diff --git a/CHANGELOG.v2.alpha.md b/CHANGELOG.v2.alpha.md index ae5784f8a9df1..4801dda8486bd 100644 --- a/CHANGELOG.v2.alpha.md +++ b/CHANGELOG.v2.alpha.md @@ -2,6 +2,19 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [2.164.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.163.1-alpha.0...v2.164.0-alpha.0) (2024-10-24) + + +### Features + +* **iot:** scheduled audit ([#31776](https://github.com/aws/aws-cdk/issues/31776)) ([366b492](https://github.com/aws/aws-cdk/commit/366b4927c50168113dd4057f6255ab6c76278135)), closes [#31779](https://github.com/aws/aws-cdk/issues/31779) + + +### Bug Fixes + +* **ec2:** allow NAT instance to associate public IP ([#31812](https://github.com/aws/aws-cdk/issues/31812)) ([e96b4ce](https://github.com/aws/aws-cdk/commit/e96b4ce4ae64076e4c2e688c649c69fb15a624d6)), closes [#31711](https://github.com/aws/aws-cdk/issues/31711) +* **scheduler-targets-alpha:** imported lambda function as schedule target throws synth error ([#31837](https://github.com/aws/aws-cdk/issues/31837)) ([d1d179f](https://github.com/aws/aws-cdk/commit/d1d179f617f83bbb3bf44d3cc629be8eed0d4e2b)), closes [#29284](https://github.com/aws/aws-cdk/issues/29284) + ## [2.163.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.163.0-alpha.0...v2.163.1-alpha.0) (2024-10-22) ## [2.163.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.162.1-alpha.0...v2.163.0-alpha.0) (2024-10-21) diff --git a/CHANGELOG.v2.md b/CHANGELOG.v2.md index 0bc7d0feea9bb..7c9b0e7c01450 100644 --- a/CHANGELOG.v2.md +++ b/CHANGELOG.v2.md 
@@ -2,6 +2,24 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [2.164.0](https://github.com/aws/aws-cdk/compare/v2.163.1...v2.164.0) (2024-10-24) + + +### Features + +* **cli:** add ability to configure hotswap properties for ECS ([#30511](https://github.com/aws/aws-cdk/issues/30511)) ([fee2cf8](https://github.com/aws/aws-cdk/commit/fee2cf88c58c6c1f25b9e6fad87c8042de464fd9)), closes [#29618](https://github.com/aws/aws-cdk/issues/29618) +* **cognito:** support email based MFA ([#31816](https://github.com/aws/aws-cdk/issues/31816)) ([f9d6eef](https://github.com/aws/aws-cdk/commit/f9d6eefd52d5bdc63ff2be844f567e8f1d0b4258)), closes [#31815](https://github.com/aws/aws-cdk/issues/31815) +* **cognito:** the Cognito Identity Pools module is now in Developer Preview ([#31854](https://github.com/aws/aws-cdk/issues/31854)) ([b22899f](https://github.com/aws/aws-cdk/commit/b22899f9dee04d5c446ebcdfff810a954ac08dc6)) + + +### Bug Fixes + +* **cli:** cross-account asset publishing doesn't work without bootstrap stack ([#31876](https://github.com/aws/aws-cdk/issues/31876)) ([427bf63](https://github.com/aws/aws-cdk/commit/427bf630cb2e28ec98477b313eef32d5b9b91525)), closes [#31866](https://github.com/aws/aws-cdk/issues/31866) +* **cli:** deploy-role is not authorized to perform DescribeStackResources ([#31878](https://github.com/aws/aws-cdk/issues/31878)) ([8d06824](https://github.com/aws/aws-cdk/commit/8d06824298d80b18c6b0143a9ac38b79ea5d6253)) +* **core:** fix policy synthesizer logic for precreated roles ([#31710](https://github.com/aws/aws-cdk/issues/31710)) ([aae03c9](https://github.com/aws/aws-cdk/commit/aae03c9f899ec2a77b841207ef0b4eb3a7e0ae00)) +* **dynamodb:** replication regions are incompatible with resource policies in TableV2 and feature flag ([#31513](https://github.com/aws/aws-cdk/issues/31513)) 
([0b03eb0](https://github.com/aws/aws-cdk/commit/0b03eb0f62c132c1bd586a8ec31818398d07707f)), closes [#30705](https://github.com/aws/aws-cdk/issues/30705) +* **events-targets:** kinesis Stream target with Customer-Managed KMS key causes EventBridge FailedInvocations ([#31836](https://github.com/aws/aws-cdk/issues/31836)) ([58dfda0](https://github.com/aws/aws-cdk/commit/58dfda087a8aabde2683cd99df005d6e5e73a7ce)), closes [#10996](https://github.com/aws/aws-cdk/issues/10996) + ## [2.163.1](https://github.com/aws/aws-cdk/compare/v2.163.0...v2.163.1) (2024-10-22) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.asset-build-spec.js.snapshot/CodeBuildAssetBuildSpecStack.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.asset-build-spec.js.snapshot/CodeBuildAssetBuildSpecStack.template.json index c4231385ef554..64d6060026013 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.asset-build-spec.js.snapshot/CodeBuildAssetBuildSpecStack.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.asset-build-spec.js.snapshot/CodeBuildAssetBuildSpecStack.template.json @@ -173,7 +173,7 @@ }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:7.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" @@ -254,4 +254,4 @@ ] } } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.caching.js.snapshot/aws-cdk-codebuild.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.caching.js.snapshot/aws-cdk-codebuild.template.json index bb229d9f143c6..11f09584f8b22 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.caching.js.snapshot/aws-cdk-codebuild.template.json 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.caching.js.snapshot/aws-cdk-codebuild.template.json @@ -140,7 +140,7 @@ }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:7.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" @@ -209,4 +209,4 @@ ] } } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.defaults.lit.js.snapshot/codebuild-default-project.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.defaults.lit.js.snapshot/codebuild-default-project.template.json index 14e4f78ae05b1..226ad024c0b0b 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.defaults.lit.js.snapshot/codebuild-default-project.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.defaults.lit.js.snapshot/codebuild-default-project.template.json @@ -132,7 +132,7 @@ }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:7.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" @@ -188,4 +188,4 @@ ] } } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.github-webhook-batch.js.snapshot/test-codebuild-github-webhook-batch.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.github-webhook-batch.js.snapshot/test-codebuild-github-webhook-batch.template.json index bc46e43fb1f95..4a64ef1155033 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.github-webhook-batch.js.snapshot/test-codebuild-github-webhook-batch.template.json 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.github-webhook-batch.js.snapshot/test-codebuild-github-webhook-batch.template.json @@ -145,7 +145,7 @@ }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:7.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" @@ -222,4 +222,4 @@ ] } } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.github.js.snapshot/test-codebuild-github.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.github.js.snapshot/test-codebuild-github.template.json index f86a893132c8e..24f6d96bf066a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.github.js.snapshot/test-codebuild-github.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.github.js.snapshot/test-codebuild-github.template.json @@ -98,7 +98,7 @@ }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:7.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" @@ -155,4 +155,4 @@ ] } } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-bucket.js.snapshot/aws-cdk-codebuild.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-bucket.js.snapshot/aws-cdk-codebuild.template.json index 2e7587aa97929..4008c2af0f554 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-bucket.js.snapshot/aws-cdk-codebuild.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-bucket.js.snapshot/aws-cdk-codebuild.template.json 
@@ -133,7 +133,7 @@ }, "Environment": { "ComputeType": "BUILD_GENERAL1_LARGE", - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:7.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" @@ -199,4 +199,4 @@ ] } } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-buildspec-artifacts.js.snapshot/aws-cdk-codebuild-buildspec-artifact-name.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-buildspec-artifacts.js.snapshot/aws-cdk-codebuild-buildspec-artifact-name.template.json index 5267ba939c5d5..72d66ec27a492 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-buildspec-artifacts.js.snapshot/aws-cdk-codebuild-buildspec-artifact-name.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-buildspec-artifacts.js.snapshot/aws-cdk-codebuild-buildspec-artifact-name.template.json @@ -148,7 +148,7 @@ }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:7.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" @@ -204,4 +204,4 @@ ] } } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-file-system-location.js.snapshot/aws-cdk-codebuild-file-system-locations.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-file-system-location.js.snapshot/aws-cdk-codebuild-file-system-locations.template.json index 32b4a351f097d..b552e67966a31 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-file-system-location.js.snapshot/aws-cdk-codebuild-file-system-locations.template.json 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-file-system-location.js.snapshot/aws-cdk-codebuild-file-system-locations.template.json @@ -383,7 +383,7 @@ }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:7.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": true, "Type": "LINUX_CONTAINER" @@ -509,4 +509,4 @@ ] } } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-logging.js.snapshot/aws-cdk-codebuild-logging.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-logging.js.snapshot/aws-cdk-codebuild-logging.template.json index 72dd78a0d0545..357baccc21c40 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-logging.js.snapshot/aws-cdk-codebuild-logging.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-logging.js.snapshot/aws-cdk-codebuild-logging.template.json @@ -192,7 +192,7 @@ }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:7.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" @@ -261,4 +261,4 @@ ] } } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-notification.js.snapshot/aws-cdk-codebuild-project-vpc.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-notification.js.snapshot/aws-cdk-codebuild-project-vpc.template.json index 203f21a5fe640..4c194911d30db 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-notification.js.snapshot/aws-cdk-codebuild-project-vpc.template.json 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-notification.js.snapshot/aws-cdk-codebuild-project-vpc.template.json @@ -132,7 +132,7 @@ }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:7.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" @@ -241,4 +241,4 @@ ] } } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-secondary-sources-artifacts.js.snapshot/aws-cdk-codebuild-secondary-sources-artifacts.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-secondary-sources-artifacts.js.snapshot/aws-cdk-codebuild-secondary-sources-artifacts.template.json index 05e907f202018..ae152536d24be 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-secondary-sources-artifacts.js.snapshot/aws-cdk-codebuild-secondary-sources-artifacts.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-secondary-sources-artifacts.js.snapshot/aws-cdk-codebuild-secondary-sources-artifacts.template.json @@ -170,7 +170,7 @@ }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:7.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" @@ -256,4 +256,4 @@ ] } } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-visibility.js.snapshot/codebuild-visibility.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-visibility.js.snapshot/codebuild-visibility.template.json index ad99d88e5c723..ba9c06e90ba83 100644 
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-visibility.js.snapshot/codebuild-visibility.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-visibility.js.snapshot/codebuild-visibility.template.json @@ -171,7 +171,7 @@ "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:7.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" @@ -234,4 +234,4 @@ ] } } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-vpc.js.snapshot/aws-cdk-codebuild-project-vpc.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-vpc.js.snapshot/aws-cdk-codebuild-project-vpc.template.json index 029b4608ae5ed..9a42045c22043 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-vpc.js.snapshot/aws-cdk-codebuild-project-vpc.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-vpc.js.snapshot/aws-cdk-codebuild-project-vpc.template.json @@ -383,7 +383,7 @@ }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:7.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" @@ -489,4 +489,4 @@ ] } } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.report-group-delete-reports.js.snapshot/aws-cdk-report-group-delete-reports.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.report-group-delete-reports.js.snapshot/aws-cdk-report-group-delete-reports.template.json index f23ea7df4e3bf..7e3e531ec8257 100644 
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.report-group-delete-reports.js.snapshot/aws-cdk-report-group-delete-reports.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.report-group-delete-reports.js.snapshot/aws-cdk-report-group-delete-reports.template.json @@ -128,7 +128,7 @@ "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:7.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" @@ -194,4 +194,4 @@ ] } } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.report-group.js.snapshot/aws-cdk-report-group.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.report-group.js.snapshot/aws-cdk-report-group.template.json index 468660b702b17..2a03ac4db02b8 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.report-group.js.snapshot/aws-cdk-report-group.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.report-group.js.snapshot/aws-cdk-report-group.template.json @@ -148,7 +148,7 @@ }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:7.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" @@ -225,4 +225,4 @@ ] } } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-build-batch.js.snapshot/aws-cdk-codepipeline-codebuild-batch.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-build-batch.js.snapshot/aws-cdk-codepipeline-codebuild-batch.template.json index 65f8f49e881bb..4b0a9aeba2acd 100644 
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-build-batch.js.snapshot/aws-cdk-codepipeline-codebuild-batch.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-build-batch.js.snapshot/aws-cdk-codepipeline-codebuild-batch.template.json @@ -482,7 +482,7 @@ "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:7.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" @@ -580,4 +580,4 @@ ] } } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-build-multiple-inputs-outputs.js.snapshot/aws-cdk-codepipeline-codebuild-multiple-inputs-outputs.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-build-multiple-inputs-outputs.js.snapshot/aws-cdk-codepipeline-codebuild-multiple-inputs-outputs.template.json index 4c2e43447e268..0ec139706eee1 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-build-multiple-inputs-outputs.js.snapshot/aws-cdk-codepipeline-codebuild-multiple-inputs-outputs.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-build-multiple-inputs-outputs.js.snapshot/aws-cdk-codepipeline-codebuild-multiple-inputs-outputs.template.json @@ -584,7 +584,7 @@ "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:7.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" @@ -635,4 +635,4 @@ ] } } -} \ No newline at end of file +} 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.js.snapshot/aws-cdk-codepipeline-codecommit-codebuild.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.js.snapshot/aws-cdk-codepipeline-codecommit-codebuild.template.json index 4c6a4f4daa0f3..13d604fcb8b8a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.js.snapshot/aws-cdk-codepipeline-codecommit-codebuild.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.js.snapshot/aws-cdk-codepipeline-codecommit-codebuild.template.json @@ -190,7 +190,7 @@ }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:7.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" @@ -847,4 +847,4 @@ ] } } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-events.js.snapshot/aws-cdk-pipeline-event-target.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-events.js.snapshot/aws-cdk-pipeline-event-target.template.json index 8c0a96dacfa2c..61ef73b460c6b 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-events.js.snapshot/aws-cdk-pipeline-event-target.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-events.js.snapshot/aws-cdk-pipeline-event-target.template.json 
@@ -841,7 +841,7 @@ }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:7.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" @@ -921,4 +921,4 @@ ] } } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-with-pipeline-triggers.js.snapshot/aws-cdk-codepipeline-with-pipeline-triggers.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-with-pipeline-triggers.js.snapshot/aws-cdk-codepipeline-with-pipeline-triggers.template.json index 577f1d2a091d7..71cfa19ffb1d2 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-with-pipeline-triggers.js.snapshot/aws-cdk-codepipeline-with-pipeline-triggers.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-with-pipeline-triggers.js.snapshot/aws-cdk-codepipeline-with-pipeline-triggers.template.json @@ -194,7 +194,7 @@ }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:7.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" @@ -946,7 +946,7 @@ }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:7.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" @@ -1553,4 +1553,4 @@ ] } } -} \ No newline at end of file +} 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-with-replication.js.snapshot/integ-pipeline-consumer-stack.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-with-replication.js.snapshot/integ-pipeline-consumer-stack.template.json index 15f69eb441260..e67aa1735dee6 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-with-replication.js.snapshot/integ-pipeline-consumer-stack.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-with-replication.js.snapshot/integ-pipeline-consumer-stack.template.json @@ -831,7 +831,7 @@ }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:7.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" @@ -979,4 +979,4 @@ ] } } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/s3/integ.source-bucket-events-cross-stack-same-env.js.snapshot/PipelineStack.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/s3/integ.source-bucket-events-cross-stack-same-env.js.snapshot/PipelineStack.template.json index 5c9baff630942..9fc88833bae1d 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/s3/integ.source-bucket-events-cross-stack-same-env.js.snapshot/PipelineStack.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/s3/integ.source-bucket-events-cross-stack-same-env.js.snapshot/PipelineStack.template.json 
@@ -178,7 +178,7 @@ }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:7.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" @@ -885,4 +885,4 @@ ] } } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/codebuild/integ.project-events.js.snapshot/aws-cdk-codebuild-events.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/codebuild/integ.project-events.js.snapshot/aws-cdk-codebuild-events.template.json index 4d8c799d34fb8..a9c97e9a1bf41 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/codebuild/integ.project-events.js.snapshot/aws-cdk-codebuild-events.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/codebuild/integ.project-events.js.snapshot/aws-cdk-codebuild-events.template.json @@ -221,7 +221,7 @@ }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:7.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" @@ -518,4 +518,4 @@ ] } } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/codebuild/integ.start-build.js.snapshot/aws-stepfunctions-tasks-codebuild-start-build-integ.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/codebuild/integ.start-build.js.snapshot/aws-stepfunctions-tasks-codebuild-start-build-integ.template.json index 7e556e0d9bf21..d618f4d51c48e 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/codebuild/integ.start-build.js.snapshot/aws-stepfunctions-tasks-codebuild-start-build-integ.template.json 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/codebuild/integ.start-build.js.snapshot/aws-stepfunctions-tasks-codebuild-start-build-integ.template.json @@ -139,7 +139,7 @@ "Value": "defaultZone" } ], - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:7.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" diff --git a/packages/@aws-cdk/aws-kinesisfirehose-alpha/README.md b/packages/@aws-cdk/aws-kinesisfirehose-alpha/README.md index 3b216e66b1355..dd348a267e943 100644 --- a/packages/@aws-cdk/aws-kinesisfirehose-alpha/README.md +++ b/packages/@aws-cdk/aws-kinesisfirehose-alpha/README.md @@ -54,7 +54,7 @@ The above example defines the following resources: ## Sources -An Amazon Data Firehose delivery stream can accept data from three main sources: Kinesis Data Streams, Managed Streaming for Apache Kafka (MSK), or via a "direct put" (API calls). +An Amazon Data Firehose delivery stream can accept data from three main sources: Kinesis Data Streams, Managed Streaming for Apache Kafka (MSK), or via a "direct put" (API calls). Currently only Kinesis Data Streams and direct put are supported in the CDK. See: [Sending Data to a Delivery Stream](https://docs.aws.amazon.com/firehose/latest/dev/basic-write.html) in the *Amazon Data Firehose Developer Guide*. 
@@ -96,7 +96,9 @@ Data must be provided via "direct put", ie., by using a `PutRecord` or ## Destinations -The following destinations are supported. See [kinesisfirehose-destinations](https://docs.aws.amazon.com/cdk/api/latest/docs/aws-kinesisfirehose-destinations-readme.html) +Amazon Data Firehose supports multiple AWS and third-party services as destinations, including Amazon S3, Amazon Redshift, and more. You can find the full list of supported destination [here](https://docs.aws.amazon.com/firehose/latest/dev/create-destination.html). + +Currently in the AWS CDK, only S3 is implemented as an L2 construct destination. Other destinations can still be configured using L1 constructs. See [kinesisfirehose-destinations](https://docs.aws.amazon.com/cdk/api/latest/docs/aws-kinesisfirehose-destinations-readme.html) for the implementations of these destinations. ### S3 diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/lambda-invoke.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/lambda-invoke.ts index bbd986780b6bd..3de6a3dd7f0a2 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/lambda-invoke.ts +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/lambda-invoke.ts @@ -11,7 +11,7 @@ export class LambdaInvoke extends ScheduleTargetBase implements IScheduleTarget constructor( func: lambda.IFunction, - props: ScheduleTargetBaseProps, + props: ScheduleTargetBaseProps = {}, ) { super(props, func.functionArn); this.func = func; diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/lambda-invoke.test.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/lambda-invoke.test.ts index 2fcb2a8d30629..c0586ccedf106 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/lambda-invoke.test.ts +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/lambda-invoke.test.ts 
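Review bot: The constructor in lambda-invoke.ts still has no doc comment, and with `props` now defaulting to `{}` a caller can omit it without seeing what that implies for IAM. Going by the tests added in this same change, a bare `new LambdaInvoke(func)` ends up with a scheduler execution role that is granted `lambda:InvokeFunction` on the target ARN; that logic is not in this hunk, so the wording should be confirmed against ScheduleTargetBase. I would add a TSDoc block above the constructor with `@param func the function, version or alias to invoke` and `@param props target options; when omitted, the defaults of ScheduleTargetBaseProps apply, including the automatically created execution role`. The constructor body continues outside the hunk.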
@@ -24,7 +24,7 @@ describe('schedule target', () => { }); test('creates IAM role and IAM policy for lambda target in the same account', () => { - const lambdaTarget = new LambdaInvoke(func, {}); + const lambdaTarget = new LambdaInvoke(func); new Schedule(stack, 'MyScheduleDummy', { schedule: expr, @@ -85,6 +85,63 @@ describe('schedule target', () => { }); }); + test('creates IAM role and IAM policy for lambda version', () => { + const lambdaVersion = new lambda.Version(stack, 'MyLambdaVersion', { + lambda: func, + }); + const lambdaTarget = new LambdaInvoke(lambdaVersion); + + new Schedule(stack, 'MyScheduleDummy', { + schedule: expr, + target: lambdaTarget, + }); + + Template.fromStack(stack).resourceCountIs('AWS::Lambda::Permission', 0); + + Template.fromStack(stack).hasResource('AWS::Scheduler::Schedule', { + Properties: { + Target: { + Arn: { + Ref: 'MyLambdaVersion2EF97E33', + }, + RoleArn: { 'Fn::GetAtt': ['SchedulerRoleForTarget1441a743A31888', 'Arn'] }, + RetryPolicy: {}, + }, + }, + }); + + Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ + { + Action: 'lambda:InvokeFunction', + Effect: 'Allow', + Resource: { + Ref: 'MyLambdaVersion2EF97E33', + }, + }, + ], + }, + Roles: [{ Ref: 'SchedulerRoleForTarget1441a743A31888' }], + }); + + Template.fromStack(stack).hasResourceProperties('AWS::IAM::Role', { + AssumeRolePolicyDocument: { + Version: '2012-10-17', + Statement: [ + { + Effect: 'Allow', + Condition: { StringEquals: { 'aws:SourceAccount': '123456789012' } }, + Principal: { + Service: 'scheduler.amazonaws.com', + }, + Action: 'sts:AssumeRole', + }, + ], + }, + }); + }); + test('creates IAM policy for provided IAM role', () => { const targetExecutionRole = new Role(stack, 'ProvidedTargetRole', { assumedBy: new AccountRootPrincipal(), 
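Review bot: The new 'creates IAM role and IAM policy for lambda version' test synthesizes the stack four times through repeated `Template.fromStack(stack)` calls; build it once with `const template = Template.fromStack(stack);` and assert on `template`. The same applies to the 'lambda alias' test added in the `@@ -229,6 +286,68 @@` hunk, whose role and trust-policy assertions are otherwise identical, so a small shared helper for the `AWS::IAM::Role` check would keep the two from drifting. It would also help to put a one-line comment on `resourceCountIs('AWS::Lambda::Permission', 0)`, such as `// invoke access comes from the scheduler role's identity policy, not a Lambda resource policy`, since that assertion is what pins the permission model.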
@@ -193,7 +250,7 @@ describe('schedule target', () => { test('creates IAM policy for imported lambda function in the same account', () => { const importedFunc = lambda.Function.fromFunctionArn(stack, 'ImportedFunction', 'arn:aws:lambda:us-east-1:123456789012:function/somefunc'); - const lambdaTarget = new LambdaInvoke(importedFunc, {}); + const lambdaTarget = new LambdaInvoke(importedFunc); new Schedule(stack, 'MyScheduleDummy', { schedule: expr, 
@@ -229,6 +286,68 @@ describe('schedule target', () => { }); }); + test('creates IAM role and IAM policy for lambda alias', () => { + const lambdaVersion = new lambda.Version(stack, 'MyLambdaVersion', { + lambda: func, + }); + const lambdaAlias = new lambda.Alias(stack, 'MyLambdaAlias', { + version: lambdaVersion, + aliasName: 'SomeAliasName', + }); + + const lambdaTarget = new LambdaInvoke(lambdaAlias); + + new Schedule(stack, 'MyScheduleDummy', { + schedule: expr, + target: lambdaTarget, + }); + + Template.fromStack(stack).resourceCountIs('AWS::Lambda::Permission', 0); + + Template.fromStack(stack).hasResource('AWS::Scheduler::Schedule', { + Properties: { + Target: { + Arn: { + Ref: 'MyLambdaAliasD26C43B4', + }, + RoleArn: { 'Fn::GetAtt': ['SchedulerRoleForTarget1441a743A31888', 'Arn'] }, + RetryPolicy: {}, + }, + }, + }); + + Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ + { + Action: 'lambda:InvokeFunction', + Effect: 'Allow', + Resource: { + Ref: 'MyLambdaAliasD26C43B4', + }, + }, + ], + }, + Roles: [{ Ref: 'SchedulerRoleForTarget1441a743A31888' }], + }); + + Template.fromStack(stack).hasResourceProperties('AWS::IAM::Role', { + AssumeRolePolicyDocument: { + Version: '2012-10-17', + Statement: [ + { + Effect: 'Allow', + Condition: { StringEquals: { 'aws:SourceAccount': '123456789012' } }, + Principal: { + Service: 'scheduler.amazonaws.com', + }, + Action: 'sts:AssumeRole', + }, + ], + }, + }); + }); + test('creates IAM policy for imported role for lambda function in the same account', () => { const importedRole = Role.fromRoleArn(stack, 'ImportedRole', 'arn:aws:iam::123456789012:role/someRole'); @@ -330,7 +449,7 @@ describe('schedule target', () => { }, ); - const lambdaTarget = new LambdaInvoke(importedFunc, {}); + const lambdaTarget = new LambdaInvoke(importedFunc); new Schedule(stack, 'MyScheduleDummy', { schedule: expr, target: lambdaTarget, 
diff --git a/packages/@aws-cdk/integ-runner/package.json b/packages/@aws-cdk/integ-runner/package.json index 8692c6a2c9a33..903f8fe8df86a 100644 --- a/packages/@aws-cdk/integ-runner/package.json +++ b/packages/@aws-cdk/integ-runner/package.json @@ -74,7 +74,7 @@ "@aws-cdk/cloud-assembly-schema": "^38.0.1", "@aws-cdk/cloudformation-diff": "0.0.0", "@aws-cdk/cx-api": "0.0.0", - "cdk-assets": "^2.155.15", + "cdk-assets": "^2.155.17", "@aws-cdk/aws-service-spec": "^0.1.29", "@aws-cdk/cdk-cli-wrapper": "0.0.0", "aws-cdk": "0.0.0", diff --git a/packages/aws-cdk-lib/aws-codebuild/lib/project.ts b/packages/aws-cdk-lib/aws-codebuild/lib/project.ts index 089757a96bc31..42bdca951ba99 100644 --- a/packages/aws-cdk-lib/aws-codebuild/lib/project.ts +++ b/packages/aws-cdk-lib/aws-codebuild/lib/project.ts @@ -563,7 +563,7 @@ export interface CommonProjectProps { /** * Build environment to use for the build. * - * @default BuildEnvironment.LinuxBuildImage.STANDARD_1_0 + * @default BuildEnvironment.LinuxBuildImage.STANDARD_7_0 */ readonly environment?: BuildEnvironment; @@ -1060,7 +1060,7 @@ export class Project extends ProjectBase { }); this.grantPrincipal = this.role; - this.buildImage = (props.environment && props.environment.buildImage) || LinuxBuildImage.STANDARD_1_0; + this.buildImage = (props.environment && props.environment.buildImage) || LinuxBuildImage.STANDARD_7_0; // let source "bind" to the project. this usually involves granting permissions // for the code build role to interact with the source. @@ -1624,7 +1624,7 @@ export interface BuildEnvironment { /** * The image used for the builds. * - * @default LinuxBuildImage.STANDARD_1_0 + * @default LinuxBuildImage.STANDARD_7_0 */ readonly buildImage?: IBuildImage; diff --git a/packages/aws-cdk-lib/aws-codebuild/test/codebuild.test.ts b/packages/aws-cdk-lib/aws-codebuild/test/codebuild.test.ts index e0923a70b1b3b..8337c1d17a0cd 100644 --- a/packages/aws-cdk-lib/aws-codebuild/test/codebuild.test.ts 
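Review bot: The fallback in the `Project` constructor hunk (`|| LinuxBuildImage.STANDARD_7_0`) changes the build image for every existing project that omits `environment.buildImage`, and nothing visible in these hunks gates the change or tells the user about it. Because a build that moves to a different image on the next deploy gets a different toolchain, the `buildImage` docstring should say so, for example `* Set this explicitly if the build depends on a specific image; the default may change between releases.` The two `@default` tags also disagree (`BuildEnvironment.LinuxBuildImage.STANDARD_7_0` on `environment`, `LinuxBuildImage.STANDARD_7_0` on `buildImage`); the second form matches the identifier the constructor uses. The constructor and both interfaces start and end outside these hunks.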
+++ b/packages/aws-cdk-lib/aws-codebuild/test/codebuild.test.ts @@ -149,7 +149,7 @@ describe('default properties', () => { 'Environment': { 'Type': 'LINUX_CONTAINER', 'PrivilegedMode': false, - 'Image': 'aws/codebuild/standard:1.0', + 'Image': 'aws/codebuild/standard:7.0', 'ImagePullCredentialsType': 'CODEBUILD', 'ComputeType': 'BUILD_GENERAL1_SMALL', }, @@ -315,7 +315,7 @@ describe('default properties', () => { }, 'Environment': { 'ComputeType': 'BUILD_GENERAL1_SMALL', - 'Image': 'aws/codebuild/standard:1.0', + 'Image': 'aws/codebuild/standard:7.0', 'ImagePullCredentialsType': 'CODEBUILD', 'PrivilegedMode': false, 'Type': 'LINUX_CONTAINER', @@ -1351,7 +1351,7 @@ describe('artifacts', () => { 'Environment': { 'Type': 'LINUX_CONTAINER', 'PrivilegedMode': false, - 'Image': 'aws/codebuild/standard:1.0', + 'Image': 'aws/codebuild/standard:7.0', 'ImagePullCredentialsType': 'CODEBUILD', 'ComputeType': 'BUILD_GENERAL1_SMALL', }, @@ -1588,7 +1588,7 @@ test('environment variables can be overridden at the project level', () => { }, ], 'PrivilegedMode': false, - 'Image': 'aws/codebuild/standard:1.0', + 'Image': 'aws/codebuild/standard:7.0', 'ImagePullCredentialsType': 'CODEBUILD', 'ComputeType': 'BUILD_GENERAL1_SMALL', }, diff --git a/packages/aws-cdk-lib/aws-codepipeline-actions/test/pipeline.test.ts b/packages/aws-cdk-lib/aws-codepipeline-actions/test/pipeline.test.ts index fac873b4ba4fd..21b561a36d5ba 100644 --- a/packages/aws-cdk-lib/aws-codepipeline-actions/test/pipeline.test.ts +++ b/packages/aws-cdk-lib/aws-codepipeline-actions/test/pipeline.test.ts @@ -412,7 +412,7 @@ describe('pipeline', () => { 'Environment': { 'Type': 'LINUX_CONTAINER', 'PrivilegedMode': false, - 'Image': 'aws/codebuild/standard:1.0', + 'Image': 'aws/codebuild/standard:7.0', 'ComputeType': 'BUILD_GENERAL1_SMALL', }, }); diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md index 0e959c0a2a5ee..ff008f4ea1225 100644 
--- a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md +++ b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md @@ -80,6 +80,7 @@ Flags come in three types: | [@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId](#aws-cdkaws-rdssetcorrectvaluefordatabaseinstancereadreplicainstanceresourceid) | When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn` | 2.161.0 | (fix) | | [@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics](#aws-cdkcorecfnincluderejectcomplexresourceupdatecreatepolicyintrinsics) | When enabled, CFN templates added with `cfn-include` will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values. | 2.161.0 | (fix) | | [@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy](#aws-cdkaws-stepfunctions-tasksfixrunecstaskpolicy) | When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN. | 2.163.0 | (fix) | +| [@aws-cdk/aws-dynamodb:resourcePolicyPerReplica](#aws-cdkaws-dynamodbresourcepolicyperreplica) | When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas | 2.164.0 | (fix) | @@ -143,6 +144,7 @@ The following json shows the current recommended set of flags, as `cdk init` wou "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false, "@aws-cdk/aws-s3:keepNotificationInImportedBucket": false, "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": true, + "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": true, "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": true, "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": true, "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": true, 
@@ -1509,4 +1511,22 @@ When this feature flag is enabled, if the task definition is created in the stac | 2.163.0 | `false` | `true` | +### @aws-cdk/aws-dynamodb:resourcePolicyPerReplica + +*When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas* (fix) + +If this flag is not set, the default behavior for `TableV2` is to use a different `resourcePolicy` for each replica. + +If this flag is set to false, the behavior is that each replica shares the same `resourcePolicy` as the source table. +This will prevent you from creating a new table which has an additional replica and a resource policy. + +This is a feature flag as the old behavior was technically incorrect but users may have come to depend on it. + + +| Since | Default | Recommended | +| ----- | ----- | ----- | +| (not in v1) | | | +| 2.164.0 | `false` | `true` | + + diff --git a/packages/aws-cdk-lib/cx-api/lib/features.ts b/packages/aws-cdk-lib/cx-api/lib/features.ts index 182d14a5f738f..9bc3d0d5a8977 100644 --- a/packages/aws-cdk-lib/cx-api/lib/features.ts +++ b/packages/aws-cdk-lib/cx-api/lib/features.ts @@ -1161,7 +1161,7 @@ export const FLAGS: Record = { This will prevent you from creating a new table which has an additional replica and a resource policy. This is a feature flag as the old behavior was technically incorrect but users may have come to depend on it.`, - introducedIn: { v2: 'V2NEXT' }, + introducedIn: { v2: '2.164.0' }, recommendedValue: true, }, diff --git a/packages/aws-cdk/lib/api/aws-auth/sdk.ts b/packages/aws-cdk/lib/api/aws-auth/sdk.ts index 6a78965620c01..fab6d1d3ce4b0 100644 --- a/packages/aws-cdk/lib/api/aws-auth/sdk.ts +++ b/packages/aws-cdk/lib/api/aws-auth/sdk.ts 
@@ -174,7 +174,18 @@ export class SDK implements ISDK { } public s3(): AWS.S3 { - return this.wrapServiceErrorHandling(new AWS.S3(this.config)); + return this.wrapServiceErrorHandling(new AWS.S3({ + // In FIPS enabled environments, the MD5 algorithm is not available for use in crypto module. + // However by default the S3 client is using an MD5 checksum for content integrity checking. + // While this usage is technically allowed in FIPS (MD5 is only prohibited for cryptographic use), + // in practice it is just easier to use an allowed checksum mechanism. + // We are disabling the S3 content checksums, and are re-enabling the regular SigV4 body signing. + // SigV4 uses SHA256 for their content checksum. This configuration matches the default behavior + // of the AWS SDKv3 and is a safe choice for all users. + s3DisableBodySigning: false, + computeChecksums: false, + ...this.config, + })); } public route53(): AWS.Route53 { diff --git a/packages/aws-cdk/lib/api/util/checks.ts b/packages/aws-cdk/lib/api/util/checks.ts index 11c1c856eb384..96fe2a3bc549f 100644 --- a/packages/aws-cdk/lib/api/util/checks.ts +++ b/packages/aws-cdk/lib/api/util/checks.ts 
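Review bot: In `s3()` the two new defaults come before `...this.config` in the object literal, so a `computeChecksums` or `s3DisableBodySigning` key present in `this.config` overrides them and could re-enable the MD5 content checksum the comment sets out to avoid. If that override is intended, say so next to the spread, e.g. `// this.config is spread last so an explicit setting from the caller still wins`. If the FIPS-compatible values must always apply, move `...this.config` to the first position. The comment block explains why the values were chosen but not which side takes precedence. The `SDK` class starts and ends outside the hunk.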
@@ -18,13 +18,19 @@ export async function determineAllowCrossAccountAssetPublishing(sdk: ISDK, custo return true; } - // other scenarios are highly irregular and potentially dangerous so we prevent it by - // instructing cdk-assets to detect foreign bucket ownership and reject. + // If there is a staging bucket AND the bootstrap version is old, then we want to protect + // against accidental cross-account publishing. return false; } catch (e) { + // You would think we would need to fail closed here, but the reality is + // that we get here if we couldn't find the bootstrap stack: that is + // completely valid, and many large organizations may have their own method + // of creating bootstrap resources. If they do, there's nothing for us to validate, + // but we can't use that as a reason to disallow cross-account publishing. We'll just + // have to trust they did their due diligence. So we fail open. debug(`Error determining cross account asset publishing: ${e}`); - debug('Defaulting to disallowing cross account asset publishing'); - return false; + debug('Defaulting to allowing cross account asset publishing'); + return true; } } 
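Review bot: The `catch` now returns `true` for every exception, not only for the missing-bootstrap-stack case that the new comment describes. A throttled or denied `describeStacks` call would take the same path, and presumably so would the `Invalid BootstrapVersion value` error thrown in `getBootstrapStackInfo`; in each case the cross-account protection is dropped with only a `debug` line as a trace. Consider returning `true` only when the failure is recognisably "stack does not exist" and keeping `return false;` for anything else, or at least reporting the fallback at a level users see by default. The body of `determineAllowCrossAccountAssetPublishing` starts outside the hunk, so the extent of the `try` block is not visible here.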
@@ -54,15 +60,16 @@ export async function getBootstrapStackInfo(sdk: ISDK, stackName: string): Promi throw new Error(`Invalid BootstrapVersion value: ${versionOutput.OutputValue}`); } - // try to get bucketname from the logical resource id - let bucketName: string | undefined; - const resourcesResponse = await cfn.describeStackResources({ StackName: stackName }).promise(); - const bucketResource = resourcesResponse.StackResources?.find(resource => - resource.ResourceType === 'AWS::S3::Bucket', - ); - bucketName = bucketResource?.PhysicalResourceId; - - let hasStagingBucket = !!bucketName; + // try to get bucketname from the logical resource id. If there is no + // bucketname, or the value doesn't look like an S3 bucket name, we assume + // the bucket doesn't exist (this is for the case where a template customizer did + // not dare to remove the Output, but put a dummy value there like '' or '-' or '***'). + // + // We would have preferred to look at the stack resources here, but + // unfortunately the deploy role doesn't have permissions call DescribeStackResources. + const bucketName = stack.Outputs?.find(output => output.OutputKey === 'BucketName')?.OutputValue; + // Must begin and end with letter or number. + const hasStagingBucket = !!(bucketName && bucketName.match(/^[a-z0-9]/) && bucketName.match(/[a-z0-9]$/)); return { hasStagingBucket, diff --git a/packages/aws-cdk/package.json b/packages/aws-cdk/package.json index 5cfa1b1134a9f..0167152d63397 100644 --- a/packages/aws-cdk/package.json +++ b/packages/aws-cdk/package.json @@ -104,7 +104,7 @@ "archiver": "^5.3.2", "aws-sdk": "^2.1691.0", "camelcase": "^6.3.0", - "cdk-assets": "^2.155.15", + "cdk-assets": "^2.155.17", "cdk-from-cfn": "^0.162.0", "chalk": "^4", "chokidar": "^3.6.0", diff --git a/packages/aws-cdk/test/api/util/checks.test.ts b/packages/aws-cdk/test/api/util/checks.test.ts index 2db7e3d1603ea..697cbced9254b 100644 --- a/packages/aws-cdk/test/api/util/checks.test.ts 
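Review bot: `hasStagingBucket` now depends only on the `BucketName` stack output, so a customized bootstrap template that keeps its staging bucket but drops or renames that output is classified as bucket-less; judging by the new tests, cross-account publishing is then allowed. The comment explains why `DescribeStackResources` cannot be used but not this consequence, so add a line such as `// NOTE: a stack that has a bucket but no usable 'BucketName' output is treated as having no staging bucket.` The two `match` calls are only used for their truthiness, so `/^[a-z0-9]/.test(bucketName) && /[a-z0-9]$/.test(bucketName)` would state the intent more directly. `getBootstrapStackInfo` starts and ends outside the hunk.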
+++ b/packages/aws-cdk/test/api/util/checks.test.ts @@ -25,8 +25,20 @@ describe('determineAllowCrossAccountAssetPublishing', () => { }); }); - AWSMock.mock('CloudFormation', 'describeStackResources', (_params: any, callback: Function) => { - callback(null, { StackResources: [] }); + const result = await determineAllowCrossAccountAssetPublishing(mockSDK); + expect(result).toBe(true); + }); + + it.each(['', '-', '*', '---'])('should return true when the bucket output does not look like a real bucket', async (notABucketName) => { + AWSMock.mock('CloudFormation', 'describeStacks', (_params: any, callback: Function) => { + callback(null, { + Stacks: [{ + Outputs: [ + { OutputKey: 'BootstrapVersion', OutputValue: '1' }, + { OutputKey: 'BucketName', OutputValue: notABucketName }, + ], + }], + }); }); const result = await determineAllowCrossAccountAssetPublishing(mockSDK); 
@@ -37,13 +49,30 @@ describe('determineAllowCrossAccountAssetPublishing', () => { AWSMock.mock('CloudFormation', 'describeStacks', (_params: any, callback: Function) => { callback(null, { Stacks: [{ - Outputs: [{ OutputKey: 'BootstrapVersion', OutputValue: '21' }], + Outputs: [ + { OutputKey: 'BootstrapVersion', OutputValue: '21' }, + { OutputKey: 'BucketName', OutputValue: 'some-bucket' }, + ], }], }); }); - AWSMock.mock('CloudFormation', 'describeStackResources', (_params: any, callback: Function) => { - callback(null, { StackResources: [{ ResourceType: 'AWS::S3::Bucket', PhysicalResourceId: 'some-bucket' }] }); + const result = await determineAllowCrossAccountAssetPublishing(mockSDK); + expect(result).toBe(true); + }); + + it('should return true if looking up the bootstrap stack fails', async () => { + AWSMock.mock('CloudFormation', 'describeStacks', (_params: any, callback: Function) => { + callback(new Error('Could not read bootstrap stack')); + }); + + const result = await determineAllowCrossAccountAssetPublishing(mockSDK); + expect(result).toBe(true); + }); + + it('should return true if looking up the bootstrap stack fails', async () => { + AWSMock.mock('CloudFormation', 'describeStacks', (_params: any, callback: Function) => { + callback(new Error('Could not read bootstrap stack')); }); const result = await determineAllowCrossAccountAssetPublishing(mockSDK); 
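Review bot: The test `should return true if looking up the bootstrap stack fails` is added twice in this hunk with the same title and the same `describeStacks` mock, so the second copy adds no coverage and leaves a duplicate test name in the report. Drop one copy, or turn the second into a case the first does not exercise, such as a `describeStacks` response whose `BootstrapVersion` output is not a number. The closing lines of the second copy fall outside the hunk.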
@@ -54,15 +83,14 @@ describe('determineAllowCrossAccountAssetPublishing', () => { AWSMock.mock('CloudFormation', 'describeStacks', (_params: any, callback: Function) => { callback(null, { Stacks: [{ - Outputs: [{ OutputKey: 'BootstrapVersion', OutputValue: '20' }], + Outputs: [ + { OutputKey: 'BootstrapVersion', OutputValue: '20' }, + { OutputKey: 'BucketName', OutputValue: 'some-bucket' }, + ], }], }); }); - AWSMock.mock('CloudFormation', 'describeStackResources', (_params: any, callback: Function) => { - callback(null, { StackResources: [{ ResourceType: 'AWS::S3::Bucket', PhysicalResourceId: 'some-bucket' }] }); - }); - const result = await determineAllowCrossAccountAssetPublishing(mockSDK); expect(result).toBe(false); }); @@ -85,15 +113,14 @@ describe('getBootstrapStackInfo', () => { AWSMock.mock('CloudFormation', 'describeStacks', (_params: any, callback: Function) => { callback(null, { Stacks: [{ - Outputs: [{ OutputKey: 'BootstrapVersion', OutputValue: '21' }], + Outputs: [ + { OutputKey: 'BootstrapVersion', OutputValue: '21' }, + { OutputKey: 'BucketName', OutputValue: 'some-bucket' }, + ], }], }); }); - AWSMock.mock('CloudFormation', 'describeStackResources', (_params: any, callback: Function) => { - callback(null, { StackResources: [{ ResourceType: 'AWS::S3::Bucket', PhysicalResourceId: 'some-bucket' }] }); - }); - const result = await getBootstrapStackInfo(mockSDK, 'CDKToolkit'); expect(result).toEqual({ hasStagingBucket: true, diff --git a/version.v2.json b/version.v2.json index a3c8b17a2f5e2..c70824e010f3c 100644 --- a/version.v2.json +++ b/version.v2.json @@ -1,4 +1,4 @@ { - "version": "2.163.1", - "alphaVersion": "2.163.1-alpha.0" + "version": "2.164.0", + "alphaVersion": "2.164.0-alpha.0" } \ No newline at end of file diff --git a/yarn.lock b/yarn.lock index 1e079cf0fd5bf..e3d2e43dbccff 100644 --- a/yarn.lock +++ b/yarn.lock 
@@ -79,7 +79,7 @@ jsonschema "^1.4.1" semver "^7.6.3" -"@aws-cdk/cx-api@^2.162.1": +"@aws-cdk/cx-api@^2.163.1": version "2.163.1" resolved "https://registry.npmjs.org/@aws-cdk/cx-api/-/cx-api-2.163.1.tgz#ef55da9f471c963d877b23d3201ca4560d656b2e" integrity sha512-0bVL/pX0UcliCdXVcgtLVL3W5EHAp4RgW7JN3prz1dIOmLZzZ30DW0qWSc0D0EVE3rVG6RVgfIiuFBFK6WFZ+w== @@ -6646,13 +6646,13 @@ case@1.6.3, case@^1.6.3: resolved "https://registry.npmjs.org/case/-/case-1.6.3.tgz#0a4386e3e9825351ca2e6216c60467ff5f1ea1c9" integrity sha512-mzDSXIPaFwVDvZAHqZ9VlbyF4yyXRuX6IvB06WvPYkqJVO24kX1PPhv9bfpKNFZyxYFmmgo03HUiD8iklmJYRQ== -cdk-assets@^2.155.15: - version "2.155.15" - resolved "https://registry.npmjs.org/cdk-assets/-/cdk-assets-2.155.15.tgz#e9480cc610d95c940dd785dfc50bcca32786e0ee" - integrity sha512-L8I+YEkh1V4jljJ6gMkiDuW7+G8SkA6sF8l5dQMw3WBNeD6RUPZ2gV8gDAse+PNZ59Xu8lXElAnwzJeZQKpHqg== +cdk-assets@^2.155.17: + version "2.155.17" + resolved "https://registry.npmjs.org/cdk-assets/-/cdk-assets-2.155.17.tgz#d6c285d0279aec8226b45577a151e6dd32a12fa5" + integrity sha512-+hJlYYlsPHhPCeMC/V3pMyrjz5K8p9SQdC50qMg6a8/w/3w0WY1ZixyKGtpJfFB11C3Ubb04l2miieaAH00CIA== dependencies: "@aws-cdk/cloud-assembly-schema" "^38.0.1" - "@aws-cdk/cx-api" "^2.162.1" + "@aws-cdk/cx-api" "^2.163.1" archiver "^5.3.2" aws-sdk "^2.1691.0" glob "^7.2.3"