Alvazjor/backup main #34696
Adds a clarification note that these properties are not strictly enforced at runtime, but are still required nonetheless.

### Issue #34645

Fixes #34645.

### Reason for this change

[ECS docs](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size) was recently updated to state that the CPU/Memory property is not enforced on Windows platforms, but are still required nonetheless.

### Description of changes

Add note to the CPU and memory property of Fargate task definitions.

### Describe any new or updated permissions being added

No permissions added or updated.

### Description of how you validated changes

No tests needed as this is a documentation change.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`
…34691)

### Issue #34690

Closes #34690

### Reason for this change

PR #33384 released in version `2.200.1` of `@aws-cdk/region-info` imported `UnscopedValidationError` from `aws-cdk-lib/core/lib/errors`, but did not export `errors.js` properly from `aws-cdk-lib`. This resulted in the following error message when attempting to `import { Fact } from '@aws-cdk/region-info'` (`fact.ts` imports `UnscopedValidationError`).

```
❯ node test.js
node:internal/modules/cjs/loader:1228
  throw err;
  ^

Error: Cannot find module 'aws-cdk-lib/core/lib/errors'
Require stack:
- /Volumes/workplace/test-region-info-app/node_modules/@aws-cdk/region-info/lib/fact.js
- /Volumes/workplace/test-region-info-app/node_modules/@aws-cdk/region-info/lib/index.js
- /Volumes/workplace/test-region-info-app/test.js
    at Module._resolveFilename (node:internal/modules/cjs/loader:1225:15)
    at Module._load (node:internal/modules/cjs/loader:1051:27)
    at Module.require (node:internal/modules/cjs/loader:1311:19)
    at require (node:internal/modules/helpers:179:18)
    at Object.<anonymous> (/Volumes/workplace/test-region-info-app/node_modules/@aws-cdk/region-info/lib/fact.js:8:18)
    at Module._compile (node:internal/modules/cjs/loader:1469:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1548:10)
    at Module.load (node:internal/modules/cjs/loader:1288:32)
    at Module._load (node:internal/modules/cjs/loader:1104:12)
    at Module.require (node:internal/modules/cjs/loader:1311:19) {
  code: 'MODULE_NOT_FOUND',
  requireStack: [
    '/Volumes/workplace/test-region-info-app/node_modules/@aws-cdk/region-info/lib/fact.js',
    '/Volumes/workplace/test-region-info-app/node_modules/@aws-cdk/region-info/lib/index.js',
    '/Volumes/workplace/test-region-info-app/test.js'
  ]
}

Node.js v20.17.0
```

### Description of changes

Exported `errors.js` from `packages/aws-cdk-lib/package.json`, which makes it available to `@aws-cdk/region-info`.

### Describe any new or updated permissions being added

None.

### Description of how you validated changes

Tested by hand after making this code change, using example code from the linked issue.

### Checklist

- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…penSearch domains (#34660)

## Description

This PR fixes the issue where OpenSearch domains were not getting a default TLS security policy, causing inconsistent behavior between the CDK construct and the actual AWS service default.

### Previous behavior:

- CDK construct: No `tlsSecurityPolicy` specified → `TLSSecurityPolicy.TLS_1_0`
- AWS service: Defaults to TLS 1.2 when TLSSecurityPolicy is not specified in CloudFormation

### New behavior:

- CDK construct: No `tlsSecurityPolicy` specified → CDK explicitly sets TLSSecurityPolicy: `Policy-Min-TLS-1-2-2019-07`
- Result: Consistent TLS 1.2 behavior between CDK construct and AWS service

## Changes Made

1. Updated `domain.ts`: Modified the `DomainEndpointOptions` configuration to use `TLSSecurityPolicy.TLS_1_2` as the default when `props.tlsSecurityPolicy` is undefined:

   ```ts
   tlsSecurityPolicy: props.tlsSecurityPolicy ?? TLSSecurityPolicy.TLS_1_2,
   ```

3. Added comprehensive tests: Created a new test suite covering:
   - Default TLS 1.2 behavior when no policy is specified
   - Explicit TLS policy values (1.0, 1.2, 1.2 PFS)
   - Interaction with enforceHttps setting
   - Backward compatibility scenarios
4. Add a new integ test that checks DomainEndpointOptions to include the expected `TLSSecurityPolicy` assertion, ensuring they reflect the new default behavior.

### Approach Rationale

This approach is simpler and more predictable:

- CDK-controlled defaults: We simply change the implicit default from TLS 1.0 to TLS 1.2, ensuring the default value is fully controlled by CDK even when undefined
- Breaking change: This changes the default TLS security policy behavior and should be called out in release notes
- Matches integration test expectations: Aligns with existing integration test assertions that expect `TLSSecurityPolicy: Policy-Min-TLS-1-2-2019-07`
- Follows AWS best practices: TLS 1.2 is the recommended minimum security standard

### Testing

- ✅ All existing OpenSearch domain tests pass (1,616 tests)
- ✅ New comprehensive TLS security policy test suite
- ✅ Integration test integ.opensearch.https.ts continues to pass
- ✅ No linting issues

## Related Issues

Closes #34658

## Breaking Changes

OpenSearch Domain TLS Security Policy Default Changed

- The default TLS security policy for OpenSearch domains has changed from TLS 1.0 to TLS 1.2
- Impact: Domains created without an explicit tlsSecurityPolicy will now use TLS 1.2 instead of TLS 1.0
- Migration: If you require TLS 1.0 for backward compatibility, explicitly set `tlsSecurityPolicy: TLSSecurityPolicy.TLS_1_0`

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
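An added example, not part of the PR or of aws-cdk: a check over a synthesized CloudFormation template that reports OpenSearch domains whose `DomainEndpointOptions` pin an old TLS policy or leave it to an implicit default. The function name, the accepted-policy list and the sample template are assumptions; the PFS policy name comes from the CloudFormation policy list, not from this page.

```typescript
// Added example: audit a synthesized CloudFormation template for OpenSearch TLS policy.
type Finding = { id: string; severity: "fail" | "warn"; reason: string };
type Template = { Resources?: Record<string, { Type: string; Properties?: any }> };

// Accepted policies (assumed list); the TLS 1.2 value is the one quoted in the PR text.
const ACCEPTED = new Set(["Policy-Min-TLS-1-2-2019-07", "Policy-Min-TLS-1-2-PFS-2023-10"]);

function auditOpenSearchTls(template: Template): Finding[] {
  const findings: Finding[] = [];
  for (const [id, res] of Object.entries(template.Resources ?? {})) {
    if (res.Type !== "AWS::OpenSearchService::Domain") continue;
    const opts = res.Properties?.DomainEndpointOptions ?? {};
    const policy = opts.TLSSecurityPolicy;
    if (policy === undefined) {
      // Template synthesized without an explicit policy: the effective minimum is implicit.
      findings.push({ id, severity: "warn", reason: "TLSSecurityPolicy unset: relies on an implicit default" });
    } else if (typeof policy !== "string") {
      // Ref / Fn::If and similar cannot be judged statically.
      findings.push({ id, severity: "warn", reason: "TLSSecurityPolicy is an intrinsic: check the resolved value" });
    } else if (!ACCEPTED.has(policy)) {
      findings.push({ id, severity: "fail", reason: `TLSSecurityPolicy ${policy} is not in the accepted list` });
    }
    if (opts.EnforceHTTPS !== true) {
      findings.push({ id, severity: "warn", reason: "EnforceHTTPS is not true: plain HTTP is still accepted" });
    }
  }
  return findings;
}

// Constructed sample template (not taken from the PR).
const sampleTemplate: Template = {
  Resources: {
    Legacy: { Type: "AWS::OpenSearchService::Domain", Properties: {
      DomainEndpointOptions: { EnforceHTTPS: true, TLSSecurityPolicy: "Policy-Min-TLS-1-0-2019-07" } } },
    Implicit: { Type: "AWS::OpenSearchService::Domain", Properties: {} },
    Pinned: { Type: "AWS::OpenSearchService::Domain", Properties: {
      DomainEndpointOptions: { EnforceHTTPS: true, TLSSecurityPolicy: "Policy-Min-TLS-1-2-2019-07" } } },
    Bucket: { Type: "AWS::S3::Bucket" },
  },
};

for (const f of auditOpenSearchTls(sampleTemplate)) {
  console.log(`${f.severity.toUpperCase()} ${f.id}: ${f.reason}`);
}
```

Run it against the JSON in `cdk.out` before and after upgrading to see which domains change from an implicit to an explicit policy.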
fa2fcf5 into alvazjor/main-backup-untoucheed

aws-cdk-automation left a comment
The pull request linter fails with the following errors:
❌ The title prefix of this pull request must be one of "feat|fix|build|chore|ci|docs|style|refactor|perf|test|revert"
If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.
Comments on closed issues and PRs are hard for our team to see.
Issue # (if applicable)
Closes #.
Reason for this change
Description of changes
Describe any new or updated permissions being added
Description of how you validated changes
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license