Merge branch 'master' into huijbers/fix-user-context

CHANGELOG.md

@@ -2,6 +2,26 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [1.86.0](https://github.com/aws/aws-cdk/compare/v1.85.0...v1.86.0) (2021-01-21)
+
+
+### Features
+
+* **cfnspec:** cloudformation spec v24.0.0 ([#12615](https://github.com/aws/aws-cdk/issues/12615)) ([98ebe96](https://github.com/aws/aws-cdk/commit/98ebe964fcd1f528fc4796bf39dc574b222b0014)), closes [#12474](https://github.com/aws/aws-cdk/issues/12474)
+* **cognito:** allow to set read and write attributes in Cognito UserPoolClient ([#7607](https://github.com/aws/aws-cdk/issues/7607)) ([552e1e9](https://github.com/aws/aws-cdk/commit/552e1e9d649528875680a8a1cb2aad8f0a0ebcea)), closes [#7407](https://github.com/aws/aws-cdk/issues/7407)
+* **ec2:** Support for new EBS types ([#12074](https://github.com/aws/aws-cdk/issues/12074)) ([6a2ce55](https://github.com/aws/aws-cdk/commit/6a2ce55e7213bb8356f2f37dbd02f1a3d52883be)), closes [#12071](https://github.com/aws/aws-cdk/issues/12071)
+* **elasticsearch:** UltraWarm nodes ([#12265](https://github.com/aws/aws-cdk/issues/12265)) ([3a9056d](https://github.com/aws/aws-cdk/commit/3a9056d87b0c739247013fc74678ab54fd3eb382)), closes [#6462](https://github.com/aws/aws-cdk/issues/6462)
+* **s3:** Bucket keys  ([#12376](https://github.com/aws/aws-cdk/issues/12376)) ([d126fcc](https://github.com/aws/aws-cdk/commit/d126fcca685346c0607babfbbf4d341f669a9e81)), closes [#11828](https://github.com/aws/aws-cdk/issues/11828)
+
+
+### Bug Fixes
+
+* **apigateway:** cannot remove first api key from usage plan ([#12505](https://github.com/aws/aws-cdk/issues/12505)) ([96cbe32](https://github.com/aws/aws-cdk/commit/96cbe32d2399d82a2ad6c3bf6dc1fd65396882d4)), closes [#11876](https://github.com/aws/aws-cdk/issues/11876)
+* **aws-ecs:** Invalid user data defined for windows autoscaling groups ([#12585](https://github.com/aws/aws-cdk/issues/12585)) ([638b995](https://github.com/aws/aws-cdk/commit/638b995cb72b0819a1965a7ccf451b6ed9034a1b)), closes [#12583](https://github.com/aws/aws-cdk/issues/12583)
+* **ec2:** Vpc.fromVpcAttributes cannot be used with EKS ([#12569](https://github.com/aws/aws-cdk/issues/12569)) ([1cdc244](https://github.com/aws/aws-cdk/commit/1cdc244e940396c962147d4e3ada4a0722923321)), closes [#12040](https://github.com/aws/aws-cdk/issues/12040) [#12160](https://github.com/aws/aws-cdk/issues/12160)
+* **iam:** Groups are erroneously accepted as the Principal of a policy ([#11479](https://github.com/aws/aws-cdk/issues/11479)) ([#12549](https://github.com/aws/aws-cdk/issues/12549)) ([c9b0859](https://github.com/aws/aws-cdk/commit/c9b085996319e8d4d7d2db19184fb2f2148889a3))
+* **synthetics:** default execution role breaks in non aws partitions ([#12096](https://github.com/aws/aws-cdk/issues/12096)) ([c01272c](https://github.com/aws/aws-cdk/commit/c01272c14be9b7ff635281952f3cfeed971a352e)), closes [#12094](https://github.com/aws/aws-cdk/issues/12094)
+
 ## [1.85.0](https://github.com/aws/aws-cdk/compare/v1.84.0...v1.85.0) (2021-01-14)
 
 * **s3-deployment**: This version includes an important update, please upgrade to prevent deployment failure. This is in prepartion of Lambda deprecation of the request module in boto, more details are available in [AWS blog](https://aws.amazon.com/blogs/compute/upcoming-changes-to-the-python-sdk-in-aws-lambda/). Note, users of versions < `1.81.0` will not be impacted by this deprecation, but are still encouraged to upgrade to the latest version.

packages/@aws-cdk/app-delivery/package.json

@@ -1,6 +1,7 @@
 {
   "name": "@aws-cdk/app-delivery",
   "description": "Continuous Integration / Continuous Delivery for CDK Applications",
+  "deprecated": "Use the @aws-cdk/pipelines module instead",
   "version": "0.0.0",
   "main": "lib/index.js",
   "types": "lib/index.d.ts",

packages/@aws-cdk/aws-cloudfront-origins/package.json

@@ -71,7 +71,7 @@
   "devDependencies": {
     "@aws-cdk/assert": "0.0.0",
     "@aws-cdk/aws-ec2": "0.0.0",
-    "aws-sdk": "^2.828.0",
+    "aws-sdk": "^2.830.0",
     "cdk-build-tools": "0.0.0",
     "cdk-integ-tools": "0.0.0",
     "pkglint": "0.0.0"

packages/@aws-cdk/aws-cloudfront/package.json

@@ -72,7 +72,7 @@
   "license": "Apache-2.0",
   "devDependencies": {
     "@aws-cdk/assert": "0.0.0",
-    "aws-sdk": "^2.828.0",
+    "aws-sdk": "^2.830.0",
     "cdk-build-tools": "0.0.0",
     "cdk-integ-tools": "0.0.0",
     "cfn2ts": "0.0.0",

packages/@aws-cdk/aws-cloudtrail/package.json

@@ -72,7 +72,7 @@
   "license": "Apache-2.0",
   "devDependencies": {
     "@aws-cdk/assert": "0.0.0",
-    "aws-sdk": "^2.828.0",
+    "aws-sdk": "^2.830.0",
     "cdk-build-tools": "0.0.0",
     "cdk-integ-tools": "0.0.0",
     "cfn2ts": "0.0.0",

packages/@aws-cdk/aws-codebuild/package.json

@@ -78,7 +78,7 @@
     "@aws-cdk/aws-sns": "0.0.0",
     "@aws-cdk/aws-sqs": "0.0.0",
     "@types/nodeunit": "^0.0.31",
-    "aws-sdk": "^2.828.0",
+    "aws-sdk": "^2.830.0",
     "cdk-build-tools": "0.0.0",
     "cdk-integ-tools": "0.0.0",
     "cfn2ts": "0.0.0",

packages/@aws-cdk/aws-codecommit/package.json

@@ -78,7 +78,7 @@
     "@aws-cdk/assert": "0.0.0",
     "@aws-cdk/aws-sns": "0.0.0",
     "@types/nodeunit": "^0.0.31",
-    "aws-sdk": "^2.828.0",
+    "aws-sdk": "^2.830.0",
     "cdk-build-tools": "0.0.0",
     "cdk-integ-tools": "0.0.0",
     "cfn2ts": "0.0.0",

packages/@aws-cdk/aws-codepipeline-actions/README.md

@@ -57,6 +57,26 @@ const sourceAction = new codepipeline_actions.CodeCommitSourceAction({
 });
 ```
 
+If you want to clone the entire CodeCommit repository (only available for CodeBuild actions),
+you can set the `codeBuildCloneOutput` property to `true`:
+
+```ts
+const sourceOutput = new codepipeline.Artifact();
+const sourceAction = new codepipeline_actions.CodeCommitSourceAction({
+  actionName: 'CodeCommit',
+  repository: repo,
+  output: sourceOutput,
+  codeBuildCloneOutput: true,
+});
+
+const buildAction = new codepipeline_actions.CodeBuildAction({
+  actionName: 'CodeBuild',
+  project,
+  input: sourceOutput, // The build action must use the CodeCommitSourceAction output as input.
+  outputs: [new codepipeline.Artifact()], // optional
+});
+```
+
 The CodeCommit source action emits variables:
 
 ```ts

packages/@aws-cdk/aws-codepipeline-actions/lib/codebuild/build-action.ts

@@ -4,6 +4,7 @@ import * as iam from '@aws-cdk/aws-iam';
 import * as cdk from '@aws-cdk/core';
 import { BitBucketSourceAction } from '..';
 import { Action } from '../action';
+import { CodeCommitSourceAction } from '../codecommit/source-action';
 
 // keep this import separate from other imports to reduce chance for merge conflicts with v2-main
 // eslint-disable-next-line no-duplicate-imports, import/order
@@ -176,17 +177,28 @@ export class CodeBuildAction extends Action {
       });
     }
 
-    // if any of the inputs come from the BitBucketSourceAction
-    // with codeBuildCloneOutput=true,
-    // grant the Project's Role to use the connection
     for (const inputArtifact of this.actionProperties.inputs || []) {
+      // if any of the inputs come from the BitBucketSourceAction
+      // with codeBuildCloneOutput=true,
+      // grant the Project's Role to use the connection
       const connectionArn = inputArtifact.getMetadata(BitBucketSourceAction._CONNECTION_ARN_PROPERTY);
       if (connectionArn) {
         this.props.project.addToRolePolicy(new iam.PolicyStatement({
           actions: ['codestar-connections:UseConnection'],
           resources: [connectionArn],
         }));
       }
+
+      // if any of the inputs come from the CodeCommitSourceAction
+      // with codeBuildCloneOutput=true,
+      // grant the Project's Role git pull access to the repository
+      const codecommitRepositoryArn = inputArtifact.getMetadata(CodeCommitSourceAction._FULL_CLONE_ARN_PROPERTY);
+      if (codecommitRepositoryArn) {
+        this.props.project.addToRolePolicy(new iam.PolicyStatement({
+          actions: ['codecommit:GitPull'],
+          resources: [codecommitRepositoryArn],
+        }));
+      }
     }
 
     const configuration: any = {

packages/@aws-cdk/aws-codepipeline-actions/lib/codecommit/source-action.ts

@@ -85,12 +85,33 @@ export interface CodeCommitSourceActionProps extends codepipeline.CommonAwsActio
    * @default a new role will be created.
    */
   readonly eventRole?: iam.IRole;
+
+  /**
+   * Whether the output should be the contents of the repository
+   * (which is the default),
+   * or a link that allows CodeBuild to clone the repository before building.
+   *
+   * **Note**: if this option is true,
+   * then only CodeBuild actions can use the resulting {@link output}.
+   *
+   * @default false
+   * @see https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-CodeCommit.html
+   */
+  readonly codeBuildCloneOutput?: boolean;
 }
 
 /**
  * CodePipeline Source that is provided by an AWS CodeCommit repository.
  */
 export class CodeCommitSourceAction extends Action {
+  /**
+   * The name of the property that holds the ARN of the CodeCommit Repository
+   * inside of the CodePipeline Artifact's metadata.
+   *
+   * @internal
+   */
+  public static readonly _FULL_CLONE_ARN_PROPERTY = 'CodeCommitCloneRepositoryArn';
+
   private readonly branch: string;
   private readonly props: CodeCommitSourceActionProps;
 
@@ -100,6 +121,10 @@ export class CodeCommitSourceAction extends Action {
       throw new Error("'branch' parameter cannot be an empty string");
     }
 
+    if (props.codeBuildCloneOutput === true) {
+      props.output.setMetadata(CodeCommitSourceAction._FULL_CLONE_ARN_PROPERTY, props.repository.repositoryArn);
+    }
+
     super({
       ...props,
       resource: props.repository,
@@ -144,14 +169,15 @@ export class CodeCommitSourceAction extends Action {
     options.bucket.grantReadWrite(options.role);
 
     // https://docs.aws.amazon.com/codecommit/latest/userguide/auth-and-access-control-permissions-reference.html#aa-acp
-    options.role.addToPolicy(new iam.PolicyStatement({
+    options.role.addToPrincipalPolicy(new iam.PolicyStatement({
       resources: [this.props.repository.repositoryArn],
       actions: [
         'codecommit:GetBranch',
         'codecommit:GetCommit',
         'codecommit:UploadArchive',
         'codecommit:GetUploadArchiveStatus',
         'codecommit:CancelUploadArchive',
+        ...(this.props.codeBuildCloneOutput === true ? ['codecommit:GetRepository'] : []),
       ],
     }));
 
@@ -160,6 +186,9 @@ export class CodeCommitSourceAction extends Action {
         RepositoryName: this.props.repository.repositoryName,
         BranchName: this.branch,
         PollForSourceChanges: this.props.trigger === CodeCommitTrigger.POLL,
+        OutputArtifactFormat: this.props.codeBuildCloneOutput === true
+          ? 'CODEBUILD_CLONE_REF'
+          : undefined,
       },
     };
   }

packages/@aws-cdk/aws-codepipeline-actions/test/codecommit/test.codecommit-source-action.ts

@@ -1,4 +1,4 @@
-import { countResources, expect, haveResourceLike, not } from '@aws-cdk/assert';
+import { arrayWith, countResources, expect, haveResourceLike, not, objectLike } from '@aws-cdk/assert';
 import * as codebuild from '@aws-cdk/aws-codebuild';
 import * as codecommit from '@aws-cdk/aws-codecommit';
 import * as codepipeline from '@aws-cdk/aws-codepipeline';
@@ -269,6 +269,111 @@ export = {
       test.done();
     },
 
+    'allows to enable full clone'(test: Test) {
+      const stack = new Stack();
+
+      const sourceOutput = new codepipeline.Artifact();
+      new codepipeline.Pipeline(stack, 'P', {
+        stages: [
+          {
+            stageName: 'Source',
+            actions: [
+              new cpactions.CodeCommitSourceAction({
+                actionName: 'CodeCommit',
+                repository: new codecommit.Repository(stack, 'R', {
+                  repositoryName: 'repository',
+                }),
+                branch: Lazy.string({ produce: () => 'my-branch' }),
+                output: sourceOutput,
+                codeBuildCloneOutput: true,
+              }),
+            ],
+          },
+          {
+            stageName: 'Build',
+            actions: [
+              new cpactions.CodeBuildAction({
+                actionName: 'Build',
+                project: new codebuild.PipelineProject(stack, 'CodeBuild'),
+                input: sourceOutput,
+              }),
+            ],
+          },
+        ],
+      });
+
+      expect(stack).to(haveResourceLike('AWS::CodePipeline::Pipeline', {
+        'Stages': [
+          {
+            'Name': 'Source',
+            'Actions': [{
+              'Configuration': {
+                'OutputArtifactFormat': 'CODEBUILD_CLONE_REF',
+              },
+            }],
+          },
+          {
+            'Name': 'Build',
+            'Actions': [
+              {
+                'Name': 'Build',
+              },
+            ],
+          },
+        ],
+      }));
+
+      expect(stack).to(haveResourceLike('AWS::IAM::Policy', {
+        'PolicyDocument': {
+          'Statement': arrayWith(
+            objectLike({
+              'Action': [
+                'logs:CreateLogGroup',
+                'logs:CreateLogStream',
+                'logs:PutLogEvents',
+              ],
+            }),
+            objectLike({
+              'Action': 'codecommit:GitPull',
+              'Effect': 'Allow',
+              'Resource': {
+                'Fn::GetAtt': [
+                  'RC21A1702',
+                  'Arn',
+                ],
+              },
+            }),
+          ),
+        },
+      }));
+
+      expect(stack).to(haveResourceLike('AWS::IAM::Policy', {
+        'PolicyDocument': {
+          'Statement': arrayWith(
+            objectLike({
+              'Action': [
+                'codecommit:GetBranch',
+                'codecommit:GetCommit',
+                'codecommit:UploadArchive',
+                'codecommit:GetUploadArchiveStatus',
+                'codecommit:CancelUploadArchive',
+                'codecommit:GetRepository',
+              ],
+              'Effect': 'Allow',
+              'Resource': {
+                'Fn::GetAtt': [
+                  'RC21A1702',
+                  'Arn',
+                ],
+              },
+            }),
+          ),
+        },
+      }));
+
+      test.done();
+    },
+
     'uses the role when passed'(test: Test) {
       const stack = new Stack();
 

packages/@aws-cdk/aws-dynamodb/package.json

@@ -73,7 +73,7 @@
   "devDependencies": {
     "@aws-cdk/assert": "0.0.0",
     "@types/jest": "^26.0.15",
-    "aws-sdk": "^2.828.0",
+    "aws-sdk": "^2.830.0",
     "aws-sdk-mock": "^5.1.0",
     "cdk-build-tools": "0.0.0",
     "cdk-integ-tools": "0.0.0",

packages/@aws-cdk/aws-ecs/lib/ec2/ec2-service.ts

@@ -250,7 +250,7 @@ export class Ec2Service extends BaseService implements IEc2Service {
   }
 
   /**
-   * Adds one or more placement strategies to use for tasks in the service. For more information, see
+   * Adds one or more placement contstraints to use for tasks in the service. For more information, see
    * [Amazon ECS Task Placement Constraints](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-placement-constraints.html).
    */
   public addPlacementConstraints(...constraints: PlacementConstraint[]) {