Merge branch 'master' into fix/s3-pipeline-action-bucket-key-token

CHANGELOG.md

@@ -2,6 +2,40 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [1.58.0](https://github.com/aws/aws-cdk/compare/v1.57.0...v1.58.0) (2020-08-12)
+
+
+### Features
+
+* **cloudwatch:** alarm status widget ([#9456](https://github.com/aws/aws-cdk/issues/9456)) ([41940d3](https://github.com/aws/aws-cdk/commit/41940d3cfad289cbaed8ff60a21c6c9fa9aad532))
+* **cognito:** better control sms role creation ([#9513](https://github.com/aws/aws-cdk/issues/9513)) ([a772fe8](https://github.com/aws/aws-cdk/commit/a772fe84784e62843ef724a9158fc8cda848c5c9)), closes [#6943](https://github.com/aws/aws-cdk/issues/6943)
+* **core:** deprecate "Construct.node" in favor of "Construct.construct" ([#9557](https://github.com/aws/aws-cdk/issues/9557)) ([aa4c5b7](https://github.com/aws/aws-cdk/commit/aa4c5b7df3a4880638361026ec0f6a77b7476b40)), closes [/github.com/aws/aws-cdk-rfcs/blob/master/text/0192-remove-constructs-compat.md#10](https://github.com/aws//github.com/aws/aws-cdk-rfcs/blob/master/text/0192-remove-constructs-compat.md/issues/10)
+* **core:** local bundling provider ([#9564](https://github.com/aws/aws-cdk/issues/9564)) ([3da0aa9](https://github.com/aws/aws-cdk/commit/3da0aa99d16e908a39f43f463ac2889dd232c611))
+* **core:** new annotations api ([#9563](https://github.com/aws/aws-cdk/issues/9563)) ([ae9ed62](https://github.com/aws/aws-cdk/commit/ae9ed6208dc81a7a38f4b9626c7c30f1811f97a9)), closes [/github.com/aws/aws-cdk-rfcs/blob/master/text/0192-remove-constructs-compat.md#09](https://github.com/aws/aws-cdk-rfcs/blob/master/text/0192-remove-constructs-compat.md#09-logging-logging-api-changes)
+* **core:** new APIs for Aspects and Tags ([#9558](https://github.com/aws/aws-cdk/issues/9558)) ([a311428](https://github.com/aws/aws-cdk/commit/a311428d6013a1486585979a010f4105b0e0f97a)), closes [/github.com/aws/aws-cdk-rfcs/blob/master/text/0192-remove-constructs-compat.md#02](https://github.com/aws/aws-cdk-rfcs/blob/master/text/0192-remove-constructs-compat.md#02-aspects-changes-in-aspects-api)
+* **ecs:** Option to encrypt lifecycle hook SNS Topic ([#9343](https://github.com/aws/aws-cdk/issues/9343)) ([38aad67](https://github.com/aws/aws-cdk/commit/38aad67c5d2db21cfb3660c1574f7fedde9860dc))
+* **events:** use existing Role when running ECS Task ([#8145](https://github.com/aws/aws-cdk/issues/8145)) ([aad951a](https://github.com/aws/aws-cdk/commit/aad951ae5355391463d9af2a49cd890f8d78f2d0)), closes [#7859](https://github.com/aws/aws-cdk/issues/7859)
+* **global-accelerator:** referencing Global Accelerator security group ([#9358](https://github.com/aws/aws-cdk/issues/9358)) ([1fe9684](https://github.com/aws/aws-cdk/commit/1fe9684ea6b2dcaac1d97b64edfd4ef87cc65c0f))
+* **iam:** validate policies for missing resources/principals ([#9269](https://github.com/aws/aws-cdk/issues/9269)) ([60d01b1](https://github.com/aws/aws-cdk/commit/60d01b132b0e76224f7aae6b6caad5d13e7a816b)), closes [#7615](https://github.com/aws/aws-cdk/issues/7615)
+* **lambda:** autoscaling for lambda aliases ([#8883](https://github.com/aws/aws-cdk/issues/8883)) ([d9d9b90](https://github.com/aws/aws-cdk/commit/d9d9b908ca149b189f0e1bde7df0d75afd5b26ff))
+* **readme:** include partitions.io cdk board in "getting help" ([#9541](https://github.com/aws/aws-cdk/issues/9541)) ([f098014](https://github.com/aws/aws-cdk/commit/f098014e0e9e49b2cc6a30922b8b0545e9c45e5e))
+* "stack relative exports" flag ([#9604](https://github.com/aws/aws-cdk/issues/9604)) ([398f872](https://github.com/aws/aws-cdk/commit/398f8720fac6ae7eb663a36c87c1f8f11aa89045))
+* **secretsmanager:** Specify secret value at creation ([#9594](https://github.com/aws/aws-cdk/issues/9594)) ([07fedff](https://github.com/aws/aws-cdk/commit/07fedffadf3900d754b5df5a24cc84622299ede4)), closes [#5810](https://github.com/aws/aws-cdk/issues/5810)
+
+
+### Bug Fixes
+
+* **cfn-include:** allowedValues aren't included when specified by a parameter ([#9532](https://github.com/aws/aws-cdk/issues/9532)) ([e7dc82f](https://github.com/aws/aws-cdk/commit/e7dc82f04d83a7c85131e11e258f3ab031e61eda))
+* **codedeploy:** ServerDeploymentGroup takes AutoScalingGroup instead of IAutoScalingGroup ([#9252](https://github.com/aws/aws-cdk/issues/9252)) ([9ff55ae](https://github.com/aws/aws-cdk/commit/9ff55aeeed49d89bf13b2baf9025a1f4e038aa43)), closes [#9175](https://github.com/aws/aws-cdk/issues/9175)
+* **docdb:** `autoMinorVersionUpgrade` property was not set to `true` by default as stated in the docstring ([#9505](https://github.com/aws/aws-cdk/issues/9505)) ([e878f9c](https://github.com/aws/aws-cdk/commit/e878f9c5fd503615a4d65a3f866e80cff001a309))
+* **ec2:** Volume grants have an overly complicated API ([#9115](https://github.com/aws/aws-cdk/issues/9115)) ([74e8391](https://github.com/aws/aws-cdk/commit/74e839189b2e9b028e6b9944884bf8fe73de2429)), closes [#9114](https://github.com/aws/aws-cdk/issues/9114)
+* **efs:** LifecyclePolicy of AFTER_7_DAYS is not applied ([#9475](https://github.com/aws/aws-cdk/issues/9475)) ([f78c346](https://github.com/aws/aws-cdk/commit/f78c3469522006d38078db6effc4556d44da9747)), closes [#9474](https://github.com/aws/aws-cdk/issues/9474)
+* **eks:** clusters in a FAILED state are not detected ([#9553](https://github.com/aws/aws-cdk/issues/9553)) ([d651948](https://github.com/aws/aws-cdk/commit/d651948b4b4ef43fedbaba69905e860fd595513d))
+* **eks:** private endpoint access doesn't work with `Vpc.fromLookup` ([#9544](https://github.com/aws/aws-cdk/issues/9544)) ([dd0f4cb](https://github.com/aws/aws-cdk/commit/dd0f4cb55bd9d7a95ccc9691ba33dab658d60e97)), closes [#9542](https://github.com/aws/aws-cdk/issues/9542) [#5383](https://github.com/aws/aws-cdk/issues/5383)
+* **lambda:** cannot create lambda in public subnets ([#9468](https://github.com/aws/aws-cdk/issues/9468)) ([b46fdc9](https://github.com/aws/aws-cdk/commit/b46fdc92d3c3cee269bfa7785fa78679aa781880))
+* **pipelines:** CodeBuild images have (too) old Node version ([#9446](https://github.com/aws/aws-cdk/issues/9446)) ([bd45f34](https://github.com/aws/aws-cdk/commit/bd45f3419e24d6a9d9989a0efeacf2233866100b)), closes [#9070](https://github.com/aws/aws-cdk/issues/9070)
+* **pipelines:** manual approval of changeset uses wrong ordering ([#9508](https://github.com/aws/aws-cdk/issues/9508)) ([5c01da8](https://github.com/aws/aws-cdk/commit/5c01da8d82f77e0241890101258aace2dac1902d)), closes [#9101](https://github.com/aws/aws-cdk/issues/9101) [#9101](https://github.com/aws/aws-cdk/issues/9101)
+
 ## [1.57.0](https://github.com/aws/aws-cdk/compare/v1.56.0...v1.57.0) (2020-08-07)
 
 

DESIGN_GUIDELINES.md

@@ -9,9 +9,10 @@ the AWS Construct Library in order to ensure a consistent and integrated
 experience across the entire AWS surface area.
 
 As much as possible, the guidelines in this document are enforced using the
-**awslint** tool which reflects on the APIs and verifies that the APIs adhere to
-the guidelines. When a guideline is backed by a linter rule, the rule name will
-be referenced like this: _[awslint:resource-class-is-construct]_.
+[**awslint** tool](https://www.npmjs.com/package/awslint) which reflects on the
+APIs and verifies that the APIs adhere to the guidelines. When a guideline is
+backed by a linter rule, the rule name will be referenced like this:
+_[awslint:resource-class-is-construct]_.
 
 For the purpose of this document we will use "Foo" to denote the official name
 of the resource as defined in the AWS CloudFormation resource specification
@@ -147,9 +148,9 @@ behavior through interfaces and not through inheritance.
 Construct classes should extend only one of the following classes
 [_awslint:construct-inheritence_]:
 
-* The **Resource** class (if it represents an AWS resource) The **Construct**
-* class (if it represents an abstract component) The **XxxBase** class (which,
-* in turn extends **Resource**)
+* The **Resource** class (if it represents an AWS resource)
+* The **Construct** class (if it represents an abstract component)
+* The **XxxBase** class (which, in turn extends **Resource**)
 
 All constructs must define a static type check method called **isFoo** with the
 following implementation [_awslint:static-type-check_]:

allowed-breaking-changes.txt

@@ -22,3 +22,9 @@ removed:@aws-cdk/cdk-assets-schema.FileAssetPackaging
 
 changed-type:@aws-cdk/aws-codedeploy.IServerDeploymentGroup.autoScalingGroups
 changed-type:@aws-cdk/aws-codedeploy.ServerDeploymentGroup.autoScalingGroups
+
+# We were leaking L1 types in L2 APIs, which now have changed required -> optional
+# when ECS moved to the CloudFormation Registry spec.
+change-return-type:@aws-cdk/aws-ecs.ContainerDefinition.renderContainerDefinition
+change-return-type:@aws-cdk/aws-ecs.FirelensLogRouter.renderContainerDefinition
+change-return-type:@aws-cdk/aws-ecs.LinuxParameters.renderLinuxParameters

git-secrets-scan.sh

@@ -21,10 +21,10 @@ mkdir -p .tools
 git rev-parse --git-dir > /dev/null 2>&1 || {
     git init --quiet
     git add -A .
-
-    # AWS config needs to be added to this fresh repository's config
-    .tools/git-secrets/git-secrets --register-aws
 }
 
+# AWS config needs to be added to this repository's config
+.tools/git-secrets/git-secrets --register-aws
+
 .tools/git-secrets/git-secrets --scan
 echo "git-secrets scan ok"

lerna.json

@@ -10,5 +10,5 @@
     "tools/*"
   ],
   "rejectCycles": "true",
-  "version": "1.57.0"
+  "version": "1.58.0"
 }

packages/@aws-cdk/aws-cloudfront-origins/test/integ.origin-group.expected.json

@@ -72,9 +72,19 @@
             "ForwardedValues": {
               "QueryString": false
             },
-            "TargetOriginId": "cloudfrontorigingroupDistributionOrigin137659A54",
+            "TargetOriginId": "cloudfrontorigingroupDistributionOriginGroup10B57F1D1",
             "ViewerProtocolPolicy": "allow-all"
           },
+          "CacheBehaviors": [
+            {
+              "ForwardedValues": {
+                "QueryString": false
+              },
+              "PathPattern": "/api",
+              "TargetOriginId": "cloudfrontorigingroupDistributionOriginGroup10B57F1D1",
+              "ViewerProtocolPolicy": "allow-all"
+            }
+          ],
           "Enabled": true,
           "HttpVersion": "http2",
           "IPV6Enabled": true,

packages/@aws-cdk/aws-cloudfront-origins/test/integ.origin-group.ts

@@ -17,6 +17,11 @@ const originGroup = new origins.OriginGroup({
 
 new cloudfront.Distribution(stack, 'Distribution', {
   defaultBehavior: { origin: originGroup },
+  additionalBehaviors: {
+    '/api': {
+      origin: originGroup,
+    },
+  },
 });
 
 app.synth();

packages/@aws-cdk/aws-cloudfront-origins/test/origin-group.test.ts

@@ -28,8 +28,12 @@ describe('Origin Groups', () => {
 
     const primaryOriginId = 'DistributionOrigin13547B94F';
     const failoverOriginId = 'DistributionOrigin2C85CC43B';
+    const originGroupId = 'DistributionOriginGroup1A1A31B49';
     expect(stack).toHaveResourceLike('AWS::CloudFront::Distribution', {
       DistributionConfig: {
+        DefaultCacheBehavior: {
+          TargetOriginId: originGroupId,
+        },
         Origins: [
           {
             Id: primaryOriginId,

packages/@aws-cdk/aws-cloudfront/lib/distribution.ts

@@ -57,6 +57,7 @@ export interface DistributionAttributes {
 
 interface BoundOrigin extends OriginBindOptions, OriginBindConfig {
   readonly origin: IOrigin;
+  readonly originGroupId?: string;
 }
 
 /**
@@ -291,38 +292,43 @@ export class Distribution extends Resource implements IDistribution {
   private addOrigin(origin: IOrigin, isFailoverOrigin: boolean = false): string {
     const existingOrigin = this.boundOrigins.find(boundOrigin => boundOrigin.origin === origin);
     if (existingOrigin) {
-      return existingOrigin.originId;
+      return existingOrigin.originGroupId ?? existingOrigin.originId;
     } else {
       const originIndex = this.boundOrigins.length + 1;
       const scope = new Construct(this, `Origin${originIndex}`);
       const originId = scope.node.uniqueId;
       const originBindConfig = origin.bind(scope, { originId });
-      this.boundOrigins.push({ origin, originId, ...originBindConfig });
-      if (originBindConfig.failoverConfig) {
+      if (!originBindConfig.failoverConfig) {
+        this.boundOrigins.push({origin, originId, ...originBindConfig});
+      } else {
         if (isFailoverOrigin) {
           throw new Error('An Origin cannot use an Origin with its own failover configuration as its fallback origin!');
         }
+        const groupIndex = this.originGroups.length + 1;
+        const originGroupId = new Construct(this, `OriginGroup${groupIndex}`).node.uniqueId;
+        this.boundOrigins.push({origin, originId, originGroupId, ...originBindConfig});
+
         const failoverOriginId = this.addOrigin(originBindConfig.failoverConfig.failoverOrigin, true);
-        this.addOriginGroup(originBindConfig.failoverConfig.statusCodes, originId, failoverOriginId);
+        this.addOriginGroup(originGroupId, originBindConfig.failoverConfig.statusCodes, originId, failoverOriginId);
+        return originGroupId;
       }
       return originId;
     }
   }
 
-  private addOriginGroup(statusCodes: number[] | undefined, originId: string, failoverOriginId: string): void {
+  private addOriginGroup(originGroupId: string, statusCodes: number[] | undefined, originId: string, failoverOriginId: string): void {
     statusCodes = statusCodes ?? [500, 502, 503, 504];
     if (statusCodes.length === 0) {
       throw new Error('fallbackStatusCodes cannot be empty');
     }
-    const groupIndex = this.originGroups.length + 1;
     this.originGroups.push({
       failoverCriteria: {
         statusCodes: {
           items: statusCodes,
           quantity: statusCodes.length,
         },
       },
-      id: new Construct(this, `OriginGroup${groupIndex}`).node.uniqueId,
+      id: originGroupId,
       members: {
         items: [
           { originId },

packages/@aws-cdk/aws-codebuild/lib/linux-gpu-build-image.ts

@@ -95,7 +95,7 @@ export class LinuxGpuBuildImage implements IBindableBuildImage {
   private readonly accountExpression: string;
 
   private constructor(private readonly repositoryName: string, tag: string, private readonly account: string | undefined) {
-    this.accountExpression = account ?? core.Fn.findInMap(mappingName, core.Aws.REGION, 'account');
+    this.accountExpression = account ?? core.Fn.findInMap(mappingName, core.Aws.REGION, 'repositoryAccount');
     this.imageId = `${this.accountExpression}.dkr.ecr.${core.Aws.REGION}.${core.Aws.URL_SUFFIX}/${repositoryName}:${tag}`;
   }
 
@@ -109,7 +109,7 @@ export class LinuxGpuBuildImage implements IBindableBuildImage {
         // get the accounts from the region-info module
         const region2Accounts = RegionInfo.regionMap(FactName.DLC_REPOSITORY_ACCOUNT);
         for (const [region, account] of Object.entries(region2Accounts)) {
-          mapping[region] = { account };
+          mapping[region] = { repositoryAccount: account };
         }
         new core.CfnMapping(scopeStack, mappingName, { mapping });
       }

packages/@aws-cdk/aws-codebuild/test/integ.aws-deep-learning-container-build-image.expected.json

@@ -138,7 +138,7 @@
                         {
                           "Ref": "AWS::Region"
                         },
-                        "account"
+                        "repositoryAccount"
                       ]
                     },
                     ":repository/mxnet-training"
@@ -180,7 +180,7 @@
                     {
                       "Ref": "AWS::Region"
                     },
-                    "account"
+                    "repositoryAccount"
                   ]
                 },
                 ".dkr.ecr.",
@@ -214,65 +214,65 @@
   },
   "Mappings": {
     "AwsDeepLearningContainersRepositoriesAccounts": {
-      "us-east-1": {
-        "account": "763104351884"
+      "ap-east-1": {
+        "repositoryAccount": "871362719292"
       },
-      "us-east-2": {
-        "account": "763104351884"
+      "ap-northeast-1": {
+        "repositoryAccount": "763104351884"
       },
-      "us-west-1": {
-        "account": "763104351884"
+      "ap-northeast-2": {
+        "repositoryAccount": "763104351884"
       },
-      "us-west-2": {
-        "account": "763104351884"
+      "ap-south-1": {
+        "repositoryAccount": "763104351884"
       },
-      "ca-central-1": {
-        "account": "763104351884"
+      "ap-southeast-1": {
+        "repositoryAccount": "763104351884"
       },
-      "eu-west-1": {
-        "account": "763104351884"
+      "ap-southeast-2": {
+        "repositoryAccount": "763104351884"
       },
-      "eu-west-2": {
-        "account": "763104351884"
+      "ca-central-1": {
+        "repositoryAccount": "763104351884"
       },
-      "eu-west-3": {
-        "account": "763104351884"
+      "cn-north-1": {
+        "repositoryAccount": "727897471807"
+      },
+      "cn-northwest-1": {
+        "repositoryAccount": "727897471807"
       },
       "eu-central-1": {
-        "account": "763104351884"
+        "repositoryAccount": "763104351884"
       },
       "eu-north-1": {
-        "account": "763104351884"
-      },
-      "sa-east-1": {
-        "account": "763104351884"
+        "repositoryAccount": "763104351884"
       },
-      "ap-south-1": {
-        "account": "763104351884"
+      "eu-west-1": {
+        "repositoryAccount": "763104351884"
       },
-      "ap-northeast-1": {
-        "account": "763104351884"
+      "eu-west-2": {
+        "repositoryAccount": "763104351884"
       },
-      "ap-northeast-2": {
-        "account": "763104351884"
+      "eu-west-3": {
+        "repositoryAccount": "763104351884"
       },
-      "ap-southeast-1": {
-        "account": "763104351884"
+      "me-south-1": {
+        "repositoryAccount": "217643126080"
       },
-      "ap-southeast-2": {
-        "account": "763104351884"
+      "sa-east-1": {
+        "repositoryAccount": "763104351884"
       },
-      "ap-east-1": {
-        "account": "871362719292"
+      "us-east-1": {
+        "repositoryAccount": "763104351884"
       },
-      "me-south-1": {
-        "account": "217643126080"
+      "us-east-2": {
+        "repositoryAccount": "763104351884"
       },
-      "cn-north-1": {
-        "account": "727897471807"
+      "us-west-1": {
+        "repositoryAccount": "763104351884"
       },
-      "cn-northwest-1": {
-        "account": "727897471807"
+      "us-west-2": {
+        "repositoryAccount": "763104351884"
       }
     }
   }