From 1255ce3b68341755f1bd8f44d68d0da8558a1a5e Mon Sep 17 00:00:00 2001 From: Tietew Date: Thu, 22 Aug 2024 06:30:20 +0900 Subject: [PATCH 1/4] fix(cloudfront): requirement of domainNames prevents moving a domain name between distributions (#31001) ### Issue # (if applicable) Closes #29960. ### Reason for this change When I want to move a domain name from a distribution to another distribution, I must create a distribution with a certificate associated but no domain names. ### Description of changes Re-submit of previous #29329. Removed the validation that `domainNames` must not be blank when a certificate is associated. ### Description of how you validated changes Updated a unit test to allow absent domainNames when a certificate is associated. See AWS Documentation for details: Using custom URLs by adding alternate domain names (CNAMEs) > Moving an alternate domain name to a different distribution https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-move ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/aws-cdk-lib/aws-cloudfront/README.md | 10 +++++++ .../aws-cloudfront/lib/distribution.ts | 9 +++---- .../aws-cloudfront/test/distribution.test.ts | 27 +++++++++---------- 3 files changed, 27 insertions(+), 19 deletions(-) diff --git a/packages/aws-cdk-lib/aws-cloudfront/README.md b/packages/aws-cdk-lib/aws-cloudfront/README.md index 965e3cbac7f69..69dd28e093cc1 100644 --- a/packages/aws-cdk-lib/aws-cloudfront/README.md +++ b/packages/aws-cdk-lib/aws-cloudfront/README.md 
@@ -115,6 +115,16 @@ new cloudfront.Distribution(this, 'myDist', { }); ``` +#### Moving an alternate domain name to a different distribution + +When you try to add an alternate domain name to a distribution but the alternate domain name is already in use on a different distribution, you get a `CNAMEAlreadyExists` error (One or more of the CNAMEs you provided are already associated with a different resource). + +In that case, you might want to move the existing alternate domain name from one distribution (the source distribution) to another (the target distribution). The following steps are an overview of the process. For more information, see [Moving an alternate domain name to a different distribution](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/alternate-domain-names-move.html). + +1. Deploy the stack with the target distribution. The `certificate` property must be specified but the `domainNames` should be absent. +2. Move the alternate domain name by running CloudFront `associate-alias` command. For the example and preconditions, see the AWS documentation above. +3. Specify the `domainNames` property with the alternative domain name, then deploy the stack again to resolve the drift at the alternative domain name. + #### Cross Region Certificates > **This feature is currently experimental** diff --git a/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts b/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts index 336affec8b862..c8f23e40d210f 100644 --- a/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts +++ b/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts 
@@ -129,7 +129,10 @@ export interface DistributionProps { * * If you want to use your own domain name, such as www.example.com, instead of the cloudfront.net domain name, * you can add an alternate domain name to your distribution. If you attach a certificate to the distribution, - * you must add (at least one of) the domain names of the certificate to this list. + * you should add (at least one of) the domain names of the certificate to this list. + * + * When you want to move a domain name between distributions, you can associate a certificate without specifying any domain names. + * For more information, see the _Moving an alternate domain name to a different distribution_ section in the README. * * @default - The distribution will only support the default generated name (e.g., d111111abcdef8.cloudfront.net) */ @@ -318,10 +321,6 @@ export class Distribution extends Resource implements IDistribution { if (!Token.isUnresolved(certificateRegion) && certificateRegion !== 'us-east-1') { throw new Error(`Distribution certificates must be in the us-east-1 region and the certificate you provided is in ${certificateRegion}.`); } - - if ((props.domainNames ?? []).length === 0) { - throw new Error('Must specify at least one domain name to use a certificate with a distribution'); - } } const originId = this.addOrigin(props.defaultBehavior.origin); diff --git a/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts b/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts index abd135a418632..7ad33d02a336e 100644 --- a/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts +++ b/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts 
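Review bot: The reworded `domainNames` JSDoc says "you should add" but never states what a certificate with no domain names produces, and the second hunk here deletes the only construct-time guard (`throw new Error('Must specify at least one domain name to use a certificate with a distribution')`) that caught a list left out by accident. I would add one sentence to the comment, for example ` * Without domain names the certificate is attached but the distribution only supports the default generated name.`, so the intermediate state of the move procedure is not mistaken for a finished setup. It may also be worth replacing the removed throw with a synth-time warning rather than nothing; whether an annotations helper is in scope in this file is not visible from the hunks. Both the `DistributionProps` interface and the constructor body continue outside the hunks shown.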
@@ -457,23 +457,22 @@ describe('certificates', () => { }).toThrow(/Distribution certificates must be in the us-east-1 region and the certificate you provided is in eu-west-1./); }); - test('adding a certificate without a domain name throws', () => { + test('adding a certificate without a domain name', () => { const certificate = acm.Certificate.fromCertificateArn(stack, 'Cert', 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012'); - expect(() => { - new Distribution(stack, 'Dist1', { - defaultBehavior: { origin: defaultOrigin() }, - certificate, - }); - }).toThrow(/Must specify at least one domain name/); + new Distribution(stack, 'Dist1', { + defaultBehavior: { origin: defaultOrigin() }, + certificate, + }); - expect(() => { - new Distribution(stack, 'Dist2', { - defaultBehavior: { origin: defaultOrigin() }, - domainNames: [], - certificate, - }); - }).toThrow(/Must specify at least one domain name/); + Template.fromStack(stack).hasResourceProperties('AWS::CloudFront::Distribution', { + DistributionConfig: { + Aliases: Match.absent(), + ViewerCertificate: { + AcmCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012', + }, + }, + }); }); test('use the TLSv1.2_2021 security policy by default', () => { From d23ade7d56c1f5fd8f764935f27a34106866decd Mon Sep 17 00:00:00 2001 
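Review bot: The rewritten test covers only the case where `domainNames` is omitted; the old `Dist2` case with `domainNames: []` is dropped, although the validation removed in distribution.ts treated both inputs the same way (`(props.domainNames ?? []).length === 0`). I would keep a second test that builds a distribution with `domainNames: [], certificate` and asserts the same template shape, in its own `test(...)` or stack, because `hasResourceProperties` is satisfied by any one matching resource. Whether an empty array renders as an absent `Aliases` or as an empty list is not visible here, which is the reason to pin it. The enclosing `describe('certificates', ...)` block starts before and continues after this hunk.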
From: paulhcsun <47882901+paulhcsun@users.noreply.github.com> Date: Wed, 21 Aug 2024 15:01:34 -0700 Subject: [PATCH 2/4] chore(lambda): add ca-west-1 for Cloudwatch Lambda Insight for x86_64 on available versions (#31156) ### Reason for this change Follow up to https://github.com/aws/aws-cdk/pull/30466. Region `ca-west-1` was left out for the `x86_64` platform on a few versions where it was available according to [region-info docs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights-extension-versionsx86-64.html). ### Description of changes Uncomment `ca-west-1` for `x86_64` platform for versions: [1.0.317.0](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights-extension-versionsx86-64.html#Lambda-Insights-extension-1.0.317.0) [1.0.295.0](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights-extension-versionsx86-64.html#Lambda-Insights-extension-1.0.295.0) [1.0.275.0](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights-extension-versionsx86-64.html#Lambda-Insights-extension-1.0.275.0) [1.0.273.0](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights-extension-versionsx86-64.html#Lambda-Insights-extension-1.0.273.0) ### Description of how you validated changes n/a ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../aws-cdk-lib/region-info/build-tools/fact-tables.ts | 8 ++++---- .../test/__snapshots__/region-info.test.ts.snap | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) 
diff --git a/packages/aws-cdk-lib/region-info/build-tools/fact-tables.ts b/packages/aws-cdk-lib/region-info/build-tools/fact-tables.ts
index 55ff8e8e249e8..d6829a4fee8f8 100644
--- a/packages/aws-cdk-lib/region-info/build-tools/fact-tables.ts
+++ b/packages/aws-cdk-lib/region-info/build-tools/fact-tables.ts
@@ -528,7 +528,7 @@ export const CLOUDWATCH_LAMBDA_INSIGHTS_ARNS: { [key: string]: any } = {
 'ap-southeast-2': 'arn:aws:lambda:ap-southeast-2:580247275435:layer:LambdaInsightsExtension:52',
 'ap-northeast-1': 'arn:aws:lambda:ap-northeast-1:580247275435:layer:LambdaInsightsExtension:79',
 'ca-central-1': 'arn:aws:lambda:ca-central-1:580247275435:layer:LambdaInsightsExtension:51',
- // 'ca-west-1': 'arn:aws:lambda:ca-west-1:946466191631:layer:LambdaInsightsExtension:12',
+ 'ca-west-1': 'arn:aws:lambda:ca-west-1:946466191631:layer:LambdaInsightsExtension:12',
 'cn-north-1': 'arn:aws-cn:lambda:cn-north-1:488211338238:layer:LambdaInsightsExtension:42',
 'cn-northwest-1': 'arn:aws-cn:lambda:cn-northwest-1:488211338238:layer:LambdaInsightsExtension:42',
 'eu-central-1': 'arn:aws:lambda:eu-central-1:580247275435:layer:LambdaInsightsExtension:52',
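Review bot: The four `ca-west-1` entries enabled here (this hunk and the hunks at -591, -652 and -711) point at layer ARNs in account `946466191631`, while the commit description lists validation as "n/a"; the snapshot updated later in the patch appears to mirror this same table, so it would not catch a mistyped account id or layer version. These ARNs presumably decide which layer is attached to a user's function, so I would cross-check each one against the linked Lambda Insights x86-64 versions page before merge and say so in the description. A short comment next to the first entry, such as `// Source: Lambda Insights extension versions (x86-64), CloudWatch documentation`, would keep the origin of the values beside them. The object literal starts and ends outside these hunks.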
@@ -591,7 +591,7 @@ export const CLOUDWATCH_LAMBDA_INSIGHTS_ARNS: { [key: string]: any } = {
 'ap-southeast-2': 'arn:aws:lambda:ap-southeast-2:580247275435:layer:LambdaInsightsExtension:51',
 'ap-northeast-1': 'arn:aws:lambda:ap-northeast-1:580247275435:layer:LambdaInsightsExtension:78',
 'ca-central-1': 'arn:aws:lambda:ca-central-1:580247275435:layer:LambdaInsightsExtension:50',
- // 'ca-west-1': 'arn:aws:lambda:ca-west-1:946466191631:layer:LambdaInsightsExtension:11',
+ 'ca-west-1': 'arn:aws:lambda:ca-west-1:946466191631:layer:LambdaInsightsExtension:11',
 'cn-north-1': 'arn:aws-cn:lambda:cn-north-1:488211338238:layer:LambdaInsightsExtension:41',
 'cn-northwest-1': 'arn:aws-cn:lambda:cn-northwest-1:488211338238:layer:LambdaInsightsExtension:41',
 'eu-central-1': 'arn:aws:lambda:eu-central-1:580247275435:layer:LambdaInsightsExtension:51',
@@ -652,7 +652,7 @@ export const CLOUDWATCH_LAMBDA_INSIGHTS_ARNS: { [key: string]: any } = {
 'ap-southeast-2': 'arn:aws:lambda:ap-southeast-2:580247275435:layer:LambdaInsightsExtension:49',
 'ap-northeast-1': 'arn:aws:lambda:ap-northeast-1:580247275435:layer:LambdaInsightsExtension:76',
 'ca-central-1': 'arn:aws:lambda:ca-central-1:580247275435:layer:LambdaInsightsExtension:48',
- // 'ca-west-1': 'arn:aws:lambda:ca-west-1:946466191631:layer:LambdaInsightsExtension:9',
+ 'ca-west-1': 'arn:aws:lambda:ca-west-1:946466191631:layer:LambdaInsightsExtension:9',
 'cn-north-1': 'arn:aws-cn:lambda:cn-north-1:488211338238:layer:LambdaInsightsExtension:39',
 'cn-northwest-1': 'arn:aws-cn:lambda:cn-northwest-1:488211338238:layer:LambdaInsightsExtension:39',
 'eu-central-1': 'arn:aws:lambda:eu-central-1:580247275435:layer:LambdaInsightsExtension:49',
@@ -711,7 +711,7 @@ export const CLOUDWATCH_LAMBDA_INSIGHTS_ARNS: { [key: string]: any } = {
 'ap-southeast-2': 'arn:aws:lambda:ap-southeast-2:580247275435:layer:LambdaInsightsExtension:45',
 'ap-northeast-1': 'arn:aws:lambda:ap-northeast-1:580247275435:layer:LambdaInsightsExtension:72',
 'ca-central-1': 'arn:aws:lambda:ca-central-1:580247275435:layer:LambdaInsightsExtension:44',
- // 'ca-west-1': 'arn:aws:lambda:ca-west-1:946466191631:layer:LambdaInsightsExtension:4',
+ 'ca-west-1': 'arn:aws:lambda:ca-west-1:946466191631:layer:LambdaInsightsExtension:4',
 'cn-north-1': 'arn:aws-cn:lambda:cn-north-1:488211338238:layer:LambdaInsightsExtension:36',
 'cn-northwest-1': 'arn:aws-cn:lambda:cn-northwest-1:488211338238:layer:LambdaInsightsExtension:36',
 'eu-central-1': 'arn:aws:lambda:eu-central-1:580247275435:layer:LambdaInsightsExtension:45',
diff --git a/packages/aws-cdk-lib/region-info/test/__snapshots__/region-info.test.ts.snap b/packages/aws-cdk-lib/region-info/test/__snapshots__/region-info.test.ts.snap
index 43c20a5f9364d..d571bef521f3a 100644
--- a/packages/aws-cdk-lib/region-info/test/__snapshots__/region-info.test.ts.snap
+++ b/packages/aws-cdk-lib/region-info/test/__snapshots__/region-info.test.ts.snap
@@ -664,10 +664,10 @@ exports[`built-in data is correct 1`] = `
 "1.0.143.0": undefined,
 "1.0.178.0": undefined,
 "1.0.229.0": undefined,
- "1.0.273.0": undefined,
- "1.0.275.0": undefined,
- "1.0.295.0": undefined,
- "1.0.317.0": undefined,
+ "1.0.273.0": "arn:aws:lambda:ca-west-1:946466191631:layer:LambdaInsightsExtension:4",
+ "1.0.275.0": "arn:aws:lambda:ca-west-1:946466191631:layer:LambdaInsightsExtension:9",
+ "1.0.295.0": "arn:aws:lambda:ca-west-1:946466191631:layer:LambdaInsightsExtension:11",
+ "1.0.317.0": "arn:aws:lambda:ca-west-1:946466191631:layer:LambdaInsightsExtension:12",
 "1.0.54.0": undefined,
 "1.0.86.0": undefined,
 "1.0.89.0": undefined,
From cb9298d18cabc4a58c6659ed84395f6021bc2282 Mon Sep 17 00:00:00 2001
From: Calvin Combs <66279577+comcalvi@users.noreply.github.com> Date: Wed, 21 Aug 2024 17:08:18 -0700 Subject: [PATCH 3/4] chore(custom-resources): add `@experimental` decorator to `CustomResourceConfig` (#31177) ### Reason for this change Follow the style we use for it here, for consistency: https://github.com/aws/aws-cdk/blob/76e7af6f232655fed60619e2a5f9c629f1a46d1c/packages/aws-cdk/lib/api/plugin/plugin.ts#L125 ### Description of changes Added the decorator. ### Description of how you validated changes Comment only change, no tests modified or run. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../lib/custom-resource-config/custom-resource-config.ts | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/packages/aws-cdk-lib/custom-resources/lib/custom-resource-config/custom-resource-config.ts b/packages/aws-cdk-lib/custom-resources/lib/custom-resource-config/custom-resource-config.ts index f0b06aed92745..28ac61df1e716 100644 --- a/packages/aws-cdk-lib/custom-resources/lib/custom-resource-config/custom-resource-config.ts +++ b/packages/aws-cdk-lib/custom-resources/lib/custom-resource-config/custom-resource-config.ts @@ -12,6 +12,7 @@ export const CUSTOM_RESOURCE_SINGLETON_LOG_RETENTION = 'aws:cdk:is-custom-resour /** * Manages AWS-vended Custom Resources + * * This feature is currently experimental. */ export class CustomResourceConfig { @@ -42,6 +43,8 @@ export class CustomResourceConfig { /** * Manages log retention for AWS-vended custom resources. + * + * This feature is currently experimental. */ export class CustomResourceLogRetention implements IAspect { private readonly logRetention: logs.RetentionDays; 
@@ -89,6 +92,8 @@ export class CustomResourceLogRetention implements IAspect { /** * Manages removal policy for AWS-vended custom resources. + * + * This feature is currently experimental. */ export class CustomResourceRemovalPolicy implements IAspect { private readonly removalPolicy: RemovalPolicy; From 2c0b9c6e3e873a0b2552b3553c3e3c6389ec5332 Mon Sep 17 00:00:00 2001 From: AWS CDK Team Date: Thu, 22 Aug 2024 00:17:01 +0000 Subject: [PATCH 4/4] chore(release): 2.154.0 --- CHANGELOG.v2.alpha.md | 2 +- CHANGELOG.v2.md | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.v2.alpha.md b/CHANGELOG.v2.alpha.md index b275df6e638e8..7587afa210a8f 100644 --- a/CHANGELOG.v2.alpha.md +++ b/CHANGELOG.v2.alpha.md @@ -2,7 +2,7 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. -## [2.154.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.153.0-alpha.0...v2.154.0-alpha.0) (2024-08-21) +## [2.154.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.153.0-alpha.0...v2.154.0-alpha.0) (2024-08-22) ### Features diff --git a/CHANGELOG.v2.md b/CHANGELOG.v2.md index a33e0d1857548..0c94cefe3b723 100644 --- a/CHANGELOG.v2.md +++ b/CHANGELOG.v2.md @@ -2,7 +2,7 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. -## [2.154.0](https://github.com/aws/aws-cdk/compare/v2.153.0...v2.154.0) (2024-08-21) +## [2.154.0](https://github.com/aws/aws-cdk/compare/v2.153.0...v2.154.0) (2024-08-22) ### Features 
@@ -28,6 +28,7 @@ All notable changes to this project will be documented in this file. See [standa ### Bug Fixes +* **cloudfront:** requirement of domainNames prevents moving a domain name between distributions ([#31001](https://github.com/aws/aws-cdk/issues/31001)) ([acdf7d3](https://github.com/aws/aws-cdk/commit/acdf7d3a1ffe2cbc8239cd0b788dc47b99e35184)), closes [#29960](https://github.com/aws/aws-cdk/issues/29960) [#29329](https://github.com/aws/aws-cdk/issues/29329) * **elasticloadbalancingv2-targets:** add AlbListenerTarget for NLBs, deprecate AlbTarget due to ALB listener race conditions ([#17208](https://github.com/aws/aws-cdk/issues/17208)) ([#30396](https://github.com/aws/aws-cdk/issues/30396)) ([1fca1e5](https://github.com/aws/aws-cdk/commit/1fca1e5b92ba760a33652f39c2345f6aa1eaa9f7)), closes [/github.com/aws/aws-cdk/issues/17208#issuecomment-1681475590](https://github.com/aws//github.com/aws/aws-cdk/issues/17208/issues/issuecomment-1681475590) * **lambda:** validate localMountPath format and length ([#31019](https://github.com/aws/aws-cdk/issues/31019)) ([c159e77](https://github.com/aws/aws-cdk/commit/c159e77ab34701fc6780b9501f1692fbf2366b04)) * **vpc-v2:** fixing default scope id ([#31102](https://github.com/aws/aws-cdk/issues/31102)) ([0007a29](https://github.com/aws/aws-cdk/commit/0007a29714cf04abb307845874dde27c813d45dd))