From adf761d61d7aec9d93afde39cf391c0ada279bee Mon Sep 17 00:00:00 2001
From: Ashwin Rabindran
Date: Thu, 29 Jun 2023 16:26:14 -0700
Subject: [PATCH 1/3] fix logical id validation
---
 packages/aws-cdk-lib/core/lib/private/logical-id.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/aws-cdk-lib/core/lib/private/logical-id.ts b/packages/aws-cdk-lib/core/lib/private/logical-id.ts
index 1a9051ebb1790..2929fbfdfb8b5 100644
--- a/packages/aws-cdk-lib/core/lib/private/logical-id.ts
+++ b/packages/aws-cdk-lib/core/lib/private/logical-id.ts
@@ -69,7 +69,7 @@ export class LogicalIDs { } }
-const VALID_LOGICALID_REGEX = /^[A-Za-z][A-Za-z0-9]{1,254}$/;
+const VALID_LOGICALID_REGEX = /^[A-Za-z0-9]{1,254}$/;
 /**
 * Validate logical ID is valid for CloudFormation
From c41b0cd19ed34067edb848815bf71e8d36a2094e Mon Sep 17 00:00:00 2001
From: Ashwin Rabindran
Date: Wed, 5 Jul 2023 22:44:17 +0000
Subject: [PATCH 2/3] add new test to logical id suite
---
 .../core/lib/private/logical-id.ts | 2 +-
 .../aws-cdk-lib/core/test/logical-id.test.ts | 27 ++++++-
 packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md | 80 -------------------
 3 files changed, 27 insertions(+), 82 deletions(-)
diff --git a/packages/aws-cdk-lib/core/lib/private/logical-id.ts b/packages/aws-cdk-lib/core/lib/private/logical-id.ts
index 2929fbfdfb8b5..f7ac42990252b 100644
--- a/packages/aws-cdk-lib/core/lib/private/logical-id.ts
+++ b/packages/aws-cdk-lib/core/lib/private/logical-id.ts
@@ -69,7 +69,7 @@ export class LogicalIDs { } }
-const VALID_LOGICALID_REGEX = /^[A-Za-z0-9]{1,254}$/;
+const VALID_LOGICALID_REGEX = /^[A-Za-z0-9]{1,255}$/;
 /**
 * Validate logical ID is valid for CloudFormation
diff --git a/packages/aws-cdk-lib/core/test/logical-id.test.ts b/packages/aws-cdk-lib/core/test/logical-id.test.ts
index 2edc32d6120c4..df34ddb8d5fcf 100644
--- a/packages/aws-cdk-lib/core/test/logical-id.test.ts
+++ b/packages/aws-cdk-lib/core/test/logical-id.test.ts
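Review bot: The replacement pattern `/^[A-Za-z0-9]{1,254}$/` (widened to `{1,255}` by the second logical-id.ts hunk on this same line) drops not only the leading-letter requirement but also the old two-character minimum, and neither commit message says that both relaxations are intended. The constant should carry a comment recording the rule it now encodes so the next reader does not "fix" it back, e.g. `// CloudFormation logical IDs: alphanumeric only (A-Za-z0-9), 1-255 characters; a leading digit is allowed.`. The 254 cap introduced by the first hunk is an off-by-one that the second hunk corrects, so squashing the two commits would keep the intermediate state out of history. Since this regex appears to be the validation applied before the id is emitted into the template, the new boundaries (a one-character id and a 255-character id, one of them starting with a digit) are worth dedicated tests alongside the 200-character cases added in the test file.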
@@ -161,6 +161,25 @@ describe('logical id', () => {
 expect(() => toCloudFormation(stack)).toThrow(/Logical ID must adhere to the regular expression/);
 });
+ test('any alphaneumeric logical id is allowed', () => {
+ // GIVEN
+ const stack = new Stack();
+
+ // WHEN
+ const validLogicalIdAlpha = generateString(200);
+ const validLogicalIdNumber = generateNumberString(200);
+ new CfnResource(stack, validLogicalIdAlpha, { type: 'R' });
+ new CfnResource(stack, validLogicalIdNumber, { type: 'R' } );
+
+ // THEN
+ expect(toCloudFormation(stack)).toEqual({
+ Resources: {
+ [validLogicalIdAlpha]: { Type: 'R' },
+ [validLogicalIdNumber]: { Type: 'R' },
+ },
+ });
+ });
+
 test('too large identifiers are truncated yet still remain unique', () => {
 // GIVEN
 const stack = new Stack();
@@ -253,7 +272,13 @@ describe('logical id', () => {
 }).toThrow(/section 'Resources' already contains 'C'/);
 });
 });
-
+function generateNumberString(chars: number) {
+ let s = '';
+ for (let i = 0; i < chars; ++i) {
+ s += Math.floor(Math.random() * 9);
+ }
+ return s;
+}
 function generateString(chars: number) {
 let s = '';
 for (let i = 0; i < chars; ++i) {
diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
index 2acd23b556a2f..901042138a6ee 100644
--- a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
+++ b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
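Review bot: The new test feeds the validator random 200-character strings, so each run exercises a different input and a failure would not be reproducible from the test alone; fixed fixtures such as `const validLogicalIdAlpha = 'a'.repeat(200);` and `const validLogicalIdNumber = '0123456789'.repeat(20);` cover the same ground deterministically and exercise every digit. The test name has a typo: `test('any alphanumeric logical id is allowed', () => {`. The cases that the regex change actually opened up — a one-character id and an id beginning with a digit — are not covered here, only long ids are; a short digit-leading resource such as `new CfnResource(stack, '1', { type: 'R' });` would pin the relaxed minimum, assuming the construct id survives synthesis unchanged as it does for the 200-character ids. The enclosing `describe` block starts and ends outside this hunk.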
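Review bot: `Math.floor(Math.random() * 9)` in `generateNumberString` yields only the digits 0–8, so the helper never produces a `9` and the "any numeric id" claim is not fully tested; it should be `s += Math.floor(Math.random() * 10);`. The hunk also removes the blank line that separated the end of the `describe` block from the module-level helpers without restoring one before `function generateNumberString`, and unlike the sibling `generateString` the new helper is a near-duplicate that could be folded into one parameterised helper or replaced by a fixed fixture string in the test. An explicit `: string` return type on the helper would match the strictness the rest of the file is presumably compiled under.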
@@ -17,10 +17,6 @@ Flags come in three types: | Flag | Summary | Since | Type | | ----- | ----- | ----- | ----- | -| [@aws-cdk/aws-apigateway:requestValidatorUniqueId](#aws-cdkaws-apigatewayrequestvalidatoruniqueid) | Generate a unique id for each RequestValidator added to a method | V2·NEXT | (fix) | -| [@aws-cdk/aws-ec2:restrictDefaultSecurityGroup](#aws-cdkaws-ec2restrictdefaultsecuritygroup) | Restrict access to the VPC default security group | V2·NEXT | (default) | -| [@aws-cdk/aws-kms:aliasNameRef](#aws-cdkaws-kmsaliasnameref) | KMS Alias name and keyArn will have implicit reference to KMS Key | V2·NEXT | (fix) | -| [@aws-cdk/aws-route53-patters:useCertificate](#aws-cdkaws-route53-pattersusecertificate) | Use the official `Certificate` resource instead of `DnsValidatedCertificate` | V2·NEXT | (default) | | [@aws-cdk/core:newStyleStackSynthesis](#aws-cdkcorenewstylestacksynthesis) | Switch to new stack synthesis method which enables CI/CD | 2.0.0 | (fix) | | [@aws-cdk/core:stackRelativeExports](#aws-cdkcorestackrelativeexports) | Name exports based on the construct paths relative to the stack, rather than the global construct path | 2.0.0 | (fix) | | [@aws-cdk/aws-rds:lowercaseDbIdentifier](#aws-cdkaws-rdslowercasedbidentifier) | Force lowercasing of RDS Cluster names in CDK | 2.0.0 | (fix) | 
@@ -332,82 +328,6 @@ Encryption can also be configured explicitly using the `encrypted` property. **Compatibility with old behavior:** Pass the `encrypted: false` property to the `FileSystem` construct to disable encryption. -### @aws-cdk/aws-apigateway:requestValidatorUniqueId - -*Generate a unique id for each RequestValidator added to a method* (fix) - -This flag allows multiple RequestValidators to be added to a RestApi when -providing the `RequestValidatorOptions` in the `addMethod()` method. - -If the flag is not set then only a single RequestValidator can be added in this way. -Any additional RequestValidators have to be created directly with `new RequestValidator`. - - -| Since | Default | Recommended | -| ----- | ----- | ----- | -| (not in v1) | | | -| V2·NEXT | `false` | `true` | - - -### @aws-cdk/aws-ec2:restrictDefaultSecurityGroup - -*Restrict access to the VPC default security group* (default) - -Enable this feature flag to remove the default ingress/egress rules from the -VPC default security group. - -When a VPC is created, a default security group is created as well and this cannot -be deleted. The default security group is created with ingress/egress rules that allow -_all_ traffic. [AWS Security best practices recommend](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-2) -removing these ingress/egress rules in order to restrict access to the default security group. - - -| Since | Default | Recommended | -| ----- | ----- | ----- | -| (not in v1) | | | -| V2·NEXT | `false` | `true` | - -**Compatibility with old behavior:** - To allow all ingress/egress traffic to the VPC default security group you - can set the `restrictDefaultSecurityGroup: false`. - - - -### @aws-cdk/aws-kms:aliasNameRef - -*KMS Alias name and keyArn will have implicit reference to KMS Key* (fix) - -This flag allows an implicit dependency to be created between KMS Alias and KMS Key -when referencing key.aliasName or key.keyArn. 
- -If the flag is not set then a raw string is passed as the Alias name and no -implicit dependencies will be set. - - -| Since | Default | Recommended | -| ----- | ----- | ----- | -| (not in v1) | | | -| V2·NEXT | `false` | `true` | - - -### @aws-cdk/aws-route53-patters:useCertificate - -*Use the official `Certificate` resource instead of `DnsValidatedCertificate`* (default) - -Enable this feature flag to use the official CloudFormation supported `Certificate` resource instead -of the deprecated `DnsValidatedCertificate` construct. If this flag is enabled and you are creating -the stack in a region other than us-east-1 then you must also set `crossRegionReferences=true` on the -stack. - - -| Since | Default | Recommended | -| ----- | ----- | ----- | -| (not in v1) | | | -| V2·NEXT | `false` | `true` | - -**Compatibility with old behavior:** Define a `DnsValidatedCertificate` explicitly and pass in the `certificate` property - - ### @aws-cdk/core:newStyleStackSynthesis *Switch to new stack synthesis method which enables CI/CD* (fix)
From c29b8878a58ae1872624c79642c09a068c2b68b0 Mon Sep 17 00:00:00 2001
From: Ashwin Rabindran
Date: Wed, 5 Jul 2023 23:54:49 +0000
Subject: [PATCH 3/3] Revert unnessecary change
---
 packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md | 80 ++++++++++++++++++++
 1 file changed, 80 insertions(+)
diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
index 901042138a6ee..2acd23b556a2f 100644
--- a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
+++ b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
@@ -17,6 +17,10 @@ Flags come in three types: | Flag | Summary | Since | Type | | ----- | ----- | ----- | ----- | +| [@aws-cdk/aws-apigateway:requestValidatorUniqueId](#aws-cdkaws-apigatewayrequestvalidatoruniqueid) | Generate a unique id for each RequestValidator added to a method | V2·NEXT | (fix) | +| [@aws-cdk/aws-ec2:restrictDefaultSecurityGroup](#aws-cdkaws-ec2restrictdefaultsecuritygroup) | Restrict access to the VPC default security group | V2·NEXT | (default) | +| [@aws-cdk/aws-kms:aliasNameRef](#aws-cdkaws-kmsaliasnameref) | KMS Alias name and keyArn will have implicit reference to KMS Key | V2·NEXT | (fix) | +| [@aws-cdk/aws-route53-patters:useCertificate](#aws-cdkaws-route53-pattersusecertificate) | Use the official `Certificate` resource instead of `DnsValidatedCertificate` | V2·NEXT | (default) | | [@aws-cdk/core:newStyleStackSynthesis](#aws-cdkcorenewstylestacksynthesis) | Switch to new stack synthesis method which enables CI/CD | 2.0.0 | (fix) | | [@aws-cdk/core:stackRelativeExports](#aws-cdkcorestackrelativeexports) | Name exports based on the construct paths relative to the stack, rather than the global construct path | 2.0.0 | (fix) | | [@aws-cdk/aws-rds:lowercaseDbIdentifier](#aws-cdkaws-rdslowercasedbidentifier) | Force lowercasing of RDS Cluster names in CDK | 2.0.0 | (fix) | 
@@ -328,6 +332,82 @@ Encryption can also be configured explicitly using the `encrypted` property. **Compatibility with old behavior:** Pass the `encrypted: false` property to the `FileSystem` construct to disable encryption. +### @aws-cdk/aws-apigateway:requestValidatorUniqueId + +*Generate a unique id for each RequestValidator added to a method* (fix) + +This flag allows multiple RequestValidators to be added to a RestApi when +providing the `RequestValidatorOptions` in the `addMethod()` method. + +If the flag is not set then only a single RequestValidator can be added in this way. +Any additional RequestValidators have to be created directly with `new RequestValidator`. + + +| Since | Default | Recommended | +| ----- | ----- | ----- | +| (not in v1) | | | +| V2·NEXT | `false` | `true` | + + +### @aws-cdk/aws-ec2:restrictDefaultSecurityGroup + +*Restrict access to the VPC default security group* (default) + +Enable this feature flag to remove the default ingress/egress rules from the +VPC default security group. + +When a VPC is created, a default security group is created as well and this cannot +be deleted. The default security group is created with ingress/egress rules that allow +_all_ traffic. [AWS Security best practices recommend](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-2) +removing these ingress/egress rules in order to restrict access to the default security group. + + +| Since | Default | Recommended | +| ----- | ----- | ----- | +| (not in v1) | | | +| V2·NEXT | `false` | `true` | + +**Compatibility with old behavior:** + To allow all ingress/egress traffic to the VPC default security group you + can set the `restrictDefaultSecurityGroup: false`. + + + +### @aws-cdk/aws-kms:aliasNameRef + +*KMS Alias name and keyArn will have implicit reference to KMS Key* (fix) + +This flag allows an implicit dependency to be created between KMS Alias and KMS Key +when referencing key.aliasName or key.keyArn. 
+ +If the flag is not set then a raw string is passed as the Alias name and no +implicit dependencies will be set. + + +| Since | Default | Recommended | +| ----- | ----- | ----- | +| (not in v1) | | | +| V2·NEXT | `false` | `true` | + + +### @aws-cdk/aws-route53-patters:useCertificate + +*Use the official `Certificate` resource instead of `DnsValidatedCertificate`* (default) + +Enable this feature flag to use the official CloudFormation supported `Certificate` resource instead +of the deprecated `DnsValidatedCertificate` construct. If this flag is enabled and you are creating +the stack in a region other than us-east-1 then you must also set `crossRegionReferences=true` on the +stack. + + +| Since | Default | Recommended | +| ----- | ----- | ----- | +| (not in v1) | | | +| V2·NEXT | `false` | `true` | + +**Compatibility with old behavior:** Define a `DnsValidatedCertificate` explicitly and pass in the `certificate` property + + ### @aws-cdk/core:newStyleStackSynthesis *Switch to new stack synthesis method which enables CI/CD* (fix)