Merge branch 'master' into robertd/integ-test-cleanup

aws · May 5, 2022 · dde576f · dde576f
2 parents b1aaa70 + 8795b85
commit dde576f
Show file tree

Hide file tree

Showing 23 changed files with 144 additions and 55 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,24 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [1.155.0](https://github.com/aws/aws-cdk/compare/v1.154.0...v1.155.0) (2022-05-04)
+
+
+### Features
+
+* **cfnspec:** cloudformation spec v68.0.0 ([#20065](https://github.com/aws/aws-cdk/issues/20065)) ([f199fad](https://github.com/aws/aws-cdk/commit/f199faddc0b8e565aa413e480e51d25fed5321bf))
+* **cloudwatch:** Add CustomWidget ([#19327](https://github.com/aws/aws-cdk/issues/19327)) ([489340e](https://github.com/aws/aws-cdk/commit/489340ea383c9130c315853afae0137b1fa03eb0)), closes [#17579](https://github.com/aws/aws-cdk/issues/17579)
+* **ec2:** add i4i instance type ([#20134](https://github.com/aws/aws-cdk/issues/20134)) ([64c5064](https://github.com/aws/aws-cdk/commit/64c50640e7f5897f08af3f86cd28a1dab3cd2430))
+* **iam:** add convenience method `inOrganization` to ArnPrincipal ([#20109](https://github.com/aws/aws-cdk/issues/20109)) ([c545bfe](https://github.com/aws/aws-cdk/commit/c545bfe2a3ccb53fa5ae2eb725a1696677703c0a)), closes [/github.com/aws/aws-cdk/pull/19975#discussion_r857385168](https://github.com/aws//github.com/aws/aws-cdk/pull/19975/issues/discussion_r857385168) [#19975](https://github.com/aws/aws-cdk/issues/19975)
+* **lambda:** `function.addAlias()` simplifies Alias creation ([#20034](https://github.com/aws/aws-cdk/issues/20034)) ([a79bc47](https://github.com/aws/aws-cdk/commit/a79bc47aaa6737628562c251e2f1990b2c7b88ef))
+* **rds:** add secret rotation to `DatabaseClusterFromSnapshot` ([#20020](https://github.com/aws/aws-cdk/issues/20020)) ([abc3502](https://github.com/aws/aws-cdk/commit/abc3502eef9b1b950f4e9d2c3f5f44b7e2f6476d)), closes [#12877](https://github.com/aws/aws-cdk/issues/12877)
+
+
+### Bug Fixes
+
+* **lambda:** grant invoke twice with different principals ([#20174](https://github.com/aws/aws-cdk/issues/20174)) ([bb4c950](https://github.com/aws/aws-cdk/commit/bb4c9506c7395fc3c84725fb8e6054ac23ca2bf7))
+* **ubergen:** expose exports in core module for v2 ([#20176](https://github.com/aws/aws-cdk/issues/20176)) ([fc2cd48](https://github.com/aws/aws-cdk/commit/fc2cd48a3aabaf0d5214b322794c6a49d9c700c9)), closes [#19773](https://github.com/aws/aws-cdk/issues/19773)
+
 ## [1.154.0](https://github.com/aws/aws-cdk/compare/v1.153.1...v1.154.0) (2022-04-27)
 
 

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -136,7 +136,7 @@ To package a specific module, say the `@aws-cdk/aws-ec2` module:
 
 ```console
 $ cd <root-of-cdk-repo>
-$ docker run --rm --net=host -it -v $PWD:$PWD -w $PWD jsii/superchain
+$ docker run --rm --net=host -it -v $PWD:$PWD -w $PWD jsii/superchain:1-buster-slim
 docker$ cd packages/@aws-cdk/aws-ec2
 docker$ ../../../scripts/foreach.sh --up yarn run package
 docker$ exit
@@ -352,7 +352,7 @@ $ yarn watch & # runs in the background
 * Once the pull request is submitted, a reviewer will be assigned by the maintainers.
 
 * If the PR build is failing, update the PR with fixes until the build succeeds. You may have trouble getting attention
-  from maintainers if your build is failing, and after 4 weeks of staleness, your PR will be automatically closed. 
+  from maintainers if your build is failing, and after 4 weeks of staleness, your PR will be automatically closed.
 
 * Discuss review comments and iterate until you get at least one "Approve". When iterating, push new commits to the
   same branch. Usually all these are going to be squashed when you merge to master. The commit messages should be hints
@@ -367,13 +367,13 @@ $ yarn watch & # runs in the background
 `package.json` file.**
 
 Sometimes constructs introduce new unconventional dependencies.  Any new unconventional dependency that is introduced needs to have
-an auto upgrade process in place. The recommended way to update dependencies is through [dependabot](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates). 
+an auto upgrade process in place. The recommended way to update dependencies is through [dependabot](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates).
 You can find the dependabot config file [here](./.github/dependabot.yml).
 
 An example of this is the [@aws-cdk/lambda-layer-awscli](packages/@aws-cdk/lambda-layer-awscli) module.
 This module creates a lambda layer that bundles the AWS CLI. This is considered an unconventional
 dependency because the AWS CLI is bundled into the CDK as part of the build, and the version
-of the AWS CLI that is bundled is not managed by the `package.json` file. 
+of the AWS CLI that is bundled is not managed by the `package.json` file.
 
 In order to automatically update the version of the AWS CLI, a custom build process was
 created that takes upgrades into consideration. You can take a look at the files in
@@ -666,7 +666,7 @@ cases where some of those do not apply - good judgement is to be applied):
   // An example about adding a stage to a pipeline in the @aws-cdk/pipelines library
   declare const pipeline: pipelines.CodePipeline;
   declare const myStage: Stage;
-  pipeline.addStage(myStage);   
+  pipeline.addStage(myStage);
   ```
 
 - Utilize the `default.ts-fixture` that already exists rather than writing new

diff --git a/packages/@aws-cdk/aws-apigatewayv2/lib/http/route.ts b/packages/@aws-cdk/aws-apigatewayv2/lib/http/route.ts
@@ -236,7 +236,7 @@ export class HttpRoute extends Resource implements IHttpRoute {
     // path variable and all that follows with a wildcard.
     const iamPath = path.replace(/\{.*?\}.*/, '*');
 
-    return `arn:aws:execute-api:${this.stack.region}:${this.stack.account}:${this.httpApi.apiId}/${stage}/${iamHttpMethod}${iamPath}`;
+    return `arn:aws:execute-api:${this.env.region}:${this.env.account}:${this.httpApi.apiId}/${stage}/${iamHttpMethod}${iamPath}`;
   }
 
   public grantInvoke(grantee: iam.IGrantable, options: GrantInvokeOptions = {}): iam.Grant {

diff --git a/packages/@aws-cdk/aws-appsync/lib/data-source.ts b/packages/@aws-cdk/aws-appsync/lib/data-source.ts
@@ -219,7 +219,7 @@ export class DynamoDbDataSource extends BackedDataSource {
       type: 'AMAZON_DYNAMODB',
       dynamoDbConfig: {
         tableName: props.table.tableName,
-        awsRegion: props.table.stack.region,
+        awsRegion: props.table.env.region,
         useCallerCredentials: props.useCallerCredentials,
       },
     });
@@ -337,7 +337,7 @@ export class RdsDataSource extends BackedDataSource {
       type: 'RELATIONAL_DATABASE',
       relationalDatabaseConfig: {
         rdsHttpEndpointConfig: {
-          awsRegion: props.serverlessCluster.stack.region,
+          awsRegion: props.serverlessCluster.env.region,
           dbClusterIdentifier: Lazy.string({
             produce: () => {
               return Stack.of(this).formatArn({
@@ -399,7 +399,7 @@ export class ElasticsearchDataSource extends BackedDataSource {
     super(scope, id, props, {
       type: 'AMAZON_ELASTICSEARCH',
       elasticsearchConfig: {
-        awsRegion: props.domain.stack.region,
+        awsRegion: props.domain.env.region,
         endpoint: `https://${props.domain.domainEndpoint}`,
       },
     });
@@ -426,7 +426,7 @@ export class OpenSearchDataSource extends BackedDataSource {
     super(scope, id, props, {
       type: 'AMAZON_OPENSEARCH_SERVICE',
       openSearchServiceConfig: {
-        awsRegion: props.domain.stack.region,
+        awsRegion: props.domain.env.region,
         endpoint: `https://${props.domain.domainEndpoint}`,
       },
     });

diff --git a/packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts b/packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts
@@ -633,7 +633,7 @@ export class GraphqlApi extends GraphqlApiBase {
     if (!config) return undefined;
     return {
       userPoolId: config.userPool.userPoolId,
-      awsRegion: config.userPool.stack.region,
+      awsRegion: config.userPool.env.region,
       appIdClientRegex: config.appIdClientRegex,
       defaultAction: config.defaultAction || UserPoolDefaultAction.ALLOW,
     };

diff --git a/packages/@aws-cdk/aws-batch/lib/compute-environment.ts b/packages/@aws-cdk/aws-batch/lib/compute-environment.ts
@@ -581,7 +581,7 @@ export class ComputeEnvironment extends Resource implements IComputeEnvironment
         return props.computeResources.spotFleetRole;
       } else if (props.computeResources.type === ComputeResourceType.SPOT) {
         return iam.Role.fromRoleArn(this, 'Resource-SpotFleet-Role',
-          `arn:${this.stack.partition}:iam::${this.stack.account}:role/aws-service-role/spotfleet.amazonaws.com/AWSServiceRoleForEC2SpotFleet`);
+          `arn:${this.stack.partition}:iam::${this.env.account}:role/aws-service-role/spotfleet.amazonaws.com/AWSServiceRoleForEC2SpotFleet`);
       }
     }
 

diff --git a/packages/@aws-cdk/aws-cloud9/lib/environment.ts b/packages/@aws-cdk/aws-cloud9/lib/environment.ts
@@ -143,7 +143,7 @@ export class Ec2Environment extends cdk.Resource implements IEc2Environment {
     this.environmentId = c9env.ref;
     this.ec2EnvironmentArn = c9env.getAtt('Arn').toString();
     this.ec2EnvironmentName = c9env.getAtt('Name').toString();
-    this.ideUrl = `https://${this.stack.region}.console.aws.amazon.com/cloud9/ide/${this.environmentId}`;
+    this.ideUrl = `https://${this.env.region}.console.aws.amazon.com/cloud9/ide/${this.environmentId}`;
   }
 }
 

diff --git a/packages/@aws-cdk/aws-cloudfront/lib/experimental/edge-function.ts b/packages/@aws-cdk/aws-cloudfront/lib/experimental/edge-function.ts
@@ -55,7 +55,7 @@ export class EdgeFunction extends Resource implements lambda.IVersion {
     super(scope, id);
 
     // Create a simple Function if we're already in us-east-1; otherwise create a cross-region stack.
-    const regionIsUsEast1 = !Token.isUnresolved(this.stack.region) && this.stack.region === 'us-east-1';
+    const regionIsUsEast1 = !Token.isUnresolved(this.env.region) && this.env.region === 'us-east-1';
     const { edgeFunction, edgeArn } = regionIsUsEast1
       ? this.createInRegionFunction(props)
       : this.createCrossRegionFunction(id, props);

diff --git a/packages/@aws-cdk/aws-cognito/lib/user-pool-domain.ts b/packages/@aws-cdk/aws-cognito/lib/user-pool-domain.ts
@@ -152,18 +152,21 @@ export class UserPoolDomain extends Resource implements IUserPoolDomain {
 
   /**
    * The URL to the hosted UI associated with this domain
+   *
+   * @param options options to customize baseUrl
    */
-  public baseUrl(): string {
+  public baseUrl(options?: BaseUrlOptions): string {
     if (this.isCognitoDomain) {
-      return `https://${this.domainName}.auth.${Stack.of(this).region}.amazoncognito.com`;
+      const authDomain = 'auth' + (options?.fips ? '-fips' : '');
+      return `https://${this.domainName}.${authDomain}.${Stack.of(this).region}.amazoncognito.com`;
     }
     return `https://${this.domainName}`;
   }
 
   /**
    * The URL to the sign in page in this domain using a specific UserPoolClient
    * @param client [disable-awslint:ref-via-interface] the user pool client that the UI will use to interact with the UserPool
-   * @param options options to customize the behaviour of this method.
+   * @param options options to customize signInUrl.
    */
   public signInUrl(client: UserPoolClient, options: SignInUrlOptions): string {
     let responseType: string;
@@ -175,14 +178,26 @@ export class UserPoolDomain extends Resource implements IUserPoolDomain {
       throw new Error('signInUrl is not supported for clients without authorizationCodeGrant or implicitCodeGrant flow enabled');
     }
     const path = options.signInPath ?? '/login';
-    return `${this.baseUrl()}${path}?client_id=${client.userPoolClientId}&response_type=${responseType}&redirect_uri=${options.redirectUri}`;
+    return `${this.baseUrl(options)}${path}?client_id=${client.userPoolClientId}&response_type=${responseType}&redirect_uri=${options.redirectUri}`;
   }
 }
 
+/**
+ * Options to customize the behaviour of `baseUrl()`
+ */
+export interface BaseUrlOptions {
+  /**
+   * Whether to return the FIPS-compliant endpoint
+   *
+   * @default return the standard URL
+   */
+  readonly fips?: boolean;
+}
+
 /**
  * Options to customize the behaviour of `signInUrl()`
  */
-export interface SignInUrlOptions {
+export interface SignInUrlOptions extends BaseUrlOptions {
   /**
    * Where to redirect to after sign in
    */

diff --git a/packages/@aws-cdk/aws-cognito/test/user-pool-domain.test.ts b/packages/@aws-cdk/aws-cognito/test/user-pool-domain.test.ts
@@ -164,6 +164,62 @@ describe('User Pool Client', () => {
     Template.fromStack(stack).resourceCountIs('AWS::Cognito::UserPoolDomain', 0);
   });
 
+  describe('baseUrl', () => {
+    test('returns the expected standard URL', () => {
+      // GIVEN
+      const stack = new Stack();
+      const pool = new UserPool(stack, 'Pool');
+      const domain = pool.addDomain('Domain', {
+        cognitoDomain: {
+          domainPrefix: 'cognito-domain-prefix',
+        },
+      });
+
+      // WHEN
+      const baseUrl = domain.baseUrl();
+
+      // THEN
+      expect(stack.resolve(baseUrl)).toEqual({
+        'Fn::Join': [
+          '', [
+            'https://',
+            { Ref: 'PoolDomainCFC71F56' },
+            '.auth.',
+            { Ref: 'AWS::Region' },
+            '.amazoncognito.com',
+          ],
+        ],
+      });
+    });
+
+    test('returns the expected FIPS-compliant endpoint URL', () => {
+      // GIVEN
+      const stack = new Stack();
+      const pool = new UserPool(stack, 'Pool');
+      const domain = pool.addDomain('Domain', {
+        cognitoDomain: {
+          domainPrefix: 'cognito-domain-prefix',
+        },
+      });
+
+      // WHEN
+      const baseUrl = domain.baseUrl({ fips: true });
+
+      // THEN
+      expect(stack.resolve(baseUrl)).toEqual({
+        'Fn::Join': [
+          '', [
+            'https://',
+            { Ref: 'PoolDomainCFC71F56' },
+            '.auth-fips.',
+            { Ref: 'AWS::Region' },
+            '.amazoncognito.com',
+          ],
+        ],
+      });
+    });
+  });
+
   describe('signInUrl', () => {
     test('returns the expected URL', () => {
       // GIVEN

diff --git a/packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts b/packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts
@@ -612,8 +612,8 @@ export class InterfaceVpcEndpoint extends VpcEndpoint implements IInterfaceVpcEn
   private validateCanLookupSupportedAzs(subnets: ISubnet[], serviceName: string) {
 
     // Having any of these be true will cause the AZ lookup to fail at synthesis time
-    const agnosticAcct = Token.isUnresolved(this.stack.account);
-    const agnosticRegion = Token.isUnresolved(this.stack.region);
+    const agnosticAcct = Token.isUnresolved(this.env.account);
+    const agnosticRegion = Token.isUnresolved(this.env.region);
     const agnosticService = Token.isUnresolved(serviceName);
 
     // Having subnets with Token AZs can cause the endpoint to be created with no subnets, failing at deployment time

diff --git a/packages/@aws-cdk/aws-ecs/lib/base/base-service.ts b/packages/@aws-cdk/aws-ecs/lib/base/base-service.ts
@@ -510,7 +510,7 @@ export abstract class BaseService extends Resource
       resources: ['*'],
     }));
 
-    const logGroupArn = logConfiguration?.cloudWatchLogGroup ? `arn:${this.stack.partition}:logs:${this.stack.region}:${this.stack.account}:log-group:${logConfiguration.cloudWatchLogGroup.logGroupName}:*` : '*';
+    const logGroupArn = logConfiguration?.cloudWatchLogGroup ? `arn:${this.stack.partition}:logs:${this.env.region}:${this.env.account}:log-group:${logConfiguration.cloudWatchLogGroup.logGroupName}:*` : '*';
     this.taskDefinition.addToTaskRolePolicy(new iam.PolicyStatement({
       actions: [
         'logs:CreateLogStream',
@@ -558,7 +558,7 @@ export abstract class BaseService extends Resource
         'kms:*',
       ],
       resources: ['*'],
-      principals: [new iam.ArnPrincipal(`arn:${this.stack.partition}:iam::${this.stack.account}:root`)],
+      principals: [new iam.ArnPrincipal(`arn:${this.stack.partition}:iam::${this.env.account}:root`)],
     }));
 
     if (logging === ExecuteCommandLogging.DEFAULT || this.cluster.executeCommandConfiguration?.logConfiguration?.cloudWatchEncryptionEnabled) {
@@ -571,9 +571,9 @@ export abstract class BaseService extends Resource
           'kms:Describe*',
         ],
         resources: ['*'],
-        principals: [new iam.ServicePrincipal(`logs.${this.stack.region}.amazonaws.com`)],
+        principals: [new iam.ServicePrincipal(`logs.${this.env.region}.amazonaws.com`)],
         conditions: {
-          ArnLike: { 'kms:EncryptionContext:aws:logs:arn': `arn:${this.stack.partition}:logs:${this.stack.region}:${this.stack.account}:*` },
+          ArnLike: { 'kms:EncryptionContext:aws:logs:arn': `arn:${this.stack.partition}:logs:${this.env.region}:${this.env.account}:*` },
         },
       }));
     }

diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.ts
@@ -266,7 +266,7 @@ export abstract class BaseLoadBalancer extends Resource {
         actions: ['s3:PutObject'],
         principals: [logsDeliveryServicePrincipal],
         resources: [
-          bucket.arnForObjects(`${prefix ? prefix + '/' : ''}AWSLogs/${this.stack.account}/*`),
+          bucket.arnForObjects(`${prefix ? prefix + '/' : ''}AWSLogs/${this.env.account}/*`),
         ],
         conditions: {
           StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' },

diff --git a/packages/@aws-cdk/aws-elasticsearch/lib/domain.ts b/packages/@aws-cdk/aws-elasticsearch/lib/domain.ts
@@ -1110,7 +1110,7 @@ abstract class DomainBase extends cdk.Resource implements IDomain {
       metricName,
       dimensionsMap: {
         DomainName: this.domainName,
-        ClientId: this.stack.account,
+        ClientId: this.env.account,
       },
       ...props,
     }).attachTo(this);

diff --git a/packages/@aws-cdk/aws-fsx/lib/lustre-file-system.ts b/packages/@aws-cdk/aws-fsx/lib/lustre-file-system.ts
@@ -206,7 +206,7 @@ export class LustreFileSystem extends FileSystemBase {
     this.fileSystem.applyRemovalPolicy(props.removalPolicy);
 
     this.fileSystemId = this.fileSystem.ref;
-    this.dnsName = `${this.fileSystemId}.fsx.${this.stack.region}.${Aws.URL_SUFFIX}`;
+    this.dnsName = `${this.fileSystemId}.fsx.${this.env.region}.${Aws.URL_SUFFIX}`;
     this.mountName = this.fileSystem.attrLustreMountName;
   }
 

diff --git a/packages/@aws-cdk/aws-opensearchservice/lib/domain.ts b/packages/@aws-cdk/aws-opensearchservice/lib/domain.ts
@@ -883,7 +883,7 @@ abstract class DomainBase extends cdk.Resource implements IDomain {
       metricName,
       dimensionsMap: {
         DomainName: this.domainName,
-        ClientId: this.stack.account,
+        ClientId: this.env.account,
       },
       ...props,
     }).attachTo(this);

diff --git a/packages/@aws-cdk/aws-s3-assets/README.md b/packages/@aws-cdk/aws-s3-assets/README.md
@@ -18,7 +18,7 @@ will first upload all the assets to S3, and only then deploy the stacks. The S3
 locations of the uploaded assets will be passed in as CloudFormation Parameters
 to the relevant stacks.
 
-The following JavaScript example defines an directory asset which is archived as
+The following JavaScript example defines a directory asset which is archived as
 a .zip file and uploaded to S3 during deployment.
 
 [Example of a ZipDirectoryAsset](./test/integ.assets.directory.lit.ts)
@@ -46,7 +46,7 @@ In the following example, the various asset attributes are exported as stack out
 IAM roles, users or groups which need to be able to read assets in runtime will should be
 granted IAM permissions. To do that use the `asset.grantRead(principal)` method:
 
-The following examples grants an IAM group read permissions on an asset:
+The following example grants an IAM group read permissions on an asset:
 
 [Example of granting read access to an asset](./test/integ.assets.permissions.lit.ts)
 

diff --git a/packages/@aws-cdk/aws-s3objectlambda/lib/access-point.ts b/packages/@aws-cdk/aws-s3objectlambda/lib/access-point.ts
@@ -101,14 +101,14 @@ abstract class AccessPointBase extends core.Resource implements IAccessPoint {
   /** Implement the {@link IAccessPoint.domainName} field. */
   get domainName(): string {
     const urlSuffix = this.stack.urlSuffix;
-    return `${this.accessPointName}-${this.stack.account}.s3-object-lambda.${urlSuffix}`;
+    return `${this.accessPointName}-${this.env.account}.s3-object-lambda.${urlSuffix}`;
   }
 
   /** Implement the {@link IAccessPoint.regionalDomainName} field. */
   get regionalDomainName(): string {
     const urlSuffix = this.stack.urlSuffix;
-    const region = this.stack.region;
-    return `${this.accessPointName}-${this.stack.account}.s3-object-lambda.${region}.${urlSuffix}`;
+    const region = this.env.region;
+    return `${this.accessPointName}-${this.env.account}.s3-object-lambda.${region}.${urlSuffix}`;
   }
 
   /** Implement the {@link IAccessPoint.virtualHostedUrlForObject} method. */
@@ -252,4 +252,4 @@ export class AccessPoint extends AccessPointBase {
       }),
     );
   }
-}
+}
diff --git a/packages/@aws-cdk/aws-sns-subscriptions/lib/lambda.ts b/packages/@aws-cdk/aws-sns-subscriptions/lib/lambda.ts
@@ -59,9 +59,9 @@ export class LambdaSubscription implements sns.ITopicSubscription {
       if (topic.stack !== this.fn.stack) {
         // only if we know the region, will not work for
         // env agnostic stacks
-        if (!Token.isUnresolved(topic.stack.region) &&
-          (topic.stack.region !== this.fn.stack.region)) {
-          return topic.stack.region;
+        if (!Token.isUnresolved(topic.env.region) &&
+          (topic.env.region !== this.fn.env.region)) {
+          return topic.env.region;
         }
       }
       return undefined;