chore!: upgrade minimum required aws-cdk-lib version to 2.80.0 (#399)

Because of a security vulnerability in `aws-cdk-lib` prior to version 2.80.0, we are increasing the minimum required version to v2.80. See GHSA-rx28-r23p-2qc3 for the full CVE and impacts. > ### Who is affected? > #### MastersRole > Users with CDK version higher or equal to [1.57.0](https://github.com/aws/aws-cdk/releases/tag/v1.57.0) (including v2 users) that are not specifying the `mastersRole` property. The role in question can be located in the IAM console. It will have the following name pattern: > ``` > *-MastersRole-* > ``` > #### CreationRole > Users with CDK version higher or equal to [1.62.0](https://github.com/aws/aws-cdk/releases/tag/v1.62.0) (including v2 users). The role in question can be located in the IAM console. It will have the following name pattern: > ``` > *-ClusterCreationRole-* > ``` > ### Patches > The new versions no longer use the account root principal. Instead, they restrict the trust policy to the specific roles of lambda handlers that need it. This introduces some breaking changes that might require you to perform code changes. Refer to aws/aws-cdk#25674 for a detailed discussion of options. > > ### Workarounds > #### CreationRole > There is no workaround available for CreationRole. > > #### MastersRole > To avoid creating the default MastersRole, use the `mastersRole` property to explicitly provide a role. For example: > > ```ts > new eks.Cluster(this, 'Cluster', { > ... > mastersRole: iam.Role.fromRoleArn(this, 'Admin', 'arn:aws:iam::xxx:role/Admin') > }); > ``` ### References [aws/aws-cdk#25674](aws/aws-cdk#25674) If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via their [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to aws-security@amazon.com. Closes #225
hashicorp · Aug 25, 2023 · 2ee99f1 · 2ee99f1
1 parent 484aed7
commit 2ee99f1
Show file tree

Hide file tree

Showing 30 changed files with 507 additions and 408 deletions.
diff --git a/.gitignore b/.gitignore
diff --git a/.npmignore b/.npmignore
diff --git a/.projen/deps.json b/.projen/deps.json
diff --git a/.projenrc.ts b/.projenrc.ts
@@ -28,6 +28,9 @@ const project = new CdktfAwsCdkProject({
   projenrcTs: true,
 });
 
+project.addPeerDeps("aws-cdk-lib@^2.80.0");
+project.addDevDeps("aws-cdk-lib@2.80.0");
+
 project.package.addPackageResolutions("@types/babel__traverse@7.18.2");
 
 // Use pinned versions of github actions

diff --git a/README.md b/README.md
@@ -12,9 +12,10 @@ You need to manually map resources that the AWS Cloud Control API does not yet s
 
 The `AwsTerraformAdapter` currently only supports TypeScript projects:
 
-- `node` >= 16.14.0
+- `node` >= 18.12.0
 - `cdktf` >= 0.18.0
-- `aws-cdk-lib` >= 2.0.0 (requires `constructs` version 10)
+- `aws-cdk-lib` >= 2.80.0
+- `constructs` >= 10.0.25
 
 ```
 npm install @cdktf/aws-cdk

diff --git a/examples/typescript-cron-lambda/main.test.ts b/examples/typescript-cron-lambda/main.test.ts
@@ -15,82 +15,82 @@ describe("typescript-cron-lambda", () => {
 
     expect(synthResult).toMatchInlineSnapshot(`
       "{
-        \\"data\\": {
-          \\"aws_partition\\": {
-            \\"adapter_aws-partition_5B16AD9D\\": {
+        "data": {
+          "aws_partition": {
+            "adapter_aws-partition_5B16AD9D": {
             }
           }
         },
-        \\"provider\\": {
-          \\"aws\\": [
+        "provider": {
+          "aws": [
             {
-              \\"region\\": \\"us-west-2\\"
+              "region": "us-west-2"
             }
           ],
-          \\"time\\": [
+          "time": [
             {
-              \\"alias\\": \\"awsadapter_eventual_consistency_workaround_aspect_test\\"
+              "alias": "awsadapter_eventual_consistency_workaround_aspect_test"
             }
           ]
         },
-        \\"resource\\": {
-          \\"aws_cloudcontrolapi_resource\\": {
-            \\"adapter_lambda8B5974B5_06304D76\\": {
-              \\"depends_on\\": [
-                \\"time_sleep.adapter_lambdaServiceRole494E4CA6_sleep_lambdaServiceRole494E4CA6_73847BDD\\"
+        "resource": {
+          "aws_cloudcontrolapi_resource": {
+            "adapter_lambda8B5974B5_06304D76": {
+              "depends_on": [
+                "time_sleep.adapter_lambdaServiceRole494E4CA6_sleep_lambdaServiceRole494E4CA6_73847BDD"
               ],
-              \\"desired_state\\": \\"\${jsonencode({\\\\\\"Code\\\\\\" = {\\\\\\"ZipFile\\\\\\" = \\\\\\"# Copyright (c) HashiCorp, Inc.\\\\\\\\n# SPDX-License-Identifier: MPL-2.0\\\\\\\\n\\\\\\\\ndef main(event, context):\\\\\\\\n    print(\\\\\\\\\\\\\\"I'm running!\\\\\\\\\\\\\\")\\\\\\"}, \\\\\\"Role\\\\\\" = aws_iam_role.adapter_lambdaServiceRole494E4CA6_7D4D29EC.arn, \\\\\\"Handler\\\\\\" = \\\\\\"index.main\\\\\\", \\\\\\"Runtime\\\\\\" = \\\\\\"python3.6\\\\\\", \\\\\\"Timeout\\\\\\" = 300})}\\",
-              \\"type_name\\": \\"AWS::Lambda::Function\\"
+              "desired_state": "\${jsonencode({\\"Code\\" = {\\"ZipFile\\" = \\"# Copyright (c) HashiCorp, Inc.\\\\n# SPDX-License-Identifier: MPL-2.0\\\\n\\\\ndef main(event, context):\\\\n    print(\\\\\\"I'm running!\\\\\\")\\"}, \\"Handler\\" = \\"index.main\\", \\"Role\\" = aws_iam_role.adapter_lambdaServiceRole494E4CA6_7D4D29EC.arn, \\"Runtime\\" = \\"python3.6\\", \\"Timeout\\" = 300})}",
+              "type_name": "AWS::Lambda::Function"
             }
           },
-          \\"aws_cloudwatch_event_rule\\": {
-            \\"adapter_ruleF2C1DCDC_10BF962A\\": {
-              \\"is_enabled\\": true,
-              \\"schedule_expression\\": \\"cron(0 18 ? * MON-FRI *)\\"
+          "aws_cloudwatch_event_rule": {
+            "adapter_ruleF2C1DCDC_10BF962A": {
+              "is_enabled": true,
+              "schedule_expression": "cron(0 18 ? * MON-FRI *)"
             }
           },
-          \\"aws_cloudwatch_event_target\\": {
-            \\"adapter_ruleF2C1DCDC_target0_82E1D1E6\\": {
-              \\"arn\\": \\"\${jsondecode(aws_cloudcontrolapi_resource.adapter_lambda8B5974B5_06304D76.properties).Arn}\\",
-              \\"rule\\": \\"\${aws_cloudwatch_event_rule.adapter_ruleF2C1DCDC_10BF962A.id}\\"
+          "aws_cloudwatch_event_target": {
+            "adapter_ruleF2C1DCDC_target0_82E1D1E6": {
+              "arn": "\${jsondecode(aws_cloudcontrolapi_resource.adapter_lambda8B5974B5_06304D76.properties).Arn}",
+              "rule": "\${aws_cloudwatch_event_rule.adapter_ruleF2C1DCDC_10BF962A.id}"
             }
           },
-          \\"aws_iam_role\\": {
-            \\"adapter_lambdaServiceRole494E4CA6_7D4D29EC\\": {
-              \\"assume_role_policy\\": \\"\${jsonencode({\\\\\\"Statement\\\\\\" = [{\\\\\\"Action\\\\\\" = \\\\\\"sts:AssumeRole\\\\\\", \\\\\\"Effect\\\\\\" = \\\\\\"Allow\\\\\\", \\\\\\"Principal\\\\\\" = {\\\\\\"Service\\\\\\" = \\\\\\"lambda.amazonaws.com\\\\\\"}}], \\\\\\"Version\\\\\\" = \\\\\\"2012-10-17\\\\\\"})}\\",
-              \\"managed_policy_arns\\": [
-                \\"\${join(\\\\\\"\\\\\\", [\\\\\\"arn:\\\\\\", data.aws_partition.adapter_aws-partition_5B16AD9D.partition, \\\\\\":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole\\\\\\"])}\\"
+          "aws_iam_role": {
+            "adapter_lambdaServiceRole494E4CA6_7D4D29EC": {
+              "assume_role_policy": "\${jsonencode({\\"Statement\\" = [{\\"Action\\" = \\"sts:AssumeRole\\", \\"Effect\\" = \\"Allow\\", \\"Principal\\" = {\\"Service\\" = \\"lambda.amazonaws.com\\"}}], \\"Version\\" = \\"2012-10-17\\"})}",
+              "managed_policy_arns": [
+                "\${join(\\"\\", [\\"arn:\\", data.aws_partition.adapter_aws-partition_5B16AD9D.partition, \\":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole\\"])}"
               ]
             }
           },
-          \\"aws_lambda_permission\\": {
-            \\"adapter_ruleAllowEventRuleadapterlambdaFD1ADB594D612405_A1E85F36\\": {
-              \\"action\\": \\"lambda:InvokeFunction\\",
-              \\"function_name\\": \\"\${jsondecode(aws_cloudcontrolapi_resource.adapter_lambda8B5974B5_06304D76.properties).Arn}\\",
-              \\"principal\\": \\"events.amazonaws.com\\",
-              \\"source_arn\\": \\"\${aws_cloudwatch_event_rule.adapter_ruleF2C1DCDC_10BF962A.arn}\\"
+          "aws_lambda_permission": {
+            "adapter_ruleAllowEventRuleadapterlambdaFD1ADB594D612405_A1E85F36": {
+              "action": "lambda:InvokeFunction",
+              "function_name": "\${jsondecode(aws_cloudcontrolapi_resource.adapter_lambda8B5974B5_06304D76.properties).Arn}",
+              "principal": "events.amazonaws.com",
+              "source_arn": "\${aws_cloudwatch_event_rule.adapter_ruleF2C1DCDC_10BF962A.arn}"
             }
           },
-          \\"time_sleep\\": {
-            \\"adapter_lambdaServiceRole494E4CA6_sleep_lambdaServiceRole494E4CA6_73847BDD\\": {
-              \\"create_duration\\": \\"20s\\",
-              \\"depends_on\\": [
-                \\"aws_iam_role.adapter_lambdaServiceRole494E4CA6_7D4D29EC\\"
+          "time_sleep": {
+            "adapter_lambdaServiceRole494E4CA6_sleep_lambdaServiceRole494E4CA6_73847BDD": {
+              "create_duration": "20s",
+              "depends_on": [
+                "aws_iam_role.adapter_lambdaServiceRole494E4CA6_7D4D29EC"
               ],
-              \\"destroy_duration\\": \\"0s\\",
-              \\"provider\\": \\"time.awsadapter_eventual_consistency_workaround_aspect_test\\"
+              "destroy_duration": "0s",
+              "provider": "time.awsadapter_eventual_consistency_workaround_aspect_test"
             }
           }
         },
-        \\"terraform\\": {
-          \\"required_providers\\": {
-            \\"aws\\": {
-              \\"source\\": \\"aws\\",
-              \\"version\\": \\"3.76.1\\"
+        "terraform": {
+          "required_providers": {
+            "aws": {
+              "source": "aws",
+              "version": "3.76.1"
             },
-            \\"time\\": {
-              \\"source\\": \\"time\\",
-              \\"version\\": \\"0.7.2\\"
+            "time": {
+              "source": "time",
+              "version": "0.7.2"
             }
           }
         }

diff --git a/examples/typescript-cron-lambda/package.json b/examples/typescript-cron-lambda/package.json
@@ -22,7 +22,7 @@
   },
   "dependencies": {
     "@cdktf/aws-cdk": "^0.9.4",
-    "aws-cdk-lib": "2.0.0",
+    "aws-cdk-lib": "2.93.0",
     "cdktf": "0.18.0",
     "constructs": "^10.2.69"
   },

diff --git a/examples/typescript-cron-lambda/yarn.lock b/examples/typescript-cron-lambda/yarn.lock
@@ -18,6 +18,21 @@
     "@jridgewell/gen-mapping" "^0.3.0"
     "@jridgewell/trace-mapping" "^0.3.9"
 
+"@aws-cdk/asset-awscli-v1@^2.2.200":
+  version "2.2.200"
+  resolved "https://registry.yarnpkg.com/@aws-cdk/asset-awscli-v1/-/asset-awscli-v1-2.2.200.tgz#6ead533f73f705ad7350eb46955e2538e50cd013"
+  integrity sha512-Kf5J8DfJK4wZFWT2Myca0lhwke7LwHcHBo+4TvWOGJrFVVKVuuiLCkzPPRBQQVDj0Vtn2NBokZAz8pfMpAqAKg==
+
+"@aws-cdk/asset-kubectl-v20@^2.1.2":
+  version "2.1.2"
+  resolved "https://registry.yarnpkg.com/@aws-cdk/asset-kubectl-v20/-/asset-kubectl-v20-2.1.2.tgz#d8e20b5f5dc20128ea2000dc479ca3c7ddc27248"
+  integrity sha512-3M2tELJOxQv0apCIiuKQ4pAbncz9GuLwnKFqxifWfe77wuMxyTRPmxssYHs42ePqzap1LT6GDcPygGs+hHstLg==
+
+"@aws-cdk/asset-node-proxy-agent-v6@^2.0.1":
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/@aws-cdk/asset-node-proxy-agent-v6/-/asset-node-proxy-agent-v6-2.0.1.tgz#6dc9b7cdb22ff622a7176141197962360c33e9ac"
+  integrity sha512-DDt4SLdLOwWCjGtltH4VCST7hpOI5DzieuhGZsBpZ+AgJdSI2GCjklCXm0GCTwJG/SolkL5dtQXyUKgg9luBDg==
+
 "@babel/code-frame@^7.0.0", "@babel/code-frame@^7.12.13", "@babel/code-frame@^7.18.6":
   version "7.18.6"
   resolved "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.18.6.tgz"
@@ -1287,9 +1302,9 @@ agent-base@6:
   dependencies:
     debug "4"
 
-ajv@^8.12.0:
+ajv@^8.0.1, ajv@^8.12.0:
   version "8.12.0"
-  resolved "https://registry.npmjs.org/ajv/-/ajv-8.12.0.tgz"
+  resolved "https://registry.yarnpkg.com/ajv/-/ajv-8.12.0.tgz#d1a0527323e22f53562c567c00991577dfbe19d1"
   integrity sha512-sRu1kpcO9yLtYxBKvqfTeh9KzZEwO3STyX1HT+4CaDzC6HpTGYhIhPIzj9XuKU7KYDwnaeh5hcOwjy1QuJzBPA==
   dependencies:
     fast-deep-equal "^3.1.1"
@@ -1420,19 +1435,23 @@ available-typed-arrays@^1.0.5:
   resolved "https://registry.npmjs.org/available-typed-arrays/-/available-typed-arrays-1.0.5.tgz"
   integrity sha512-DMD0KiN46eipeziST1LPP/STfDU0sufISXmjSgvVsoU2tqxctQeASejWcfNtxYKqETM1UxQ8sp2OrSBWpHY6sw==
 
-aws-cdk-lib@2.0.0:
-  version "2.0.0"
-  resolved "https://registry.npmjs.org/aws-cdk-lib/-/aws-cdk-lib-2.0.0.tgz"
-  integrity sha512-ETom3THcblmS3GSoS6rb2AGy7HZpcpoHvwNlxeVIVbmGOiKrrqjvECK2uOJtNboV/vDTHHjx/s/1SwptLo9dlg==
+aws-cdk-lib@2.93.0:
+  version "2.93.0"
+  resolved "https://registry.yarnpkg.com/aws-cdk-lib/-/aws-cdk-lib-2.93.0.tgz#545bc0072bc0f2e27cb0fecb0c9e54de29b10731"
+  integrity sha512-kKbcKkts272Ju5xjGKI3pXTOpiJxW4OQbDF8Vmw/NIkkuJLo8GlRCFfeOfoN/hilvlYQgENA67GCgSWccbvu7w==
   dependencies:
+    "@aws-cdk/asset-awscli-v1" "^2.2.200"
+    "@aws-cdk/asset-kubectl-v20" "^2.1.2"
+    "@aws-cdk/asset-node-proxy-agent-v6" "^2.0.1"
     "@balena/dockerignore" "^1.0.2"
     case "1.6.3"
-    fs-extra "^9.1.0"
-    ignore "^5.1.9"
-    jsonschema "^1.4.0"
-    minimatch "^3.0.4"
-    punycode "^2.1.1"
-    semver "^7.3.5"
+    fs-extra "^11.1.1"
+    ignore "^5.2.4"
+    jsonschema "^1.4.1"
+    minimatch "^3.1.2"
+    punycode "^2.3.0"
+    semver "^7.5.4"
+    table "^6.8.1"
     yaml "1.10.2"
 
 babel-jest@^29.6.4:
@@ -2597,7 +2616,7 @@ ieee754@^1.1.13:
   resolved "https://registry.npmjs.org/ieee754/-/ieee754-1.2.1.tgz"
   integrity sha512-dcyqhDvX1C46lXZcVqCpK+FtMRQVdIMN6/Df5js2zouUsqG7I6sFxitIC+7KYK29KdXOLHdu9zL4sFnoVQnqaA==
 
-ignore@^5.1.9:
+ignore@^5.2.4:
   version "5.2.4"
   resolved "https://registry.yarnpkg.com/ignore/-/ignore-5.2.4.tgz#a291c0c6178ff1b960befe47fcdec301674a6324"
   integrity sha512-MAb38BcSbH0eHNBxn7ql2NH/kX33OkB3lZ1BNdh7ENeRChHTYsTvWrMubiIAMNS2llXEEgZ1MUOBtXChP3kaFQ==
@@ -3538,7 +3557,7 @@ jsonify@^0.0.1:
   resolved "https://registry.npmjs.org/jsonify/-/jsonify-0.0.1.tgz"
   integrity sha512-2/Ki0GcmuqSrgFyelQq9M05y7PS0mEwuIzrf3f1fPqkVDVRvZrPZtVSMHxdgo8Aq0sxAOb/cr2aqqA3LeWHVPg==
 
-jsonschema@^1.4.0:
+jsonschema@^1.4.1:
   version "1.4.1"
   resolved "https://registry.yarnpkg.com/jsonschema/-/jsonschema-1.4.1.tgz#cc4c3f0077fb4542982973d8a083b6b34f482dab"
   integrity sha512-S6cATIPVv1z0IlxdN+zUk5EPjkGCdnhN4wVSBlvoUO1tOLJootbo9CquNJmbIh4yikWHiUedhRYrNPn1arpEmQ==
@@ -3610,6 +3629,11 @@ lodash.memoize@4.x:
   resolved "https://registry.npmjs.org/lodash.memoize/-/lodash.memoize-4.1.2.tgz"
   integrity sha512-t7j+NzmgnQzTAYXcsHYLgimltOV1MXHtlOWf6GjL9Kj8GK5FInw5JotxvbOs+IvV1/Dzo04/fCGfLVs7aXb4Ag==
 
+lodash.truncate@^4.4.2:
+  version "4.4.2"
+  resolved "https://registry.yarnpkg.com/lodash.truncate/-/lodash.truncate-4.4.2.tgz#5a350da0b1113b837ecfffd5812cbe58d6eae193"
+  integrity sha512-jttmRe7bRse52OsWIMDLaXxWqRAmtIUccAQ3garviCqJjafXOfNMO0yMfNpdD6zbGaTU0P5Nz7e7gAT6cKmJRw==
+
 lodash.union@^4.6.0:
   version "4.6.0"
   resolved "https://registry.npmjs.org/lodash.union/-/lodash.union-4.6.0.tgz"
@@ -3721,7 +3745,7 @@ mimic-response@^3.1.0:
   resolved "https://registry.npmjs.org/mimic-response/-/mimic-response-3.1.0.tgz"
   integrity sha512-z0yWI+4FDrrweS8Zmt4Ej5HdJmky15+L2e6Wgn3+iK5fWzb6T3fhNFq2+MeTRb064c6Wr4N/wv0DzQTjNzHNGQ==
 
-minimatch@^3.0.4, minimatch@^3.1.1:
+minimatch@^3.0.4, minimatch@^3.1.1, minimatch@^3.1.2:
   version "3.1.2"
   resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.2.tgz#19cd194bfd3e428f049a70817c038d89ab4be35b"
   integrity sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==
@@ -4120,9 +4144,9 @@ pump@^3.0.0:
     end-of-stream "^1.1.0"
     once "^1.3.1"
 
-punycode@^2.1.0, punycode@^2.1.1:
+punycode@^2.1.0, punycode@^2.1.1, punycode@^2.3.0:
   version "2.3.0"
-  resolved "https://registry.npmjs.org/punycode/-/punycode-2.3.0.tgz"
+  resolved "https://registry.yarnpkg.com/punycode/-/punycode-2.3.0.tgz#f67fa67c94da8f4d0cfff981aee4118064199b8f"
   integrity sha512-rRV+zQD8tVFys26lAGR9WUuS4iUAngJScM+ZRSKtvl5tKeZ2t5bvdNFdNHBW9FWR4guGHlgmsZ1G7BSm2wTbuA==
 
 pure-rand@^6.0.0:
@@ -4439,6 +4463,15 @@ slice-ansi@^3.0.0:
     astral-regex "^2.0.0"
     is-fullwidth-code-point "^3.0.0"
 
+slice-ansi@^4.0.0:
+  version "4.0.0"
+  resolved "https://registry.yarnpkg.com/slice-ansi/-/slice-ansi-4.0.0.tgz#500e8dd0fd55b05815086255b3195adf2a45fe6b"
+  integrity sha512-qMCMfhY040cVHT43K9BFygqYbUPFZKHOg7K73mtTWJRb8pyP3fzf4Ixd5SzdEJQ6MRUg/WBnOLxghZtKKurENQ==
+  dependencies:
+    ansi-styles "^4.0.0"
+    astral-regex "^2.0.0"
+    is-fullwidth-code-point "^3.0.0"
+
 snake-case@^3.0.4:
   version "3.0.4"
   resolved "https://registry.npmjs.org/snake-case/-/snake-case-3.0.4.tgz"
@@ -4629,6 +4662,17 @@ supports-preserve-symlinks-flag@^1.0.0:
   resolved "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz"
   integrity sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==
 
+table@^6.8.1:
+  version "6.8.1"
+  resolved "https://registry.yarnpkg.com/table/-/table-6.8.1.tgz#ea2b71359fe03b017a5fbc296204471158080bdf"
+  integrity sha512-Y4X9zqrCftUhMeH2EptSSERdVKt/nEdijTOacGD/97EKjhQ/Qs8RTlEGABSJNNN8lac9kheH+af7yAkEWlgneA==
+  dependencies:
+    ajv "^8.0.1"
+    lodash.truncate "^4.4.2"
+    slice-ansi "^4.0.0"
+    string-width "^4.2.3"
+    strip-ansi "^6.0.1"
+
 tar-fs@^2.0.0:
   version "2.1.1"
   resolved "https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.1.tgz"