Merge branch 'master' into epolon/add-auto-approve-label-to-dependabot

packages/@aws-cdk/aws-certificatemanager/README.md

@@ -113,6 +113,21 @@ new acm.DnsValidatedCertificate(this, 'CrossRegionCertificate', {
 });
 ```
 
+## Requesting private certificates
+
+AWS Certificate Manager can create [private certificates](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-private.html) issued by [Private Certificate Authority (PCA)](https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaWelcome.html). Validation of private certificates is not necessary.
+
+```ts
+import * as acmpca from '@aws-cdk/aws-acmpca';
+
+new acm.PrivateCertificate(stack, 'PrivateCertificate', {
+  domainName: 'test.example.com',
+  subjectAlternativeNames: ['cool.example.com', 'test.example.net'], // optional
+  certificateAuthority: acmpca.CertificateAuthority.fromCertificateAuthorityArn(stack, 'CA',
+    'arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/023077d8-2bfa-4eb0-8f22-05c96deade77'),
+});
+```
+
 ## Importing
 
 If you want to import an existing certificate, you can do so from its ARN:

packages/@aws-cdk/aws-certificatemanager/lib/index.ts

@@ -1,5 +1,6 @@
 export * from './certificate';
 export * from './dns-validated-certificate';
+export * from './private-certificate';
 export * from './util';
 
 // AWS::CertificateManager CloudFormation Resources:

packages/@aws-cdk/aws-certificatemanager/lib/private-certificate.ts

@@ -0,0 +1,66 @@
+import * as acmpca from '@aws-cdk/aws-acmpca';
+import { Construct } from 'constructs';
+import { ICertificate } from './certificate';
+import { CertificateBase } from './certificate-base';
+import { CfnCertificate } from './certificatemanager.generated';
+
+/**
+ * Properties for your private certificate
+ */
+export interface PrivateCertificateProps {
+  /**
+   * Fully-qualified domain name to request a private certificate for.
+   *
+   * May contain wildcards, such as ``*.domain.com``.
+   */
+  readonly domainName: string;
+
+  /**
+   * Alternative domain names on your private certificate.
+   *
+   * Use this to register alternative domain names that represent the same site.
+   *
+   * @default - No additional FQDNs will be included as alternative domain names.
+   */
+  readonly subjectAlternativeNames?: string[];
+
+  /**
+   * Private certificate authority (CA) that will be used to issue the certificate.
+   */
+  readonly certificateAuthority: acmpca.ICertificateAuthority;
+}
+
+/**
+ * A private certificate managed by AWS Certificate Manager
+ *
+ * @resource AWS::CertificateManager::Certificate
+ */
+export class PrivateCertificate extends CertificateBase implements ICertificate {
+  /**
+   * Import a certificate
+   */
+  public static fromCertificateArn(scope: Construct, id: string, certificateArn: string): ICertificate {
+    class Import extends CertificateBase {
+      public readonly certificateArn = certificateArn;
+    }
+
+    return new Import(scope, id);
+  }
+
+  /**
+   * The certificate's ARN
+   */
+  public readonly certificateArn: string;
+
+  constructor(scope: Construct, id: string, props: PrivateCertificateProps) {
+    super(scope, id);
+
+    const cert = new CfnCertificate(this, 'Resource', {
+      domainName: props.domainName,
+      subjectAlternativeNames: props.subjectAlternativeNames,
+      certificateAuthorityArn: props.certificateAuthority.certificateAuthorityArn,
+    });
+
+    this.certificateArn = cert.ref;
+  }
+}

packages/@aws-cdk/aws-certificatemanager/package.json

@@ -79,6 +79,7 @@
     "@types/jest": "^26.0.24"
   },
   "dependencies": {
+    "@aws-cdk/aws-acmpca": "0.0.0",
     "@aws-cdk/aws-cloudwatch": "0.0.0",
     "@aws-cdk/aws-iam": "0.0.0",
     "@aws-cdk/aws-lambda": "0.0.0",
@@ -88,6 +89,7 @@
   },
   "homepage": "https://github.com/aws/aws-cdk",
   "peerDependencies": {
+    "@aws-cdk/aws-acmpca": "0.0.0",
     "@aws-cdk/aws-cloudwatch": "0.0.0",
     "@aws-cdk/aws-iam": "0.0.0",
     "@aws-cdk/aws-lambda": "0.0.0",
@@ -101,7 +103,8 @@
   "awslint": {
     "exclude": [
       "props-physical-name:@aws-cdk/aws-certificatemanager.CertificateProps",
-      "props-physical-name:@aws-cdk/aws-certificatemanager.DnsValidatedCertificateProps"
+      "props-physical-name:@aws-cdk/aws-certificatemanager.DnsValidatedCertificateProps",
+      "props-physical-name:@aws-cdk/aws-certificatemanager.PrivateCertificateProps"
     ]
   },
   "stability": "stable",

packages/@aws-cdk/aws-certificatemanager/test/private-certificate.test.ts

@@ -0,0 +1,102 @@
+import '@aws-cdk/assert-internal/jest';
+import * as acmpca from '@aws-cdk/aws-acmpca';
+import { Duration, Lazy, Stack } from '@aws-cdk/core';
+import { PrivateCertificate } from '../lib';
+
+test('private certificate authority', () => {
+  const stack = new Stack();
+
+  new PrivateCertificate(stack, 'Certificate', {
+    domainName: 'test.example.com',
+    certificateAuthority: acmpca.CertificateAuthority.fromCertificateAuthorityArn(stack, 'CA',
+      'arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/023077d8-2bfa-4eb0-8f22-05c96deade77'),
+  });
+
+  expect(stack).toHaveResource('AWS::CertificateManager::Certificate', {
+    DomainName: 'test.example.com',
+    CertificateAuthorityArn: 'arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/023077d8-2bfa-4eb0-8f22-05c96deade77',
+  });
+});
+
+test('private certificate authority with subjectAlternativeNames', () => {
+  const stack = new Stack();
+
+  new PrivateCertificate(stack, 'Certificate', {
+    domainName: 'test.example.com',
+    subjectAlternativeNames: ['extra.example.com'],
+    certificateAuthority: acmpca.CertificateAuthority.fromCertificateAuthorityArn(stack, 'CA',
+      'arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/023077d8-2bfa-4eb0-8f22-05c96deade77'),
+  });
+
+  expect(stack).toHaveResource('AWS::CertificateManager::Certificate', {
+    DomainName: 'test.example.com',
+    SubjectAlternativeNames: ['extra.example.com'],
+    CertificateAuthorityArn: 'arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/023077d8-2bfa-4eb0-8f22-05c96deade77',
+  });
+});
+
+test('private certificate authority with multiple subjectAlternativeNames', () => {
+  const stack = new Stack();
+
+  new PrivateCertificate(stack, 'Certificate', {
+    domainName: 'test.example.com',
+    subjectAlternativeNames: ['*.test.example.com', '*.foo.test.example.com', 'bar.test.example.com'],
+    certificateAuthority: acmpca.CertificateAuthority.fromCertificateAuthorityArn(stack, 'CA',
+      'arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/023077d8-2bfa-4eb0-8f22-05c96deade77'),
+  });
+
+  expect(stack).toHaveResource('AWS::CertificateManager::Certificate', {
+    DomainName: 'test.example.com',
+    SubjectAlternativeNames: ['*.test.example.com', '*.foo.test.example.com', 'bar.test.example.com'],
+    CertificateAuthorityArn: 'arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/023077d8-2bfa-4eb0-8f22-05c96deade77',
+  });
+});
+
+test('private certificate authority with tokens', () => {
+  const stack = new Stack();
+
+  const certificateAuthority = Lazy.string({
+    produce: () => 'arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/023077d8-2bfa-4eb0-8f22-05c96deade77',
+  });
+
+  const domainName = Lazy.string({
+    produce: () => 'test.example.com',
+  });
+
+  const domainNameAlternative = Lazy.string({
+    produce: () => 'extra.example.com',
+  });
+
+  new PrivateCertificate(stack, 'Certificate', {
+    domainName,
+    subjectAlternativeNames: [domainNameAlternative],
+    certificateAuthority: acmpca.CertificateAuthority.fromCertificateAuthorityArn(stack, 'CA', certificateAuthority),
+  });
+
+  expect(stack).toHaveResource('AWS::CertificateManager::Certificate', {
+    DomainName: 'test.example.com',
+    SubjectAlternativeNames: ['extra.example.com'],
+    CertificateAuthorityArn: 'arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/023077d8-2bfa-4eb0-8f22-05c96deade77',
+  });
+});
+
+test('metricDaysToExpiry', () => {
+  const stack = new Stack();
+
+  const certificate = new PrivateCertificate(stack, 'Certificate', {
+    domainName: 'test.example.com',
+    certificateAuthority: acmpca.CertificateAuthority.fromCertificateAuthorityArn(stack, 'CA',
+      'arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/023077d8-2bfa-4eb0-8f22-05c96deade77'),
+  });
+
+  expect(stack.resolve(certificate.metricDaysToExpiry().toMetricConfig())).toEqual({
+    metricStat: {
+      dimensions: [{ name: 'CertificateArn', value: stack.resolve(certificate.certificateArn) }],
+      metricName: 'DaysToExpiry',
+      namespace: 'AWS/CertificateManager',
+      period: Duration.days(1),
+      statistic: 'Minimum',
+    },
+    renderingProperties: expect.anything(),
+  });
+});

packages/@aws-cdk/aws-ec2/lib/instance-types.ts

@@ -208,6 +208,16 @@ export enum InstanceClass {
    */
   C5 = 'c5',
 
+  /**
+   * Compute optimized instances, 6th generation
+   */
+  COMPUTE6_INTEL = 'c6i',
+
+  /**
+   * Compute optimized instances, 6th generation
+   */
+  C6I = 'c6i',
+
   /**
    * Compute optimized instances with local NVME drive, 5th generation
    */

packages/@aws-cdk/aws-iot/README.md

@@ -59,6 +59,8 @@ const func = new lambda.Function(this, 'MyFunction', {
 });
 
 new iot.TopicRule(this, 'TopicRule', {
+  topicRuleName: 'MyTopicRule', // optional
+  description: 'invokes the lambda finction', // optional
   sql: iot.IotSql.fromStringAsVer20160323("SELECT topic(2) as device_id, timestamp() as timestamp FROM 'device/+/data'"),
   actions: [new actions.LambdaFunctionAction(func)],
 });
@@ -72,3 +74,12 @@ const topicRule = new iot.TopicRule(this, 'TopicRule', {
 });
 topicRule.addAction(new actions.LambdaFunctionAction(func))
 ```
+
+If you wanna make the topic rule disable, add property `enabled: false` as following:
+
+```ts
+new iot.TopicRule(this, 'TopicRule', {
+  sql: iot.IotSql.fromStringAsVer20160323("SELECT topic(2) as device_id, timestamp() as timestamp FROM 'device/+/data'"),
+  enabled: false,
+});
+```

packages/@aws-cdk/aws-iot/lib/topic-rule.ts

@@ -41,6 +41,20 @@ export interface TopicRuleProps {
    */
   readonly actions?: IAction[];
 
+  /**
+   * A textual description of the topic rule.
+   *
+   * @default None
+   */
+  readonly description?: string;
+
+  /**
+   * Specifies whether the rule is enabled.
+   *
+   * @default true
+   */
+  readonly enabled?: boolean
+
   /**
    * A simplified SQL syntax to filter messages received on an MQTT topic and push the data elsewhere.
    *
@@ -102,6 +116,8 @@ export class TopicRule extends Resource implements ITopicRule {
       topicRulePayload: {
         actions: Lazy.any({ produce: () => this.actions }),
         awsIotSqlVersion: sqlConfig.awsIotSqlVersion,
+        description: props.description,
+        ruleDisabled: props.enabled === undefined ? undefined : !props.enabled,
         sql: sqlConfig.sql,
       },
     });

packages/@aws-cdk/aws-iot/test/topic-rule.test.ts

@@ -71,6 +71,36 @@ test('can set physical name', () => {
   });
 });
 
+test('can set description', () => {
+  const stack = new cdk.Stack();
+
+  new iot.TopicRule(stack, 'MyTopicRule', {
+    description: 'test-description',
+    sql: iot.IotSql.fromStringAsVer20151008("SELECT topic(2) as device_id, temperature FROM 'device/+/data'"),
+  });
+
+  Template.fromStack(stack).hasResourceProperties('AWS::IoT::TopicRule', {
+    TopicRulePayload: {
+      Description: 'test-description',
+    },
+  });
+});
+
+test('can set ruleDisabled', () => {
+  const stack = new cdk.Stack();
+
+  new iot.TopicRule(stack, 'MyTopicRule', {
+    enabled: false,
+    sql: iot.IotSql.fromStringAsVer20151008("SELECT topic(2) as device_id, temperature FROM 'device/+/data'"),
+  });
+
+  Template.fromStack(stack).hasResourceProperties('AWS::IoT::TopicRule', {
+    TopicRulePayload: {
+      RuleDisabled: true,
+    },
+  });
+});
+
 test.each([
   ['fromStringAsVer20151008', iot.IotSql.fromStringAsVer20151008, '2015-10-08'],
   ['fromStringAsVer20160323', iot.IotSql.fromStringAsVer20160323, '2016-03-23'],

packages/@aws-cdk/aws-logs/README.md

@@ -48,6 +48,44 @@ By default, the log group will be created in the same region as the stack. The `
 log groups in other regions. This is typically useful when controlling retention for log groups auto-created by global services that
 publish their log group to a specific region, such as AWS Chatbot creating a log group in `us-east-1`.
 
+## Resource Policy
+
+CloudWatch Resource Policies allow other AWS services or IAM Principals to put log events into the log groups.
+A resource policy is automatically created when `addToResourcePolicy` is called on the LogGroup for the first time.
+
+`ResourcePolicy` can also be created manually.
+
+```ts
+const logGroup = new LogGroup(this, 'LogGroup');
+const resourcePolicy = new ResourcePolicy(this, 'ResourcePolicy');
+resourcePolicy.document.addStatements(new iam.PolicyStatement({
+    actions: ['logs:CreateLogStream', 'logs:PutLogEvents'],
+    principals: [new iam.ServicePrincipal('es.amazonaws.com')],
+    resources: [logGroup.logGroupArn],
+}));
+```
+
+Or more conveniently, write permissions to the log group can be granted as follows which gives same result as in the above example.
+
+```ts
+const logGroup = new LogGroup(this, 'LogGroup');
+logGroup.grantWrite(iam.ServicePrincipal('es.amazonaws.com'));
+```
+
+Optionally name and policy statements can also be passed on `ResourcePolicy` construction.
+
+```ts
+const policyStatement = new new iam.PolicyStatement({
+    resources: ["*"],
+    actions: ['logs:PutLogEvents'],
+    principals: [new iam.ArnPrincipal('arn:aws:iam::123456789012:user/user-name')],
+});
+const resourcePolicy = new ResourcePolicy(this, 'ResourcePolicy', {
+    policyName: 'myResourcePolicy',
+    policyStatements: [policyStatement],
+});
+```
+
 ## Encrypting Log Groups
 
 By default, log group data is always encrypted in CloudWatch Logs. You have the
@@ -182,7 +220,6 @@ line.
   all of the terms in any of the groups (specified as arrays) matches. This is
   an OR match.
 
-
 Examples:
 
 ```ts
@@ -231,7 +268,6 @@ and then descending into it, such as `$.field` or `$.list[0].field`.
   given JSON patterns match. This makes an OR combination of the given
   patterns.
 
-
 Example:
 
 ```ts