Merge branch 'master' into pr/removal-policy

.github/workflows/yarn-upgrade.yml

@@ -18,7 +18,7 @@ jobs:
         uses: actions/checkout@v2
 
       - name: Set up Node
-        uses: actions/setup-node@v2.2.0
+        uses: actions/setup-node@v2.3.0
         with:
           node-version: 10
 

CHANGELOG.md

@@ -2,6 +2,31 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [1.116.0](https://github.com/aws/aws-cdk/compare/v1.115.0...v1.116.0) (2021-07-28)
+
+
+### Features
+
+* **assertions:** retrieve matching resources from the template ([#15642](https://github.com/aws/aws-cdk/issues/15642)) ([a8b1c47](https://github.com/aws/aws-cdk/commit/a8b1c471b7058bbf739a1d4f5b4860656ebd5432))
+* **aws-kinesisfirehose:** DeliveryStream API and basic S3 destination ([#15544](https://github.com/aws/aws-cdk/issues/15544)) ([1b5d525](https://github.com/aws/aws-cdk/commit/1b5d525cef8ef4209074156c56077eebaa38d57c)), closes [#10810](https://github.com/aws/aws-cdk/issues/10810) [#15499](https://github.com/aws/aws-cdk/issues/15499)
+* **cfnspec:** cloudformation spec v39.7.0 ([#15719](https://github.com/aws/aws-cdk/issues/15719)) ([2c4ef01](https://github.com/aws/aws-cdk/commit/2c4ef0131893e77d373c52b41c62d31847023446))
+* **cfnspec:** cloudformation spec v39.7.0 ([#15796](https://github.com/aws/aws-cdk/issues/15796)) ([dbe4641](https://github.com/aws/aws-cdk/commit/dbe4641666c918c7bba36010fb4656d050ef5556))
+* **codebuild:** add support for setting a BuildEnvironment Certificate ([#15738](https://github.com/aws/aws-cdk/issues/15738)) ([76fb481](https://github.com/aws/aws-cdk/commit/76fb4811bb9f5d5fc1bd340954840032cb23698b)), closes [#15701](https://github.com/aws/aws-cdk/issues/15701)
+* **core:** lazy mappings will only synthesize if keys are unresolved ([#15617](https://github.com/aws/aws-cdk/issues/15617)) ([32ed229](https://github.com/aws/aws-cdk/commit/32ed2290f8efb27bf622998f98808ff18a8cdef1))
+* **pipelines:** CDK Pipelines is now Generally Available ([#15667](https://github.com/aws/aws-cdk/issues/15667)) ([2e4cfae](https://github.com/aws/aws-cdk/commit/2e4cfaeb8612179c79e293ba52a8afcdcfd6ef52))
+* **servicecatalog:** add ability to set launch Role and deploy with StackSets ([#15678](https://github.com/aws/aws-cdk/issues/15678)) ([c92548b](https://github.com/aws/aws-cdk/commit/c92548b2242478d22db030842014e7646715c2ef))
+* **stepfunctions:** allow intrinsic functions for json path ([#15320](https://github.com/aws/aws-cdk/issues/15320)) ([d9285cb](https://github.com/aws/aws-cdk/commit/d9285cb75745028ede8c36afcee34f7a53d27993))
+
+
+### Bug Fixes
+
+* **aws-cloudwatch:** unable to use generic extended statistics for cloudwatch alarms ([#15720](https://github.com/aws/aws-cdk/issues/15720)) ([f593311](https://github.com/aws/aws-cdk/commit/f59331193b5a2cc4a33d71d775f6650d66bb1bf8))
+* **elasticsearch:** advancedOptions in domain has no effect ([#15330](https://github.com/aws/aws-cdk/issues/15330)) ([81cbfec](https://github.com/aws/aws-cdk/commit/81cbfec5ddf065aac442d925484a358ee8cd26a1)), closes [#14067](https://github.com/aws/aws-cdk/issues/14067)
+* **elasticsearch:** slow logs incorrectly disabled for Elasticsearch versions lower than 5.1 ([#15714](https://github.com/aws/aws-cdk/issues/15714)) ([91cf79b](https://github.com/aws/aws-cdk/commit/91cf79bc55ffd72b1c79e2218eb76921fbac32b4)), closes [#15532](https://github.com/aws/aws-cdk/issues/15532) [#15532](https://github.com/aws/aws-cdk/issues/15532)
+* **pipelines:** Secrets Manager permissions not added to asset projects ([#15718](https://github.com/aws/aws-cdk/issues/15718)) ([7668400](https://github.com/aws/aws-cdk/commit/7668400ec8d4e6ee042c05976f95e42147993375)), closes [#15628](https://github.com/aws/aws-cdk/issues/15628)
+* **stepfunctions:** non-object arguments to recurseObject are incorrectly treated as objects ([#14631](https://github.com/aws/aws-cdk/issues/14631)) ([e133bca](https://github.com/aws/aws-cdk/commit/e133bca61b95b71d51b509b646ff1720099ee31e)), closes [#12935](https://github.com/aws/aws-cdk/issues/12935) [aws-cdk/aws-stepfunctions/lib/input.ts#L65](https://github.com/aws-cdk/aws-stepfunctions/lib/input.ts/issues/L65)
+* **stepfunctions-tasks:** instance type cannot be provided to SageMakerCreateTransformJob as input path ([#15726](https://github.com/aws/aws-cdk/issues/15726)) ([6f2384d](https://github.com/aws/aws-cdk/commit/6f2384ddc180e944c9564a543351b8df2f75c1a7))
+
 ## [1.115.0](https://github.com/aws/aws-cdk/compare/v1.114.0...v1.115.0) (2021-07-21)
 
 

docs/DESIGN_GUIDELINES.md

@@ -610,14 +610,14 @@ A pattern for an "Enum-like Class" should be used in such cases:
 
 ```ts
 export interface MyProps {
-  option: MyOption;
+  readonly option: MyOption;
 }
 
 export class MyOption {
   public static COMMON_OPTION_1 = new MyOption('common.option-1');
   public static COMMON_OPTION_2 = new MyOption('common.option-2');
 
-  public MyOption(public readonly customValue: string) { }
+  public constructor(public readonly customValue: string) { }
 }
 ```
 
@@ -644,7 +644,7 @@ export class MyOption {
 
   // 'protected' iso. 'private' so that someone that really wants to can still
   // do subclassing. But maybe might as well be private.
-  protected MyOption(public readonly value: string) { }
+  protected constructor(public readonly value: string) { }
 }
 
 // Usage

packages/@aws-cdk/assert/package.json

@@ -53,7 +53,7 @@
   "peerDependencies": {
     "@aws-cdk/core": "0.0.0",
     "constructs": "^3.3.69",
-    "jest": "^26.6.3"
+    "jest": ">=26.6.3 <28.0.0"
   },
   "repository": {
     "url": "https://github.com/aws/aws-cdk.git",

packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts

@@ -492,10 +492,10 @@ export class GraphqlApi extends GraphqlApiBase {
   private validateAuthorizationProps(modes: AuthorizationMode[]) {
     modes.map((mode) => {
       if (mode.authorizationType === AuthorizationType.OIDC && !mode.openIdConnectConfig) {
-        throw new Error('Missing default OIDC Configuration');
+        throw new Error('Missing OIDC Configuration');
       }
       if (mode.authorizationType === AuthorizationType.USER_POOL && !mode.userPoolConfig) {
-        throw new Error('Missing default OIDC Configuration');
+        throw new Error('Missing User Pool Configuration');
       }
     });
     if (modes.filter((mode) => mode.authorizationType === AuthorizationType.API_KEY).length > 1) {

packages/@aws-cdk/aws-cloudfront/README.md

@@ -590,13 +590,15 @@ new CloudFrontWebDistribution(stack, 'ADistribution', {
         originHeaders: {
           'myHeader': '42',
         },
+        originShieldRegion: 'us-west-2'
       },
       failoverS3OriginSource: {
         s3BucketSource: s3.Bucket.fromBucketName(stack, 'aBucketFallback', 'myoriginbucketfallback'),
         originPath: '/somewhere',
         originHeaders: {
           'myHeader2': '21',
         },
+        originShieldRegion: 'us-east-1'
       },
       failoverCriteriaStatusCodes: [FailoverStatusCode.INTERNAL_SERVER_ERROR],
       behaviors: [

packages/@aws-cdk/aws-cloudfront/lib/origin.ts

@@ -83,6 +83,15 @@ export interface OriginProps {
    * @default {}
    */
   readonly customHeaders?: Record<string, string>;
+
+  /**
+   * When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance
+   *
+   * @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html
+   *
+   * @default - origin shield not enabled
+   */
+  readonly originShieldRegion?: string;
 }
 
 /**
@@ -106,6 +115,7 @@ export abstract class OriginBase implements IOrigin {
   private readonly connectionTimeout?: Duration;
   private readonly connectionAttempts?: number;
   private readonly customHeaders?: Record<string, string>;
+  private readonly originShieldRegion?: string
 
   protected constructor(domainName: string, props: OriginProps = {}) {
     validateIntInRangeOrUndefined('connectionTimeout', 1, 10, props.connectionTimeout?.toSeconds());
@@ -116,6 +126,7 @@ export abstract class OriginBase implements IOrigin {
     this.connectionTimeout = props.connectionTimeout;
     this.connectionAttempts = props.connectionAttempts;
     this.customHeaders = props.customHeaders;
+    this.originShieldRegion = props.originShieldRegion;
   }
 
   /**
@@ -139,6 +150,7 @@ export abstract class OriginBase implements IOrigin {
         originCustomHeaders: this.renderCustomHeaders(),
         s3OriginConfig,
         customOriginConfig,
+        originShield: this.renderOriginShield(this.originShieldRegion),
       },
     };
   }
@@ -172,6 +184,15 @@ export abstract class OriginBase implements IOrigin {
     if (path.endsWith('/')) { path = path.substr(0, path.length - 1); }
     return path;
   }
+
+  /**
+   * Takes origin shield region and converts to CfnDistribution.OriginShieldProperty
+   */
+  private renderOriginShield(originShieldRegion?: string): CfnDistribution.OriginShieldProperty | undefined {
+    return originShieldRegion
+      ? { enabled: true, originShieldRegion }
+      : undefined;
+  }
 }
 
 /**

packages/@aws-cdk/aws-cloudfront/lib/web-distribution.ts

@@ -123,6 +123,7 @@ interface SourceConfigurationRender {
   readonly customOriginSource?: CustomOriginConfig;
   readonly originPath?: string;
   readonly originHeaders?: { [key: string]: string };
+  readonly originShieldRegion?: string
 }
 
 /**
@@ -202,6 +203,15 @@ export interface SourceConfiguration {
    * @deprecated Use originHeaders on s3OriginSource or customOriginSource
    */
   readonly originHeaders?: { [key: string]: string };
+
+  /**
+   * When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance
+   *
+   * @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html
+   *
+   * @default - origin shield not enabled
+   */
+  readonly originShieldRegion?: string;
 }
 
 /**
@@ -268,6 +278,13 @@ export interface CustomOriginConfig {
    * @default - No additional headers are passed.
    */
   readonly originHeaders?: { [key: string]: string };
+
+  /**
+   * When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance
+   *
+   * @default - origin shield not enabled
+   */
+  readonly originShieldRegion?: string;
 }
 
 export enum OriginSslPolicy {
@@ -306,6 +323,13 @@ export interface S3OriginConfig {
    * @default - No additional headers are passed.
    */
   readonly originHeaders?: { [key: string]: string };
+
+  /**
+   * When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance
+   *
+   * @default - origin shield not enabled
+   */
+  readonly originShieldRegion?: string;
 }
 
 /**
@@ -557,6 +581,13 @@ export interface CloudFrontWebDistributionProps {
    */
   readonly comment?: string;
 
+  /**
+   * Enable or disable the distribution.
+   *
+   * @default true
+   */
+  readonly enabled?: boolean;
+
   /**
    * The default object to serve.
    *
@@ -785,7 +816,7 @@ export class CloudFrontWebDistribution extends cdk.Resource implements IDistribu
 
     let distributionConfig: CfnDistribution.DistributionConfigProperty = {
       comment: trimmedComment,
-      enabled: true,
+      enabled: props.enabled ?? true,
       defaultRootObject: props.defaultRootObject ?? 'index.html',
       httpVersion: props.httpVersion || HttpVersion.HTTP2,
       priceClass: props.priceClass || PriceClass.PRICE_CLASS_100,
@@ -814,6 +845,7 @@ export class CloudFrontWebDistribution extends cdk.Resource implements IDistribu
             customOriginSource: originConfig.failoverCustomOriginSource,
             originPath: originConfig.originPath,
             originHeaders: originConfig.originHeaders,
+            originShieldRegion: originConfig.originShieldRegion,
           },
           originSecondaryId,
         );
@@ -1032,6 +1064,14 @@ export class CloudFrontWebDistribution extends cdk.Resource implements IDistribu
       throw new Error('Only one originPath field allowed across origin and failover origins');
     }
 
+    if ([
+      originConfig.originShieldRegion,
+      originConfig.s3OriginSource?.originShieldRegion,
+      originConfig.customOriginSource?.originShieldRegion,
+    ].filter(x => x).length > 1) {
+      throw new Error('Only one originShieldRegion field allowed across origin and failover origins');
+    }
+
     const headers = originConfig.originHeaders ?? originConfig.s3OriginSource?.originHeaders ?? originConfig.customOriginSource?.originHeaders;
 
     const originHeaders: CfnDistribution.OriginCustomHeaderProperty[] = [];
@@ -1087,6 +1127,7 @@ export class CloudFrontWebDistribution extends cdk.Resource implements IDistribu
       originCustomHeaders:
         originHeaders.length > 0 ? originHeaders : undefined,
       s3OriginConfig,
+      originShield: this.toOriginShieldProperty(originConfig),
       customOriginConfig: originConfig.customOriginSource
         ? {
           httpPort: originConfig.customOriginSource.httpPort || 80,
@@ -1112,4 +1153,16 @@ export class CloudFrontWebDistribution extends cdk.Resource implements IDistribu
 
     return originProperty;
   }
+
+  /**
+   * Takes origin shield region from props and converts to CfnDistribution.OriginShieldProperty
+   */
+  private toOriginShieldProperty(originConfig:SourceConfigurationRender): CfnDistribution.OriginShieldProperty | undefined {
+    const originShieldRegion = originConfig.originShieldRegion ??
+    originConfig.customOriginSource?.originShieldRegion ??
+    originConfig.s3OriginSource?.originShieldRegion;
+    return originShieldRegion
+      ? { enabled: true, originShieldRegion }
+      : undefined;
+  }
 }

packages/@aws-cdk/aws-cloudfront/test/integ.distribution-extensive.expected.json

@@ -36,7 +36,11 @@
                 "OriginProtocolPolicy": "https-only"
               },
               "DomainName": "www.example.com",
-              "Id": "integdistributionextensiveMyDistOrigin185F089B3"
+              "Id": "integdistributionextensiveMyDistOrigin185F089B3",
+              "OriginShield": {
+                "Enabled": true,
+                "OriginShieldRegion": "us-west-2"
+              }
             }
           ],
           "PriceClass": "PriceClass_100",

packages/@aws-cdk/aws-cloudfront/test/integ.distribution-extensive.ts

@@ -6,7 +6,11 @@ const app = new cdk.App();
 const stack = new cdk.Stack(app, 'integ-distribution-extensive');
 
 new cloudfront.Distribution(stack, 'MyDist', {
-  defaultBehavior: { origin: new TestOrigin('www.example.com') },
+  defaultBehavior: {
+    origin: new TestOrigin('www.example.com', {
+      originShieldRegion: 'us-west-2',
+    }),
+  },
   comment: 'a test',
   defaultRootObject: 'index.html',
   enabled: true,

packages/@aws-cdk/aws-cloudfront/test/origin.test.ts

@@ -44,3 +44,17 @@ test.each(['api', '/api', '/api/', 'api/'])
 
   expect(originBindConfig.originProperty?.originPath).toEqual('/api');
 });
+
+
+test.each(['us-east-1', 'ap-southeast-2', 'eu-west-3', 'me-south-1'])
+('ensures that originShieldRegion is a valid aws region', (originShieldRegion) => {
+  const origin = new TestOrigin('www.example.com', {
+    originShieldRegion,
+  });
+  const originBindConfig = origin.bind(stack, { originId: '0' });
+
+  expect(originBindConfig.originProperty?.originShield).toEqual({
+    enabled: true,
+    originShieldRegion,
+  });
+});