Merge branch 'main' into enum-update/static-mapping-update

Author: mergify[bot]

.github/workflows/README.md

@@ -92,6 +92,12 @@ Owner: CDK support team
 patch file for downloading.
 Owner: Core CDK team
 
+### Yarn Upgrader for deps needing manual work
+
+[yarn-upgrade-need-manual-work.yml](yarn-upgrade-need-manual-work.yml): Upgrades specific dependencies that require manual intervention and creates a PR for review.
+For example, some dependency upgrades require manual updates to the integ test snapshots.
+Owner: Core CDK team
+
 ### AWS Service Spec Update
 
 [spec-update.yml](spec-update.yml): Updates AWS Service Spec and related packages to their latest versions

.github/workflows/yarn-upgrade-need-manual-work.yml

@@ -0,0 +1,120 @@
+name: Yarn Upgrade Dependencies Requiring Intervention
+# This workflow upgrade npm dependencies that will require manual work. For example, `@aws-cdk/asset-awscli-v1` upgrade always require manually updating snapshots.
+# When adding deps in this workflow, we must also exclude them in the Yarn Upgrade workflow. This is so that the PR from that workflow can be kept clean (i.e. does not need manual update).
+# See this line on how to exclude deps: https://github.com/aws/aws-cdk/blob/ce7b30775f354c7de774f73c5f8dedd9ce7530d3/.github/workflows/yarn-upgrade.yml#L61
+# If this proves to be too cumbersome, we can refactor both workflow to reference the deps list from a single place.
+
+on:
+  schedule:
+    # Every wednesday at 13:37 UTC
+    - cron: 37 13 * * 3
+  workflow_dispatch: {}
+
+# For multiple dependencies, do `DEPS_TO_UPGRADE:"p1 p2 p3"`
+env:
+  DEPS_TO_UPGRADE: "@aws-cdk/asset-awscli-v1"
+
+jobs:
+  upgrade:
+    name: Yarn Upgrade
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check Out
+        uses: actions/checkout@v4
+
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: "*"
+        env:
+          NODE_OPTIONS: "--max-old-space-size=8196 --experimental-worker ${NODE_OPTIONS:-}"
+
+      - name: Locate Yarn cache
+        id: yarn-cache
+        run: echo "dir=$(yarn cache dir)" >> $GITHUB_OUTPUT
+
+      - name: Restore Yarn cache
+        uses: actions/cache@v4
+        with:
+          path: ${{ steps.yarn-cache.outputs.dir }}
+          key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |-
+            ${{ runner.os }}-yarn-
+      - name: Yarn Install
+        run: yarn install --frozen-lockfile
+      - name: Install Tools
+        run: |-
+          npm -g install lerna npm-check-updates
+      - name: Run "ncu -u"
+        run: |-
+          # Convert space-separated string to comma-separated string for the filter
+          FILTER=$(echo "$DEPS_TO_UPGRADE" | tr ' ' ',')
+          lerna exec --parallel ncu -- --upgrade --filter="$FILTER" --target=minor
+
+      - name: Run "yarn upgrade"
+        run: |
+          echo "Upgrading dependencies: $DEPS_TO_UPGRADE"
+          yarn upgrade $DEPS_TO_UPGRADE --exact
+
+      # Next, create and upload the changes as a patch file. This will later be downloaded to create a pull request
+      # Creating a pull request requires write permissions and it's best to keep write privileges isolated.
+      - name: Create Patch
+        run: |-
+          git add .
+          git diff --binary --patch --staged > ${{ runner.temp }}/upgrade.patch
+
+      - name: Upload Patch
+        uses: actions/upload-artifact@v4
+        with:
+          name: upgrade.patch
+          path: ${{ runner.temp }}/upgrade.patch
+
+  pr:
+    name: Create Pull Request
+    needs: upgrade
+    permissions:
+      contents: write
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check Out
+        uses: actions/checkout@v4
+
+      - name: Download patch
+        uses: actions/download-artifact@v4
+        with:
+          name: upgrade.patch
+          path: ${{ runner.temp }}
+
+      - name: Apply patch
+        run: '[ -s ${{ runner.temp }}/upgrade.patch ] && git apply --binary ${{ runner.temp
+          }}/upgrade.patch || echo "Empty patch. Skipping."'
+
+      - name: Make Pull Request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          # Git commit details
+          branch: automation/yarn-upgrade-dependencies-requiring-intervention
+          author: aws-cdk-automation <aws-cdk-automation@users.noreply.github.com>
+          commit-message: |-
+            chore: npm-check-updates && yarn upgrade
+            Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
+          # Pull Request details
+          title: 'chore: yarn upgrade dependencies requiring intervention'
+          body: |-
+            Ran npm-check-updates and yarn upgrade for the following dependencies:
+            ```
+            ${{ env.DEPS_TO_UPGRADE }}
+            ```
+            Checkout this branch and run integration tests locally to update snapshots.
+            ```
+            (cd packages/@aws-cdk-testing/framework-integ && yarn integ --update-on-failed)
+            ```
+            See https://www.npmjs.com/package/@aws-cdk/integ-runner for more integ runner options.
+          labels: contribution/core,dependencies
+          team-reviewers: aws-cdk-team
+          # Github prevents further Github actions to be run if the default Github token is used.
+          # Instead use a privileged token here, so further GH actions can be triggered on this PR.
+          token: ${{ secrets.PROJEN_GITHUB_TOKEN }}

packages/@aws-cdk/aws-ec2-alpha/lib/route.ts

@@ -1,10 +1,11 @@
 import { CfnEIP, CfnEgressOnlyInternetGateway, CfnInternetGateway, CfnNatGateway, CfnVPCPeeringConnection, CfnRoute, CfnRouteTable, CfnVPCGatewayAttachment, CfnVPNGateway, CfnVPNGatewayRoutePropagation, GatewayVpcEndpoint, IRouteTable, IVpcEndpoint, RouterType } from 'aws-cdk-lib/aws-ec2';
 import { Construct, IDependable } from 'constructs';
-import { Annotations, Duration, IResource, Resource, Tags, ValidationError } from 'aws-cdk-lib/core';
+import { Annotations, Duration, FeatureFlags, IResource, Resource, Tags, ValidationError } from 'aws-cdk-lib/core';
 import { IVpcV2, VPNGatewayV2Options } from './vpc-v2-base';
 import { NetworkUtils, allRouteTableIds, CidrBlock } from './util';
 import { ISubnetV2 } from './subnet-v2';
 import { addConstructMetadata, MethodMetadata } from 'aws-cdk-lib/core/lib/metadata-resource';
+import { cx_api } from 'aws-cdk-lib';
 
 /**
  * Indicates whether the NAT gateway supports public or private connectivity.
@@ -289,13 +290,18 @@ export class InternetGateway extends Resource implements IRouteTarget {
     this.resource = new CfnInternetGateway(this, 'IGW', {});
     this.node.defaultChild = this.resource;
 
-    this.routerTargetId = this.resource.attrInternetGatewayId;
+    this.routerTargetId = FeatureFlags.of(this).isEnabled(cx_api.USE_RESOURCEID_FOR_VPCV2_MIGRATION) ?
+      this.resource.ref : this.resource.attrInternetGatewayId;
     this.vpcId = props.vpc.vpcId;
 
     if (props.internetGatewayName) {
       Tags.of(this).add(NAME_TAG, props.internetGatewayName);
     }
 
+    if (props.vpc.vpcName) {
+      Tags.of(this).add('Name', props.vpc.vpcName);
+    }
+
     new CfnVPCGatewayAttachment(this, 'GWAttachment', {
       vpcId: this.vpcId,
       internetGatewayId: this.routerTargetId,
@@ -426,6 +432,11 @@ export class NatGateway extends Resource implements IRouteTarget {
    */
   public readonly resource: CfnNatGateway;
 
+  /**
+   * Elastic IP created for allocation
+   */
+  public readonly eip?: CfnEIP;
+
   constructor(scope: Construct, id: string, props: NatGatewayProps) {
     super(scope, id);
     // Enhanced CDK Analytics Telemetry
@@ -450,10 +461,10 @@ export class NatGateway extends Resource implements IRouteTarget {
     var aId: string | undefined;
     if (this.connectivityType === NatConnectivityType.PUBLIC) {
       if (!props.allocationId) {
-        let eip = new CfnEIP(this, 'EIP', {
+        this.eip = new CfnEIP(this, 'EIP', {
           domain: 'vpc',
         });
-        aId = eip.attrAllocationId;
+        aId = this.eip.attrAllocationId;
       } else {
         aId = props.allocationId;
       }
@@ -466,11 +477,14 @@ export class NatGateway extends Resource implements IRouteTarget {
       secondaryAllocationIds: props.secondaryAllocationIds,
       ...props,
     });
-    this.natGatewayId = this.resource.attrNatGatewayId;
+    this.natGatewayId = FeatureFlags.of(this).isEnabled(cx_api.USE_RESOURCEID_FOR_VPCV2_MIGRATION) ?
+      this.resource.ref : this.resource.attrNatGatewayId;
+
+    this.routerTargetId = FeatureFlags.of(this).isEnabled(cx_api.USE_RESOURCEID_FOR_VPCV2_MIGRATION) ?
+      this.resource.ref : this.resource.attrNatGatewayId;
 
-    this.routerTargetId = this.resource.attrNatGatewayId;
     this.node.defaultChild = this.resource;
-    this.node.addDependency(props.subnet.internetConnectivityEstablished);
+    this.resource.node.addDependency(props.subnet.internetConnectivityEstablished);
   }
 }
 
@@ -809,7 +823,8 @@ export class RouteTable extends Resource implements IRouteTable {
     }
     this.node.defaultChild = this.resource;
 
-    this.routeTableId = this.resource.attrRouteTableId;
+    this.routeTableId = FeatureFlags.of(this).isEnabled(cx_api.USE_RESOURCEID_FOR_VPCV2_MIGRATION) ?
+      this.resource.ref : this.resource.attrRouteTableId;
   }
 
   /**

packages/@aws-cdk/aws-ec2-alpha/lib/subnet-v2.ts

@@ -2,7 +2,7 @@ import { Resource, Names, Lazy, Tags, Token, ValidationError, UnscopedValidation
 import { CfnSubnet, CfnSubnetRouteTableAssociation, INetworkAcl, IRouteTable, ISubnet, NetworkAcl, SubnetNetworkAclAssociation, SubnetType } from 'aws-cdk-lib/aws-ec2';
 import { Construct, DependencyGroup, IDependable } from 'constructs';
 import { IVpcV2 } from './vpc-v2-base';
-import { CidrBlock, CidrBlockIpv6 } from './util';
+import { CidrBlock, CidrBlockIpv6, defaultSubnetName } from './util';
 import { RouteTable } from './route';
 import { addConstructMetadata, MethodMetadata } from 'aws-cdk-lib/core/lib/metadata-resource';
 
@@ -28,14 +28,14 @@ export class IpCidr implements ICidr {
 }
 
 /**
- * Name tag constant
+ * VPC Name tag constant
  */
-const NAME_TAG: string = 'Name';
+const SUBNETTYPE_TAG = 'aws-cdk:subnet-type';
 
 /**
- * VPC Name tag constant
+ * Subnet Name tag constant
  */
-const VPCNAME_TAG: string = 'VpcName';
+const SUBNETNAME_TAG = 'aws-cdk:subnet-name';
 
 /**
  * Properties to define subnet for VPC.
@@ -71,6 +71,13 @@ export interface SubnetV2Props {
    */
   readonly routeTable?: IRouteTable;
 
+  /**
+   * Name of the default RouteTable created by CDK to be used for tagging
+   *
+   * @default - default route table name created by CDK as 'DefaultCDKRouteTable'
+   */
+  readonly defaultRouteTableName ?: string;
+
   /**
    * The type of Subnet to configure.
    *
@@ -307,21 +314,20 @@ export class SubnetV2 extends Resource implements ISubnetV2 {
 
     this._networkAcl = NetworkAcl.fromNetworkAclId(this, 'Acl', subnet.attrNetworkAclAssociationId);
 
+    const includeResourceTypes = [CfnSubnet.CFN_RESOURCE_TYPE_NAME];
     if (props.subnetName) {
-      Tags.of(this).add(NAME_TAG, props.subnetName);
-    }
-
-    if (props.vpc.vpcName) {
-      Tags.of(this).add(VPCNAME_TAG, props.vpc.vpcName);
+      Tags.of(subnet).add(SUBNETNAME_TAG, props.subnetName);
     }
+    const subnetTypeName = defaultSubnetName(props.subnetType) ?? 'undefined';
+    Tags.of(subnet).add(SUBNETTYPE_TAG, subnetTypeName, { includeResourceTypes });
 
     if (props.routeTable) {
       this._routeTable = props.routeTable;
     } else {
       // Assigning a default route table
       this._routeTable = new RouteTable(this, 'RouteTable', {
         vpc: props.vpc,
-        routeTableName: 'DefaultCDKRouteTable',
+        routeTableName: props.defaultRouteTableName ?? 'DefaultCDKRouteTable',
       });
     }
 

packages/@aws-cdk/aws-ec2-alpha/lib/util.ts

@@ -1,6 +1,21 @@
 /* eslint no-bitwise: ["error", { "allow": ["~", "|", "<<", "&"] }] */
 
-import { ISubnet } from 'aws-cdk-lib/aws-ec2';
+import { ISubnet, SubnetType } from 'aws-cdk-lib/aws-ec2';
+
+/**
+ * The default names for every subnet type
+ */
+export function defaultSubnetName(type: SubnetType) {
+  switch (type) {
+    case SubnetType.PUBLIC: return 'Public';
+    case SubnetType.PRIVATE_WITH_NAT:
+    case SubnetType.PRIVATE_WITH_EGRESS:
+      return 'Private';
+    case SubnetType.PRIVATE_ISOLATED:
+      return 'Isolated';
+  }
+  return undefined;
+}
 
 /**
  * Return a subnet name from its construct ID

packages/@aws-cdk/aws-ec2-alpha/lib/vpc-v2.ts

@@ -1,10 +1,10 @@
 import { CfnVPC, CfnVPCCidrBlock, DefaultInstanceTenancy, ISubnet, SubnetType } from 'aws-cdk-lib/aws-ec2';
-import { Arn, CfnResource, Lazy, Names, Resource, Tags } from 'aws-cdk-lib/core';
+import { Arn, CfnResource, FeatureFlags, Lazy, Names, Resource, Tags } from 'aws-cdk-lib/core';
 import { Construct, DependencyGroup, IDependable } from 'constructs';
 import { IpamOptions, IIpamPool } from './ipam';
 import { IVpcV2, VpcV2Base } from './vpc-v2-base';
 import { ISubnetV2, SubnetV2, SubnetV2Attributes } from './subnet-v2';
-import { region_info } from 'aws-cdk-lib';
+import { cx_api, region_info } from 'aws-cdk-lib';
 import { addConstructMetadata } from 'aws-cdk-lib/core/lib/metadata-resource';
 
 /**
@@ -521,7 +521,8 @@ export class VpcV2 extends VpcV2Base {
       this.ipv4CidrBlock = vpcOptions.ipv4CidrBlock;
     }
     this.ipv6CidrBlocks = this.resource.attrIpv6CidrBlocks;
-    this.vpcId = this.resource.attrVpcId;
+    this.vpcId = FeatureFlags.of(this).isEnabled(cx_api.USE_RESOURCEID_FOR_VPCV2_MIGRATION) ?
+      this.resource.ref : this.resource.attrVpcId;
     this.vpcArn = Arn.format({
       service: 'ec2',
       resource: 'vpc',