Merge pull request #1046 from awslabs/bump/2.48.0

chore(release): 2.48.0

CHANGELOG.md

@@ -2,6 +2,19 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.48.0](https://github.com/awslabs/aws-solutions-constructs/compare/v2.47.0...v2.48.0) (2024-01-09)
+
+Built on CDK v2.111.0
+
+### ⚠ BREAKING CHANGES
+
+* **aws-cloudfront-apigateway-lambda:** require explicit authentication type ([#1044](https://github.com/awslabs/aws-solutions-constructs/issues/1044)) ([720dec5](https://github.com/awslabs/aws-solutions-constructs/commit/720dec500a728a3c57832b7e479ee8eca1f08056))
+
+### Features
+
+* **aws-cloudfront-s3:** update construct to use origin access controls; add support for CMK-encrypted buckets ([#1038](https://github.com/awslabs/aws-solutions-constructs/issues/1038)) ([012f9e7](https://github.com/awslabs/aws-solutions-constructs/commit/012f9e7b6ebd3a717ff120941131a84e803b2922)), closes [#1037](https://github.com/awslabs/aws-solutions-constructs/issues/1037)
+* **cloudfront constructs:** add s3 access logging to cloudfront access log buckets by default ([#1042](https://github.com/awslabs/aws-solutions-constructs/issues/1042)) ([51ec028](https://github.com/awslabs/aws-solutions-constructs/commit/51ec028ebd4763965671483e74924e3b8e328337))
+
 ## [2.47.0](https://github.com/awslabs/aws-solutions-constructs/compare/v2.46.0...v2.47.0) (2023-12-01)
 
 Built on CDK v2.111.0

deployment/v2/refresh-multiple-tests.sh

@@ -0,0 +1,140 @@
+# How to use this script
+#
+# This script will refresh integration tests for multiple
+# Solutions Constructs sequentially and unattended. If you're 
+# doing a release and have to update many integration tests, this is
+# for you.
+
+# Open a docker build environment
+# List all the constructs whose integration tests you want to refresh in the
+#   export constructs list (you can delete the examples that are there)
+# Run this script from the top level aws-solutions-constructs folder.
+#
+# Options to accelerate
+# * adding --no-clean to the cdk-integ command will allow it to 
+#   finish without destroying the stack. You can then destroy the stack manually
+#   from the console or command line so the stack destruction does not slow the process
+# * adding & to the end of the cdk-integ command will execute it asynchronously. This 
+#   allows you to refresh MANY constructs' tests simultaneously. Probably good to add
+#   a sleep 10 command before the end of the loop to keep from overwhelming CloudFormation
+
+export constructs="
+aws-alb-fargate
+aws-alb-lambda
+aws-apigateway-dynamodb
+aws-apigateway-iot
+aws-apigateway-kinesisstreams
+aws-apigateway-lambda
+aws-apigateway-sagemakerendpoint
+aws-apigateway-sqs
+aws-cloudfront-apigateway
+aws-cloudfront-apigateway-lambda
+aws-cloudfront-mediastore
+aws-cloudfront-s3
+aws-cognito-apigateway-lambda
+aws-dynamodbstreams-lambda
+aws-dynamodbstreams-lambda-elasticsearch-kibana
+aws-eventbridge-kinesisfirehose-s3
+aws-eventbridge-kinesisstreams
+aws-eventbridge-lambda
+aws-eventbridge-sns
+aws-eventbridge-sqs
+aws-eventbridge-stepfunctions
+aws-fargate-dynamodb
+aws-fargate-eventbridge
+aws-fargate-kinesisfirehose
+aws-fargate-kinesisstreams
+aws-fargate-opensearch
+aws-fargate-s3
+aws-fargate-secretsmanager
+aws-fargate-sns
+aws-fargate-sqs
+aws-fargate-ssmstringparameter
+aws-fargate-stepfunctions
+aws-iot-kinesisfirehose-s3
+aws-iot-kinesisstreams
+aws-iot-lambda
+aws-iot-lambda-dynamodb
+aws-iot-s3
+aws-iot-sqs
+aws-kinesisfirehose-s3
+aws-kinesisstreams-gluejob
+aws-kinesisstreams-kinesisfirehose-s3
+aws-kinesisstreams-lambda
+aws-lambda-dynamodb
+aws-lambda-elasticachememcached
+aws-lambda-elasticsearch-kibana
+aws-lambda-eventbridge
+aws-lambda-kendra
+aws-lambda-kinesisfirehose
+aws-lambda-kinesisstreams
+aws-lambda-opensearch
+aws-lambda-s3
+aws-lambda-sagemakerendpoint
+aws-lambda-secretsmanager
+aws-lambda-sns
+aws-lambda-sqs
+aws-lambda-sqs-lambda
+aws-lambda-ssmstringparameter
+aws-lambda-stepfunctions
+aws-openapigateway-lambda
+aws-route53-alb
+aws-route53-apigateway
+aws-s3-lambda
+aws-s3-sns
+aws-s3-sqs
+aws-s3-stepfunctions
+aws-sns-lambda
+aws-sns-sqs
+aws-sqs-lambda
+aws-wafwebacl-alb
+aws-wafwebacl-apigateway
+aws-wafwebacl-appsync
+aws-wafwebacl-cloudfront
+"
+
+deployment_dir=$(cd $(dirname $0) && pwd)
+constructs_root_dir="$deployment_dir/../.."
+source_dir="$deployment_dir/../../source"
+
+echo "============================================================================================="
+echo "aligning versions and updating package.json for CDK v2..."
+/bin/bash $constructs_root_dir/deployment/v2/align-version.sh
+
+bail="--bail"
+runtarget="jsii"
+cd $source_dir/
+
+export PATH=$source_dir/node_modules/.bin:$PATH
+export NODE_OPTIONS="--max-old-space-size=4096 ${NODE_OPTIONS:-}"
+
+echo "============================================================================================="
+echo "installing..."
+yarn install --frozen-lockfile
+
+# echo "============================================================================================="
+# echo "updating Import statements for CDK v2..."
+# /bin/bash $constructs_root_dir/rewrite-imports.sh
+
+echo "============================================================================================="
+echo "building cdk-integ-tools..."
+cd $source_dir/tools/cdk-integ-tools
+npm install
+npm run build
+npm link
+
+cd $source_dir
+echo "============================================================================================="
+echo "building..."
+time lerna run $bail --stream $runtarget || fail
+
+for construct in $constructs; do
+
+  cd $constructs_root_dir/source/patterns/@aws-solutions-constructs/$construct
+  echo Running in $PWD
+  cdk-integ --no-clean &
+  sleep 10
+  cd $constructs_root_dir/source/patterns/@aws-solutions-constructs
+done
+cd $constructs_root_dir
+./deployment/v2/align-version.sh revert

source/lerna.json

@@ -6,5 +6,5 @@
     "./patterns/@aws-solutions-constructs/*"
   ],
   "rejectCycles": "true",
-  "version": "2.47.0"
+  "version": "2.48.0"
 }

source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway-lambda/README.md

@@ -35,7 +35,12 @@ new CloudFrontToApiGatewayToLambda(this, 'test-cloudfront-apigateway-lambda', {
     code: lambda.Code.fromAsset(`lambda`),
     runtime: lambda.Runtime.NODEJS_16_X,
     handler: 'index.handler'
-  }
+  },
+  apiGatewayProps: {
+    defaultMethodOptions: {
+      authorizationType: api.AuthorizationType.NONE
+    }
+  },
 });
 ```
 
@@ -44,17 +49,28 @@ Python
 from aws_solutions_constructs.aws_cloudfront_apigateway_lambda import CloudFrontToApiGatewayToLambda
 from aws_cdk import (
   aws_lambda as _lambda,
+  aws_apigateway as apigw,
   Stack
 )
 from constructs import Construct
 
-CloudFrontToApiGatewayToLambda(self, 'test-cloudfront-apigateway-lambda',
-                            lambda_function_props=_lambda.FunctionProps(
-                                code=_lambda.Code.from_asset('lambda'),
-                                runtime=_lambda.Runtime.PYTHON_3_9,
-                                handler='index.handler'
-                            )
-                            )
+        CloudFrontToApiGatewayToLambda(
+            self, 'CloudFrontApiGatewayToLambda',
+            lambda_function_props=_lambda.FunctionProps(
+                runtime=_lambda.Runtime.PYTHON_3_7,
+                code=_lambda.Code.from_asset('lambda'),
+                handler='hello.handler',
+            ),
+            # NOTE - we use RestApiProps here because the actual type, LambdaRestApiProps requires
+            # the handler function which does not yet exist. As RestApiProps is a subset of of LambdaRestApiProps
+            # (although does not *extend* that interface) this works fine when the props object reaches the 
+            # underlying TypeScript code that implements Constructs
+            api_gateway_props=apigw.RestApiProps(
+                default_method_options=apigw.MethodOptions(
+                    authorization_type=apigw.AuthorizationType.NONE
+                )
+            )
+        )
 ```
 
 Java
@@ -66,25 +82,33 @@ import software.amazon.awscdk.StackProps;
 import software.amazon.awscdk.services.lambda.*;
 import software.amazon.awscdk.services.lambda.Runtime;
 import software.amazon.awsconstructs.services.cloudfrontapigatewaylambda.*;
-
-new CloudFrontToApiGatewayToLambda(this, "test-cloudfront-apigateway-lambda",
-        new CloudFrontToApiGatewayToLambdaProps.Builder()
-                .lambdaFunctionProps(new FunctionProps.Builder()
-                        .runtime(Runtime.NODEJS_16_X)
-                        .code(Code.fromAsset("lambda"))
-                        .handler("index.handler")
+import software.amazon.awsconstructs.services.cloudfrontapigatewaylambda.CloudFrontToApiGatewayToLambdaProps;
+
+new CloudFrontToApiGatewayToLambda(this, "ApiGatewayToLambdaPattern", new CloudFrontToApiGatewayToLambdaProps.Builder()
+        .lambdaFunctionProps(new FunctionProps.Builder()
+                .runtime(Runtime.NODEJS_16_X) // execution environment
+                .code(Code.fromAsset("lambda")) // code loaded from the `lambda` directory (under root, next to `src`)
+                .handler("hello.handler") // file is `hello`, function is `handler`
+                .build())
+        // NOTE - we use RestApiProps here because the actual type, LambdaRestApiProps requires
+        // the handler function which does not yet exist. As RestApiProps is a subset of of LambdaRestApiProps
+        // (although does not *extend* that interface) this works fine when the props object reaches the 
+        // underlying TypeScript code that implements Constructs
+        .apiGatewayProps(new RestApiProps.Builder()
+                .defaultMethodOptions(new MethodOptions.Builder()
+                        .authorizationType(AuthorizationType.NONE)
                         .build())
-                .build());
+                .build())
+        .build());
 ```
 
-
 ## Pattern Construct Props
 
 | **Name**     | **Type**        | **Description** |
 |:-------------|:----------------|-----------------|
 |existingLambdaObj?|[`lambda.Function`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)|Existing instance of Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.|
 |lambdaFunctionProps?|[`lambda.FunctionProps`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)|Optional user provided props to override the default props for the Lambda function.|
-|apiGatewayProps?|[`api.LambdaRestApiProps`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.LambdaRestApiProps.html)|Optional user provided props to override the default props for API Gateway|
+|apiGatewayProps?|[`api.LambdaRestApiProps`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.LambdaRestApiProps.html)|User provided props to override the default props for the API Gateway. As of release 2.48.0, clients must include this property with `defaultMethodOptions: { authorizationType: string }` specified. See Issue1043 in the github repo https://github.com/awslabs/aws-solutions-constructs/issues/1043 |
 |cloudFrontDistributionProps?|[`cloudfront.DistributionProps`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.DistributionProps.html)|Optional user provided props to override the default props for CloudFront Distribution|
 |insertHttpSecurityHeaders?|`boolean`|Optional user provided props to turn on/off the automatic injection of best practice HTTP security headers in all responses from CloudFront|
 | responseHeadersPolicyProps?   | [`cloudfront.ResponseHeadersPolicyProps`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.ResponseHeadersPolicyProps.html) | Optional user provided configuration that cloudfront applies to all http responses.                                                         |

source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway-lambda/lib/index.ts

@@ -39,11 +39,14 @@ export interface CloudFrontToApiGatewayToLambdaProps {
    */
   readonly lambdaFunctionProps?: lambda.FunctionProps
   /**
-   * Optional user provided props to override the default props for the API Gateway.
+   * User provided props to override the default props for the API Gateway. As of release
+   * 2.48.0, clients must include this property with defaultMethodOptions: { authorizationType: string } specified.
+   * See Issue1043 in the github repo https://github.com/awslabs/aws-solutions-constructs/issues/1043
    *
-   * @default - Default props are used
+   * @default - defaultMethodOptions/authorizationType is required, for other, unspecified values the
+   * default props are used
    */
-  readonly apiGatewayProps?: api.LambdaRestApiProps | any
+  readonly apiGatewayProps: api.LambdaRestApiProps | any
   /**
    * Optional user provided props to override the default props
    *
@@ -106,33 +109,35 @@ export class CloudFrontToApiGatewayToLambda extends Construct {
     super(scope, id);
     defaults.CheckLambdaProps(props);
     // CheckCloudFrontProps() is called by internal aws-cloudfront-apigateway construct
+    if (!props.apiGatewayProps?.defaultMethodOptions?.authorizationType) {
+      defaults.printWarning('As of v2.48.0, apiGatewayProps.defaultMethodOptions.authorizationType is\
+      required. To update your instantiation call, add the following to your CloudFrontToApiGatewayToLambdaProps argument\
+      \n\napiGatewayProps: { defaultMethodOptions: { authorizationType: api.AuthorizationType.NONE }},\n\nSee Issue1043 for an explanation.');
+      throw new Error('As of v2.48.0, an explicit authorization type is required for CloudFront/API Gateway patterns');
+    } else if (props.apiGatewayProps.defaultMethodOptions.authorizationType === "AWS_IAM") {
+      throw new Error('Amazon API Gateway Rest APIs integrated with Amazon CloudFront do not support AWS_IAM authorization');
+    }
+
+    // All our tests are based upon this behavior being on, so we're setting
+    // context here rather than assuming the client will set it
+    this.node.setContext("@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy", true);
 
     this.lambdaFunction = defaults.buildLambdaFunction(this, {
       existingLambdaObj: props.existingLambdaObj,
       lambdaFunctionProps: props.lambdaFunctionProps
     });
 
-    const regionalLambdaRestApiResponse = defaults.RegionalLambdaRestApi(this, this.lambdaFunction, props.apiGatewayProps, props.logGroupProps);
+    // We can't default to IAM authentication with a CloudFront distribution, so
+    // we'll instruct core to not use any default auth to avoid override warnings
+    const regionalLambdaRestApiResponse = defaults.RegionalLambdaRestApi(this,
+      this.lambdaFunction,
+      props.apiGatewayProps,
+      props.logGroupProps,
+      false);
     this.apiGateway = regionalLambdaRestApiResponse.api;
     this.apiGatewayCloudWatchRole = regionalLambdaRestApiResponse.role;
     this.apiGatewayLogGroup = regionalLambdaRestApiResponse.group;
 
-    this.apiGateway.methods.forEach((apiMethod) => {
-      // Override the API Gateway Authorization Type from AWS_IAM to NONE
-      const child = apiMethod.node.findChild('Resource') as api.CfnMethod;
-      if (child.authorizationType === 'AWS_IAM') {
-        child.addPropertyOverride('AuthorizationType', 'NONE');
-
-        defaults.addCfnSuppressRules(apiMethod, [
-          {
-            id: 'W59',
-            reason: `AWS::ApiGateway::Method AuthorizationType is set to 'NONE' because API Gateway behind CloudFront does not support AWS_IAM authentication`
-          },
-        ]);
-
-      }
-    });
-
     const apiCloudfront: CloudFrontToApiGateway = new CloudFrontToApiGateway(this, 'CloudFrontToApiGateway', {
       existingApiGatewayObj: this.apiGateway,
       cloudFrontDistributionProps: props.cloudFrontDistributionProps,