chore: forward merge 'master' into 'v2-main' #18679
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Co-authored-by: AWS CDK Team <aws-cdk@amazon.com>
---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
- cognito - acmpca - codeguruprofiler - cloud9 - signer ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ore customization (#18561) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
When using synthetics runtime "syn-nodejs-puppeteer-3.1" the default role tries to call s3:getBucketLocation on the artifacts bucket, but the policy is incorrect to allow that action. The policy should allow for that call directly on the bucket arn. fixes #13572 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Looking to unblock users who want to use assertions with annotations added on a stack. Fixes #18347 Example: ```ts class MyAspect implements IAspect { public visit(node: IConstruct): void { if (node instanceof CfnResource) { this.warn(node, 'insert message here', } } protected warn(node: IConstruct, message: string): void { Annotations.of(node).addWarning(message); } } const app = new App(); const stack = new Stack(app); new CfnResource(stack, 'Foo', { type: 'Foo::Bar', properties: { Baz: 'Qux', }, }); Aspects.of(stack).add(new MyAspect()); AssertAnnotations.fromStack(stack).hasMessage({ level: 'warning', entry: { data: 'insert message here', }, }); ``` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Migrates all of comcalvi's modules to assertions. PR is complete when these modules are migrated: - [x] autoscaling - [x] application autoscaling - [x] autoscaling common - [x] autoscaling hooktargets - [x] cloudtrail - [x] cloudformation-include - [x] logs ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…18590) Add support for session timeout and client login banner for Client VPN endpoints. Modeled the session timeout as an `enum` and not a `Duration` because it only accepts a sets of values (comparable to `RetentionDays` in `aws-logs`). ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
could pass another bucket, but automatically created buckets are convenient/popular, so worth improving defaults https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudtrail.Trail.html https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.Bucket.html --- ```sh # updated integ snapshots packages/@aws-cdk/aws-cloudtrail $ /workspace/aws-cdk/tools/\@aws-cdk/cdk-integ-tools/bin/cdk-integ --dry-run packages/@aws-cdk/aws-codepipeline-actions $ /workspace/aws-cdk/tools/\@aws-cdk/cdk-integ-tools/bin/cdk-integ --dry-run ``` --- ```sh # eslint fix /workspace/aws-cdk/node_modules/eslint/bin/eslint.js packages/@aws-cdk/aws-cloudtrail/test/ --ext=.ts --fix ``` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…es not grant all necessary permissions (#18558) `ALB.logAccessLogs` today grants the ELB account Put/Abort on the bucket. The NLB code extends this to also grant permissions to the `delivery.logs.amazonaws.com` service principal. The ALB documentation now states that the permissions required for ALB are the same as NLB, so consolidating the code back into the base. fixes #18367 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…reating QueueProcessingFargateService (#18219) The `QueueProcessingFargateService` construct internally creates a service Container with the default healthcheck that cannot currently be overriden by the user. This change allows users to optionally provide a custom healthcheck that can be passed on to the internal ECS container definition. fixes #15636 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
We forgot to remove this dependency when we migrated over to assertions. The assertions dependency is already added, so just removing this one. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Fixes: [#17753](#17753) Previously TagOptions were defined via an interface and we only created the underlying resources upon an association. This broke CX if tagoptions were mangaged centrally. We move to make the TagOptions class a wrapper around aggregate individual TagOptions. BREAKING CHANGE: `TagOptions` now have `scope` and `props` argument in constructor, and data is now passed via a `allowedValueForTags` field in props ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Co-authored-by: AWS CDK Team <aws-cdk@amazon.com>
…ncorrect permissions (#18567) The SecretRotation class currently always grants permissions to `secret.secretArn`; the correct value actually should either by the `secretFullArn` or `secretPartialArn` plus a suffix. This logic is currently covered by `SecretBase.arnForPolicies`. I opted to copy the logic rather than expose the member on both `SecretBase` and `ISecret`, but if more of these cases rise up, that may be the right solution. fixes #18424 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…18311) Adds an option to DnsValidatedCertificate to automatically cleanup the related DNS validation records when the Certificate is deleted. This is an opt-in property and discouraged for production use, as there are edge cases that can cause unintended side effects. The most obvious is that if two or more certificates exist with the same domain, the same validation record is used for both. If one certificate is deleted (and deletes the validation record), the second certificate (with the same domain name) will be unable to automatically renew. closes #3333 closes #7063 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
In "special" regions (GovCloud, US-ISO), the CodeDeploy service principal uses the `amazonaws.com` DNS suffix. In fact, that is true of all regions, in all partitions, with the notable exception of `aws-cn` which uses the `amazonaws.com.cn` suffix instead. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
* feat: cloudformation spec v53.1.0 * chore(servicediscovery): adding awslint exception Co-authored-by: AWS CDK Team <aws-cdk@amazon.com> Co-authored-by: Nick Lynch <nlynch@amazon.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Closes #18175 - see #18175 (comment) for details. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Amazon RDS for PostgreSQL supports new minor versions 13.5, 12.9, 11.14, 10.19, and 9.6.24. https://aws.amazon.com/about-aws/whats-new/2022/01/amazon-rds-postgresql-amazon-rds-outposts-postgresql-minor-versions/ ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…/assert (#18634) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
We're about to deprecate `assert-internal` and `cdk-integ-tools` only uses `canonicalizeTemplates`. There is an argument for canonicalizing assets by default in `assertions` as well, but I am putting that on the backlog for now. For now, just copying over the relevant function which will remove the dependency to `assert-internal`. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…teway (#18595) To pass the Task Token in headers to an API Gateway, the token must be wrapped in an array (because that's the value type of headers). Because JSONPath evaluation needs to happen to resolve the token, we need to use the `States.Array()` function in a `JsonPathToken` to properly resolve this. However, doing that makes the existing validation code fail the validation checking that you are passing the task token somewhere. Add convenience methods for the intrinsics, and update the checker to also find paths referenced inside intrinsic functions. Fixes #14184, fixes #14181. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…nd `grantPut` methods (#18494) In this pull request I try to fix a big behavioral change in the bucket grant methods for write actions. This change was introduced due to security issues as stated in [this pull request](#12391) and substituted the `s3:PutObject*` action glob pattern with the simple `s3:PutObject` to exclude the dangerous `s3:PutObjectAcl` and `s3:PutObjectVersionAcl` from the equation. While I agree about the security issues, I think that other useful actions - if safe, obviously - should be added when calling the `grantWrite`, `grantReadWrite` and `grantPut` methods. This pull request adds the following actions: * s3:PutObjectLegalHold * s3:PutObjectRetention * s3:PutObjectTagging * s3:PutObjectVersionTagging I also added the `s3:PutObjectVersionAcl` action to the `grantPutAcl` method, along with the existing `s3:PutObjectAcl`. I adapted existing unit and integ tests to accept these new actions. Fixes #13616 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
We implemented TagOptions as a full construct, and created its own unit test suite. We are moving some of the basic validation tests out of the other resources unit tests, and then the cross resource association tests as well. The only TagOption tests that remain in portfolio/product are for testing the association and adding as a prop, validation and multi resource tests will be in the `tag-option` test suite. The removed validation tests are already in the `tag-option` test suite. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
The autolabeler will now do different things depending on how the issue comes in. If it's guidance, it's automatically assigned to OSDS. If it's a PR, the autolabeler will not continue to work if the PR has `contribution/core`. For issues, the autolabeler will not continue to work on the issue if `needs-triage` is removed. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Co-authored-by: AWS CDK Team <aws-cdk@amazon.com>
…pOriginProps` (#18697) This pull request extends the maximum value of the `readTimeout` property for `HttpOriginProps` up to 180 seconds. This allows the use of the construct also in the case that a limit increase has been approved for CloudFront [origin request timeout quota](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cloudfront-limits.html#limits-web-distributions). The 180 seconds cap should be AWS hard limit for that quota. Closes #18628 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…18635) While using the Python Lambda with Code Artifact, discovered that Code Artifact was still inaccessible because bundling occurs at _run_ time, which can only access env vars, not build args. This is not a security issue because bundled output doesn't contain any of the secret values. **Note:** Without this, using Code Artifact (or any other private packaging for Python Lambdas) is currently broken. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…8062) Revamped the logic of running `tsc`, previously we were running `tsc` once for the whole project and due to this logic, `tsc` was not running as on the first run as `createBundlingCommand` first prepare command to execute on Docker and then for local bundling and on the first run we already updated the flag to not run `tsc` now. Closes [#18002](#18002) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
A dependency cycle was inadvertently introduced to CDK Pipelines in #18492. Fix that dependency cycle, and also one in Cognito IdentityPools. Add facilities to the `assertions` library to automatically detect this in the future, to stop errors like this from slipping in. We could make it a separate assertion method (`Template.fromStack().assertNoCycles()`), but the only thing that will do is give you an opportunity to forget to put the test in. Instead, we just check it by default for every generated template. Fixes #18673. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Publishing our internal migration script written by @rix0rrr for others to benefit. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Fixes #4159 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
`Pillow` is an image processing library that we don't need at all, but our tests use. It has a high priority CVE reported against it. Since we don't actually need it, away it goes. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
The version of PyYAML that comes wit the AWS CLI we use has a CVE reported against it: CVE-2020-14343 Upgrade to a version of AWS CLI that has PyYAML >= 5.4. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Automated action from aws/cdk-ops