Merge #26

---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Co-authored-by: Noah Litov <noahlitov@gmail.com>

Automatically retry on Lambda service exceptions for `LambdaInvoke`. Follows the best practice from https://docs.aws.amazon.com/step-functions/latest/dg/bp-lambda-serviceexception.html ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Patches partially inspired by: - https://github.com/aws-cloudformation/cfn-python-lint/pull/1697/files - aws-cloudformation/cfn-lint#1671 BREAKING CHANGE: Fixed ECS task definition within the L1 layer. Fixed the casing of the `efsVolumeConfiguration` property to match the spec published by cloudformation. Fixed the type of the `DockerVolumeConfiguration.labels` property to allow users to properly apply labels. * **ecs**: Task definitions configured with an `efsVolumeConfiguration` will incur a resource replacement due to wrong casing of the underlying resources introduced in this [PR](https://github.com/aws/aws-cdk/pull/8467/files). This replacement will in turn cause a rolling update to any running tasks that use that definition. * **ecs**: `DockerVolumeConfiguration.labels` changed from an **array** to a **map**. This was a long standing latent bug and in fact configuring labels in the old format would have resulted in the wrong behavior.

…rd (#10404) This will allow upcoming major versions of the dotnet runtime to be used if the current target runtime (`netcoreapp3.1`) is not available; for example it will allow using `netcoreapp5` whent his becomes available. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ostgres (#10132) When the `s3ImportBuckets` or `s3ExportBuckets` properties are set, we also need to include the name of the feature for the DB instance that the IAM role is to be associated with. Excluding the feature name causes a deploy-time failure as follows: > The feature-name parameter must be provided with the current operation ... Added an `EngineFeatures` struct to specify the feature name for `s3Import` and `s3Export` Closes #4419 Closes #8201 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

The modern bootstrap stack used to unconditionally create a KMS Customer Master Key (CMK) for users. This incurs a $1/month charge for every user of the CDK for every region and account they want to deploy in, which is not acceptable if we're going to make this the default bootstrapping experience in the future. This PR switches off the creation of the CMK by default for new bootstrap stacks. Bootstrap stacks that already exist can remove the existing CMK by running: ``` cdk bootstrap --bootstrap-customer-key=false [aws://...] ``` This change is backwards compatible: updates to existing (modern) bootstrap stacks will leave the current KMS key in place. To achieve this, the new default is encoded into the CLI, not into the template. Fixes #10115. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Add missing braces around `if` added in #10386 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Added the following Conditons: * `Condition.isPresent` - matches if a json path is present * `Condition.isNotPresent` - matches if a json path is not present * `Condition.isString` - matches if a json path contains a string * `Condition.isNotString` - matches if a json path is not a string * `Condition.isNumeric` - matches if a json path is numeric * `Condition.isNotNumeric` - matches if a json path is not numeric * `Condition.isBoolean` - matches if a json path is boolean * `Condition.isNotBoolean` - matches if a json path is not boolean * `Condition.isTimestamp` - matches if a json path is a timestamp * `Condition.isNotTimestamp` - matches if a json path is not a timestamp * `Condition.isNotNull` - matches if a json path is not null * `Condition.isNull` - matches if a json path is null * `Condition.booleanEqualsJsonPath` - matches if a boolean field equals a value in a given mapping path * `Condition.stringEqualsJsonPath` - matches if a string field equals a given mapping path * `Condition.stringLessThanJsonPath` - Matches if a string field sorts before a value at given mapping path * `Condition.stringLessThanEqualsJsonPath` - Matches if a string field sorts equal to or before a given mapping * `Condition.stringGreaterThanJsonPath` - Matches if a string field sorts after a value at a given mapping path * `Condition.stringGreaterThanEqualsJsonPath` - Matches if a string field sorts after or equal to value at a given mapping path * `Condition.numberEqualsJsonPath` - matches if a numeric field has the value in a given mapping path * `Condition.numberLessThan` - matches if a numeric field is less than the given value * `Condition.numberLessThanJsonPath` - matches if a numeric field is less than the value at the given mapping path * `Condition.numberLessThanEqualsJsonPath` - matches if a numeric field is less than or equal to the numeric value at given mapping path * `Condition.numberGreaterThanJsonPath` - matches if a numeric field is greater than the value at a given mapping path * `Condition.numberGreaterThanEqualsJsonPath` - matches if a numeric field is greater than or equal to the value at a given mapping path * `Condition.timestampEqualsJsonPath` - matches if a timestamp field is the same time as the timestamp at a given mapping path * `Condition.timestampLessThanJsonPath` - matches if a timestamp field is before the timestamp at a given mapping path * `Condition.timestampLessThanEqualsJsonPath` - matches if a timestamp field is before or equal to the timestamp at a given mapping path * `Condition.timestampGreaterThanJsonPath` - matches if a timestamp field is after the timestamp at a given mapping path * `Condition.timestampGreaterThanEqualsJsonPath` - matches if a timestamp field is after or equal to the timestamp at a given mapping path * `Condition.stringMatches` - matches a field with the ability to use as a wild card e.g: log-.txt or LATEST. No other characters other than "*" have any special meaning (* can be escaped: \\*) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…EADME (#10411) ---- removing the partitions.io board link and replacing with the cdk.dev slack channel. *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

As it turns out, there's one more resource attribute that we don't support currently: Version, used for custom CloudFormation resources. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

In #10309, secretName was added to SecretAttributes, but given the ARN is always required, it's fairly redundant. Removing to reduce public API surface area. Not a breaking change, as #10309 has not yet been released. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…0394) Fixes #10322 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…10408) Avoid things like #10406 See https://eslint.org/docs/rules/curly#multi-line ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

In order to reduce the likelihood that subtle breakage happens due to behavioral changes introduced across major version bumps, all updates performed by `ncu` are now limited to the `--target=minor` setting (meaning the major version will not be changed by `ncu`). Co-authored-by: Mitchell Valine <valinm@amazon.com>

* feat(rds): S3 import and export for DatabaseInstances This change introduces S3 import/export for DatabaseInstances, the same as what currently exists today for DatabaseClusters. This change was heavily influenced by #10132 (the work to introduce feature names for DatabaseCluster), and steals patterns and names heavily from it. **Implementation Notes:** * Unlike for clusters, for instances, the feature names are required; if the feature name doesn't exist, we shouldn't be creating the role. * For both Oracle and SQL Server, all current/active versions support the same feature names. This simplified the implementation quite a bit. * I opted **not** to support features for the deprecated Oracle versions. * I moved the `setupS3ImportExport` helper function into a utils class. One quirk of the SQL Server requirement is that you must create an OptionGroup with only one role (for both import & export). Oracle, likewise, has a single feature for both import and export. So I opted to default to creating a single role (if necessary) for both import and export. Open to challenges on this. * The `OptionGroup` class needed some rework to be able to make the list of configurations dynamic. I then had to do some light tweaking to ensure backwards compatibility with the connections property. fixes #4419

Currently, database instances and clusters have different behaviors for removal policies and deletion protection. This fix standardizes the behavior and logical code paths so RDS behaves consistently. The new logic is that we will only set `deletionProtection` if the RemovalPolicy has been set to RETAIN. Otherwise (with SNAPSHOT or DELETE), deletion protection will be disabled (by default). BREAKING CHANGE: Cluster now has deletionProtection enabled if its removal policy is `RETAIN` * **rds**: Instance now has deletionProtection enabled by default only if its removal policy is `RETAIN` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Enable users with existing cluster subnet groups to specify an existing group, rather than creating a new group. _Note: Marked as exempt-readme because I don't think this deserves its own README section. Feel free to disagree._ fixes #9991 BREAKING CHANGE: removed protected member `subnetGroup` from DatabaseCluster classes ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…0422) CloudFormation allows for parameters of type 'Number' to be referenced, using the 'Ref' keyword, into properties that are of type 'String'. This will let customers now use CloudFormation maximum and minimum constraints on the number parameter type, and still use the resulting value in a property of string type. fixes #10228 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Upgrade dependency versions when available. Change the yarn-upgrade workflow to only upgrade minor versions automatically. This will prevent major version dependency upgrades from happening automatically in the future. Exclude `aws-sdk` from automatic upgrades temporarily due to changes in TS type definitions that removed `ConfigurationOptions` from the `aws-sdk/lib/config` entrypoint. See aws/aws-sdk-js#3453 for details.

Add a method that allows you to load a nested stack after the CfnInclude object has been instantiated. To make this consistent in nested stack handling, rename the 'nestedStacks' property to 'loadNestedStacks'. BREAKING CHANGE: the construction property 'nestedStacks' of class 'CfnInclude' has been renamed to 'loadNestedStacks' ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

closes #10371 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…er Preview' (#10436) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…8450) When a table was deployed with `serverSideEncryption` set to `true` (by requesting `AWS_MANAGED` or `CUSTOM` server side encryption), it was not possible to switch back to `DEFAULT` as this could drop the `serverSideEncryption` configuration altogether, which CloudFormation will not allow. This changes makes `Table` continue to not set the `serverSideEncryption` configuration if nothing was configured (the user chose the implicit default behavior), but to actually set the value explicitly to `false` if the user *explicitly* requests `DEFAULT` encryption. This makes it possible to flip away from `AWS_MANAGED` and `CUSTOM` encryption to the cheaper alternative that is `DEFAULT`. Fixes #8286 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Add the amzn scope to our version reporting, owned by Amazon: https://www.npmjs.com/org/amzn ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

) By default asset bundling is skipped for `cdk list` and `cdk destroy`. For `cdk deploy`, `cdk diff` and `cdk synthesize` the default is to bundle assets for all stacks unless `exclusively` is specified. In this case, only the listed stacks will have their assets bundled. Closes #9540 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Support VPC property in ShellScriptAction. Partially fixes #9982 . ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

When running `cdk deploy` the stack outputs to the terminal are currently returned in the same order as the `describe stacks` API call, which does not seem to provide a contract on ordering, per the [docs](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_Stack.html). This change sorts the keys of the stack outputs before display, which is consistent with "outputs" tab in the AWS CloudFormation console. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

This PR adds a machine image that is backed by a custom SSM parameter. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

@rix0rrr

In PR #10148, @rix0rrr made it possible to provide a custom CodePipeline pipeline instance to CdkPipeline. This also made the `sourceAction` (Source stage) and `synthAction` (Build stage) props optional. However, validation was added to ensure that if `synthAction` is not provided, the pipeline already contains at least two stages (assuming that would be Source and Build). Logically though, CdkPipeline works perfectly fine without Build stage, if an already-built cloud assembly is provided in the source stage (e.g. S3 source action). A use case for this is, for example, separating CI and CD logic, where CDK synthesis happens within the CI build and the assembly is stored as an artefact to be deployed by a pipeline. This PR makes the Build stage optional, to allow this use case without a need for a dummy build stage. Example pipeline code: ```ts export class PipelineStack extends cdk.Stack { constructor(scope: cdk.Construct, id: string, props: cdk.StackProps) { super(scope, id, props); const versionsBucket = new s3.Bucket(this, 'VersionsBucket', { bucketName: 's3pipeline-app-versions', versioned: true, }); // The CodePipeline const cloudAssemblyArtifact = new codepipeline.Artifact() const codePipeline = new codepipeline.Pipeline(this, 'CodePipeline', { pipelineName: 'S3Pipeline', restartExecutionOnUpdate: true, stages: [{ stageName: 'Source', actions: [new actions.S3SourceAction({ actionName: 'S3', bucket: versionsBucket, bucketKey: 'cloudassembly.zip', output: cloudAssemblyArtifact })] }] }); // CDK Pipeline const cdkPipeline = new pipelines.CdkPipeline(this, 'CdkPipeline', { codePipeline, cloudAssemblyArtifact, }); // Add application stage cdkPipeline.addApplicationStage(new MyAppStage(this, "PreProd")); } } ``` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…source' resource type (#10415) The resource type 'AWS::CloudFormation::CustomResource' corresponds to the class CfnCustomResource. However, that class is automatically generated, and quite useless; it only supports one property, ServiceToken. It does not support passing in an arbitrary collection of properties, like custom resources in CloudFormation do. As a result, cfn-include would "lose" all properties of resources of type 'AWS::CloudFormation::CustomResource' other than ServiceToken. Fix the problem by handling this resource type with the CfnResource class, that does support an arbitrary collection of properties. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Fixes #10390. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…cy when bucket and lambda are in different stacks (#10426) When the bucket and function are in two different stacks, the following stacks are created: ### Bucket Stack - `s3.Bucket` - `s3.BucketNotificationHandler` (creates a dependency on **lambda stack** since it configures the target of the trigger) ### Lambda Stack - `lambda.Function` - `lambda.Permission` (creates a dependency on the **bucket stack** since it configures the lambda to allow invocations from that specific bucket) The solution is to switch up the `lambda.Permission` scope and use the bucket instead of the function, so that it is added to the bucket stack, leaving the lambda stack independent. Fixes #5760 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

- Fixed incorrect comparison operator (LTE) string from '>=' to '<=' - fixes #8913 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…8828) **[ISSUE]** Imported Lambda functions unable to add new resource policy **[APPROACH]** Add a check for imported Lambda Functions between the account id and the account id from imported Lambda Function. If they match, imported function can add permissions. Fixes #7588 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

One of the contributors of longer runtimes, and we definitely don't need stack traces in it. Relates to #10213. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Fix Parcel detection for non JS/TS CDK projects. For those projects the module `@aws-cdk/aws-lambda-nodejs` is not installed in a `node_modules` folder inside the project. Change the detection logic to `require.resolve` from the project root. Also in this fix: ensure that the Parcel version that is run inside the container is the one installed at `/`. Previously, if an incorrect version of Parcel was detected bundling would happen in a container as expected but with the incorrect version because project root is mounted at `/asset-input` and in this case it contains the incorrect Parcel version at `/asset-input/node_modules`. Again change the `require.resolve` paths to avoid this. Addresses #10123 (not sure yet if it closes it) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Closes #10443 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

CloudFormation allows using short-form versions of intrinsic functions like `!GetAtt`. We handled them correctly in the `@aws-cdk/cloudformation-include` module, so extract that logic to a common package, and use it from the CLI in the `diff` command as well. Fixes #6537 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…nets` (#10459) Don't use the subnet id as the construct id as it may be a token. Fixes #10287 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…10440) There's been some confusion around how to set `GitHubSourceActionProps`'s `oauthToken` property to a github token that was stored as a JSON key-value pair in Secrets Manager. - Updating the [Github Source](https://docs.aws.amazon.com/cdk/api/latest/docs/aws-codepipeline-actions-readme.html#github) section of the docs to clarify how to do so. Closes #8731 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

… to AWSCodeDeployRoleForLambdaLimited (#10276) The managed policy `AWSCodeDeployRoleForLambda` used for Lambda deployments has broad permissions, providing publish access to all SNS topics within the customer's accounts. This change replaces that with a new policy `AWSCodeDeployRoleForLambdaLimited` which removes those permissions. This should be safe, as the SNS publish permission is only ever used when setting up `triggers`, and we don't support that feature in `LambdaDeploymentGroup`. BREAKING CHANGE: the default policy for `LambdaDeploymentGroup` no longer contains `sns:Publish` on `*` permissions ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…roviding locations at construction (#10460) Fixes #10442 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…andardNpmSynth, and standardYarnSynth (#10453) feat(pipelines): Allow specifying a VPC for pipelines.CdkPipeline, standardNpmSynth, and standardYarnSynth. Fixes #9982. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Add function to Fn class to parse the domain name given an URL. Fixes #5433 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

When assuming a role for uploading assets in the new-style synthesized stacks, the OS username was used to build the session name out of. OS usernames have a character set that is wider than the allowed characters in `RoleSessionName` though, so we needed to sanitize them. Fixes #10401. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Deprecate `AssetHashType.BUNDLE` in favor of `AssetHashType.OUTPUT`. Improve JSDoc for `AssetHashType`. Closes #9861 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Lambda recently added support for MSK as an event source (https://aws.amazon.com/about-aws/whats-new/2020/08/aws-lambda-now-supports-amazon-managed-streaming-for-apache-kafka-as-an-event-source/), and there's now a "Topics" property on the CloudFormation resource definition (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-eventsourcemapping.html#cfn-lambda-eventsourcemapping-topics). Closes #10138 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Add `.devcontainer.json` referencing the existing `.gitpod.yml` for supporting GitHub codespaces closes #10447 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

chore(rds): add additional aurora mysql engine versions Closes: #10476 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…#10463) When using the EVENTS trigger, an event is created based on the branch name of the event, however this is not possible if the branch name is an unresolved value. Therefore generate a unique event name if this is the case. Fixes #10263 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…anges (#10483) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

chore(release): 1.64.0

A few readme touchups and clarifications. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…odule (#10472) Introduce an environment variable - `AWSLINT_BASE_CONSTRUCT` recognized by `awslint`. This environment variable indicates that the module has [migrated][compat-rfc] away from construct classes and interfaces from `@aws-cdk/core` module to those in `constructs` module. Specific rules in the linter recognize this variable and modify their expectations. Motivation The primary motivation is to move the code base towards [removal of the construct compat layer][compat-rfc] as part of [CDKv2]. A large number of code changes to adopt "constructs" module can already be done as part of CDKv1 without incurring breaking changes to the API. This change enables these changes to be performed module-by-module. As modules are migrated, this flag will be enabled, to ensure no regression. [CDKv2]: https://github.com/aws/aws-cdk-rfcs/blob/master/text/0079-cdk-2.0.md [compat-rfc]: https://github.com/aws/aws-cdk-rfcs/blob/master/text/0192-remove-constructs-compat.md ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

#10458) See #7927 (comment) for motivation and design. The current way of specifying master user logins for `DatabaseInstance` and `DatabaseCluster` is inconsistent between the two and introduces some awkward usage when creating a login from an existing `Secret`. This change converts the existing `Login` interface (used by the `DatabaseCluster`) into a class with factory methods for username/password or secret-based logins. This also then re-uses that same interface for `DatabaseInstance`. The one exception now will be `DatabaseInstanceFromSnapshot`, which has specific requirements that deserved its own interface (`SnapshotLogin`). As a side effect of this approach, existing `DatabaseCluster` users -- in Typescript at least -- will not be broken. For example, the following are equivalent: ```ts new rds.DatabaseCluster(this, 'Cluster1', { // Existing usage masterUser: { username: 'admin', }, // New usage masterUser: Login.fromUsername('admin'), }); ``` Lastly, this change makes the whole `masterUser` prop optional, as there's no good reason why we can't default a username. fixes #7927 BREAKING CHANGE: `DatabaseInstanceProps` and `DatabaseInstanceFromSnapshotProps` - `masterUsername`, `masterUserPassword` and `masterUserPasswordEncryptionKey` moved to `credentials` as a new `Credentials` class. * **rds:** `Login` renamed to `Credentials`. Use `Credentials.fromUsername` to replace existing usage. * **rds:** `DatabaseClusterProps` `masterUser` renamed to `credentials`. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

The current ProxyTarget relied on the underlying L1s to get the engine type for a given Cluster/Instance. Change IDatabaseCluster and IInstanceEngine to add an (optional) `engine` property that is used instead. Allow the user to specify the engine when importing a Cluster or Instance. Also move the logic of determining the engine family into `IEngine`. Fixes #9195 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…build (#10502) Caused by JSII issue: aws/jsii#2040 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/1.64.0/CHANGELOG.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Now that we suppress output of non-failing tests, it becomes all the more important to have detailed information for failing tests. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…0507) The change introduced in #9576 did not handle the "staging disabled" case. As a consequence, when bundling the staged path was always relative. Revert to the behavior that was present before this change: when staging is disabled the staged path is absolute (whether bundling or not). Closes #10367 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Reverts #10503 We can't actually do this. There are tests that check that the output of the `cdk` command is *exactly* "some value", and adding the logging in breaks the expectation. Revert the `-v` to allow the tests to go back to passing 90% of the time.

…stances (#10324) fixes #9926 Added the following parameters to DatabaseCluster. * AutoMinorVersionUpgrade * AllowMajorVersionUpgrade * DeleteAutomatedBackups #10092 as a reference, only defined simple parameters. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…10501) Closes #8953 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ependency and breaks deployment (#10536) In version [`1.62.0`](https://github.com/aws/aws-cdk/releases/tag/v1.62.0) we introduced the ability to run `kubectl` commands on imported clusters. (See #9802). Part of this change included some refactoring with regards to how we use and create the `KubectlProvider`. Looks like we didn't consistently apply the same logic across all constructs that use it. Case in point: https://github.com/aws/aws-cdk/blob/e349004a522e2123c1e93bd3402dd7c3f9c5c17c/packages/%40aws-cdk/aws-eks/lib/k8s-manifest.ts#L58 Notice that here we use `this` as the scope to the `getOrCreate` call. Same goes for: https://github.com/aws/aws-cdk/blob/e349004a522e2123c1e93bd3402dd7c3f9c5c17c/packages/%40aws-cdk/aws-eks/lib/k8s-object-value.ts#L64 However, `KubernetesPatch` use `scope` instead. https://github.com/aws/aws-cdk/blob/e349004a522e2123c1e93bd3402dd7c3f9c5c17c/packages/%40aws-cdk/aws-eks/lib/k8s-patch.ts#L74 This means that the entire `scope` of the `KubernetesPatch` now depends, among others, on the `kubectlBarrier`. The scope will usually be either the cluster itself (when using `FargateCluster`), or the entire stack (when using `new KubernetesPatch`). In any case, the scope will most likely contain the cluster VPC. This creates the following dependency cycle: `Cluster => ClusterVpc => KubectlBarrier => Cluster`. The fix aligns the `KubernetesPatch` behavior to all other `kubectl` constructs and uses `this` as the scope, which will only add dependency on the barrier to the custom resource representing the patch. Fixes #10528 Fixes #10537 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Following up on #10503, enabling verbose logging for integ tests. opt out for tests that relies on exact match of the output: * 'cdk synth' - match the output of `synth`. * 'Two ways of shoing the version' - This one is tricker. Since `--version` is implemnted using `.version()` of `yargs` it ignores the `-v` argument, but `version` (no dash) which is our implementation respect it. ``` $cdk version -v CDK toolkit version: 1.63.0 (build 7a68125) .... blah blah ``` vs: ``` $cdk --version -v 1.63.0 (build 7a68125) ``` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ependency and breaks deployment (#10536) In version [`1.62.0`](https://github.com/aws/aws-cdk/releases/tag/v1.62.0) we introduced the ability to run `kubectl` commands on imported clusters. (See #9802). Part of this change included some refactoring with regards to how we use and create the `KubectlProvider`. Looks like we didn't consistently apply the same logic across all constructs that use it. Case in point: https://github.com/aws/aws-cdk/blob/e349004a522e2123c1e93bd3402dd7c3f9c5c17c/packages/%40aws-cdk/aws-eks/lib/k8s-manifest.ts#L58 Notice that here we use `this` as the scope to the `getOrCreate` call. Same goes for: https://github.com/aws/aws-cdk/blob/e349004a522e2123c1e93bd3402dd7c3f9c5c17c/packages/%40aws-cdk/aws-eks/lib/k8s-object-value.ts#L64 However, `KubernetesPatch` use `scope` instead. https://github.com/aws/aws-cdk/blob/e349004a522e2123c1e93bd3402dd7c3f9c5c17c/packages/%40aws-cdk/aws-eks/lib/k8s-patch.ts#L74 This means that the entire `scope` of the `KubernetesPatch` now depends, among others, on the `kubectlBarrier`. The scope will usually be either the cluster itself (when using `FargateCluster`), or the entire stack (when using `new KubernetesPatch`). In any case, the scope will most likely contain the cluster VPC. This creates the following dependency cycle: `Cluster => ClusterVpc => KubectlBarrier => Cluster`. The fix aligns the `KubernetesPatch` behavior to all other `kubectl` constructs and uses `this` as the scope, which will only add dependency on the barrier to the custom resource representing the patch. Fixes #10528 Fixes #10537 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/patch/v1.64.1/CHANGELOG.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/1.64.1/CHANGELOG.md)

---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…10546) As it turns out, `Fn::GetAtt` can be passed a string argument not only in YAML, but in JSON CloudFormation templates as well. Handle that case in our template parser for `cfn-include`. This handling allows us to stop special-casing transforming the short-form `!GetAtt` in our YAML parsing. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

One more resource attribute that we missed, and that is needed for cfn-include to be able to handle ingesting all templates. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Because of a limitation of the CodeBuild Service API and its CloudFormation implementation, it is not possible to disable the encryption key used to encrypt uploaded artifacts after having deployed a Project once that uses a key (the update back to "no key" is ignored). Work around this by explicitly always selecting the default `alias/aws/s3` key. This is the same one CodeBuild would have used if no key was given, except it doesn't suffer from the "property cannot be made empty" problem. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

The feature to support importing secrets by name (#10309) failed to handle scenarios where the secret ARN is a token, due to parsing the ARN to retrieve the secret name. fixes #10520 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Apply stack tags to the stacks deployed using CDK Pipelines. Taking this opportunity to make tags easier to work with -- move them from metadata into cloud artifact properties. Fixes #9260. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Configure the `jsii` targets for Python so that the `Framework :: AWS CDK` and `Framework :: AWS CDK :: 1` trove classifiers are present on the package metadata, for easier discovery in PyPI. See: https://pypi.org/search/?q=&o=&c=Framework+%3A%3A+AWS+CDK Fixes aws/cdk-ops#393 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

The Metadata resource used to be added by the CLI, which led to a bug. The better, less error-prone way to do it is to have the framework add the metadata resource to the stack template upon synthesis. The resources need to be added just-in-time (before synthesis), because if we do it in the constructor `node.setContext()` will stop working (for the `Stack` already having children). We only add the Metadata resource if we're running via the CLI. If we did not do this, all unit tests everywhere that use `toMatchTemplate()`/`toExactlyMatchTemplate()`/`toMatch()` will break. There are hundreds alone in our codebase, nevermind however many other ones are out there. The consequences of this are that we [still] will not record users who are doing in-memory synthesis. The CLI only does the work when the `runtimeInfo` field of the assembly is filled, which we just never do anymore. However, the code cannot be removed from the CLI because old versions of the framework might still set that field and expect the resource to be added to the template. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

When generating a new module, add `junit.xml` to `.npmignore` and `.gitignore`, this is required by `aws-lint` rule. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

This commits expands on a previous [commit]. A few CDK modules have been migrated to use the `Construct` and `IConstruct` from the "constructs" module instead of the "@aws-cdk/core" module. Migrating modules to use the "constructs" module, prevents merge conflicts from arising in these files when the construct compatibility layer in "@aws-cdk/core" module is removed in the v2 branch. [commit]: c179699 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

… arrays (#10538) Validate that `States.ALL` is not combined with other errors in `Retry` and `Catch` arrays and sort those arrays so that `States.ALL` appears last. Closes #10530 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…, CreateEndpointConfig, CreateModel, and UpdateEndpoint (#10187) **Implementation** Update package `@aws-cdk/aws-stepfunctions-tasks` to include support for SageMaker **CreateEndpoint**, **CreateEndpointConfig**, **CreateModel**, **UpdateEndpoint** API as per documentation here: https://docs.aws.amazon.com/step-functions/latest/dg/connect-sagemaker.html Includes support for the following Amazon SageMaker API calls: * `CreateEndpoint` * `CreateEndpointConfig` * `CreateModel` * `UpdateEndpoint` Closes #6572

…10587) The switch `versionReporting` was renamed to `analyticsReporting` in the framework in order to be more generic. However, this rename was carried through in parts of the CLI as well, especially in parts of the settings handling. This part is however not strongly typed but *stringly* typed (remember that settings are also read from `cdk.json`) and it's rather tricky to change there. Undo this change as it's breaking the integration tests; for now, the switch will still be called `versionReporting` in the CLI. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Fix JsonPath not supporting array paths closes #9403 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

KMS keys for cross-account actions used to be created automatically, but incur a $1/month charge for every region, adding a charge you don't need if you don't plan to deploy in to cross-account destinations. Add the option `crossAccountKeys: false` to allow users to switch off the KMS keys and avoid the charge if they don't need it. Relates to #10115. Must not be merged before #10474. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ECS (#10129) This PR implements [RFC 219](https://github.com/nathanpeck/aws-cdk-rfcs/blob/master/text/0219-ecs-service-extensions.md) It adds a new module called "@aws-containers/aws-ecs-builder" (Name proposed but not final) with following new constructs: - `Environment` - A deploy environment for a service which by default supplies its own VPC, and ECS cluster with Fargate capacity - `Service` - An ECS service And supporting classes: - `ServiceDescription` - Defines the application to run as a service, and any features it needs - `ServiceExtension` - Defines an optional extension that may be added to a service to enhance it with new capabilities or connect it to other ECS adjacent features This PR comes with a `ServiceExtension` for each of the following ECS adjacent features: - AppMesh - X-Ray - CloudWatch Agent - Application Load Balancer - FireLens Developers can use this new extendable `Service` class to build a `ServiceDescription` that defines their application and as many optional service extensions as they want. The `ServiceDescription` is used to build out a `Service` inside an `Environment` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…words for Cluster, Instance, DatabaseSecret Change the default excludeCharacters for Cluster, Instance and DatabaseSecret to the character set ``" %+~`#$&*()|[]{}:;<>?!'/@\"\\"``, as the previous set (`'"@/\\'`) had a tendency to generate problematic passwords that wouldn't work in the shell, or with services like DMS. Do the same for single- and multi-user rotations in Cluster and Instance as well. Also allow passing a custom excludeCharacters for Credentials and SnapshotCredentials, and also in addSingleUserRotation and addMultiUserRotation. Fixes #4144 BREAKING CHANGE: the default generated password exclude characters set for Instance, Cluster and `DatabaseSecret` is now ``" %+~`#$&*()|[]{}:;<>?!'/@\"\\"`` * **rds**: the default generated password exclude characters for `addSingleUserRotation()` and `addMultiUserRotation()` in Cluster and Instance is now ``" %+~`#$&*()|[]{}:;<>?!'/@\"\\"`` * **rds**: `Instance.addSingleUserRotation()` now takes options object as the first argument, instead of just `Duration` * **rds**: `Cluster.addSingleUserRotation()` now takes options object as the first argument, instead of just `Duration` * **rds**: `SnapshotCredentials.fromGeneratedPassword()` now takes an option object as the second argument, instead of just `IKey` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Removing an extra closing parenthesis `)`. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Graduate the module to *Developer Preview*. This PR also includes some last minute API changes we feel make it a little more semantically clear. In addition, the README was restructured to be more coherent. See [rendered version](https://github.com/aws/aws-cdk/blob/epolon/10364-eks-dev-preview/packages/%40aws-cdk/aws-eks/README.md). Happy to break this down to multiple PR's if you find it hard to review. BREAKING CHANGE: `cluster.addChart` renamed to `cluster.addHelmChart` * **eks:** `NodegroupOptions.launchTemplate` renamed to `NodegroupOptions.launchTemplateSpec` * **eks:** `cluster.addAutoScalingGroup` renamed to `cluster.connectAutoScalingGroupCapacity` * **eks:** `cluster.addNodegroup` renamed to `cluster.addNoedgroupCapacity` * **eks:** `cluster.addCapacity` renamed to `cluster.addAutoScalingGroupCapacity` * **eks:** `CapacityOptions` renamed to `AutoScalingGroupCapacityOptions`. Resolves #10364 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

`syn-nodejs-2.0` is the latest runtime. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_Library.html BREAKING CHANGE: the default runtime is now `syn-nodejs-2.0` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

@mauricioharley

…#10552) Adding support for [additional S3 notification event types](https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html#supported-notification-event-types), including 's3:ObjectRestore:Completed' recently raised by @mauricioharley as a feature request. Closes #10498 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

According to the CloudFront docs, the logging bucket should be specified as the bucket domain name. #2554 updated origin buckets to use the regional bucket domain names -- which is correct -- but also incorrectly updated the logging bucket specifications as well. This has a minor impact of being unable to navigate to the logging bucket from the CloudFront console, but otherwise the logs are stored correctly. fixes #10512 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

We are currently on a pre-release version, and `ncu` will "upgrade" to the nightly builds, which is undesirable. Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

…10539) Any CloudFormation resource that defines a single boolean property set to false is not rendered to the CloudFormation template. The bug is in implementation of `_toCloudFormation()` API in `CfnResource`. It treated `false` and `undefined` the same way. fixes #10455 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Adding support for [EC2 C6g](https://aws.amazon.com/ec2/instance-types/c6/) instance classes. Closes #10372 --- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Fixes listing same stack multiple times fails for cdk commands closes #9667 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…nitionName` (#10448) Add `fromJobDefinitionName` for `JobDefinition` construct. Ref: https://stackoverflow.com/a/55031183 closes #7172 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Add fromDomainName import helper to UserPoolDomain construct closes #9988 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ns event source (#10567) This change allows `SnsEventSource` to be configured in the same way as its reverse construct, `LambdaSubscription`. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…user pool clients (#10588) When the `UserPoolClient` property `disableOAuth` is set, callback URLs should not be rendered as it represents a list of allowed redirects for identity providers. Added in a condition that only renders the callback URL default of `https://example.com` if OAuth is enabled. Closes #10311 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

refreshToken always allowed when authFlows present in UserPoolClient BREAKING CHANGE: `refreshToken` property is now removed from UserPoolClient. It will be included if any other `authFlow` is enabled. closes #7625 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

The default value was incorrectly documented as 10000, while in fact, it is infinite. Ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-eventsourcemapping.html#cfn-lambda-eventsourcemapping-maximumretryattempts closes #10486 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

In #10458, we started to default the master user name to 'admin'. As it turns out, that actually doesn't work with PostgreSQL, as 'admin' is a reserved word there. Add a new optional property to IEngine called defaultUsername that allows overriding the global 'admin' default on a per-Engine basis. Set it to 'adminuser' for the Aurora Postgres Cluster engine and the Postgres Instance engine. Fixes #10579 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…recated (#10605) The static constants in the DatabaseClusterEngine class were all deprecated in favor of using versioned engines. However, it turns out that it's very common to use the unversioned engines for serverless Clusters, for which the instances are fully managed, so updates are a lot less risky. Because of that, un-deprecate the constants, instead adding a note that we don't recommend using them for non-serverless Clusters. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

) An overly-strict validation on secret ARNs prevented valid use cases where a customer provides a secret ARN without the SecretsManager-suffix. fixes #10604 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Make the GraphQL Schema construct multiple interface implementation in the following manner: ```gql type Object implements Interface1 & interface2 { ... } ``` Fixes #10479 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

I was using cdk to stand up an Elasticsearch domain and thought I might as well generalise the effort. Can I please get some feedback on the current implementation and if it is something you are happy to accept? This implementation is still missing tests, more documentation and features like importing the resource. I will add them once I know I'm on the right track. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Adds a new construct to specify Aurora Serverless clusters This is largely a stripped down version of `Cluster` as there are many properties within clusters that do not apply to Aurora Serverless. Some of the notable exclusions are: * backup windows * maintenance windows * associated roles (as S3 import/exports are not supported) * iam database authentication * exporting cloudwatch log exports * storage encryption is always true in Aurora serverless Added: * Scaling options which only apply to Aurora serverless and cannot be used for provisioned clusters * Enum `AuroraCapacityUnit` to specify the provisioned capacity * Enable http endpoint for a serverless cluster Closes #929 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…#10490) Addresses the first point on #9490 by allow access logging to be configured through props 1. Introduces a new `AccessLog` shared-interface as it can be reused in Virtual Gateways and Virtual Nodes 1. Removes the default access logging to stdout in Virtual Nodes and allows it to be configured via props BREAKING CHANGE: VirtualNode no longer has accessLog set to "/dev/stdout" by default ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…the StepFunctions State Machine target (#10551) Add option to use existing role for SfnStateMachine closes #8255 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/bump/1.65.0/CHANGELOG.md)

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/1.65.0/CHANGELOG.md)

* feat: cloudformation spec v18.4.0 * add junit.xml to ignore * adding a linter exclusion for attribute added in APIGatewayv2 that is not yet exposed through the CDK * added a patch to rename AwsVpcConfiguration back to AwsvpcConfiguration to avoid breaking ECS users * add appflow to cloudformation-include * add appflow as peerDependencies in cloudformation-include * add appflow to aws-cdk-lib dependencies * update monocdk-experiment package.json * add python classifiers for appflow * adding patches for properties that cause compatibility checker to fail Co-authored-by: AWS CDK Team <aws-cdk@amazon.com> Co-authored-by: Neta Nir <neta1nir@gmail.com> Co-authored-by: Shiv Lakshminarayan <shivlaks@amazon.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

When running unit tests `outdir` defaults to a temporary directory in the system temp directory. On macOS `os.tmpdir()` is a symlink. In `v1.61.0` we changed the bundling directory to be a directory inside `outdir` (`cdk.out`). This makes Docker bundling fail during tests. Fix it by using `fs.realpathSync`. Closes #10262 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

This commits expands on a previous [commit]. The remaining CDK modules have been migrated to use the `Construct` and `IConstruct` from the "constructs" module instead of the "@aws-cdk/core" module. Migrating modules to use the "constructs" module, prevents merge conflicts from arising in these files when the construct compatibility layer in "@aws-cdk/core" module is removed in the v2 branch. [commit]: c179699 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge #26

Merge #26

Commits on Sep 16, 2020

Commits on Sep 17, 2020

Commits on Sep 18, 2020

Commits on Sep 21, 2020

Commits on Sep 22, 2020

Commits on Sep 23, 2020

Commits on Sep 24, 2020

Commits on Sep 25, 2020

Commits on Sep 26, 2020

Commits on Sep 28, 2020

Commits on Sep 29, 2020

Commits on Sep 30, 2020

Commits on Oct 1, 2020