Merge branch 'master' into robertd/apigatewayv2-allow-methods

package.json

@@ -21,7 +21,7 @@
     "jsii-diff": "^1.25.0",
     "jsii-pacmak": "^1.25.0",
     "jsii-rosetta": "^1.25.0",
-    "lerna": "^3.22.1",
+    "lerna": "^4.0.0",
     "standard-version": "^9.1.1",
     "typescript": "~3.9.9"
   },

packages/@aws-cdk/aws-codedeploy/lib/server/deployment-group.ts

@@ -269,7 +269,9 @@ export class ServerDeploymentGroup extends ServerDeploymentGroupBase {
       physicalName: props.deploymentGroupName,
     });
 
-    this.application = props.application || new ServerApplication(this, 'Application');
+    this.application = props.application || new ServerApplication(this, 'Application', {
+      applicationName: props.deploymentGroupName === cdk.PhysicalName.GENERATE_IF_NEEDED ? cdk.PhysicalName.GENERATE_IF_NEEDED : undefined,
+    });
 
     this.role = props.role || new iam.Role(this, 'Role', {
       assumedBy: new iam.ServicePrincipal('codedeploy.amazonaws.com'),

packages/@aws-cdk/aws-codedeploy/test/server/test.deployment-group.ts

@@ -1,4 +1,4 @@
-import { expect, haveResource, SynthUtils } from '@aws-cdk/assert';
+import { expect, haveOutput, haveResource, SynthUtils } from '@aws-cdk/assert';
 import * as autoscaling from '@aws-cdk/aws-autoscaling';
 import * as cloudwatch from '@aws-cdk/aws-cloudwatch';
 import * as ec2 from '@aws-cdk/aws-ec2';
@@ -28,6 +28,25 @@ export = {
       test.done();
     },
 
+    'creating an application with physical name if needed'(test: Test) {
+      const stack = new cdk.Stack(undefined, undefined, { env: { account: '12345', region: 'us-test-1' } });
+      const stack2 = new cdk.Stack(undefined, undefined, { env: { account: '12346', region: 'us-test-2' } });
+      const serverDeploymentGroup = new codedeploy.ServerDeploymentGroup(stack, 'MyDG', {
+        deploymentGroupName: cdk.PhysicalName.GENERATE_IF_NEEDED,
+      });
+
+      new cdk.CfnOutput(stack2, 'Output', {
+        value: serverDeploymentGroup.application.applicationName,
+      });
+
+      expect(stack2).to(haveOutput({
+        outputName: 'Output',
+        outputValue: 'defaultmydgapplication78dba0bb0c7580b32033',
+      }));
+
+      test.done();
+    },
+
     'can be imported'(test: Test) {
       const stack = new cdk.Stack();
 

packages/@aws-cdk/aws-ec2/README.md

@@ -678,6 +678,71 @@ Note: The domain name must be owned (registered through Route53) by the account
 The VpcEndpointServiceDomainName will handle the AWS side of domain verification, the process for which can be found
 [here](https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-services-dns-validation.html)
 
+### Client VPN endpoint
+
+AWS Client VPN is a managed client-based VPN service that enables you to securely access your AWS
+resources and resources in your on-premises network. With Client VPN, you can access your resources
+from any location using an OpenVPN-based VPN client.
+
+Use the `addClientVpnEndpoint()` method to add a client VPN endpoint to a VPC:
+
+```ts fixture=client-vpn
+vpc.addClientVpnEndpoint('Endpoint', {
+  cidr: '10.100.0.0/16',
+  serverCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/server-certificate-id',
+  // Mutual authentication
+  clientCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/client-certificate-id',
+  // User-based authentication
+  userBasedAuthentication: ec2.ClientVpnUserBasedAuthentication.federated(samlProvider),
+});
+```
+
+The endpoint must use at least one [authentication method](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html):
+
+* Mutual authentication with a client certificate
+* User-based authentication (directory or federated)
+
+If user-based authentication is used, the [self-service portal URL](https://docs.aws.amazon.com/vpn/latest/clientvpn-user/self-service-portal.html)
+is made available via a CloudFormation output.
+
+By default, a new security group is created and logging is enabled. Moreover, a rule to
+authorize all users to the VPC CIDR is created.
+
+To customize authorization rules, set the `authorizeAllUsersToVpcCidr` prop to `false`
+and use `addaddAuthorizationRule()`:
+
+```ts fixture=client-vpn
+const endpoint = vpc.addClientVpnEndpoint('Endpoint', {
+  cidr: '10.100.0.0/16',
+  serverCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/server-certificate-id',
+  userBasedAuthentication: ec2.ClientVpnUserBasedAuthentication.federated(samlProvider),
+  authorizeAllUsersToVpcCidr: false,
+});
+
+endpoint.addAuthorizationRule('Rule', {
+  cidr: '10.0.10.0/32',
+  groupId: 'group-id',
+});
+```
+
+Use `addRoute()` to configure network routes:
+
+```ts fixture=client-vpn
+const endpoint = vpc.addClientVpnEndpoint('Endpoint', {
+  cidr: '10.100.0.0/16',
+  serverCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/server-certificate-id',
+  userBasedAuthentication: ec2.ClientVpnUserBasedAuthentication.federated(samlProvider),
+});
+
+// Client-to-client access
+endpoint.addRoute('Route', {
+  cidr: '10.100.0.0/16',
+  target: ec2.ClientVpnRouteTarget.local(),
+});
+```
+
+Use the `connections` object of the endpoint to allow traffic to other security groups.
+
 ## Instances
 
 You can use the `Instance` class to start up a single EC2 instance. For production setups, we recommend

packages/@aws-cdk/aws-ec2/lib/client-vpn-authorization-rule.ts

@@ -0,0 +1,57 @@
+import { Resource } from '@aws-cdk/core';
+import { Construct } from 'constructs';
+import { IClientVpnEndpoint } from './client-vpn-endpoint-types';
+import { CfnClientVpnAuthorizationRule } from './ec2.generated';
+
+/**
+ * Options for a ClientVpnAuthorizationRule
+ */
+export interface ClientVpnAuthorizationRuleOptions {
+  /**
+   * The IPv4 address range, in CIDR notation, of the network for which access
+   * is being authorized.
+   */
+  readonly cidr: string;
+
+  /**
+   * The ID of the group to grant access to, for example, the Active Directory
+   * group or identity provider (IdP) group.
+   *
+   * @default - authorize all groups
+   */
+  readonly groupId?: string;
+
+  /**
+   * A brief description of the authorization rule.
+   *
+   * @default - no description
+   */
+  readonly description?: string;
+}
+
+/**
+ * Properties for a ClientVpnAuthorizationRule
+ */
+export interface ClientVpnAuthorizationRuleProps extends ClientVpnAuthorizationRuleOptions {
+  /**
+   * The client VPN endpoint to which to add the rule.
+   */
+  readonly clientVpnEndoint: IClientVpnEndpoint;
+}
+
+/**
+ * A client VPN authorization rule
+ */
+export class ClientVpnAuthorizationRule extends Resource {
+  constructor(scope: Construct, id: string, props: ClientVpnAuthorizationRuleProps) {
+    super(scope, id);
+
+    new CfnClientVpnAuthorizationRule(this, 'Resource', {
+      clientVpnEndpointId: props.clientVpnEndoint.endpointId,
+      targetNetworkCidr: props.cidr,
+      accessGroupId: props.groupId,
+      authorizeAllGroups: !props.groupId,
+      description: props.description,
+    });
+  }
+}

packages/@aws-cdk/aws-ec2/lib/client-vpn-endpoint-types.ts

@@ -0,0 +1,52 @@
+import { IDependable, IResource } from '@aws-cdk/core';
+import { IConnectable } from './connections';
+
+/**
+ * A client VPN endpoint
+ */
+export interface IClientVpnEndpoint extends IResource, IConnectable {
+  /**
+   * The endpoint ID
+   */
+  readonly endpointId: string;
+
+  /**
+   * Dependable that can be depended upon to force target networks associations
+   */
+  readonly targetNetworksAssociated: IDependable;
+}
+
+/**
+ * A connection handler for client VPN endpoints
+ */
+export interface IClientVpnConnectionHandler {
+  /**
+   * The name of the function
+   */
+  readonly functionName: string;
+
+  /**
+   * The ARN of the function.
+   */
+  readonly functionArn: string;
+}
+
+/**
+ * Transport protocol for client VPN
+ */
+export enum TransportProtocol {
+  /** Transmission Control Protocol (TCP) */
+  TCP = 'tcp',
+  /** User Datagram Protocol (UDP) */
+  UDP = 'udp',
+}
+
+/**
+ * Port for client VPN
+ */
+export enum VpnPort {
+  /** HTTPS */
+  HTTPS = 443,
+  /** OpenVPN */
+  OPENVPN = 1194,
+}