-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(aws-lambda): allow placing Lambda in VPC #598
Conversation
Well then.
|
This is because otherwise the new dependency of aws-lambda => aws-ec2 would introduce the following cycle: Cycle: @aws-cdk/aws-ec2 => @aws-cdk/aws-sns => @aws-cdk/aws-lambda => @aws-cdk/aws-ec2
} | ||
|
||
export abstract class FunctionRef extends cdk.Construct | ||
implements events.IEventRuleTarget, logs.ILogSubscriptionDestination, s3n.IBucketNotificationDestination { | ||
implements events.IEventRuleTarget, logs.ILogSubscriptionDestination, s3n.IBucketNotificationDestination, | ||
ec2.IConnectable { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do whatever you want with that comment:
I'm not a huge fan of this indentation right here. I would prefer some column-aligned. No hard feelings.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is what my autoformatter made of it, but I guess I'm in board with you
*/ | ||
public get connections(): ec2.Connections { | ||
if (!this._connections) { | ||
throw new Error('Only VPC-associated Lambda Functions can have their security groups managed.'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Somehow I am bummed out by the fact this seems to expect anything to know up-front whether a function is in-VPC or not... At lease should provide a property to verify this (public get isVpcBound(): boolean
or something?)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wouldn't you know since you were building the model yourself?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The error message should tell the user how to fix the problem? (i.e. how to add the lambda to a VPC)
* | ||
* @default Private subnets | ||
*/ | ||
vpcPlacement?: ec2.VpcPlacementStrategy; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Uh? I thought Lambdas could only be in private subnets?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why would that be? I mean, it might be true, but since it's just an ENI I'm guessing you can place it anywhere.
How would such a restriction even work? If the routing table points to an IGW instead of an NGW, the Lambda will not work?
We also still have isolated subnets that need to be selectable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This blog post seems to imply you need to do something different for public and private subnets, thereby implying it could be in a public subnet: https://aws.amazon.com/premiumsupport/knowledge-center/internet-access-lambda-function/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe unsolicited feedback but I've been browsing the PRs to learn some CDK aspects..
While Lambda can technically be in a public subnet, invocations will fail if the function attempts to reach any publicly routable IP (ie 0.0.0.0 -> VPC internet gateway).
Therefore, our recommendation is to always add functions in a Private Subnet with NAT Gateway should they need to reach any publicly routable IP.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the clarification @heitorlessa. I guess I was wrong.
That still leaves the opportunity to have Private
(NAT routed) and Isolated
(nonrouted) subnets, so we still need a placement argument, but now complicated by the fact that selecting public subnets is an error, and we might not know a priori what the selection is going to match.
For the moment, I'll propose to fix this with docs. Everyone okay with this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed it with a post-selection check.
managedPolicyArns.push(cdk.Arn.fromComponents({ | ||
service: "iam", | ||
region: "", // no region for managed policy | ||
account: "aws", // the account for a managed policy is 'aws' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this also true in other partitions?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Gooooooooood question.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, it is. It's not the partition identifier, it's an abstraction of the account number.
*/ | ||
public get connections(): ec2.Connections { | ||
if (!this._connections) { | ||
throw new Error('Only VPC-associated Lambda Functions can have their security groups managed.'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The error message should tell the user how to fix the problem? (i.e. how to add the lambda to a VPC)
@@ -261,6 +296,9 @@ export abstract class FunctionRef extends cdk.Construct | |||
public export(): FunctionRefProps { | |||
return { | |||
functionArn: new cdk.Output(this, 'FunctionArn', { value: this.functionArn }).makeImportValue(), | |||
securityGroupId: this._connections && this._connections.securityGroup |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the rational of exporting the security group ID of the Lambda? Is it in order to be able to use connections on an imported lambda? Maybe worth explaining in the docs
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's exactly it.
* Only used if 'vpc' is supplied. Note: internet access for Lambdas | ||
* requires a NAT gateway, so picking Public subnets is not allowed. | ||
* | ||
* @default Private subnets |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"all private subnets"
* | ||
* Only used if 'vpc' is supplied. | ||
* | ||
* @default A unique security group is created for this Lambda function. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would be a bit more descriptive here: "If the function is placed within a VPC and a security group is not specified, a dedicated security group will be created for this function"
resource: "policy", | ||
resourceName: "service-role/AWSLambdaBasicExecutionRole", | ||
})], | ||
managedPolicyArns, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe role.addManagedPolicy('service-role/xxx')
would be nicer?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, but you can have your own managed policies that you can attach, and they'll have a different account ('12345' vs 'aws'). Let's use ARNs to be safe.
Ultimately, this should be just "the object", not "the ARN", but I just wanted to make this copy/pasted code slighly better, not introduce a new modeling of ManagedPolicies as part of this CR.
* Returns the VpcConfig that should be added to the | ||
* Lambda creation properties. | ||
*/ | ||
private addToVpc(props: FunctionProps): cloudformation.FunctionResource.VpcConfigProperty | undefined { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
rename to renderVpcConfig
or something like that
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's private, and it does more than just render.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So maybe configureVpc
const subnets = props.vpc.subnets(props.vpcPlacement); | ||
for (const subnet of subnets) { | ||
if (props.vpc.publicSubnets.indexOf(subnet) > -1) { | ||
throw new Error('Not possible to place Lambda Functions in a Public subnet'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
mention what are the legal options (private/internal) and also why is this not possible
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can't mention Internal because in this PR support for selecting internal subnets hasn't landed yet.
Also I'm told that my understanding of this is incomplete (by someone from the Lambda team), AND they're changing it early next year, AND we never explicate the reason on any other of our public documentation pages, we just say "no public for you". I don't want us to be the single source of truth for a factoid that's going to become wrong in a short while.
@eladb ping? |
The headliners of this release are __.NET support__, and a wealth of commits by external contributors who are stepping up to fix the CDK for their use cases! Thanks all for the effort put into this release! * Add strongly-named .NET targets, and a `cdk init` template for C# projects ([@mpiroc] in [#617](#617), [#643](#643)). * __@aws-cdk/aws-autoscaling__: Allow attaching additional security groups to Launch Configuration ([@moofish32] in [#636](#636)). * __@aws-cdk/aws-autoscaling__: Support update and creation policies on AutoScalingGroups ([@rix0rrr] in [#595](#595)). * __@aws-cdk/aws-codebuild__: Add support for running script from an asset ([@rix0rrr] in [#677](#677)). * __@aws-cdk/aws-codebuild__: New method `addBuildToPipeline` on Project ([@skinny85] in [783dcb3](783dcb3)). * __@aws-cdk/aws-codecommit__: New method `addToPipeline` on Repository ([@skinny85] in [#616](#616)). * __@aws-cdk/aws-codedeploy__: Add initial support for CodeDeploy ([@skinny85] in [#593](#593), [#641](#641)). * __@aws-cdk/aws-dynamodb__: Add support for DynamoDB autoscaling ([@SeekerWing] in [#637](#637)). * __@aws-cdk/aws-dynamodb__: Add support for DynamoDB streams ([@rhboyd] in [#633](#633)). * __@aws-cdk/aws-dynamodb__: Add support for server-side encryption ([@jungseoklee] in [#684](#864)). * __@aws-cdk/aws-ec2__ (_**BREAKING**_): SecurityGroup can now be used as a Connectable [#582](#582)). * __@aws-cdk/aws-ec2__: Add VPC tagging ([@moofish] in [#538](#538)). * __@aws-cdk/aws-ec2__: Add support for `InstanceSize.Nano` ([@rix0rrr] in [#581](#581)) * __@aws-cdk/aws-lambda__: Add support for dead letter queues ([@SeekerWing] in [#663](#663)). * __@aws-cdk/aws-lambda__: Add support for placing a Lambda in a VPC ([@rix0rrr] in [#598](#598)). * __@aws-cdk/aws-logs__: Add `extractMetric()` helper function ([@rix0rrr] in [#676](#676)). * __@aws-cdk/aws-rds__: Add support for Aurora PostreSQL/MySQL engines ([@cookejames] in [#586](#586)) * __@aws-cdk/aws-s3__: Additional grant methods for Buckets ([@eladb] in [#591](#591)) * __@aws-cdk/aws-s3__: New method `addToPipeline` on Bucket ([@skinny85] in [c8b7a49](c8b7a49)). * __aws-cdk__: Add support for HTTP proxies ([@rix0rrr] in [#666](#666)). * __aws-cdk__: Toolkit now shows failure reason if stack update fails ([@rix0rrr] in [#609](#609)). * __cdk-build-tools__: Add support for running experiment JSII versions ([@RomainMuller] in [#649](#649)). * _**BREAKING**_: Generate classes and types for the CloudFormation resource `.ref` attributes ([@rix0rrr] in [#627](#627)). * _**BREAKING**_: Make types accepted in Policy-related classes narrower (from `any` to `Arn`, for example) to reduce typing mistakes ([@rix0rrr] in [#629](#629)). * __@aws-cdk/aws-codepipeline__ (_**BREAKING**_): Align the CodePipeline APIs ([@skinny85] in [#492](#492), [#568](#568)) * __@aws-cdk/aws-ec2__ (_**BREAKING**_): Move Fleet/AutoScalingGroup to its own package ([@rix0rrr] in [#608](#608)). * __aws-cdk__: Simplify plugin protocol ([@RomainMuller] in [#646](#646)). * __@aws-cdk/aws-cloudfront__: Fix CloudFront behavior for ViewerProtocolPolicy ([@mindstorms6] in [#615](#615)). * __@aws-cdk/aws-ec2__: VPC Placement now supports picking Isolated subnets ([@rix0rrr] in [#610](#610)). * __@aws-cdk/aws-logs__: Add `export()/import()` capabilities ([@rix0rrr] in [#630](#630)). * __@aws-cdk/aws-rds__: Fix a bug where a cluster with 1 instance could not be created ([@cookejames] in [#578](#578)) * __@aws-cdk/aws-s3__: Bucket notifications can now add dependencies, fixing creation order ([@eladb] in [#584](#584)). * __@aws-cdk/aws-s3__: Remove useless bucket name validation ([@rix0rrr] in [#628](#628)). * __@aws-cdk/aws-sqs__: Make `QueueRef.encryptionMasterKey` readonly ([@RomainMuller] in [#650](#650)). * __assets__: S3 read permissions are granted on a prefix to fix lost permissions during asset update ([@rix0rrr] in [#510](#510)). * __aws-cdk__: Remove bootstrapping error if multiple stacks are in the same environment ([@RomainMuller] in [#625](#625)). * __aws-cdk__: Report and continue if git throws errors during `cdk init` ([@rix0rrr] in [#587](#587)). * __@aws-cdk/cfnspec__: Updated [CloudFormation resource specification] to `v2.6.0` ([@RomainMuller] in [#594](#594)) + **New AWS Construct Library** - `@aws-cdk/aws-sagemaker` supports AWS::SageMaker resources + **New Resource Types** - AWS::AmazonMQ::Broker - AWS::AmazonMQ::Configuration - AWS::CodePipeline::Webhook - AWS::Config::AggregationAuthorization - AWS::Config::ConfigurationAggregator - AWS::EC2::VPCEndpointConnectionNotification - AWS::EC2::VPCEndpointServicePermissions - AWS::IAM::ServiceLinkedRole - AWS::SSM::ResourceDataSync - AWS::SageMaker::Endpoint - AWS::SageMaker::EndpointConfig - AWS::SageMaker::Model - AWS::SageMaker::NotebookInstance - AWS::SageMaker::NotebookInstanceLifecycleConfig + **Attribute Changes** - AWS::CodePipeline::Pipeline Version (__added__) + **Property Changes** - AWS::AppSync::DataSource HttpConfig (__added__) - AWS::DAX::Cluster SSESpecification (__added__) - AWS::DynamoDB::Table Stream (__added__) - AWS::DynamoDB::Table AutoScalingSupport (__added__) - AWS::EC2::VPCEndpoint IsPrivateDnsEnabled (__added__) - AWS::EC2::VPCEndpoint SecurityGroupIds (__added__) - AWS::EC2::VPCEndpoint SubnetIds (__added__) - AWS::EC2::VPCEndpoint VPCEndpointType (__added__) - AWS::EC2::VPCEndpoint RouteTableIds.DuplicatesAllowed (__deleted__) - AWS::EC2::VPCPeeringConnection PeerRegion (__added__) - AWS::EFS::FileSystem ProvisionedThroughputInMibps (__added__) - AWS::EFS::FileSystem ThroughputMode (__added__) - AWS::EMR::Cluster KerberosAttributes (__added__) - AWS::Glue::Classifier JsonClassifier (__added__) - AWS::Glue::Classifier XMLClassifier (__added__) - AWS::Glue::Crawler Configuration (__added__) - AWS::Lambda::Lambda DLQConfigurationSupport (__added__) - AWS::Neptune::DBInstance DBSubnetGroupName.UpdateType (__changed__) - Old: Mutable - New: Immutable - AWS::SNS::Subscription DeliveryPolicy (__added__) - AWS::SNS::Subscription FilterPolicy (__added__) - AWS::SNS::Subscription RawMessageDelivery (__added__) - AWS::SNS::Subscription Region (__added__) - AWS::SQS::Queue Tags (__added__) - AWS::ServiceDiscovery::Service HealthCheckCustomConfig (__added__) + **Property Type Changes** - AWS::AppSync::DataSource.HttpConfig (__added__) - AWS::DAX::Cluster.SSESpecification (__added__) - AWS::EMR::Cluster.KerberosAttributes (__added__) - AWS::Glue::Classifier.JsonClassifier (__added__) - AWS::Glue::Classifier.XMLClassifier (__added__) - AWS::ServiceDiscovery::Service.HealthCheckCustomConfig (__added__) - AWS::CloudFront::Distribution.CacheBehavior FieldLevelEncryptionId (__added__) - AWS::CloudFront::Distribution.DefaultCacheBehavior FieldLevelEncryptionId (__added__) - AWS::CodeBuild::Project.Artifacts EncryptionDisabled (__added__) - AWS::CodeBuild::Project.Artifacts OverrideArtifactName (__added__) - AWS::CodeBuild::Project.Environment Certificate (__added__) - AWS::CodeBuild::Project.Source ReportBuildStatus (__added__) - AWS::ServiceDiscovery::Service.DnsConfig RoutingPolicy (__added__) - AWS::WAF::WebACL.ActivatedRule Action.Required (__changed__) - Old: true - New: false * __@aws-cdk/cfnspec__: Updated Serverless Application Model (SAM) Resource Specification ([@RomainMuller] in [#594](#594)) + **Property Changes** - AWS::Serverless::Api MethodSettings (__added__) + **Property Type Changes** - AWS::Serverless::Function.SQSEvent (__added__) - AWS::Serverless::Function.EventSource Properties.Types (__changed__) - Added SQSEvent
The headliners of this release are __.NET support__, and a wealth of commits by external contributors who are stepping up to fix the CDK for their use cases! Thanks all for the effort put into this release! * Add strongly-named .NET targets, and a `cdk init` template for C# projects ([@mpiroc] in [#617](#617), [#643](#643)). * __@aws-cdk/aws-autoscaling__: Allow attaching additional security groups to Launch Configuration ([@moofish32] in [#636](#636)). * __@aws-cdk/aws-autoscaling__: Support update and creation policies on AutoScalingGroups ([@rix0rrr] in [#595](#595)). * __@aws-cdk/aws-codebuild__: Add support for running script from an asset ([@rix0rrr] in [#677](#677)). * __@aws-cdk/aws-codebuild__: New method `addBuildToPipeline` on Project ([@skinny85] in [783dcb3](783dcb3)). * __@aws-cdk/aws-codecommit__: New method `addToPipeline` on Repository ([@skinny85] in [#616](#616)). * __@aws-cdk/aws-codedeploy__: Add initial support for CodeDeploy ([@skinny85] in [#593](#593), [#641](#641)). * __@aws-cdk/aws-dynamodb__: Add support for DynamoDB autoscaling ([@SeekerWing] in [#637](#637)). * __@aws-cdk/aws-dynamodb__: Add support for DynamoDB streams ([@rhboyd] in [#633](#633)). * __@aws-cdk/aws-dynamodb__: Add support for server-side encryption ([@jungseoklee] in [#684](#864)). * __@aws-cdk/aws-ec2__ (_**BREAKING**_): SecurityGroup can now be used as a Connectable [#582](#582)). * __@aws-cdk/aws-ec2__: Add VPC tagging ([@moofish] in [#538](#538)). * __@aws-cdk/aws-ec2__: Add support for `InstanceSize.Nano` ([@rix0rrr] in [#581](#581)) * __@aws-cdk/aws-lambda__: Add support for dead letter queues ([@SeekerWing] in [#663](#663)). * __@aws-cdk/aws-lambda__: Add support for placing a Lambda in a VPC ([@rix0rrr] in [#598](#598)). * __@aws-cdk/aws-logs__: Add `extractMetric()` helper function ([@rix0rrr] in [#676](#676)). * __@aws-cdk/aws-rds__: Add support for Aurora PostreSQL/MySQL engines ([@cookejames] in [#586](#586)) * __@aws-cdk/aws-s3__: Additional grant methods for Buckets ([@eladb] in [#591](#591)) * __@aws-cdk/aws-s3__: New method `addToPipeline` on Bucket ([@skinny85] in [c8b7a49](c8b7a49)). * __aws-cdk__: Add support for HTTP proxies ([@rix0rrr] in [#666](#666)). * __aws-cdk__: Toolkit now shows failure reason if stack update fails ([@rix0rrr] in [#609](#609)). * __cdk-build-tools__: Add support for running experiment JSII versions ([@RomainMuller] in [#649](#649)). * _**BREAKING**_: Generate classes and types for the CloudFormation resource `.ref` attributes ([@rix0rrr] in [#627](#627)). * _**BREAKING**_: Make types accepted in Policy-related classes narrower (from `any` to `Arn`, for example) to reduce typing mistakes ([@rix0rrr] in [#629](#629)). * __@aws-cdk/aws-codepipeline__ (_**BREAKING**_): Align the CodePipeline APIs ([@skinny85] in [#492](#492), [#568](#568)) * __@aws-cdk/aws-ec2__ (_**BREAKING**_): Move Fleet/AutoScalingGroup to its own package ([@rix0rrr] in [#608](#608)). * __aws-cdk__: Simplify plugin protocol ([@RomainMuller] in [#646](#646)). * __@aws-cdk/aws-cloudfront__: Fix CloudFront behavior for ViewerProtocolPolicy ([@mindstorms6] in [#615](#615)). * __@aws-cdk/aws-ec2__: VPC Placement now supports picking Isolated subnets ([@rix0rrr] in [#610](#610)). * __@aws-cdk/aws-logs__: Add `export()/import()` capabilities ([@rix0rrr] in [#630](#630)). * __@aws-cdk/aws-rds__: Fix a bug where a cluster with 1 instance could not be created ([@cookejames] in [#578](#578)) * __@aws-cdk/aws-s3__: Bucket notifications can now add dependencies, fixing creation order ([@eladb] in [#584](#584)). * __@aws-cdk/aws-s3__: Remove useless bucket name validation ([@rix0rrr] in [#628](#628)). * __@aws-cdk/aws-sqs__: Make `QueueRef.encryptionMasterKey` readonly ([@RomainMuller] in [#650](#650)). * __assets__: S3 read permissions are granted on a prefix to fix lost permissions during asset update ([@rix0rrr] in [#510](#510)). * __aws-cdk__: Remove bootstrapping error if multiple stacks are in the same environment ([@RomainMuller] in [#625](#625)). * __aws-cdk__: Report and continue if git throws errors during `cdk init` ([@rix0rrr] in [#587](#587)). * __@aws-cdk/cfnspec__: Updated [CloudFormation resource specification] to `v2.6.0` ([@RomainMuller] in [#594](#594)) + **New AWS Construct Library** - `@aws-cdk/aws-sagemaker` supports AWS::SageMaker resources + **New Resource Types** - AWS::AmazonMQ::Broker - AWS::AmazonMQ::Configuration - AWS::CodePipeline::Webhook - AWS::Config::AggregationAuthorization - AWS::Config::ConfigurationAggregator - AWS::EC2::VPCEndpointConnectionNotification - AWS::EC2::VPCEndpointServicePermissions - AWS::IAM::ServiceLinkedRole - AWS::SSM::ResourceDataSync - AWS::SageMaker::Endpoint - AWS::SageMaker::EndpointConfig - AWS::SageMaker::Model - AWS::SageMaker::NotebookInstance - AWS::SageMaker::NotebookInstanceLifecycleConfig + **Attribute Changes** - AWS::CodePipeline::Pipeline Version (__added__) + **Property Changes** - AWS::AppSync::DataSource HttpConfig (__added__) - AWS::DAX::Cluster SSESpecification (__added__) - AWS::DynamoDB::Table Stream (__added__) - AWS::DynamoDB::Table AutoScalingSupport (__added__) - AWS::EC2::VPCEndpoint IsPrivateDnsEnabled (__added__) - AWS::EC2::VPCEndpoint SecurityGroupIds (__added__) - AWS::EC2::VPCEndpoint SubnetIds (__added__) - AWS::EC2::VPCEndpoint VPCEndpointType (__added__) - AWS::EC2::VPCEndpoint RouteTableIds.DuplicatesAllowed (__deleted__) - AWS::EC2::VPCPeeringConnection PeerRegion (__added__) - AWS::EFS::FileSystem ProvisionedThroughputInMibps (__added__) - AWS::EFS::FileSystem ThroughputMode (__added__) - AWS::EMR::Cluster KerberosAttributes (__added__) - AWS::Glue::Classifier JsonClassifier (__added__) - AWS::Glue::Classifier XMLClassifier (__added__) - AWS::Glue::Crawler Configuration (__added__) - AWS::Lambda::Lambda DLQConfigurationSupport (__added__) - AWS::Neptune::DBInstance DBSubnetGroupName.UpdateType (__changed__) - Old: Mutable - New: Immutable - AWS::SNS::Subscription DeliveryPolicy (__added__) - AWS::SNS::Subscription FilterPolicy (__added__) - AWS::SNS::Subscription RawMessageDelivery (__added__) - AWS::SNS::Subscription Region (__added__) - AWS::SQS::Queue Tags (__added__) - AWS::ServiceDiscovery::Service HealthCheckCustomConfig (__added__) + **Property Type Changes** - AWS::AppSync::DataSource.HttpConfig (__added__) - AWS::DAX::Cluster.SSESpecification (__added__) - AWS::EMR::Cluster.KerberosAttributes (__added__) - AWS::Glue::Classifier.JsonClassifier (__added__) - AWS::Glue::Classifier.XMLClassifier (__added__) - AWS::ServiceDiscovery::Service.HealthCheckCustomConfig (__added__) - AWS::CloudFront::Distribution.CacheBehavior FieldLevelEncryptionId (__added__) - AWS::CloudFront::Distribution.DefaultCacheBehavior FieldLevelEncryptionId (__added__) - AWS::CodeBuild::Project.Artifacts EncryptionDisabled (__added__) - AWS::CodeBuild::Project.Artifacts OverrideArtifactName (__added__) - AWS::CodeBuild::Project.Environment Certificate (__added__) - AWS::CodeBuild::Project.Source ReportBuildStatus (__added__) - AWS::ServiceDiscovery::Service.DnsConfig RoutingPolicy (__added__) - AWS::WAF::WebACL.ActivatedRule Action.Required (__changed__) - Old: true - New: false * __@aws-cdk/cfnspec__: Updated Serverless Application Model (SAM) Resource Specification ([@RomainMuller] in [#594](#594)) + **Property Changes** - AWS::Serverless::Api MethodSettings (__added__) + **Property Type Changes** - AWS::Serverless::Function.SQSEvent (__added__) - AWS::Serverless::Function.EventSource Properties.Types (__changed__) - Added SQSEvent
Fixes #580.
Checkpointing my work.
TODO
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.