From 7701a774c74680b8c5849de7f19d2ebc424e9cf0 Mon Sep 17 00:00:00 2001 From: AWS CDK Team Date: Thu, 24 Feb 2022 21:01:56 +0000 Subject: [PATCH 01/74] chore(release): 1.146.0 --- CHANGELOG.md | 27 +++++++++++++++++++++++++++ version.v1.json | 2 +- 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 546daabd60989..14e18e06c3054 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,33 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [1.146.0](https://github.com/aws/aws-cdk/compare/v1.145.0...v1.146.0) (2022-02-24) + + +### Features + +* **apigatewayv2:** Import existing WebSocketApi from attributes ([#18958](https://github.com/aws/aws-cdk/issues/18958)) ([f203845](https://github.com/aws/aws-cdk/commit/f203845d26ae8333f467f1cb91ad965697087d85)) +* **cli:** bundle dependencies ([#18667](https://github.com/aws/aws-cdk/issues/18667)) ([31d135f](https://github.com/aws/aws-cdk/commit/31d135fb51d3cd4e26fbdc132e03815a1416da75)) +* **cli:** support for matching notices with arbitrary module names ([#19088](https://github.com/aws/aws-cdk/issues/19088)) ([a87dee7](https://github.com/aws/aws-cdk/commit/a87dee756057e554909207237b70f80af185b110)) +* **cli:** support for notices ([#18936](https://github.com/aws/aws-cdk/issues/18936)) ([d37fbbb](https://github.com/aws/aws-cdk/commit/d37fbbbb31003d69da88b9340a6a9c9e1e927ac5)) +* **cloudfront-origins:** extend max keepaliveTimeout of HttpOrigin to 180 ([#18837](https://github.com/aws/aws-cdk/issues/18837)) ([171fdcd](https://github.com/aws/aws-cdk/commit/171fdcdf595fcff5b2567b17e6fa73bf0d42e1bc)), closes [#18697](https://github.com/aws/aws-cdk/issues/18697) +* **eks:** Allow helm pull from OCI repositories ([#18547](https://github.com/aws/aws-cdk/issues/18547)) ([7e624d9](https://github.com/aws/aws-cdk/commit/7e624d994c94dbd584643c4cb6e9f8df53dabc18)) +* **lambda:** add a fromFunctionName() method ([#19076](https://github.com/aws/aws-cdk/issues/19076)) ([5b92cc3](https://github.com/aws/aws-cdk/commit/5b92cc3a31eea29b40814498fca614eb1c7c8724)), closes [#18255](https://github.com/aws/aws-cdk/issues/18255) [#19031](https://github.com/aws/aws-cdk/issues/19031) +* **pipelines:** ECR source action ([#16385](https://github.com/aws/aws-cdk/issues/16385)) 
([fc11ae2](https://github.com/aws/aws-cdk/commit/fc11ae2c4ec3bd9dfe3ff813aa831c744d8ac444)), closes [#16378](https://github.com/aws/aws-cdk/issues/16378) +* **pipelines:** step outputs ([#19024](https://github.com/aws/aws-cdk/issues/19024)) ([0dec2ee](https://github.com/aws/aws-cdk/commit/0dec2ee78a70832c3a697be26c67498460a587dd)), closes [#17189](https://github.com/aws/aws-cdk/issues/17189) [#18893](https://github.com/aws/aws-cdk/issues/18893) [#15943](https://github.com/aws/aws-cdk/issues/15943) [#16407](https://github.com/aws/aws-cdk/issues/16407) +* **rds:** make VPC optional for serverless Clusters ([#17413](https://github.com/aws/aws-cdk/issues/17413)) ([4f7818d](https://github.com/aws/aws-cdk/commit/4f7818dd76bd48ed652407f4852cc97ba57d7395)), closes [#17401](https://github.com/aws/aws-cdk/issues/17401) +* triggers ([#19011](https://github.com/aws/aws-cdk/issues/19011)) ([11d6c69](https://github.com/aws/aws-cdk/commit/11d6c69a8b1ee70cbea025d134be7702dd804444)) + + +### Bug Fixes + +* **cli:** hotswapping is slow for many resources deployed at once ([#19081](https://github.com/aws/aws-cdk/issues/19081)) ([040238e](https://github.com/aws/aws-cdk/commit/040238e9285945d1c48ef79474e527b871e7824c)), closes [#19021](https://github.com/aws/aws-cdk/issues/19021) +* **s3-notifications:** notifications allowed with imported kms keys ([#18989](https://github.com/aws/aws-cdk/issues/18989)) ([7441418](https://github.com/aws/aws-cdk/commit/7441418fbf9ffdf8d85a573e3c81c45c5648fe8a)) +* API compatibility check fails in CI pipeline ([#19069](https://github.com/aws/aws-cdk/issues/19069)) ([6ec1005](https://github.com/aws/aws-cdk/commit/6ec1005c9cfa9723520885748d759b00be5cd2fa)), closes [#19070](https://github.com/aws/aws-cdk/issues/19070) +* **cloudfront:** trim autogenerated cache policy name ([#18953](https://github.com/aws/aws-cdk/issues/18953)) ([c7394c9](https://github.com/aws/aws-cdk/commit/c7394c96c42cb6a5af1e309bee2a5f11eb3ad35c)), closes 
[#18918](https://github.com/aws/aws-cdk/issues/18918) +* **elasticloadbalancingv2:** validate port/protocol are not provided for lambda targets ([#19043](https://github.com/aws/aws-cdk/issues/19043)) ([64d26cc](https://github.com/aws/aws-cdk/commit/64d26cc22b1fe456777c3367769ddbe860f26cf3)), closes [#12514](https://github.com/aws/aws-cdk/issues/12514) +* **route53:** fix cross account delegation deployment dependency ([#19047](https://github.com/aws/aws-cdk/issues/19047)) ([692a0d0](https://github.com/aws/aws-cdk/commit/692a0d06f2865503d1d88b0ba8af38ecceaec871)), closes [#19041](https://github.com/aws/aws-cdk/issues/19041) + ## [1.145.0](https://github.com/aws/aws-cdk/compare/v1.144.0...v1.145.0) (2022-02-18) diff --git a/version.v1.json b/version.v1.json index 394fd5b4fff24..d726bab6ab46f 100644 --- a/version.v1.json +++ b/version.v1.json @@ -1,3 +1,3 @@ { - "version": "1.145.0" + "version": "1.146.0" } \ No newline at end of file From 77f1e0b57bd4508ade86be7733e71e94a47d7f4c Mon Sep 17 00:00:00 2001 From: rangerthegood <68432236+rangerthegood@users.noreply.github.com> Date: Thu, 24 Feb 2022 17:16:39 -0500 Subject: [PATCH 02/74] fix(dynamodb): `Table.grantWriteData()` doesn't include enough KMS permissions (#19102) This fix adds the additional KMS actions `KEY_READ_ACTIONS` during calls to `grantWriteData`. This is required when using Tables are using CMKs during write operations such as put_item and batch_write_item. Fixes #10010 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/@aws-cdk/aws-dynamodb/lib/table.ts | 3 +- .../aws-dynamodb/test/dynamodb.test.ts | 32 +++++++++++++++++++ 2 files changed, 34 insertions(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-dynamodb/lib/table.ts b/packages/@aws-cdk/aws-dynamodb/lib/table.ts index bc4b6ce39c9f0..868796644b2be 100644 --- a/packages/@aws-cdk/aws-dynamodb/lib/table.ts +++ b/packages/@aws-cdk/aws-dynamodb/lib/table.ts 
@@ -732,7 +732,8 @@ abstract class TableBase extends Resource implements ITable {
 * @param grantee The principal to grant access to
 */
 public grantWriteData(grantee: iam.IGrantable): iam.Grant {
- return this.combinedGrant(grantee, { keyActions: perms.KEY_WRITE_ACTIONS, tableActions: perms.WRITE_DATA_ACTIONS });
+ const keyActions = perms.KEY_READ_ACTIONS.concat(perms.KEY_WRITE_ACTIONS);
+ return this.combinedGrant(grantee, { keyActions, tableActions: perms.WRITE_DATA_ACTIONS });
 }
 /**
diff --git a/packages/@aws-cdk/aws-dynamodb/test/dynamodb.test.ts b/packages/@aws-cdk/aws-dynamodb/test/dynamodb.test.ts
index 6ca8b3bd0cf65..144fe017c6966 100644
--- a/packages/@aws-cdk/aws-dynamodb/test/dynamodb.test.ts
+++ b/packages/@aws-cdk/aws-dynamodb/test/dynamodb.test.ts
@@ -720,6 +720,38 @@ test('if an encryption key is included, encrypt/decrypt permissions are added to
 });
 });
+test('if an encryption key is included, encrypt/decrypt permissions are added to the principal for grantWriteData', () => {
+ const stack = new Stack();
+ const table = new Table(stack, 'Table A', {
+ tableName: TABLE_NAME,
+ partitionKey: TABLE_PARTITION_KEY,
+ encryption: TableEncryption.CUSTOMER_MANAGED,
+ });
+ const user = new iam.User(stack, 'MyUser');
+ table.grantWriteData(user);
+
+ Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+ PolicyDocument: {
+ Statement: Match.arrayWith([{
+ Action: [
+ 'kms:Decrypt',
+ 'kms:DescribeKey',
+ 'kms:Encrypt',
+ 'kms:ReEncrypt*',
+ 'kms:GenerateDataKey*',
+ ],
+ Effect: 'Allow',
+ Resource: {
+ 'Fn::GetAtt': [
+ 'TableAKey07CC09EC',
+ 'Arn',
+ ],
+ },
+ }]),
+ },
+ });
+});
+
 test('when specifying STANDARD_INFREQUENT_ACCESS table class', () => {
 const stack = new Stack();
 new Table(stack, CONSTRUCT_NAME, {
From 59ef06ae2a70fcb1800fcc1f40eec671c77440f0 Mon Sep 17 00:00:00 2001
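Review bot: The new `keyActions` line widens `grantWriteData` to the read-side KMS actions — `kms:Decrypt` and `kms:DescribeKey`, going by the test hunk that follows in this patch — and nothing on the line records why a write-only grant needs them. The commit message gives the reason (PutItem/BatchWriteItem on a CMK-encrypted table), so I'd keep it next to the code: `// Writes to a CMK-encrypted table also need the KMS read actions (Decrypt/DescribeKey), see #19102`. The method's docstring, which starts above the hunk, should say the same, because a principal granted only write access now holds `kms:Decrypt` on the key, which matters when that key is shared with other resources.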
From: cm-iwata <38879253+cm-iwata@users.noreply.github.com> Date: Fri, 25 Feb 2022 07:59:14 +0900 Subject: [PATCH 03/74] fix(apigateway): fix strange vtl template for cors preflight request (#19104) CDK will create this VTL template for OPTIONS method. ``` #set($origin = $input.params("Origin")) #if($origin == "") #set($origin = $input.params("origin")) #end #if($origin.matches("https://www.test-cors.org")) #set($context.responseOverride.header.Access-Control-Allow-Origin = $origin) #end ``` This VTL template use `$input.params` for get origin information. But it's references request parameter from these values - path - query string - header [`$input` Variables](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html#input-variable-reference) So, this template cause strange behavier like this. ``` $ curl -XOPTIONS https://xxx.execute-api.ap-northeast-1.amazonaws.com/prod/twitch?origin=https://www.test-cors.org -i HTTP/2 204 date: Wed, 23 Feb 2022 06:32:39 GMT x-amzn-requestid: df42e9de-80a4-4db5-985d-5ed8adc40b99 access-control-allow-origin: https://www.test-cors.org ``` [RFC6454](https://datatracker.ietf.org/doc/html/rfc6454#section-7.2) says >the Origin header field indicates > the origin(s) that "caused" the user agent to issue the request its not mention path and querystrings. So VTL template should use only request header for check origin information. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/@aws-cdk/aws-apigateway/lib/resource.ts | 4 ++-- packages/@aws-cdk/aws-apigateway/test/cors.test.ts | 2 +- .../@aws-cdk/aws-apigateway/test/integ.cors.expected.json | 6 +++--- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/packages/@aws-cdk/aws-apigateway/lib/resource.ts b/packages/@aws-cdk/aws-apigateway/lib/resource.ts index 714e99bce7a0b..f843ee1b5e25a 100644 --- a/packages/@aws-cdk/aws-apigateway/lib/resource.ts 
+++ b/packages/@aws-cdk/aws-apigateway/lib/resource.ts
@@ -311,8 +311,8 @@ export abstract class ResourceBase extends ResourceConstruct implements IResourc
 const template = new Array();
- template.push('#set($origin = $input.params("Origin"))');
- template.push('#if($origin == "") #set($origin = $input.params("origin")) #end');
+ template.push('#set($origin = $input.params().header.get("Origin"))');
+ template.push('#if($origin == "") #set($origin = $input.params().header.get("origin")) #end');
 const condition = origins.map(o => `$origin.matches("${o}")`).join(' || ');
diff --git a/packages/@aws-cdk/aws-apigateway/test/cors.test.ts b/packages/@aws-cdk/aws-apigateway/test/cors.test.ts
index 581b8af3e6c53..c573e6302589e 100644
--- a/packages/@aws-cdk/aws-apigateway/test/cors.test.ts
+++ b/packages/@aws-cdk/aws-apigateway/test/cors.test.ts
@@ -290,7 +290,7 @@ describe('cors', () => {
 'method.response.header.Access-Control-Allow-Methods': "'OPTIONS,GET,PUT,POST,DELETE,PATCH,HEAD'",
 },
 ResponseTemplates: {
- 'application/json': '#set($origin = $input.params("Origin"))\n#if($origin == "") #set($origin = $input.params("origin")) #end\n#if($origin.matches("https://amazon.com") || $origin.matches("https://aws.amazon.com"))\n #set($context.responseOverride.header.Access-Control-Allow-Origin = $origin)\n#end',
+ 'application/json': '#set($origin = $input.params().header.get("Origin"))\n#if($origin == "") #set($origin = $input.params().header.get("origin")) #end\n#if($origin.matches("https://amazon.com") || $origin.matches("https://aws.amazon.com"))\n #set($context.responseOverride.header.Access-Control-Allow-Origin = $origin)\n#end',
 },
 StatusCode: '204',
 },
diff --git a/packages/@aws-cdk/aws-apigateway/test/integ.cors.expected.json b/packages/@aws-cdk/aws-apigateway/test/integ.cors.expected.json
index 22b5c45a87b53..02d757e898afe 100644
--- a/packages/@aws-cdk/aws-apigateway/test/integ.cors.expected.json
+++ b/packages/@aws-cdk/aws-apigateway/test/integ.cors.expected.json
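Review bot: The new header lookup fixes where the origin is read from, but the value is still checked on the unchanged `const condition = origins.map(o => `$origin.matches("${o}")`).join(' || ');` line, and in API Gateway's Velocity `matches` is Java's `String.matches`, i.e. a full regular-expression match. Each configured origin is interpolated unescaped, so for a value like `https://amazon.com` (the one used in the cors.test.ts hunk below) the `.` matches any character and a lookalike host satisfies the allow check. Unless the option is documented as accepting patterns, compare literally with `$origin == "${o}"`, or if `matches` must stay, escape metacharacters first — `const escapeRegex = (s: string) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');` and `$origin.matches("${escapeRegex(o)}")` — after confirming how VTL string literals treat the inserted backslashes. The enclosing method starts and ends outside the hunk.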
@@ -51,7 +51,7 @@ "corsapitest8682546E" ] }, - "corsapitestDeployment2BF1633A228079ea05e5799220dd4ca13512b92d": { + "corsapitestDeployment2BF1633A51392cbce1ac2785bd0e53063423e203": { "Type": "AWS::ApiGateway::Deployment", "Properties": { "RestApiId": { @@ -74,7 +74,7 @@ "Ref": "corsapitest8682546E" }, "DeploymentId": { - "Ref": "corsapitestDeployment2BF1633A228079ea05e5799220dd4ca13512b92d" + "Ref": "corsapitestDeployment2BF1633A51392cbce1ac2785bd0e53063423e203" }, "StageName": "prod" }, @@ -472,7 +472,7 @@ "method.response.header.Access-Control-Allow-Methods": "'OPTIONS,GET,PUT,POST,DELETE,PATCH,HEAD'" }, "ResponseTemplates": { - "application/json": "#set($origin = $input.params(\"Origin\"))\n#if($origin == \"\") #set($origin = $input.params(\"origin\")) #end\n#if($origin.matches(\"https://www.test-cors.org\"))\n #set($context.responseOverride.header.Access-Control-Allow-Origin = $origin)\n#end" + "application/json": "#set($origin = $input.params().header.get(\"Origin\"))\n#if($origin == \"\") #set($origin = $input.params().header.get(\"origin\")) #end\n#if($origin.matches(\"https://www.test-cors.org\"))\n #set($context.responseOverride.header.Access-Control-Allow-Origin = $origin)\n#end" }, "StatusCode": "204" } From 4a44a65bb4634081e04811966d5f4e2fd49bc7c6 Mon Sep 17 00:00:00 2001 
From: Chris Smith Date: Thu, 24 Feb 2022 21:24:03 -0500 Subject: [PATCH 04/74] fix(dynamodb): `grant*Data()` methods are missing the `dynamodb:DescribeTable` permission (#19129) Fixes #18773 This allows the high level dynamodb clients to function correctly ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../test/integ.assign-public-ip.expected.json | 3 ++- .../test/integ.api-import.expected.json | 3 ++- .../test/integ.auth-apikey.expected.json | 3 ++- .../test/integ.graphql-iam.expected.json | 3 ++- .../test/integ.graphql-schema.expected.json | 3 ++- .../aws-appsync/test/integ.graphql.expected.json | 9 ++++++--- packages/@aws-cdk/aws-dynamodb/lib/perms.ts | 2 ++ packages/@aws-cdk/aws-dynamodb/lib/table.ts | 14 ++++++++------ .../@aws-cdk/aws-dynamodb/test/dynamodb.test.ts | 13 ++++++++++--- .../aws-dynamodb/test/integ.dynamodb.expected.json | 6 ++++-- .../test/integ.dynamodb.sse.expected.json | 6 ++++-- 11 files changed, 44 insertions(+), 21 deletions(-) diff --git a/packages/@aws-cdk-containers/ecs-service-extensions/test/integ.assign-public-ip.expected.json b/packages/@aws-cdk-containers/ecs-service-extensions/test/integ.assign-public-ip.expected.json index 556524b695267..e9de0e4c0f997 100644 --- a/packages/@aws-cdk-containers/ecs-service-extensions/test/integ.assign-public-ip.expected.json +++ b/packages/@aws-cdk-containers/ecs-service-extensions/test/integ.assign-public-ip.expected.json @@ -766,7 +766,8 @@ "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:UpdateItem", - "dynamodb:DeleteItem" + "dynamodb:DeleteItem", + "dynamodb:DescribeTable" ], "Effect": "Allow", "Resource": [ diff --git a/packages/@aws-cdk/aws-appsync/test/integ.api-import.expected.json b/packages/@aws-cdk/aws-appsync/test/integ.api-import.expected.json index e4b54f04116fc..269f986d16838 100644 --- a/packages/@aws-cdk/aws-appsync/test/integ.api-import.expected.json 
+++ b/packages/@aws-cdk/aws-appsync/test/integ.api-import.expected.json @@ -85,7 +85,8 @@ "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:UpdateItem", - "dynamodb:DeleteItem" + "dynamodb:DeleteItem", + "dynamodb:DescribeTable" ], "Effect": "Allow", "Resource": [ diff --git a/packages/@aws-cdk/aws-appsync/test/integ.auth-apikey.expected.json b/packages/@aws-cdk/aws-appsync/test/integ.auth-apikey.expected.json index ed0307de0e72f..2eb81b6793f66 100644 --- a/packages/@aws-cdk/aws-appsync/test/integ.auth-apikey.expected.json +++ b/packages/@aws-cdk/aws-appsync/test/integ.auth-apikey.expected.json @@ -68,7 +68,8 @@ "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:UpdateItem", - "dynamodb:DeleteItem" + "dynamodb:DeleteItem", + "dynamodb:DescribeTable" ], "Effect": "Allow", "Resource": [ diff --git a/packages/@aws-cdk/aws-appsync/test/integ.graphql-iam.expected.json b/packages/@aws-cdk/aws-appsync/test/integ.graphql-iam.expected.json index 374a89dc33d14..91af2e3102a2a 100644 --- a/packages/@aws-cdk/aws-appsync/test/integ.graphql-iam.expected.json +++ b/packages/@aws-cdk/aws-appsync/test/integ.graphql-iam.expected.json @@ -99,7 +99,8 @@ "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:UpdateItem", - "dynamodb:DeleteItem" + "dynamodb:DeleteItem", + "dynamodb:DescribeTable" ], "Effect": "Allow", "Resource": [ diff --git a/packages/@aws-cdk/aws-appsync/test/integ.graphql-schema.expected.json b/packages/@aws-cdk/aws-appsync/test/integ.graphql-schema.expected.json index a6e5ff5764331..44c75a74f0f8f 100644 --- a/packages/@aws-cdk/aws-appsync/test/integ.graphql-schema.expected.json +++ b/packages/@aws-cdk/aws-appsync/test/integ.graphql-schema.expected.json @@ -67,7 +67,8 @@ "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:UpdateItem", - "dynamodb:DeleteItem" + "dynamodb:DeleteItem", + "dynamodb:DescribeTable" ], "Effect": "Allow", "Resource": [ 
diff --git a/packages/@aws-cdk/aws-appsync/test/integ.graphql.expected.json b/packages/@aws-cdk/aws-appsync/test/integ.graphql.expected.json
index e14c0af7a5450..ca8ee1a1c7b5b 100644
--- a/packages/@aws-cdk/aws-appsync/test/integ.graphql.expected.json
+++ b/packages/@aws-cdk/aws-appsync/test/integ.graphql.expected.json
@@ -147,7 +147,8 @@
 "dynamodb:BatchWriteItem",
 "dynamodb:PutItem",
 "dynamodb:UpdateItem",
- "dynamodb:DeleteItem"
+ "dynamodb:DeleteItem",
+ "dynamodb:DescribeTable"
 ],
 "Effect": "Allow",
 "Resource": [
@@ -360,7 +361,8 @@
 "dynamodb:BatchWriteItem",
 "dynamodb:PutItem",
 "dynamodb:UpdateItem",
- "dynamodb:DeleteItem"
+ "dynamodb:DeleteItem",
+ "dynamodb:DescribeTable"
 ],
 "Effect": "Allow",
 "Resource": [
@@ -752,7 +754,8 @@
 "dynamodb:BatchWriteItem",
 "dynamodb:PutItem",
 "dynamodb:UpdateItem",
- "dynamodb:DeleteItem"
+ "dynamodb:DeleteItem",
+ "dynamodb:DescribeTable"
 ],
 "Effect": "Allow",
 "Resource": [
diff --git a/packages/@aws-cdk/aws-dynamodb/lib/perms.ts b/packages/@aws-cdk/aws-dynamodb/lib/perms.ts
index af385e57209f5..29d240d245f75 100644
--- a/packages/@aws-cdk/aws-dynamodb/lib/perms.ts
+++ b/packages/@aws-cdk/aws-dynamodb/lib/perms.ts
@@ -29,3 +29,5 @@ export const READ_STREAM_DATA_ACTIONS = [
 'dynamodb:GetRecords',
 'dynamodb:GetShardIterator',
 ];
+
+export const DESCRIBE_TABLE = 'dynamodb:DescribeTable';
\ No newline at end of file
diff --git a/packages/@aws-cdk/aws-dynamodb/lib/table.ts b/packages/@aws-cdk/aws-dynamodb/lib/table.ts
index 868796644b2be..00dca8dbe31e3 100644
--- a/packages/@aws-cdk/aws-dynamodb/lib/table.ts
+++ b/packages/@aws-cdk/aws-dynamodb/lib/table.ts
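Review bot: `DESCRIBE_TABLE` is exported as a bare string while the neighbouring constant in perms.ts (`READ_STREAM_DATA_ACTIONS` in the hunk context) is a string array, so every caller in table.ts relies on `Array.prototype.concat` splicing in a scalar, and the file now ends without a newline (`\ No newline at end of file`). I'd keep the shape consistent and document why the action exists: `/** Table-metadata action appended to every grant*Data() so high-level DynamoDB clients can describe the table (#18773). */` above `export const DESCRIBE_TABLE_ACTIONS = ['dynamodb:DescribeTable'];`, with a trailing newline. If the scalar name is kept to avoid touching the callers, the doc comment alone is still worth adding.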
@@ -679,7 +679,7 @@ abstract class TableBase extends Resource implements ITable {
 /**
 * Permits an IAM principal all data read operations from this table:
- * BatchGetItem, GetRecords, GetShardIterator, Query, GetItem, Scan.
+ * BatchGetItem, GetRecords, GetShardIterator, Query, GetItem, Scan, DescribeTable.
 *
 * Appropriate grants will also be added to the customer-managed KMS key
 * if one was configured.
@@ -687,7 +687,8 @@ abstract class TableBase extends Resource implements ITable {
 * @param grantee The principal to grant access to
 */
 public grantReadData(grantee: iam.IGrantable): iam.Grant {
- return this.combinedGrant(grantee, { keyActions: perms.KEY_READ_ACTIONS, tableActions: perms.READ_DATA_ACTIONS });
+ const tableActions = perms.READ_DATA_ACTIONS.concat(perms.DESCRIBE_TABLE);
+ return this.combinedGrant(grantee, { keyActions: perms.KEY_READ_ACTIONS, tableActions });
 }
 /**
@@ -724,7 +725,7 @@ abstract class TableBase extends Resource implements ITable {
 /**
 * Permits an IAM principal all data write operations to this table:
- * BatchWriteItem, PutItem, UpdateItem, DeleteItem.
+ * BatchWriteItem, PutItem, UpdateItem, DeleteItem, DescribeTable.
 *
 * Appropriate grants will also be added to the customer-managed KMS key
 * if one was configured.
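Review bot: The rewritten action list in `grantReadData`'s docstring is still incomplete: the `grants` tests later in this patch expect `ConditionCheckItem` from `grantReadData` as well, but the doc line only names `BatchGetItem, GetRecords, GetShardIterator, Query, GetItem, Scan, DescribeTable`. Since the commit already touches that line, make it `* BatchGetItem, GetRecords, GetShardIterator, Query, GetItem, Scan, ConditionCheckItem, DescribeTable.`; the `grantReadWriteData` docstring in the next hunk has the same gap. This hunk holds only the opening of the docstring; the method it documents is in the hunk that follows.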
@@ -732,14 +733,15 @@ abstract class TableBase extends Resource implements ITable {
 * @param grantee The principal to grant access to
 */
 public grantWriteData(grantee: iam.IGrantable): iam.Grant {
+ const tableActions = perms.WRITE_DATA_ACTIONS.concat(perms.DESCRIBE_TABLE);
 const keyActions = perms.KEY_READ_ACTIONS.concat(perms.KEY_WRITE_ACTIONS);
- return this.combinedGrant(grantee, { keyActions, tableActions: perms.WRITE_DATA_ACTIONS });
+ return this.combinedGrant(grantee, { keyActions, tableActions });
 }
 /**
 * Permits an IAM principal to all data read/write operations to this table.
 * BatchGetItem, GetRecords, GetShardIterator, Query, GetItem, Scan,
- * BatchWriteItem, PutItem, UpdateItem, DeleteItem
+ * BatchWriteItem, PutItem, UpdateItem, DeleteItem, DescribeTable
 *
 * Appropriate grants will also be added to the customer-managed KMS key
 * if one was configured.
@@ -747,7 +749,7 @@ abstract class TableBase extends Resource implements ITable {
 * @param grantee The principal to grant access to
 */
 public grantReadWriteData(grantee: iam.IGrantable): iam.Grant {
- const tableActions = perms.READ_DATA_ACTIONS.concat(perms.WRITE_DATA_ACTIONS);
+ const tableActions = perms.READ_DATA_ACTIONS.concat(perms.WRITE_DATA_ACTIONS).concat(perms.DESCRIBE_TABLE);
 const keyActions = perms.KEY_READ_ACTIONS.concat(perms.KEY_WRITE_ACTIONS);
 return this.combinedGrant(grantee, { keyActions, tableActions });
 }
diff --git a/packages/@aws-cdk/aws-dynamodb/test/dynamodb.test.ts b/packages/@aws-cdk/aws-dynamodb/test/dynamodb.test.ts
index 144fe017c6966..cb564d875aea5 100644
--- a/packages/@aws-cdk/aws-dynamodb/test/dynamodb.test.ts
+++ b/packages/@aws-cdk/aws-dynamodb/test/dynamodb.test.ts
@@ -643,6 +643,7 @@ testLegacyBehavior('if an encryption key is included, encrypt/decrypt permission
 'dynamodb:PutItem',
 'dynamodb:UpdateItem',
 'dynamodb:DeleteItem',
+ 'dynamodb:DescribeTable',
 ],
 Effect: 'Allow',
 Resource: [
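Review bot: `DESCRIBE_TABLE` is now appended by hand in three places — `grantWriteData` and `grantReadWriteData` here and `grantReadData` in the previous hunk — so the next metadata action that high-level clients need would have to be added three times, and `grantReadWriteData` does it with a chained `.concat(...).concat(...)`. Appending it once inside `combinedGrant`, which is outside the hunk, would cover all three; failing that, flatten the chain to `const tableActions = perms.READ_DATA_ACTIONS.concat(perms.WRITE_DATA_ACTIONS, perms.DESCRIBE_TABLE);` and note on the new `grantWriteData` line that `DescribeTable` is a read of table metadata (schema, index and stream details) that a write-only principal is now deliberately given. I cannot see `combinedGrant`'s other callers from the hunk, so whether they should also receive `DescribeTable` needs checking before moving it there.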
@@ -1919,18 +1920,18 @@ describe('grants', () => { test('"grantReadData" allows the principal to read data from the table', () => { testGrant( - ['BatchGetItem', 'GetRecords', 'GetShardIterator', 'Query', 'GetItem', 'Scan', 'ConditionCheckItem'], (p, t) => t.grantReadData(p)); + ['BatchGetItem', 'GetRecords', 'GetShardIterator', 'Query', 'GetItem', 'Scan', 'ConditionCheckItem', 'DescribeTable'], (p, t) => t.grantReadData(p)); }); test('"grantWriteData" allows the principal to write data to the table', () => { testGrant( - ['BatchWriteItem', 'PutItem', 'UpdateItem', 'DeleteItem'], (p, t) => t.grantWriteData(p)); + ['BatchWriteItem', 'PutItem', 'UpdateItem', 'DeleteItem', 'DescribeTable'], (p, t) => t.grantWriteData(p)); }); test('"grantReadWriteData" allows the principal to read/write data', () => { testGrant([ 'BatchGetItem', 'GetRecords', 'GetShardIterator', 'Query', 'GetItem', 'Scan', - 'ConditionCheckItem', 'BatchWriteItem', 'PutItem', 'UpdateItem', 'DeleteItem', + 'ConditionCheckItem', 'BatchWriteItem', 'PutItem', 'UpdateItem', 'DeleteItem', 'DescribeTable', ], (p, t) => t.grantReadWriteData(p)); }); @@ -2092,6 +2093,7 @@ describe('grants', () => { 'dynamodb:GetItem', 'dynamodb:Scan', 'dynamodb:ConditionCheckItem', + 'dynamodb:DescribeTable', ], 'Effect': 'Allow', 'Resource': [ @@ -2244,6 +2246,7 @@ describe('import', () => { 'dynamodb:GetItem', 'dynamodb:Scan', 'dynamodb:ConditionCheckItem', + 'dynamodb:DescribeTable', ], 'Effect': 'Allow', 'Resource': [ @@ -2290,6 +2293,7 @@ describe('import', () => { 'dynamodb:PutItem', 'dynamodb:UpdateItem', 'dynamodb:DeleteItem', + 'dynamodb:DescribeTable', ], 'Effect': 'Allow', 'Resource': [ @@ -2432,6 +2436,7 @@ describe('import', () => { 'dynamodb:GetItem', 'dynamodb:Scan', 'dynamodb:ConditionCheckItem', + 'dynamodb:DescribeTable', ], Resource: [ { 
@@ -2606,6 +2611,7 @@ describe('global', () => { 'dynamodb:GetItem', 'dynamodb:Scan', 'dynamodb:ConditionCheckItem', + 'dynamodb:DescribeTable', ], Effect: 'Allow', Resource: [ @@ -2760,6 +2766,7 @@ describe('global', () => { 'dynamodb:GetItem', 'dynamodb:Scan', 'dynamodb:ConditionCheckItem', + 'dynamodb:DescribeTable', ], Effect: 'Allow', Resource: [ diff --git a/packages/@aws-cdk/aws-dynamodb/test/integ.dynamodb.expected.json b/packages/@aws-cdk/aws-dynamodb/test/integ.dynamodb.expected.json index d20e923f3d55e..9d33338172a7a 100644 --- a/packages/@aws-cdk/aws-dynamodb/test/integ.dynamodb.expected.json +++ b/packages/@aws-cdk/aws-dynamodb/test/integ.dynamodb.expected.json @@ -387,7 +387,8 @@ "dynamodb:Query", "dynamodb:GetItem", "dynamodb:Scan", - "dynamodb:ConditionCheckItem" + "dynamodb:ConditionCheckItem", + "dynamodb:DescribeTable" ], "Effect": "Allow", "Resource": [ @@ -410,7 +411,8 @@ "dynamodb:Query", "dynamodb:GetItem", "dynamodb:Scan", - "dynamodb:ConditionCheckItem" + "dynamodb:ConditionCheckItem", + "dynamodb:DescribeTable" ], "Effect": "Allow", "Resource": [ diff --git a/packages/@aws-cdk/aws-dynamodb/test/integ.dynamodb.sse.expected.json b/packages/@aws-cdk/aws-dynamodb/test/integ.dynamodb.sse.expected.json index 879532d0a8879..7c07d9a4339c9 100644 --- a/packages/@aws-cdk/aws-dynamodb/test/integ.dynamodb.sse.expected.json +++ b/packages/@aws-cdk/aws-dynamodb/test/integ.dynamodb.sse.expected.json @@ -497,7 +497,8 @@ "dynamodb:Query", "dynamodb:GetItem", "dynamodb:Scan", - "dynamodb:ConditionCheckItem" + "dynamodb:ConditionCheckItem", + "dynamodb:DescribeTable" ], "Effect": "Allow", "Resource": [ @@ -533,7 +534,8 @@ "dynamodb:Query", "dynamodb:GetItem", "dynamodb:Scan", - "dynamodb:ConditionCheckItem" + "dynamodb:ConditionCheckItem", + "dynamodb:DescribeTable" ], "Effect": "Allow", "Resource": [ From 19ead77c6470c0aca4900c4ee200a7c4e66ebbed Mon Sep 17 00:00:00 2001 
From: AWS CDK Automation <43080478+aws-cdk-automation@users.noreply.github.com> Date: Fri, 25 Feb 2022 09:45:12 +0000 Subject: [PATCH 05/74] docs(cfnspec): update CloudFormation documentation (#19152) Co-authored-by: AWS CDK Team --- .../spec-source/cfn-docs/cfn-docs.json | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json b/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json index a4e99585786e1..d590cf2497952 100644 --- a/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json +++ b/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json 
@@ -5154,7 +5154,7 @@ "properties": { "InstanceRequirements": "The instance requirements. When you specify instance requirements, Amazon EC2 Auto Scaling finds instance types that satisfy your requirements, and then uses your On-Demand and Spot allocation strategies to launch instances from these instance types, in the same way as when you specify a list of specific instance types.\n\n> `InstanceRequirements` are incompatible with the `InstanceType` property. If you specify both of these properties, Amazon EC2 Auto Scaling will return a `ValidationException` exception.", "InstanceType": "The instance type, such as `m3.xlarge` . You must use an instance type that is supported in your requested Region and Availability Zones. For more information, see [Available instance types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#AvailableInstanceTypes) in the *Amazon EC2 User Guide for Linux Instances.*", - "LaunchTemplateSpecification": "Provides the launch template to be used when launching the instance type specified in `InstanceType` . For example, some instance types might require a launch template with a different AMI. If not provided, Amazon EC2 Auto Scaling uses the launch template that's defined for your mixed instances policy. For more information, see [Specifying a different launch template for an instance type](https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-mixed-instances-groups-launch-template-overrides.html) in the *Amazon EC2 Auto Scaling User Guide* .", + "LaunchTemplateSpecification": "Provides a launch template for the specified instance type or instance requirements. For example, some instance types might require a launch template with a different AMI. If not provided, Amazon EC2 Auto Scaling uses the launch template that's defined for your mixed instances policy. 
For more information, see [Specifying a different launch template for an instance type](https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-mixed-instances-groups-launch-template-overrides.html) in the *Amazon EC2 Auto Scaling User Guide* .", "WeightedCapacity": "The number of capacity units provided by the instance type specified in `InstanceType` in terms of virtual CPUs, memory, storage, throughput, or other relative performance characteristic. When a Spot or On-Demand Instance is provisioned, the capacity units count toward the desired capacity. Amazon EC2 Auto Scaling provisions instances until the desired capacity is totally fulfilled, even if this results in an overage. For example, if there are 2 units remaining to fulfill capacity, and Amazon EC2 Auto Scaling can only provision an instance with a `WeightedCapacity` of 5 units, the instance is provisioned, and the desired capacity is exceeded by 3 units. For more information, see [Instance weighting for Amazon EC2 Auto Scaling](https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-mixed-instances-groups-instance-weighting.html) in the *Amazon EC2 Auto Scaling User Guide* . Value must be in the range of 1-999.\n\n> Every Auto Scaling group has three size parameters ( `DesiredCapacity` , `MaxSize` , and `MinSize` ). Usually, you set these sizes based on a specific number of instances. However, if you configure a mixed instances policy that defines weights for the instance types, you must specify these sizes with the same units that you use for weighting instances." } }, 
@@ -5459,7 +5459,7 @@ "description": "The `AWS::AutoScaling::WarmPool` resource creates a pool of pre-initialized EC2 instances that sits alongside the Auto Scaling group. Whenever your application needs to scale out, the Auto Scaling group can draw on the warm pool to meet its new desired capacity.\n\nWhen you create a warm pool, you can define a minimum size. When your Auto Scaling group scales out and the size of the warm pool shrinks, Amazon EC2 Auto Scaling launches new instances into the warm pool to maintain its minimum size.\n\nFor more information, see [Warm pools for Amazon EC2 Auto Scaling](https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-warm-pools.html) in the *Amazon EC2 Auto Scaling User Guide* .\n\n> CloudFormation supports the `UpdatePolicy` attribute for Auto Scaling groups. During an update, if `UpdatePolicy` is set to `AutoScalingRollingUpdate` , CloudFormation replaces `InService` instances only. Instances in the warm pool are not replaced. The difference in which instances are replaced can potentially result in different instance configurations after the stack update completes. If `UpdatePolicy` is set to `AutoScalingReplacingUpdate` , you do not encounter this issue because CloudFormation replaces both the Auto Scaling group and the warm pool.", "properties": { "AutoScalingGroupName": "The name of the Auto Scaling group.", - "InstanceReusePolicy": "", + "InstanceReusePolicy": "Indicates whether instances in the Auto Scaling group can be returned to the warm pool on scale in. The default is to terminate instances in the Auto Scaling group when the group scales in.", "MaxGroupPreparedCapacity": "Specifies the maximum number of instances that are allowed to be in the warm pool or in any state except `Terminated` for the Auto Scaling group. This is an optional property. 
Specify it only if you do not want the warm pool size to be determined by the difference between the group's maximum capacity and its desired capacity.\n\n> If a value for `MaxGroupPreparedCapacity` is not specified, Amazon EC2 Auto Scaling launches and maintains the difference between the group's maximum capacity and its desired capacity. If you specify a value for `MaxGroupPreparedCapacity` , Amazon EC2 Auto Scaling uses the difference between the `MaxGroupPreparedCapacity` and the desired capacity instead.\n> \n> The size of the warm pool is dynamic. Only when `MaxGroupPreparedCapacity` and `MinSize` are set to the same value does the warm pool have an absolute size. \n\nIf the desired capacity of the Auto Scaling group is higher than the `MaxGroupPreparedCapacity` , the capacity of the warm pool is 0, unless you specify a value for `MinSize` . To remove a value that you previously set, include the property but specify -1 for the value.", "MinSize": "Specifies the minimum number of instances to maintain in the warm pool. This helps you to ensure that there is always a certain number of warmed instances available to handle traffic spikes. Defaults to 0 if not specified.", "PoolState": "Sets the instance state to transition to after the lifecycle actions are complete. Default is `Stopped` ." 
@@ -5467,9 +5467,9 @@ }, "AWS::AutoScaling::WarmPool.InstanceReusePolicy": { "attributes": {}, - "description": "", + "description": "A structure that specifies an instance reuse policy for the `InstanceReusePolicy` property of the [AWS::AutoScaling::WarmPool](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-autoscaling-warmpool.html) resource type.\n\nFor more information, see [Warm pools for Amazon EC2 Auto Scaling](https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-warm-pools.html) in the *Amazon EC2 Auto Scaling User Guide* .", "properties": { - "ReuseOnScaleIn": "" + "ReuseOnScaleIn": "Specifies whether instances in the Auto Scaling group can be returned to the warm pool on scale in." } }, "AWS::AutoScalingPlans::ScalingPlan": { 
@@ -34214,7 +34214,7 @@ "attributes": {}, "description": "The PublicAccessBlock configuration that you want to apply to this Amazon S3 bucket. You can enable the configuration options in any combination. For more information about when Amazon S3 considers a bucket or object public, see [The Meaning of \"Public\"](https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-policy-status) in the *Amazon S3 User Guide* .", "properties": { - "BlockPublicAcls": "Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. Setting this element to `TRUE` causes the following behavior:\n\n- PUT Bucket acl and PUT Object acl calls fail if the specified ACL is public.\n- PUT Object calls fail if the request includes a public ACL.\n- PUT Bucket calls fail if the request includes a public ACL.\n\nEnabling this setting doesn't affect existing policies or ACLs.", + "BlockPublicAcls": "Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. Setting this element to `TRUE` causes the following behavior:\n\n- PUT Bucket ACL and PUT Object ACL calls fail if the specified ACL is public.\n- PUT Object calls fail if the request includes a public ACL.\n- PUT Bucket calls fail if the request includes a public ACL.\n\nEnabling this setting doesn't affect existing policies or ACLs.", "BlockPublicPolicy": "Specifies whether Amazon S3 should block public bucket policies for this bucket. Setting this element to `TRUE` causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access.\n\nEnabling this setting doesn't affect existing bucket policies.", "IgnorePublicAcls": "Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. 
Setting this element to `TRUE` causes Amazon S3 to ignore all public ACLs on this bucket and objects in this bucket.\n\nEnabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set.", "RestrictPublicBuckets": "Specifies whether Amazon S3 should restrict public bucket policies for this bucket. Setting this element to `TRUE` restricts access to this bucket to only AWS service principals and authorized users within this account if the bucket has a public policy.\n\nEnabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked." 
@@ -34506,7 +34506,7 @@ "attributes": {}, "description": "The PublicAccessBlock configuration that you want to apply to this Amazon S3 bucket. You can enable the configuration options in any combination. For more information about when Amazon S3 considers a bucket or object public, see [The Meaning of \"Public\"](https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-policy-status) in the *Amazon S3 User Guide* .", "properties": { - "BlockPublicAcls": "Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. Setting this element to `TRUE` causes the following behavior:\n\n- PUT Bucket acl and PUT Object acl calls fail if the specified ACL is public.\n- PUT Object calls fail if the request includes a public ACL.\n- PUT Bucket calls fail if the request includes a public ACL.\n\nEnabling this setting doesn't affect existing policies or ACLs.", + "BlockPublicAcls": "Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. Setting this element to `TRUE` causes the following behavior:\n\n- PUT Bucket ACL and PUT Object ACL calls fail if the specified ACL is public.\n- PUT Object calls fail if the request includes a public ACL.\n- PUT Bucket calls fail if the request includes a public ACL.\n\nEnabling this setting doesn't affect existing policies or ACLs.", "BlockPublicPolicy": "Specifies whether Amazon S3 should block public bucket policies for this bucket. Setting this element to `TRUE` causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access.\n\nEnabling this setting doesn't affect existing bucket policies.", "IgnorePublicAcls": "Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. 
Setting this element to `TRUE` causes Amazon S3 to ignore all public ACLs on this bucket and objects in this bucket.\n\nEnabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set.", "RestrictPublicBuckets": "Specifies whether Amazon S3 should restrict public bucket policies for this bucket. Setting this element to `TRUE` restricts access to this bucket to only AWS service principals and authorized users within this account if the bucket has a public policy.\n\nEnabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked." 
@@ -34773,7 +34773,7 @@ "attributes": {}, "description": "The PublicAccessBlock configuration that you want to apply to this Amazon S3 Multi-Region Access Point. You can enable the configuration options in any combination. For more information about when Amazon S3 considers an object public, see [The Meaning of \"Public\"](https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-policy-status) in the *Amazon S3 User Guide* .", "properties": { - "BlockPublicAcls": "Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. Setting this element to `TRUE` causes the following behavior:\n\n- PUT Bucket acl and PUT Object acl calls fail if the specified ACL is public.\n- PUT Object calls fail if the request includes a public ACL.\n- PUT Bucket calls fail if the request includes a public ACL.\n\nEnabling this setting doesn't affect existing policies or ACLs.", + "BlockPublicAcls": "Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. Setting this element to `TRUE` causes the following behavior:\n\n- PUT Bucket ACL and PUT Object ACL calls fail if the specified ACL is public.\n- PUT Object calls fail if the request includes a public ACL.\n- PUT Bucket calls fail if the request includes a public ACL.\n\nEnabling this setting doesn't affect existing policies or ACLs.", "BlockPublicPolicy": "Specifies whether Amazon S3 should block public bucket policies for this bucket. Setting this element to `TRUE` causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access.\n\nEnabling this setting doesn't affect existing bucket policies.", "IgnorePublicAcls": "Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. 
Setting this element to `TRUE` causes Amazon S3 to ignore all public ACLs on this bucket and objects in this bucket.\n\nEnabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set.", "RestrictPublicBuckets": "Specifies whether Amazon S3 should restrict public bucket policies for this bucket. Setting this element to `TRUE` restricts access to this bucket to only AWS service principals and authorized users within this account if the bucket has a public policy.\n\nEnabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked." 
@@ -37355,10 +37355,10 @@ "attributes": { "Ref": "When you pass the logical ID of an `AWS::SecretsManager::RotationSchedule` resource to the intrinsic `Ref` function, the function returns the ARN of the secret being configured, such as:\n\n*arn:aws:secretsmanager: us-west-2* : *123456789012* :secret: *my-path/my-secret-name* - *1a2b3c*\n\nYou can use the ARN to reference a secret you create in one part of the stack template from within the definition of another resource later, in the same template. You typically do this when you define the [AWS::SecretsManager::SecretTargetAttachment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html) resource type.\n\nFor more information about using the `Ref` function, see [Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html) ." }, - "description": "Configures rotation for a secret. You must already configure the secret with the details of the database or service. If you define both the secret and the database or service in an AWS CloudFormation template, then define the [AWS::SecretsManager::SecretTargetAttachment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html) resource to populate the secret with the connection details of the database or service before you attempt to configure rotation.\n\n> When you configure rotation for a secret, AWS CloudFormation automatically rotates the secret one time.", + "description": "Configures rotation for a secret. You must already configure the secret with the details of the database or service. 
If you define both the secret and the database or service in an AWS CloudFormation template, then define the [AWS::SecretsManager::SecretTargetAttachment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html) resource to populate the secret with the connection details of the database or service before you attempt to configure rotation.", "properties": { "HostedRotationLambda": "To use these values, you must specify `Transform: AWS::SecretsManager-2020-07-23` at the beginning of the CloudFormation template.\n\nWhen you enter valid values for `RotationSchedule.HostedRotationLambda` , Secrets Manager launches a Lambda that performs rotation on the secret specified in the `secret-id` property. The template creates a Lambda as part of a nested stack within the current stack.", - "RotateImmediatelyOnUpdate": "", + "RotateImmediatelyOnUpdate": "Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window. The rotation schedule is defined in `RotationRules` .\n\nIf you don't immediately rotate the secret, Secrets Manager tests the rotation configuration by running the [`testSecret` step](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html) of the Lambda rotation function. The test creates an `AWSPENDING` version of the secret and then removes it.\n\nIf you don't specify this value, then by default, Secrets Manager rotates the secret immediately.", "RotationLambdaARN": "The ARN of the Lambda function that can rotate the secret. 
If you don't specify this parameter, then the secret must already have the ARN of a Lambda function configured.\n\nTo reference a Lambda function also created in this template, use the [Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html) function with the function's logical ID.", "RotationRules": "A structure that defines the rotation configuration for this secret.", "SecretId": "The ARN or name of the secret to rotate.\n\nTo reference a secret also created in this template, use the [Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html) function with the secret's logical ID." 
@@ -37384,8 +37384,8 @@ "description": "A structure that defines the rotation configuration for the secret.", "properties": { "AutomaticallyAfterDays": "The number of days between automatic scheduled rotations of the secret. You can use this value to check that your secret meets your compliance guidelines for how often secrets must be rotated.\n\nIn `DescribeSecret` and `ListSecrets` , this value is calculated from the rotation schedule after every successful rotation. In `RotateSecret` , you can set the rotation schedule in `RotationRules` with `AutomaticallyAfterDays` or `ScheduleExpression` , but not both.", - "Duration": "", - "ScheduleExpression": "" + "Duration": "The length of the rotation window in hours, for example `3h` for a three hour window. Secrets Manager rotates your secret at any time during this window. The window must not go into the next UTC day. If you don't specify this value, the window automatically ends at the end of the UTC day. The window begins according to the `ScheduleExpression` . For more information, including examples, see [Schedule expressions in Secrets Manager rotation](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_schedule.html) .", + "ScheduleExpression": "A `cron()` or `rate()` expression that defines the schedule for rotating your secret. Secrets Manager rotation schedules use UTC time zone.\n\nSecrets Manager `rate()` expressions represent the interval in days that you want to rotate your secret, for example `rate(10 days)` . If you use a `rate()` expression, the rotation window opens at midnight, and Secrets Manager rotates your secret any time that day after midnight. You can set a `Duration` to shorten the rotation window.\n\nYou can use a `cron()` expression to create rotation schedules that are more detailed than a rotation interval. 
For more information, including examples, see [Schedule expressions in Secrets Manager rotation](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_schedule.html) . If you use a `cron()` expression, Secrets Manager rotates your secret any time during that day after the window opens. For example, `cron(0 8 1 * ? *)` represents a rotation window that occurs on the first day of every month beginning at 8:00 AM UTC. Secrets Manager rotates the secret any time that day after 8:00 AM. You can set a `Duration` to shorten the rotation window." } }, "AWS::SecretsManager::Secret": { @@ -37788,7 +37788,7 @@ "AWS::ServiceDiscovery::PrivateDnsNamespace": { "attributes": { "Arn": "The Amazon Resource Name (ARN) of the private namespace.", - "HostedZoneId": "", + "HostedZoneId": "The ID for the Route 53 hosted zone that AWS Cloud Map creates when you create a namespace.", "Id": "The ID of the private namespace.", "Ref": "`Ref` returns the value of `Id` for the namespace, such as `ns-e4anhexample0004` ." }, @@ -37825,7 +37825,7 @@ "AWS::ServiceDiscovery::PublicDnsNamespace": { "attributes": { "Arn": "The Amazon Resource Name (ARN) of the public namespace.", - "HostedZoneId": "", + "HostedZoneId": "The ID for the Route 53 hosted zone that AWS Cloud Map creates when you create a namespace.", "Id": "The ID of the public namespace.", "Ref": "`Ref` returns the value of `Id` for the namespace, such as `ns-e4anhexample0004` ." }, From 96b2034c44b441a96cfe19855d343b0f983c8772 Mon Sep 17 00:00:00 2001 
From: Adam Ruka Date: Fri, 25 Feb 2022 11:37:03 -0800 Subject: [PATCH 06/74] fix(rds): MySQL Cluster version 8.0 uses wrong Parameter for S3 import (#19145) There was recently a new major version of the Aurora MySQL released (8.0). Apparently, it requires a different Parameter for S3 imports (`aws_default_s3_role`) than `aurora_load_from_s3_role`, which the pre-8.0 versions use. Fixes #19126 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../@aws-cdk/aws-rds/lib/cluster-engine.ts | 6 ++++- .../@aws-cdk/aws-rds/test/cluster.test.ts | 22 ++++++++++++++++++- 2 files changed, 26 insertions(+), 2 deletions(-) diff --git a/packages/@aws-cdk/aws-rds/lib/cluster-engine.ts b/packages/@aws-cdk/aws-rds/lib/cluster-engine.ts index 6d7b0d361b4a5..65e7ed6496e97 100644 --- a/packages/@aws-cdk/aws-rds/lib/cluster-engine.ts +++ b/packages/@aws-cdk/aws-rds/lib/cluster-engine.ts @@ -177,7 +177,11 @@ abstract class MySqlClusterEngineBase extends ClusterEngineBase { }) : config.parameterGroup); if (options.s3ImportRole) { - parameterGroup?.addParameter('aurora_load_from_s3_role', options.s3ImportRole.roleArn); + // major version 8.0 uses a different name for the S3 import parameter + const s3ImportParam = this.engineVersion?.majorVersion === '8.0' + ? 'aws_default_s3_role' + : 'aurora_load_from_s3_role'; + parameterGroup?.addParameter(s3ImportParam, options.s3ImportRole.roleArn); } if (options.s3ExportRole) { parameterGroup?.addParameter('aurora_select_into_s3_role', options.s3ExportRole.roleArn); diff --git a/packages/@aws-cdk/aws-rds/test/cluster.test.ts b/packages/@aws-cdk/aws-rds/test/cluster.test.ts index 4ee20a30daffd..bf597d08540e2 100644 --- a/packages/@aws-cdk/aws-rds/test/cluster.test.ts +++ b/packages/@aws-cdk/aws-rds/test/cluster.test.ts 
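Review bot: The new condition `this.engineVersion?.majorVersion === '8.0'` silently selects the legacy `aurora_load_from_s3_role` whenever `this.engineVersion` is undefined (an engine created without an explicit version), and the one-line comment does not say that this fallback is intended. I would expand it to `// Aurora MySQL 3.x (MySQL 8.0-compatible, family aurora-mysql8.0) reads the S3 import role from 'aws_default_s3_role'; earlier major versions use 'aurora_load_from_s3_role'. Without an explicit engineVersion the major version is unknown, so the legacy name is kept.` The check also pins exactly the string `'8.0'`, so if a later major version keeps the new parameter name the code would fall back to the legacy one; if that is confirmed, a comparison that treats 8.0 as a lower bound rather than an exact match would be safer. The enclosing method of `MySqlClusterEngineBase` starts and ends outside the hunk.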
@@ -1,6 +1,7 @@ import { Match, Template } from '@aws-cdk/assertions'; import * as ec2 from '@aws-cdk/aws-ec2'; import { ManagedPolicy, Role, ServicePrincipal } from '@aws-cdk/aws-iam'; +import * as iam from '@aws-cdk/aws-iam'; import * as kms from '@aws-cdk/aws-kms'; import * as logs from '@aws-cdk/aws-logs'; import * as s3 from '@aws-cdk/aws-s3'; @@ -953,7 +954,6 @@ describe('cluster', () => { }); }); - test('addRotationSingleUser() with VPC interface endpoint', () => { // GIVEN const stack = new cdk.Stack(); @@ -1707,6 +1707,26 @@ describe('cluster', () => { Template.fromStack(stack).resourceCountIs('AWS::RDS::DBClusterParameterGroup', 0); }); + test('MySQL cluster in version 8.0 uses aws_default_s3_role as a Parameter for S3 import, instead of aurora_load_from_s3_role', () => { + // GIVEN + const stack = testStack(); + const vpc = new ec2.Vpc(stack, 'VPC'); + + // WHEN + new DatabaseCluster(stack, 'Database', { + instanceProps: { vpc }, + engine: DatabaseClusterEngine.auroraMysql({ version: AuroraMysqlEngineVersion.VER_3_01_0 }), + s3ImportRole: iam.Role.fromRoleArn(stack, 'S3ImportRole', 'arn:aws:iam::123456789012:role/my-role'), + }); + + Template.fromStack(stack).hasResourceProperties('AWS::RDS::DBClusterParameterGroup', { + Family: 'aurora-mysql8.0', + Parameters: { + aws_default_s3_role: 'arn:aws:iam::123456789012:role/my-role', + }, + }); + }); + test('throws when s3ExportRole and s3ExportBuckets properties are both specified', () => { // GIVEN const stack = testStack(); From 2ea9da118794809265d215e3d2f554bbcb91b271 Mon Sep 17 00:00:00 2001 
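Review bot: `@aws-cdk/aws-iam` is now imported twice in this file: the added `import * as iam from '@aws-cdk/aws-iam';` sits directly under the existing `import { ManagedPolicy, Role, ServicePrincipal } from '@aws-cdk/aws-iam';`. The new test in the `@@ -1707,6 +1707,26 @@` hunk is the only user of the namespace import, and it could call `Role.fromRoleArn(stack, 'S3ImportRole', 'arn:aws:iam::123456789012:role/my-role')` with the name already in scope, letting the new import line be dropped. That test pins only the 8.0 path (`Family: 'aurora-mysql8.0'`, `aws_default_s3_role`); if no existing case in this file asserts that a pre-8.0 version still emits `aurora_load_from_s3_role`, a companion test would guard the other branch of the change.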
From: Calvin Combs <66279577+comcalvi@users.noreply.github.com> Date: Fri, 25 Feb 2022 14:59:07 -0800 Subject: [PATCH 07/74] feat(cli): hotswap support for resources in nested stacks (#18950) Resources in nested stacks can now be hotswapped. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/aws-cdk/README.md | 3 +- .../lib/api/cloudformation-deployments.ts | 108 +- .../api/evaluate-cloudformation-template.ts | 28 +- .../aws-cdk/lib/api/hotswap-deployments.ts | 60 +- .../lib/api/logs/find-cloudwatch-logs.ts | 2 +- .../aws-cdk/lib/api/nested-stack-helpers.ts | 141 +++ .../api/hotswap/hotswap-deployments.test.ts | 41 +- .../test/api/hotswap/hotswap-test-setup.ts | 58 +- .../api/hotswap/nested-stacks-hotswap.test.ts | 974 ++++++++++++++++++ .../state-machine-hotswap-deployments.test.ts | 2 +- ...with-asset-parameters.nested.template.json | 52 + ...ambda-one-stack-stack.nested.template.json | 26 + ...with-asset-parameters.nested.template.json | 29 + .../one-lambda-stack.nested.template.json | 17 + ...-lambda-version-stack.nested.template.json | 20 + ...utput-one-param-stack.nested.template.json | 0 ...ource-one-stack-stack.nested.template.json | 0 .../one-resource-stack.nested.template.json | 0 ...urce-two-stacks-stack.nested.template.json | 0 ...-unnamed-lambda-stack.nested.template.json | 16 + ...mbda-two-stacks-stack.nested.template.json | 34 + packages/aws-cdk/test/util.ts | 2 +- 22 files changed, 1484 insertions(+), 129 deletions(-) create mode 100644 packages/aws-cdk/lib/api/nested-stack-helpers.ts create mode 100644 packages/aws-cdk/test/api/hotswap/nested-stacks-hotswap.test.ts create mode 100644 packages/aws-cdk/test/nested-stack-templates/one-lambda-one-stack-stack-with-asset-parameters.nested.template.json create mode 100644 packages/aws-cdk/test/nested-stack-templates/one-lambda-one-stack-stack.nested.template.json create mode 100644 
packages/aws-cdk/test/nested-stack-templates/one-lambda-stack-with-asset-parameters.nested.template.json create mode 100644 packages/aws-cdk/test/nested-stack-templates/one-lambda-stack.nested.template.json create mode 100644 packages/aws-cdk/test/nested-stack-templates/one-lambda-version-stack.nested.template.json rename packages/aws-cdk/test/{diff-nested-stacks-templates => nested-stack-templates}/one-output-one-param-stack.nested.template.json (100%) rename packages/aws-cdk/test/{diff-nested-stacks-templates => nested-stack-templates}/one-resource-one-stack-stack.nested.template.json (100%) rename packages/aws-cdk/test/{diff-nested-stacks-templates => nested-stack-templates}/one-resource-stack.nested.template.json (100%) rename packages/aws-cdk/test/{diff-nested-stacks-templates => nested-stack-templates}/one-resource-two-stacks-stack.nested.template.json (100%) create mode 100644 packages/aws-cdk/test/nested-stack-templates/one-unnamed-lambda-stack.nested.template.json create mode 100644 packages/aws-cdk/test/nested-stack-templates/one-unnamed-lambda-two-stacks-stack.nested.template.json diff --git a/packages/aws-cdk/README.md b/packages/aws-cdk/README.md index 372be74d765b3..54adb46a964bd 100644 --- a/packages/aws-cdk/README.md +++ b/packages/aws-cdk/README.md @@ -348,7 +348,8 @@ $ cdk deploy --hotswap [StackNames] This will attempt to perform a faster, short-circuit deployment if possible (for example, if you only changed the code of a Lambda function in your CDK app, but nothing else in your CDK code), -skipping CloudFormation, and updating the affected resources directly. +skipping CloudFormation, and updating the affected resources directly; +this includes changes to resources in nested stacks. If the tool detects that the change does not support hotswapping, it will fall back and perform a full CloudFormation deployment, exactly like `cdk deploy` does without the `--hotswap` flag. 
diff --git a/packages/aws-cdk/lib/api/cloudformation-deployments.ts b/packages/aws-cdk/lib/api/cloudformation-deployments.ts index 5b2c120ce8d3d..60b883f13fb40 100644 --- a/packages/aws-cdk/lib/api/cloudformation-deployments.ts +++ b/packages/aws-cdk/lib/api/cloudformation-deployments.ts @@ -1,7 +1,5 @@ -import * as path from 'path'; import * as cxapi from '@aws-cdk/cx-api'; import { AssetManifest } from 'cdk-assets'; -import * as fs from 'fs-extra'; import { Tag } from '../cdk-toolkit'; import { debug, warning } from '../logging'; import { publishAssets } from '../util/asset-publishing'; @@ -9,7 +7,7 @@ import { Mode } from './aws-auth/credentials'; import { ISDK } from './aws-auth/sdk'; import { SdkProvider } from './aws-auth/sdk-provider'; import { deployStack, DeployStackResult, destroyStack } from './deploy-stack'; -import { LazyListStackResources, ListStackResources } from './evaluate-cloudformation-template'; +import { loadCurrentTemplateWithNestedStacks, loadCurrentTemplate } from './nested-stack-helpers'; import { ToolkitInfo } from './toolkit-info'; import { CloudFormationStack, Template } from './util/cloudformation'; import { StackActivityProgress } from './util/cloudformation/stack-activity-monitor'; @@ -283,21 +281,13 @@ export class CloudFormationDeployments { public async readCurrentTemplateWithNestedStacks(rootStackArtifact: cxapi.CloudFormationStackArtifact): Promise