chore(release): 1.88.0 (#12859)

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/bump/1.88.0/CHANGELOG.md)
aws · Feb 3, 2021 · f65009b · f65009b
2 parents 8990e8f + 208a7c1
commit f65009b
Show file tree

Hide file tree

Showing 123 changed files with 4,873 additions and 1,199 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,43 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [1.88.0](https://github.com/aws/aws-cdk/compare/v1.87.1...v1.88.0) (2021-02-03)
+
+
+### ⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES
+
+* **appmesh:** the properties virtualRouter and virtualNode of VirtualServiceProps have been replaced with the union-like class VirtualServiceProvider 
+* **appmesh**: the method `addVirtualService` has been removed from `IMesh`
+* **cloudfront:** experimental EdgeFunction stack names have changed from 'edge-lambda-stack-${region}' to 'edge-lambda-stack-${stackid}' to support multiple independent CloudFront distributions with EdgeFunctions.
+
+### Features
+
+* **apigateway:** cognito user pool authorizer ([#12786](https://github.com/aws/aws-cdk/issues/12786)) ([ff1e5b3](https://github.com/aws/aws-cdk/commit/ff1e5b3c580119c107fe26c67fe3cc220f9ee7c9)), closes [#5618](https://github.com/aws/aws-cdk/issues/5618)
+* **apigateway:** import an existing Resource ([#12785](https://github.com/aws/aws-cdk/issues/12785)) ([8a1a9b8](https://github.com/aws/aws-cdk/commit/8a1a9b82a36e681334fd45be595f6ecdf904ad34)), closes [#4432](https://github.com/aws/aws-cdk/issues/4432)
+* **appmesh:** change VirtualService provider to a union-like class ([#11978](https://github.com/aws/aws-cdk/issues/11978)) ([dfc765a](https://github.com/aws/aws-cdk/commit/dfc765af44c755f10be8f6c1c2eae55f62e2aa08)), closes [#9490](https://github.com/aws/aws-cdk/issues/9490)
+* **aws-route53:** cross account DNS delegations ([#12680](https://github.com/aws/aws-cdk/issues/12680)) ([126a693](https://github.com/aws/aws-cdk/commit/126a6935cacc1f68b1d1155e484912d4ed6978f2)), closes [#8776](https://github.com/aws/aws-cdk/issues/8776)
+* **cloudfront:** add PublicKey and KeyGroup L2 constructs ([#12743](https://github.com/aws/aws-cdk/issues/12743)) ([59cb6d0](https://github.com/aws/aws-cdk/commit/59cb6d032a55515ec5e9903f899de588d18d4cb5))
+* **core:** `stack.exportValue()` can be used to solve "deadly embrace" ([#12778](https://github.com/aws/aws-cdk/issues/12778)) ([3b66088](https://github.com/aws/aws-cdk/commit/3b66088010b6f2315a215e92505d5279680f16d4)), closes [#7602](https://github.com/aws/aws-cdk/issues/7602) [#2036](https://github.com/aws/aws-cdk/issues/2036)
+* **ecr:** Public Gallery authorization token ([#12775](https://github.com/aws/aws-cdk/issues/12775)) ([8434294](https://github.com/aws/aws-cdk/commit/84342943ad9f2ea8a83773f00816a0b8117c4d17))
+* **ecs-patterns:** Add PlatformVersion option to ScheduledFargateTask props ([#12676](https://github.com/aws/aws-cdk/issues/12676)) ([3cbf38b](https://github.com/aws/aws-cdk/commit/3cbf38b09a9e66a6c009f833481fb25b8c5fc26c)), closes [#12623](https://github.com/aws/aws-cdk/issues/12623)
+* **elbv2:** support for 2020 SSL policy ([#12710](https://github.com/aws/aws-cdk/issues/12710)) ([1dd3d05](https://github.com/aws/aws-cdk/commit/1dd3d0518dc2a70c725f87dd5d4377338389125c)), closes [#12595](https://github.com/aws/aws-cdk/issues/12595)
+* **iam:** Permissions Boundaries ([#12777](https://github.com/aws/aws-cdk/issues/12777)) ([415eb86](https://github.com/aws/aws-cdk/commit/415eb861c65829cc53eabbbb8706f83f08c74570)), closes [aws/aws-cdk-rfcs#5](https://github.com/aws/aws-cdk-rfcs/issues/5) [#3242](https://github.com/aws/aws-cdk/issues/3242)
+* **lambda:** inline code for Python 3.8 ([#12788](https://github.com/aws/aws-cdk/issues/12788)) ([8d3aaba](https://github.com/aws/aws-cdk/commit/8d3aabaffe436e6a3eebc0a58fe361c5b4b93f08)), closes [#6503](https://github.com/aws/aws-cdk/issues/6503)
+
+
+### Bug Fixes
+
+* **apigateway:** stack update fails to replace api key ([#12745](https://github.com/aws/aws-cdk/issues/12745)) ([ffe7e42](https://github.com/aws/aws-cdk/commit/ffe7e425e605144a465cea9befa68d4fe19f9d8c)), closes [#12698](https://github.com/aws/aws-cdk/issues/12698)
+* **cfn-include:** AWS::CloudFormation resources fail in monocdk ([#12758](https://github.com/aws/aws-cdk/issues/12758)) ([5060782](https://github.com/aws/aws-cdk/commit/5060782b00e17bdf44e225f8f5ef03344be238c7)), closes [#11595](https://github.com/aws/aws-cdk/issues/11595)
+* **cli, codepipeline:** renamed bootstrap stack still not supported ([#12771](https://github.com/aws/aws-cdk/issues/12771)) ([40b32bb](https://github.com/aws/aws-cdk/commit/40b32bbda272b6e2f92fd5dd8de7ca5bf405ce52)), closes [#12594](https://github.com/aws/aws-cdk/issues/12594) [#12732](https://github.com/aws/aws-cdk/issues/12732)
+* **cloudfront:** use node addr for edgeStackId name ([#12702](https://github.com/aws/aws-cdk/issues/12702)) ([c429bb7](https://github.com/aws/aws-cdk/commit/c429bb7df2406346426dce22d716cabc484ec7e6)), closes [#12323](https://github.com/aws/aws-cdk/issues/12323)
+* **codedeploy:** wrong syntax on Windows 'installAgent' flag ([#12736](https://github.com/aws/aws-cdk/issues/12736)) ([238742e](https://github.com/aws/aws-cdk/commit/238742e4323310ce850d8edc70abe4b0e9f53186)), closes [#12734](https://github.com/aws/aws-cdk/issues/12734)
+* **codepipeline:** permission denied for Action-level environment variables ([#12761](https://github.com/aws/aws-cdk/issues/12761)) ([99fd074](https://github.com/aws/aws-cdk/commit/99fd074a07ead624f64d3fe64685ba67c798976e)), closes [#12742](https://github.com/aws/aws-cdk/issues/12742)
+* **ec2:** ARM-backed bastion hosts try to run x86-based Amazon Linux AMI ([#12280](https://github.com/aws/aws-cdk/issues/12280)) ([1a73d76](https://github.com/aws/aws-cdk/commit/1a73d761ad2363842567a1b6e0488ceb093e70b2)), closes [#12279](https://github.com/aws/aws-cdk/issues/12279)
+* **efs:** EFS fails to create when using a VPC with multiple subnets per availability zone ([#12097](https://github.com/aws/aws-cdk/issues/12097)) ([889d673](https://github.com/aws/aws-cdk/commit/889d6734c10174f2661e45057c345cd112a44187)), closes [#10170](https://github.com/aws/aws-cdk/issues/10170)
+* **iam:** cannot use the same Role for multiple Config Rules ([#12724](https://github.com/aws/aws-cdk/issues/12724)) ([2f6521a](https://github.com/aws/aws-cdk/commit/2f6521a1d8670b2653f7dee281309351181cf918)), closes [#12714](https://github.com/aws/aws-cdk/issues/12714)
+* **lambda:** codeguru profiler not set up for Node runtime ([#12712](https://github.com/aws/aws-cdk/issues/12712)) ([59db763](https://github.com/aws/aws-cdk/commit/59db763e7d05d68fd85b6fd37246d69d4670d7d5)), closes [#12624](https://github.com/aws/aws-cdk/issues/12624)
+
 ## [1.87.1](https://github.com/aws/aws-cdk/compare/v1.87.0...v1.87.1) (2021-01-28)
 
 

diff --git a/packages/@aws-cdk-containers/ecs-service-extensions/lib/extensions/appmesh.ts b/packages/@aws-cdk-containers/ecs-service-extensions/lib/extensions/appmesh.ts
@@ -316,8 +316,7 @@ export class AppMeshExtension extends ServiceExtension {
  // Now create a virtual service. Relationship goes like this:
  // virtual service -> virtual router -> virtual node
  this.virtualService = new appmesh.VirtualService(this.scope, `${this.parentService.id}-virtual-service`, {
- mesh: this.mesh,
- virtualRouter: this.virtualRouter,
+ virtualServiceProvider: appmesh.VirtualServiceProvider.virtualRouter(this.virtualRouter),
  virtualServiceName: serviceName,
  });
  }

diff --git a/packages/@aws-cdk/assert/lib/assertions/have-resource.ts b/packages/@aws-cdk/assert/lib/assertions/have-resource.ts
@@ -66,7 +66,7 @@ export class HaveResourceAssertion extends JestFriendlyAssertion<StackInspector>
  for (const logicalId of Object.keys(inspector.value.Resources || {})) {
  const resource = inspector.value.Resources[logicalId];
  if (resource.Type === this.resourceType) {
- const propsToCheck = this.part === ResourcePart.Properties ? resource.Properties : resource;
+ const propsToCheck = this.part === ResourcePart.Properties ? (resource.Properties ?? {}) : resource;
 
  // Pass inspection object as 2nd argument, initialize failure with default string,
  // to maintain backwards compatibility with old predicate API.

diff --git a/packages/@aws-cdk/aws-apigateway/README.md b/packages/@aws-cdk/aws-apigateway/README.md
@@ -32,6 +32,7 @@ running on AWS Lambda, or any web application.
  - [IAM-based authorizer](#iam-based-authorizer)
  - [Lambda-based token authorizer](#lambda-based-token-authorizer)
  - [Lambda-based request authorizer](#lambda-based-request-authorizer)
+ - [Cognito User Pools authorizer](#cognito-user-pools-authorizer)
 - [Mutual TLS](#mutal-tls-mtls)
 - [Deployments](#deployments)
  - [Deep dive: Invalidation of deployments](#deep-dive-invalidation-of-deployments)
@@ -580,6 +581,25 @@ Authorizers can also be passed via the `defaultMethodOptions` property within th
 explicitly overridden, the specified defaults will be applied across all `Method`s across the `RestApi` or across all `Resource`s,
 depending on where the defaults were specified.
 
+### Cognito User Pools authorizer
+
+API Gateway also allows [Amazon Cognito user pools as authorizer](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html)
+
+The following snippet configures a Cognito user pool as an authorizer:
+
+```ts
+const userPool = new cognito.UserPool(stack, 'UserPool');
+
+const auth = new apigateway.CognitoUserPoolsAuthorizer(this, 'booksAuthorizer', {
+ cognitoUserPools: [userPool]
+});
+
+books.addMethod('GET', new apigateway.HttpIntegration('http://amazon.com'), {
+ authorizer: auth,
+ authorizationType: apigateway.AuthorizationType.COGNITO,
+});
+```
+
 ## Mutual TLS (mTLS)
 
 Mutual TLS can be configured to limit access to your API based by using client certificates instead of (or as an extension of) using authorization headers.

diff --git a/packages/@aws-cdk/aws-apigateway/lib/authorizers/cognito.ts b/packages/@aws-cdk/aws-apigateway/lib/authorizers/cognito.ts
@@ -0,0 +1,115 @@
+import * as cognito from '@aws-cdk/aws-cognito';
+import { Duration, Lazy, Names, Stack } from '@aws-cdk/core';
+import { Construct } from 'constructs';
+import { CfnAuthorizer } from '../apigateway.generated';
+import { Authorizer, IAuthorizer } from '../authorizer';
+import { AuthorizationType } from '../method';
+import { IRestApi } from '../restapi';
+
+/**
+ * Properties for CognitoUserPoolsAuthorizer
+ */
+export interface CognitoUserPoolsAuthorizerProps {
+ /**
+ * An optional human friendly name for the authorizer. Note that, this is not the primary identifier of the authorizer.
+ *
+ * @default - the unique construct ID
+ */
+ readonly authorizerName?: string;
+
+ /**
+ * The user pools to associate with this authorizer.
+ */
+ readonly cognitoUserPools: cognito.IUserPool[];
+
+ /**
+ * How long APIGateway should cache the results. Max 1 hour.
+ * Disable caching by setting this to 0.
+ *
+ * @default Duration.minutes(5)
+ */
+ readonly resultsCacheTtl?: Duration;
+
+ /**
+ * The request header mapping expression for the bearer token. This is typically passed as part of the header, in which case
+ * this should be `method.request.header.Authorizer` where Authorizer is the header containing the bearer token.
+ * @see https://docs.aws.amazon.com/apigateway/api-reference/link-relation/authorizer-create/#identitySource
+ * @default `IdentitySource.header('Authorization')`
+ */
+ readonly identitySource?: string;
+}
+
+/**
+ * Cognito user pools based custom authorizer
+ *
+ * @resource AWS::ApiGateway::Authorizer
+ */
+export class CognitoUserPoolsAuthorizer extends Authorizer implements IAuthorizer {
+ /**
+ * The id of the authorizer.
+ * @attribute
+ */
+ public readonly authorizerId: string;
+
+ /**
+ * The ARN of the authorizer to be used in permission policies, such as IAM and resource-based grants.
+ * @attribute
+ */
+ public readonly authorizerArn: string;
+
+ /**
+ * The authorization type of this authorizer.
+ */
+ public readonly authorizationType?: AuthorizationType;
+
+ private restApiId?: string;
+
+ constructor(scope: Construct, id: string, props: CognitoUserPoolsAuthorizerProps) {
+ super(scope, id);
+
+ const restApiId = this.lazyRestApiId();
+ const resource = new CfnAuthorizer(this, 'Resource', {
+ name: props.authorizerName ?? Names.uniqueId(this),
+ restApiId,
+ type: 'COGNITO_USER_POOLS',
+ providerArns: props.cognitoUserPools.map(userPool => userPool.userPoolArn),
+ authorizerResultTtlInSeconds: props.resultsCacheTtl?.toSeconds(),
+ identitySource: props.identitySource || 'method.request.header.Authorization',
+ });
+
+ this.authorizerId = resource.ref;
+ this.authorizerArn = Stack.of(this).formatArn({
+ service: 'execute-api',
+ resource: restApiId,
+ resourceName: `authorizers/${this.authorizerId}`,
+ });
+ this.authorizationType = AuthorizationType.COGNITO;
+ }
+
+ /**
+ * Attaches this authorizer to a specific REST API.
+ * @internal
+ */
+ public _attachToApi(restApi: IRestApi): void {
+ if (this.restApiId && this.restApiId !== restApi.restApiId) {
+ throw new Error('Cannot attach authorizer to two different rest APIs');
+ }
+
+ this.restApiId = restApi.restApiId;
+ }
+
+ /**
+ * Returns a token that resolves to the Rest Api Id at the time of synthesis.
+ * Throws an error, during token resolution, if no RestApi is attached to this authorizer.
+ */
+ private lazyRestApiId() {
+ return Lazy.string({
+ produce: () => {
+ if (!this.restApiId) {
+ throw new Error(`Authorizer (${this.node.path}) must be attached to a RestApi`);
+ }
+ return this.restApiId;
+ },
+ });
+ }
+}
diff --git a/packages/@aws-cdk/aws-apigateway/lib/authorizers/index.ts b/packages/@aws-cdk/aws-apigateway/lib/authorizers/index.ts
@@ -1,2 +1,3 @@
 export * from './lambda';
 export * from './identity-source';
+export * from './cognito';
diff --git a/packages/@aws-cdk/aws-apigateway/lib/resource.ts b/packages/@aws-cdk/aws-apigateway/lib/resource.ts
@@ -373,7 +373,51 @@ export abstract class ResourceBase extends ResourceConstruct implements IResourc
  }
 }
 
+/**
+ * Attributes that can be specified when importing a Resource
+ */
+export interface ResourceAttributes {
+ /**
+ * The ID of the resource.
+ */
+ readonly resourceId: string;
+
+ /**
+ * The rest API that this resource is part of.
+ */
+ readonly restApi: IRestApi;
+
+ /**
+ * The full path of this resource.
+ */
+ readonly path: string;
+}
+
 export class Resource extends ResourceBase {
+ /**
+ * Import an existing resource
+ */
+ public static fromResourceAttributes(scope: Construct, id: string, attrs: ResourceAttributes): IResource {
+ class Import extends ResourceBase {
+ public readonly api = attrs.restApi;
+ public readonly resourceId = attrs.resourceId;
+ public readonly path = attrs.path;
+ public readonly defaultIntegration?: Integration = undefined;
+ public readonly defaultMethodOptions?: MethodOptions = undefined;
+ public readonly defaultCorsPreflightOptions?: CorsOptions = undefined;
+
+ public get parentResource(): IResource {
+ throw new Error('parentResource is not configured for imported resource.');
+ }
+
+ public get restApi(): RestApi {
+ throw new Error('restApi is not configured for imported resource.');
+ }
+ }
+
+ return new Import(scope, id);
+ }
+
  public readonly parentResource?: IResource;
  public readonly api: IRestApi;
  public readonly resourceId: string;

diff --git a/packages/@aws-cdk/aws-apigateway/package.json b/packages/@aws-cdk/aws-apigateway/package.json
@@ -80,6 +80,7 @@
  "dependencies": {
  "@aws-cdk/aws-certificatemanager": "0.0.0",
  "@aws-cdk/aws-cloudwatch": "0.0.0",
+ "@aws-cdk/aws-cognito": "0.0.0",
  "@aws-cdk/aws-ec2": "0.0.0",
  "@aws-cdk/aws-elasticloadbalancingv2": "0.0.0",
  "@aws-cdk/aws-iam": "0.0.0",
@@ -95,6 +96,7 @@
  "peerDependencies": {
  "@aws-cdk/aws-certificatemanager": "0.0.0",
  "@aws-cdk/aws-cloudwatch": "0.0.0",
+ "@aws-cdk/aws-cognito": "0.0.0",
  "@aws-cdk/aws-ec2": "0.0.0",
  "@aws-cdk/aws-elasticloadbalancingv2": "0.0.0",
  "@aws-cdk/aws-iam": "0.0.0",

diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/cognito.test.ts b/packages/@aws-cdk/aws-apigateway/test/authorizers/cognito.test.ts
@@ -0,0 +1,66 @@
+import '@aws-cdk/assert/jest';
+import * as cognito from '@aws-cdk/aws-cognito';
+import { Duration, Stack } from '@aws-cdk/core';
+import { AuthorizationType, CognitoUserPoolsAuthorizer, RestApi } from '../../lib';
+
+describe('Cognito Authorizer', () => {
+ test('default cognito authorizer', () => {
+ // GIVEN
+ const stack = new Stack();
+ const userPool = new cognito.UserPool(stack, 'UserPool');
+
+ // WHEN
+ const authorizer = new CognitoUserPoolsAuthorizer(stack, 'myauthorizer', {
+ cognitoUserPools: [userPool],
+ });
+
+ const restApi = new RestApi(stack, 'myrestapi');
+ restApi.root.addMethod('ANY', undefined, {
+ authorizer,
+ authorizationType: AuthorizationType.COGNITO,
+ });
+
+ // THEN
+ expect(stack).toHaveResource('AWS::ApiGateway::Authorizer', {
+ Type: 'COGNITO_USER_POOLS',
+ RestApiId: stack.resolve(restApi.restApiId),
+ IdentitySource: 'method.request.header.Authorization',
+ ProviderARNs: [stack.resolve(userPool.userPoolArn)],
+ });
+
+ expect(authorizer.authorizerArn.endsWith(`/authorizers/${authorizer.authorizerId}`)).toBeTruthy();
+ });
+
+ test('cognito authorizer with all parameters specified', () => {
+ // GIVEN
+ const stack = new Stack();
+ const userPool1 = new cognito.UserPool(stack, 'UserPool1');
+ const userPool2 = new cognito.UserPool(stack, 'UserPool2');
+
+ // WHEN
+ const authorizer = new CognitoUserPoolsAuthorizer(stack, 'myauthorizer', {
+ cognitoUserPools: [userPool1, userPool2],
+ identitySource: 'method.request.header.whoami',
+ authorizerName: 'myauthorizer',
+ resultsCacheTtl: Duration.minutes(1),
+ });
+
+ const restApi = new RestApi(stack, 'myrestapi');
+ restApi.root.addMethod('ANY', undefined, {
+ authorizer,
+ authorizationType: AuthorizationType.COGNITO,
+ });
+
+ // THEN
+ expect(stack).toHaveResource('AWS::ApiGateway::Authorizer', {
+ Type: 'COGNITO_USER_POOLS',
+ Name: 'myauthorizer',
+ RestApiId: stack.resolve(restApi.restApiId),
+ IdentitySource: 'method.request.header.whoami',
+ AuthorizerResultTtlInSeconds: 60,
+ ProviderARNs: [stack.resolve(userPool1.userPoolArn), stack.resolve(userPool2.userPoolArn)],
+ });
+
+ expect(authorizer.authorizerArn.endsWith(`/authorizers/${authorizer.authorizerId}`)).toBeTruthy();
+ });
+});