This repository was archived by the owner on Dec 29, 2021. It is now read-only.

test: Add failing test to replicate leaked credentials #1

Draft
wants to merge 36 commits into base: master

Conversation

theipster (Owner)

No description provided.

@theipster theipster force-pushed the custom-resources-credentials-leakage branch from 16a05ce to ab038ab Compare December 7, 2021 23:11
moelasmar and others added 26 commits December 8, 2021 14:48
Generated by running `./scripts/bump-cfnspec.sh`. Needed some additions required for aws#17840.

Closes aws#17858 (duplicate)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
The recommendation from AWS is to not use this feature in production. So `false` is a sensible
default.

Fixes aws#17578.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws#17722)

The cross region S3 buckets that are created should have block public access by default.

Fixes aws#16411

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws-cloudformation/cloudformation-coverage-roadmap#133 just shipped.

Docs: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html#cfn-ec2-instance-propagatetagstovolumeoncreation

Waiting on CloudFormation specs to get bumped to the latest version. Depends on aws#17844.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
When configuring the Cognito SES email integration we were performing a
region check to make sure you were configuring SES in one of the 3
supported regions. This was based on the Cognito documentation [here](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-email.html#user-pool-email-developer)
which is not correct. This PR removes that check allowing CloudFormation
to provide the validation. If a user provides an incorrect region the
CloudFormation deployment will fail with a descriptive error message.

fixes aws#17795


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Managed Policy ARNs should be deduped when added to a Role,
otherwise the deployment is going to fail.

Remove the unnecessary use of `Lazy.uncachedString` to make sure that
the ARNs of two `ManagedPolicy.fromAwsManagedPolicyName()` policies
are consistent.

Fixes aws#17552.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…aws#17571)

This adds a new integration test that deploys an s3.Bucket with
autoDeleteObjects set to true. The autoDeleteObjects feature deploys a
Nodejs Lambda backed Custom Resource.

Lambda backed custom resources that are included as part of CDK
constructs are compiled and bundled as part of the construct library.
There are scenarios where this compiled source code (e.g.
__entrypoint__.js) could be modified by the build process and cause the
lambda execution to fail.

This integration test should catch those instances. If the lambda
function throws errors during execution the CustomResource will
eventually fail. In the integration test this will result in a test
timeout and failure.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
**Issue**
When creating a VPC you can not define the VPC name. The current way to set the name is using the `Tags` class

**VPC Example:**
```javascript
// Inside a Stack constructor; the imports are assumed to be in scope, e.g.
// import * as cdk from '@aws-cdk/core';
// import * as ec2 from '@aws-cdk/aws-ec2';
const vpc = new ec2.Vpc(this, 'vpc-id', {
  maxAzs: 2,
  subnetConfiguration: [
    {
      name: 'private-subnet-1',
      subnetType: ec2.SubnetType.PRIVATE,
      cidrMask: 24,
    },
    {
      name: 'public-subnet-1',
      subnetType: ec2.SubnetType.PUBLIC,
      cidrMask: 24,
    },
  ]
});

// The VPC name can only be set via a tag today.
cdk.Tags.of(vpc).add('Name', 'CustomVPCName');
```

**Proposal:**
```javascript
// Inside a Stack constructor; the imports are assumed to be in scope, e.g.
// import * as ec2 from '@aws-cdk/aws-ec2';
const vpc = new ec2.Vpc(this, 'vpc-id', {
  maxAzs: 2,
  subnetConfiguration: [
    {
      name: 'private-subnet-1',
      subnetType: ec2.SubnetType.PRIVATE,
      cidrMask: 24,
    },
    {
      name: 'public-subnet-1',
      subnetType: ec2.SubnetType.PUBLIC,
      cidrMask: 24,
      mapPublicIpOnLaunch: false, // or true
    },
  ],
  vpcName: 'CustomVPCName', // proposed: set the Name tag through a prop
});
```

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
The `rewrite-imports-v2` tool is used to rewrite imports from CDK v1 apps and
libraries to CDK v2 compliant imports. The initial launch of this tool focused
solely on the conversion of CDKv1 to CDKv2 imports, but ignored the complexity
of `constructs` now being used as its own independent library and the lack of
the Construct compatibility layer from v2.

This fix introduces rewrites for Constructs. All `IConstruct` and `Construct`
imports will be converted from `@aws-cdk/core` to `constructs`, and any
qualified references (e.g., `cdk.Construct`) will be renamed as well (e.g.,
`constructs.Construct`). Imports of the construct library will be added as
needed.

fixes aws#17826

_Implementation note:_
Apologies for the diff. The best way to be able to recursively visit the tree involved
converting the existing, simple `ts.visitNode()` approach to a
`TransformerFactory`-based approach so `ts.visitEachChild()` could be used. This
required a few method moves and the creation of a class to hold some context.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…17947)

If the `cachingConfig` property is not provided, the library is generating an empty config.

Change this to not add any config to the template.

Related to aws#17925.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ns (aws#17941)

It is convention in the CDK to expose the underlying `grant()` API to make it simple for users to grant custom permissions to their resource. 

In addition, this PR removes 'glue:BatchDeletePartition' from `readPermissions`, which was previously erroneously added.

closes aws#17935 and aws#15116.

BREAKING CHANGE: the grantRead API previously included 'glue:BatchDeletePartition', and now it does not.



----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
)

Fixes: aws#17546

This adds to the fix in aws#16083 that was addressing the issue where the LogRetention Lambda can be executed concurrently and create a race condition where multiple invocations are trying to create or modify the same log group.

The previous fix addressed the issue if it occurred during log group creation, in the `createLogGroupSafe` method, but did not account for the same problem happening when modifying a log group's retention period in the `setRetentionPolicy` method. This fix applies the same logic from the last fix to the other method.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
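The commit message above describes a race between concurrent LogRetention invocations that create or modify the same log group. The following is an added illustration written for this page, not the CDK provider's own code: an in-memory fake of the CloudWatch Logs API (constructed here; the exception names `OperationAbortedException` and `ResourceAlreadyExistsException` are the real CloudWatch Logs error names, but the client, the retry helper and the sample group name are assumptions for the example) and a shared retry wrapper applied to both the create and the set-retention steps, which is the shape of fix the message describes.

```typescript
// Added example: simulates the LogRetention race and an idempotent, retrying fix.
// Not the CDK project's code; the client below is a constructed in-memory fake.

class LogsError extends Error {
  constructor(public readonly code: string, message: string) {
    super(message);
    this.name = code;
  }
}

/** In-memory stand-in for the CloudWatch Logs API (constructed for this example). */
class FakeLogsClient {
  private readonly groups = new Map<string, number | undefined>();
  public calls = 0;

  /** abortsRemaining: how many calls fail with OperationAbortedException before succeeding */
  constructor(private abortsRemaining: number) {}

  private maybeAbort(): void {
    if (this.abortsRemaining > 0) {
      this.abortsRemaining--;
      throw new LogsError('OperationAbortedException', 'concurrent operation in progress');
    }
  }

  createLogGroup(name: string): void {
    this.calls++;
    this.maybeAbort();
    if (this.groups.has(name)) {
      throw new LogsError('ResourceAlreadyExistsException', `${name} exists`);
    }
    this.groups.set(name, undefined);
  }

  putRetentionPolicy(name: string, days: number): void {
    this.calls++;
    this.maybeAbort();
    if (!this.groups.has(name)) {
      throw new LogsError('ResourceNotFoundException', `${name} missing`);
    }
    this.groups.set(name, days);
  }

  retentionOf(name: string): number | undefined {
    return this.groups.get(name);
  }
}

/** Retry a call while it fails with OperationAbortedException, up to maxAttempts. */
function retryOnRace<T>(fn: () => T, maxAttempts = 5): T {
  let attempt = 0;
  for (;;) {
    try {
      return fn();
    } catch (e) {
      if (e instanceof LogsError && e.code === 'OperationAbortedException' && ++attempt < maxAttempts) {
        continue; // another invocation is touching the same group; try again
      }
      throw e;
    }
  }
}

/** Create the group, treating "already exists" as success so the step is idempotent. */
function createLogGroupSafe(client: FakeLogsClient, name: string): void {
  retryOnRace(() => {
    try {
      client.createLogGroup(name);
    } catch (e) {
      if (!(e instanceof LogsError && e.code === 'ResourceAlreadyExistsException')) throw e;
    }
  });
}

/** Apply the retention policy with the same race handling as creation. */
function setRetentionPolicySafe(client: FakeLogsClient, name: string, days: number): void {
  retryOnRace(() => client.putRetentionPolicy(name, days));
}

/** Two invocations hit the same group; the first two API calls lose the race. Returns final retention. */
function simulateConcurrentInvocations(): number | undefined {
  const client = new FakeLogsClient(2);
  const name = '/aws/lambda/example'; // constructed sample log group name
  for (let invocation = 0; invocation < 2; invocation++) {
    createLogGroupSafe(client, name);
    setRetentionPolicySafe(client, name, 7);
  }
  return client.retentionOf(name);
}

/** Same race without the wrapper: returns the error code the raw call surfaces. */
function simulateWithoutRetry(): string {
  const client = new FakeLogsClient(1);
  try {
    client.createLogGroup('/aws/lambda/example');
    return 'ok';
  } catch (e) {
    return e instanceof LogsError ? e.code : 'unknown';
  }
}
```

The point of the shared wrapper is that both steps, not only creation, get the same treatment: without it the second call site still fails the whole custom resource whenever two invocations overlap.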
We're trialling open context providers internally. Not ready yet to call this a public API but we will maintain firmer guarantees on this function going forward.

Issues already uncovered by doing this that the more general open framework will have to deal with:

* `SdkProvider` would need to be open and stable
* What if the provider doesn't need account/region?
* Schema validation in query and response
* Side channel instructions to the context framework
* (not to mention: how will the code get on the user's machine?)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…e Redis cluster (aws#17919)

Following the recently released support for autoscaling in ElastiCache Redis clusters, I'd like to use CDK in order to manage the infrastructure. The only required change is to introduce a new enum value for the 'elasticache' key ([cloudformation doc](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-applicationautoscaling-scalabletarget.html#cfn-applicationautoscaling-scalabletarget-servicenamespace)), however to improve dev experience I've introduced three new `PredefinedMetricType` values following [cloudformation docs](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-applicationautoscaling-scalingpolicy-predefinedmetricspecification.html#cfn-applicationautoscaling-scalingpolicy-predefinedmetricspecification-predefinedmetrictype)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This PR adds hotswap support for S3 Bucket Deployments. 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Before, when the `stateMachineName` property was used, the value of `stateMachineName` was passed directly to the SDK where an ARN was required. Now, when the `stateMachineName` property is used, we construct the ARN from its value, and pass that ARN to the SDK.

Closes aws#17716

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This is proposed by aws#17711.

This PR was created for implementing the `Input` L2 Construct. Implementing it is needed before `DetectorModel`. The reason is described here: aws#17711 (comment)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ecycleHook (aws#16187)

This makes the notificationTargetArn optional in LifecycleHook. CloudFormation docs specify it as optional [here](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-as-lifecyclehook.html). Closes aws#14641. 
To achieve this, the `role` parameter was made optional. To avoid breaking users, a role is provided if users specify a `notificationTarget` (which they currently all do, as it is a required property) and is not provided otherwise.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
biffgaut and others added 8 commits December 13, 2021 09:57
Closes aws#17867

* Assigned props.environment to a public readonly member
* Added integration test that confirms the environment can be appended after the task is instantiated

Made 2 cosmetic, but no obvious changes. Environment values are specified:

name: value
name2: value

But in the test and the README.md files the sample values were:

name: something
value: something else

This is using the string 'value' as a key - which, as someone reading the code for the first time, was confusing. So I changed the sample values to more clearly display what's a key and what's a value.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Adding builtin support for the new ARM64 CloudWatch insights Lambda
layers which were [announced](https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-cloudwatch-lambda-insights-functions-graviton2/)
yesterday.

also fixes aws#17133

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
`commit_message` is deprecated and replaced by `commit_message_template`.
…ipType (aws#17961)

closes aws#17926

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Closes aws#17943.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…, and u-24tb1 (aws#17964)

`u-6tb1`, `u-9tb1`, `u-12tb1` blog post:
https://aws.amazon.com/blogs/aws/now-available-amazon-ec2-high-memory-instances-with-6-9-and-12-tb-of-memory-perfect-for-sap-hana/

`u-18tb1` `u-24tb1` blog post:
https://aws.amazon.com/blogs/aws/ec2-high-memory-update-new-18-tb-and-24-tb-instances/

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*