v1.93.0) (2021-03-11)
+
+
+### Features
+
+* **amplify-domain:** Added config for auto subdomain creation ([#13342](https://github.com/aws/aws-cdk/issues/13342)) ([4c63f09](https://github.com/aws/aws-cdk/commit/4c63f09f1e9644877eaffbe78eede3854bec08ab))
+* **appmesh:** add route retry policies ([#13353](https://github.com/aws/aws-cdk/issues/13353)) ([66f7053](https://github.com/aws/aws-cdk/commit/66f7053a6c1f5cab540e975b30f5a2c6e35df58a)), closes [#11642](https://github.com/aws/aws-cdk/issues/11642)
+* **cfnspec:** cloudformation spec v30.1.0 ([#13519](https://github.com/aws/aws-cdk/issues/13519)) ([7711981](https://github.com/aws/aws-cdk/commit/7711981ea30bfdffd21dd840d676be4a2b45c9ba))
+* **codebuild:** allow setting queued timeout ([#13467](https://github.com/aws/aws-cdk/issues/13467)) ([e09250b](https://github.com/aws/aws-cdk/commit/e09250bc92c62cb8ee0a8706ce90d0e82faf2d84)), closes [#11364](https://github.com/aws/aws-cdk/issues/11364)
+* **dynamodb:** custom timeout for replication operation ([#13354](https://github.com/aws/aws-cdk/issues/13354)) ([6a5a4f2](https://github.com/aws/aws-cdk/commit/6a5a4f2d9bb6b09ad0d10066200fe53bb45f0737)), closes [#10249](https://github.com/aws/aws-cdk/issues/10249)
+* **ec2:** ESP and AH IPsec protocols for Security Groups ([#13471](https://github.com/aws/aws-cdk/issues/13471)) ([f5a6647](https://github.com/aws/aws-cdk/commit/f5a6647bbe1885ba86029d10550a3ffaf80b6561)), closes [#13403](https://github.com/aws/aws-cdk/issues/13403)
+* **ec2:** multipart user data ([#11843](https://github.com/aws/aws-cdk/issues/11843)) ([ed94c5e](https://github.com/aws/aws-cdk/commit/ed94c5ef1b9dd3042128b0e0c5bb14b3d9c7d497)), closes [#8315](https://github.com/aws/aws-cdk/issues/8315)
+* **ecr:** add imageTagMutability prop ([#10557](https://github.com/aws/aws-cdk/issues/10557)) ([c4dc3bc](https://github.com/aws/aws-cdk/commit/c4dc3bce02790903593d80b070fca81fe7b7f08c)), closes [#4640](https://github.com/aws/aws-cdk/issues/4640)
+* **ecs:** ability to access tag parameter value of TagParameterContainerImage ([#13340](https://github.com/aws/aws-cdk/issues/13340)) ([e567a41](https://github.com/aws/aws-cdk/commit/e567a410d47366855ee3e6011aa096ba987b8099)), closes [#13202](https://github.com/aws/aws-cdk/issues/13202)
+* **ecs:** allow users to provide a CloudMap service to associate with an ECS service ([#13192](https://github.com/aws/aws-cdk/issues/13192)) ([a7d314c](https://github.com/aws/aws-cdk/commit/a7d314c73b9473208d94bac29ad9bd8018e00204)), closes [#10057](https://github.com/aws/aws-cdk/issues/10057)
+* **events:** `EventBus.grantPutEventsTo` method for granular grants ([#13429](https://github.com/aws/aws-cdk/issues/13429)) ([122a232](https://github.com/aws/aws-cdk/commit/122a232343699304d8f206d3024fcddfb2a94bc8)), closes [#11228](https://github.com/aws/aws-cdk/issues/11228)
+* **events:** dead-letter queue support for CodeBuild ([#13448](https://github.com/aws/aws-cdk/issues/13448)) ([abfc0ea](https://github.com/aws/aws-cdk/commit/abfc0ea63c10d8033a529b7497cf093e318fdf12)), closes [#13447](https://github.com/aws/aws-cdk/issues/13447)
+* **events:** dead-letter queue support for StepFunctions ([#13450](https://github.com/aws/aws-cdk/issues/13450)) ([0ebcb41](https://github.com/aws/aws-cdk/commit/0ebcb4160ee16f0f7ff1072a40c8951f9a983048)), closes [#13449](https://github.com/aws/aws-cdk/issues/13449)
+* **events,applicationautoscaling:** schedule can be a token ([#13064](https://github.com/aws/aws-cdk/issues/13064)) ([b1449a1](https://github.com/aws/aws-cdk/commit/b1449a178b0f9a8a951c2546428f8d75c6431f0f))
+* **iam:** SAML identity provider ([#13393](https://github.com/aws/aws-cdk/issues/13393)) ([faa0c06](https://github.com/aws/aws-cdk/commit/faa0c060dad9a5045495707e28fc85f223d4db5d)), closes [#5320](https://github.com/aws/aws-cdk/issues/5320)
+* **neptune:** Support IAM authentication ([#13462](https://github.com/aws/aws-cdk/issues/13462)) ([6c5b1f4](https://github.com/aws/aws-cdk/commit/6c5b1f42fb73a132d47945b529bab73557f2b9d8)), closes [#13461](https://github.com/aws/aws-cdk/issues/13461)
+* **region-info:** added AppMesh ECR account for af-south-1 region ([#12814](https://github.com/aws/aws-cdk/issues/12814)) ([b3fba43](https://github.com/aws/aws-cdk/commit/b3fba43a047df61e713e8d2271d6deee7e07b716))
+* **stepfunctions-tasks:** Support calling ApiGateway REST and HTTP APIs ([#13033](https://github.com/aws/aws-cdk/issues/13033)) ([cc608d0](https://github.com/aws/aws-cdk/commit/cc608d055ffefb798ad6378ab07f36cb241897da)), closes [#11565](https://github.com/aws/aws-cdk/issues/11565) [#11566](https://github.com/aws/aws-cdk/issues/11566) [#11565](https://github.com/aws/aws-cdk/issues/11565)
+
+
+### Bug Fixes
+
+* **cfn-include:** allow boolean values for string-typed properties ([#13508](https://github.com/aws/aws-cdk/issues/13508)) ([e5dab7c](https://github.com/aws/aws-cdk/commit/e5dab7cbc67c234d191c38a8b8b84b634070b15b))
+* **ec2:** fix typo's in WindowsImage constants ([#13446](https://github.com/aws/aws-cdk/issues/13446)) ([781aa97](https://github.com/aws/aws-cdk/commit/781aa97d53fdb7511c34ddde884fdcd84c3f68a6))
+* **elasticloadbalancingv2:** upgrade to v1.92.0 drops certificates on ALB if more than 2 certificates exist ([#13490](https://github.com/aws/aws-cdk/issues/13490)) ([01b94f8](https://github.com/aws/aws-cdk/commit/01b94f8aa6c88b5e676c784aec4c879acddc042f)), closes [#13332](https://github.com/aws/aws-cdk/issues/13332) [#13437](https://github.com/aws/aws-cdk/issues/13437)
+* **events:** imported EventBus does not correctly register source account ([#13481](https://github.com/aws/aws-cdk/issues/13481)) ([57e5404](https://github.com/aws/aws-cdk/commit/57e540432c1446f2233a9b0c0f4caba4e9e155d9)), closes [#13469](https://github.com/aws/aws-cdk/issues/13469)
+* **iam:** oidc-provider can't pull from hosts requiring SNI ([#13397](https://github.com/aws/aws-cdk/issues/13397)) ([90dbfb5](https://github.com/aws/aws-cdk/commit/90dbfb5eec19559717ac6b30f25451461027e731))
+* **iam:** policy statement tries to validate tokens ([#13493](https://github.com/aws/aws-cdk/issues/13493)) ([8d592ea](https://github.com/aws/aws-cdk/commit/8d592ea89c0eda19329d5a31517522ec02ceb874)), closes [#13479](https://github.com/aws/aws-cdk/issues/13479)
+* **init:** Python init template's stack ID doesn't match other languages ([#13480](https://github.com/aws/aws-cdk/issues/13480)) ([3f1c02d](https://github.com/aws/aws-cdk/commit/3f1c02dac7a50ce7caebce1e7f8953f6e4937e6b))
+* **stepfunctions:** no validation on state machine name ([#13387](https://github.com/aws/aws-cdk/issues/13387)) ([6c3d407](https://github.com/aws/aws-cdk/commit/6c3d4071746179dde30f615602592c2523daa56e)), closes [#13289](https://github.com/aws/aws-cdk/issues/13289)
+
 ## [1.92.0](https://github.com/aws/aws-cdk/compare/v1.91.0...v1.92.0) (2021-03-06)
 
 * **ecs-patterns**: the `desiredCount` property stored on the above constructs will be optional, allowing them to be undefined. This is enabled through the `@aws-cdk/aws-ecs-patterns:removeDefaultDesiredCount` feature flag. We would recommend all CDK users to set the `@aws-cdk/aws-ecs-patterns:removeDefaultDesiredCount` flag to `true` for all of their existing applications. 

link-all.sh

@@ -26,7 +26,7 @@ for module in ${modules}; do
  # according to spec (we look in the bin/ directory instead of the { "scripts"
  # } entry in package.json but it's quite a bit easier.
  if [[ -d $module/bin ]]; then
- for script in $(find $module/bin -perm /111); do
+ for script in $(find $module/bin -perm +111); do
  echo "${script} => node_modules/.bin/$(basename $script)"
  ln -fs ${script} node_modules/.bin
  done

packages/@aws-cdk-containers/ecs-service-extensions/lib/extensions/appmesh.ts

@@ -347,7 +347,7 @@ export class AppMeshExtension extends ServiceExtension {
  // Next update the app mesh config so that the local Envoy
  // proxy on this service knows how to route traffic to
  // nodes from the other service.
- this.virtualNode.addBackend(otherAppMesh.virtualService);
+ this.virtualNode.addBackend(appmesh.Backend.virtualService(otherAppMesh.virtualService));
  }
 
  private routeSpec(weightedTargets: appmesh.WeightedTarget[], serviceName: string): appmesh.RouteSpec {

packages/@aws-cdk/aws-amplify/README.md

@@ -122,7 +122,10 @@ mySinglePageApp.addCustomRule(amplify.CustomRule.SINGLE_PAGE_APPLICATION_REDIREC
 Add a domain and map sub domains to branches:
 
 ```ts
-const domain = amplifyApp.addDomain('example.com');
+const domain = amplifyApp.addDomain('example.com', {
+ enableAutoSubdomain: true, // in case subdomains should be auto registered for branches
+ autoSubdomainCreationPatterns: ['*', 'pr*'], // regex for branches that should auto register subdomains
+});
 domain.mapRoot(master); // map master branch to domain root
 domain.mapSubDomain(master, 'www');
 domain.mapSubDomain(dev); // sub domain prefix defaults to branch name

packages/@aws-cdk/aws-amplify/lib/app.ts

@@ -289,6 +289,7 @@ export class App extends Resource implements IApp, iam.IGrantable {
  return new Domain(this, id, {
  ...options,
  app: this,
+ autoSubDomainIamRole: this.grantPrincipal as iam.IRole,
  });
  }
 }

packages/@aws-cdk/aws-amplify/lib/domain.ts

@@ -1,3 +1,4 @@
+import * as iam from '@aws-cdk/aws-iam';
 import { Lazy, Resource, IResolvable } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CfnDomain } from './amplify.generated';
@@ -21,6 +22,20 @@ export interface DomainOptions {
  * @default - use `addSubDomain()` to add subdomains
  */
  readonly subDomains?: SubDomain[];
+
+ /**
+ * Automatically create subdomains for connected branches
+ *
+ * @default false
+ */
+ readonly enableAutoSubdomain?: boolean;
+
+ /**
+ * Branches which should automatically create subdomains
+ *
+ * @default - all repository branches ['*', 'pr*']
+ */
+ readonly autoSubdomainCreationPatterns?: string[];
 }
 
 /**
@@ -31,6 +46,12 @@ export interface DomainProps extends DomainOptions {
  * The application to which the domain must be connected
  */
  readonly app: IApp;
+
+ /**
+ * The IAM role with access to Route53 when using enableAutoSubdomain
+ * @default the IAM role from App.grantPrincipal
+ */
+ readonly autoSubDomainIamRole?: iam.IRole;
 }
 
 /**
@@ -106,6 +127,9 @@ export class Domain extends Resource {
  appId: props.app.appId,
  domainName,
  subDomainSettings: Lazy.any({ produce: () => this.renderSubDomainSettings() }, { omitEmptyArray: true }),
+ enableAutoSubDomain: !!props.enableAutoSubdomain,
+ autoSubDomainCreationPatterns: props.autoSubdomainCreationPatterns || ['*', 'pr*'],
+ autoSubDomainIamRole: props.autoSubDomainIamRole?.roleArn,
  });
 
  this.arn = domain.attrArn;

packages/@aws-cdk/aws-amplify/test/domain.test.ts

@@ -1,3 +1,4 @@
+import * as iam from '@aws-cdk/aws-iam';
 import '@aws-cdk/assert/jest';
 import { App, SecretValue, Stack } from '@aws-cdk/core';
 import * as amplify from '../lib';
@@ -120,3 +121,113 @@ test('throws at synthesis without subdomains', () => {
  // THEN
  expect(() => app.synth()).toThrow(/The domain doesn't contain any subdomains/);
 });
+
+test('auto subdomain all branches', () => {
+ // GIVEN
+ const stack = new Stack();
+ const app = new amplify.App(stack, 'App', {
+ sourceCodeProvider: new amplify.GitHubSourceCodeProvider({
+ owner: 'aws',
+ repository: 'aws-cdk',
+ oauthToken: SecretValue.plainText('secret'),
+ }),
+ });
+ const prodBranch = app.addBranch('master');
+
+ // WHEN
+ const domain = app.addDomain('amazon.com', {
+ enableAutoSubdomain: true,
+ });
+ domain.mapRoot(prodBranch);
+
+ // THEN
+ expect(stack).toHaveResource('AWS::Amplify::Domain', {
+ EnableAutoSubDomain: true,
+ AutoSubDomainCreationPatterns: [
+ '*',
+ 'pr*',
+ ],
+ AutoSubDomainIAMRole: {
+ 'Fn::GetAtt': [
+ 'AppRole1AF9B530',
+ 'Arn',
+ ],
+ },
+ });
+});
+
+test('auto subdomain some branches', () => {
+ // GIVEN
+ const stack = new Stack();
+ const app = new amplify.App(stack, 'App', {
+ sourceCodeProvider: new amplify.GitHubSourceCodeProvider({
+ owner: 'aws',
+ repository: 'aws-cdk',
+ oauthToken: SecretValue.plainText('secret'),
+ }),
+ });
+ const prodBranch = app.addBranch('master');
+
+ // WHEN
+ const domain = app.addDomain('amazon.com', {
+ enableAutoSubdomain: true,
+ autoSubdomainCreationPatterns: ['features/**'],
+ });
+ domain.mapRoot(prodBranch);
+
+ // THEN
+ expect(stack).toHaveResource('AWS::Amplify::Domain', {
+ EnableAutoSubDomain: true,
+ AutoSubDomainCreationPatterns: ['features/**'],
+ AutoSubDomainIAMRole: {
+ 'Fn::GetAtt': [
+ 'AppRole1AF9B530',
+ 'Arn',
+ ],
+ },
+ });
+});
+
+test('auto subdomain with IAM role', () => {
+ // GIVEN
+ const stack = new Stack();
+ const app = new amplify.App(stack, 'App', {
+ sourceCodeProvider: new amplify.GitHubSourceCodeProvider({
+ owner: 'aws',
+ repository: 'aws-cdk',
+ oauthToken: SecretValue.plainText('secret'),
+ }),
+ role: iam.Role.fromRoleArn(
+ stack,
+ 'AmplifyRole',
+ `arn:aws:iam::${Stack.of(stack).account}:role/AmplifyRole`,
+ { mutable: false },
+ ),
+ });
+ const prodBranch = app.addBranch('master');
+
+ // WHEN
+ const domain = app.addDomain('amazon.com', {
+ enableAutoSubdomain: true,
+ autoSubdomainCreationPatterns: ['features/**'],
+ });
+ domain.mapRoot(prodBranch);
+
+ // THEN
+ expect(stack).toHaveResource('AWS::Amplify::Domain', {
+ EnableAutoSubDomain: true,
+ AutoSubDomainCreationPatterns: ['features/**'],
+ AutoSubDomainIAMRole: {
+ 'Fn::Join': [
+ '',
+ [
+ 'arn:aws:iam::',
+ {
+ Ref: 'AWS::AccountId',
+ },
+ ':role/AmplifyRole',
+ ],
+ ],
+ },
+ });
+});

packages/@aws-cdk/aws-appmesh/README.md

@@ -186,9 +186,11 @@ const node = new VirtualNode(this, 'node', {
  idle: cdk.Duration.seconds(5),
  },
  })],
- backendsDefaultClientPolicy: appmesh.ClientPolicy.fileTrust({
- certificateChain: '/keys/local_cert_chain.pem',
- }),
+ backendDefaults: {
+ clientPolicy: appmesh.ClientPolicy.fileTrust({
+ certificateChain: '/keys/local_cert_chain.pem',
+ }),
+ },
  accessLog: appmesh.AccessLog.fromFilePath('/dev/stdout'),
 });
 
@@ -230,14 +232,14 @@ const virtualService = new appmesh.VirtualService(stack, 'service-1', {
  }),
 });
 
-node.addBackend(virtualService);
+node.addBackend(appmesh.Backend.virtualService(virtualService));
 ```
 
 The `listeners` property can be left blank and added later with the `node.addListener()` method. The `healthcheck` and `timeout` properties are optional but if specifying a listener, the `port` must be added.
 
 The `backends` property can be added with `node.addBackend()`. We define a virtual service and add it to the virtual node to allow egress traffic to other node.
 
-The `backendsDefaultClientPolicy` property are added to the node while creating the virtual node. These are virtual node's service backends client policy defaults.
+The `backendDefaults` property are added to the node while creating the virtual node. These are virtual node's default settings for all backends.
 
 ## Adding TLS to a listener
 
@@ -298,6 +300,30 @@ router.addRoute('route-http', {
 });
 ```
 
+Add an HTTP2 route that matches based on method, scheme and header:
+
+```ts
+router.addRoute('route-http2', {
+ routeSpec: appmesh.RouteSpec.http2({
+ weightedTargets: [
+ {
+ virtualNode: node,
+ },
+ ],
+ match: {
+ prefixPath: '/',
+ method: appmesh.HttpRouteMatchMethod.POST,
+ protocol: appmesh.HttpRouteProtocol.HTTPS,
+ headers: [
+ // All specified headers must match for the route to match.
+ appmesh.HttpHeaderMatch.valueIs('Content-Type', 'application/json'),
+ appmesh.HttpHeaderMatch.valueIsNot('Content-Type', 'application/json'),
+ ]
+ },
+ }),
+});
+```
+
 Add a single route with multiple targets and split traffic 50/50
 
 ```ts
@@ -320,6 +346,50 @@ router.addRoute('route-http', {
 });
 ```
 
+Add an http2 route with retries:
+
+```ts
+router.addRoute('route-http2-retry', {
+ routeSpec: appmesh.RouteSpec.http2({
+ weightedTargets: [{ virtualNode: node }],
+ retryPolicy: {
+ // Retry if the connection failed
+ tcpRetryEvents: [appmesh.TcpRetryEvent.CONNECTION_ERROR],
+ // Retry if HTTP responds with a gateway error (502, 503, 504)
+ httpRetryEvents: [appmesh.HttpRetryEvent.GATEWAY_ERROR],
+ // Retry five times
+ retryAttempts: 5,
+ // Use a 1 second timeout per retry
+ retryTimeout: cdk.Duration.seconds(1),
+ },
+ }),
+});
+```
+
+Add a gRPC route with retries:
+
+```ts
+router.addRoute('route-grpc-retry', {
+ routeSpec: appmesh.RouteSpec.grpc({
+ weightedTargets: [{ virtualNode: node }],
+ match: { serviceName: 'servicename' },
+ retryPolicy: {
+ tcpRetryEvents: [appmesh.TcpRetryEvent.CONNECTION_ERROR],
+ httpRetryEvents: [appmesh.HttpRetryEvent.GATEWAY_ERROR],
+ // Retry if gRPC responds that the request was cancelled, a resource
+ // was exhausted, or if the service is unavailable
+ grpcRetryEvents: [
+ appmesh.GrpcRetryEvent.CANCELLED,
+ appmesh.GrpcRetryEvent.RESOURCE_EXHAUSTED,
+ appmesh.GrpcRetryEvent.UNAVAILABLE,
+ ],
+ retryAttempts: 5,
+ retryTimeout: cdk.Duration.seconds(1),
+ },
+ }),
+});
+```
+
 The _RouteSpec_ class provides an easy interface for defining new protocol specific route specs.
 The `tcp()`, `http()` and `http2()` methods provide the spec necessary to define a protocol specific spec.
 
@@ -369,10 +439,12 @@ const gateway = new appmesh.VirtualGateway(stack, 'gateway', {
  interval: cdk.Duration.seconds(10),
  },
  })],
- backendsDefaultClientPolicy: appmesh.ClientPolicy.acmTrust({
- certificateAuthorities: [acmpca.CertificateAuthority.fromCertificateAuthorityArn(stack, 'certificate', certificateAuthorityArn)],
- ports: [8080, 8081],
- }),
+ backendDefaults: {
+ clientPolicy: appmesh.ClientPolicy.acmTrust({
+ certificateAuthorities: [acmpca.CertificateAuthority.fromCertificateAuthorityArn(stack, 'certificate', certificateAuthorityArn)],
+ ports: [8080, 8081],
+ }),
+ },
  accessLog: appmesh.AccessLog.fromFilePath('/dev/stdout'),
  virtualGatewayName: 'virtualGateway',
 });
@@ -396,7 +468,7 @@ const gateway = mesh.addVirtualGateway('gateway', {
 The listeners field can be omitted which will default to an HTTP Listener on port 8080.
 A gateway route can be added using the `gateway.addGatewayRoute()` method.
 
-The `backendsDefaultClientPolicy` property are added to the node while creating the virtual gateway. These are virtual gateway's service backends client policy defaults.
+The `backendDefaults` property is added to the node while creating the virtual gateway. These are virtual gateway's default settings for all backends.
 
 ## Adding a Gateway Route