chore(release): 2.164.0 #31881

Merged
merged 29 commits into from
Oct 24, 2024
@aws-cdk-automation aws-cdk-automation (Collaborator) commented Oct 24, 2024

See CHANGELOG

badmintoncryer and others added 28 commits October 21, 2024 21:14
### Issue # (if applicable)

Closes #31779.

### Reason for this change

CloudFormation supports creating AWS IoT scheduled audits, but AWS CDK does not.

### Description of changes

- Define `ScheduledAudit` construct

CloudFormation does not support two audit checks. Therefore, I have not implemented these checks in the `AuditCheck` enum:

- INTERMEDIATE_CA_REVOKED_FOR_ACTIVE_DEVICE_CERTIFICATES_CHECK
- IOT_POLICY_POTENTIAL_MIS_CONFIGURATION_CHECK

If we try to deploy these checks, the deployment will fail.

```sh
Resource handler returned message: "Request contains an invalid Audit Check Name. (Service: Iot, Status Code: 400, Request ID: 3fb58c68-2845-4cc0-882c-7d9b5495ff2a)" (RequestToken: dcb09acd-609f-dfe5-7b63-6eb208052949, HandlerErrorCode: InvalidRequest)
```

### Description of how you validated changes

Added both unit and integ tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
I found some typos by chance and fixed them :)

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…rifications (#31840)

### Description of changes

Update the README to have the service be called *Amazon Data Firehose* instead of *Kinesis Data Firehose* as it has been renamed earlier this year: https://aws.amazon.com/about-aws/whats-new/2024/02/amazon-data-firehose-formerly-kinesis-data-firehose/

Additionally, some more edits to include clarifications.

### Description of how you validated changes



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…wsSDK (#31839)

### Issue # (if applicable)

Closes #31789

### Reason for this change

Comments had grammatical mistakes.

### Description of changes

Rephrased the sentence and added more clarification.

### Description of how you validated changes


No

### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… deployments (#31846)

Fixes #31845  

Manually verified that cross-account access is possible again. Will follow up with a PR for more tests. 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…#31805)

### Reason for this change

The `request-cli-integ-test` pipeline is currently broken after a dependabot commit ([af89640](af89640)) which upgraded the version of the `actions-comment-pull-request` action to the latest changes which had breaking changes.

### Description of changes

Updated the parameters passed to the action to correspond to the new naming convention as defined in the [changelog](https://github.com/thollander/actions-comment-pull-request/releases/tag/v3.0.0).

### Description of how you validated changes

I cannot test this myself, but the changes are straightforward.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #31653

### Reason for this change

With Role.customizeRoles enabled, dynamodb.Table.addGlobalSecondaryIndex causes an error. This is a critical blocker for customers who require the use of customizeRoles.

### Description of changes

#### Intended behaviour

When `customizeRoles` is used, the `iam-policy-report.txt` report will contain a list of IAM roles and associated permissions that would have been created. This report is generated so that it attempts to resolve any references and replace them with a more user-friendly value.

The following are some examples of the value that will appear in the report:

```json
"Resource": {
      "Fn::GetAtt": [
           "SomeResource",
           "Arn"
       ]
}
```

The policy report will instead get:

```json
"(Path/To/SomeResource.Arn)"
```


#### Current issues
There are two main issues here:
1. Policy synthesizer (which is used for customizeRoles to generate report) is created with `App` scope. This caused the failure in the original issue `Resolution error: PolicySynthesizer at 'PolicySynthesizer' should be created in the scope of a Stack, but no Stack found.` because token resolution requires a Stack scope not an App scope.
2. The policy synthesizer was using `DefaultTokenResolver`. The default token resolution class does not generate the same format of output values for the policy report, i.e. a concatenated token value such as `${Token[Token.X]}/index/*` would be converted to `(PhysicalId).Arn` instead of `"(Path/To/SomeResource.Arn)"`.
3. Pseudo parameters like `AWS::NoValue` would be rendered as `Tokens` in the policy report, which is not ideal. Update it to output `NOVALUE`.

This PR addresses the above two issues.

### Description of how you validated changes

New and existing tests pass.

### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…legacy bucket names (#31852)

### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change


PR #31813

### Description of changes




- update s3 README to mention support for uppercase letters in legacy bucket names

### Description of how you validated changes



preview of the README file

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ge (#31811)

### Issue # (if applicable)

N/A

### Reason for this change

To ensure customers are using the module securely, we want to encourage them to follow the best practice of the principle of least privilege. That is, customers are only providing as much access as necessary to complete the task, and no privileges greater than that.

### Description of changes

* Updated the README to include sentences around the privilege and access granting sections encouraging only giving the least amount of privileges necessary.
* Updated the README example to remove wildcard privilege.

### Description of how you validated changes

`yarn rosetta:extract` passes.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…Preview (#31854)

### Description of changes

Updated the README stability banner as we move Cognito Identity Pools into developer preview, taking the next step towards being fully stabilized.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #31711

### Reason for this change

When we set mapPublicIpOnLaunch=false for public subnets, NAT instances do not get public IP addresses assigned, resulting in non-working NAT instances.

Disabling mapPublicIpOnLaunch is recommended by an AWS Config rule (and by cdk-nag as well):
https://docs.aws.amazon.com/config/latest/developerguide/subnet-auto-assign-public-ip-disabled.html

### Description of changes

Support `associatePublicIpAddress`

### Description of how you validated changes

New unit and integ tests.

### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #31815.

### Reason for this change
To use email based MFA.


### Description of changes
Add email option to [MfaSecondFactor](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.MfaSecondFactor.html).



### Description of how you validated changes
Add unit tests and integ test.



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Add Anthropic's Claude 3.5 Sonnet V2 model.

- https://aws.amazon.com/blogs/aws/upgraded-claude-3-5-sonnet-from-anthropic-available-now-computer-use-public-beta-and-claude-3-5-haiku-coming-soon-in-amazon-bedrock/
- The upgraded [Claude 3.5 Sonnet](https://aws.amazon.com/bedrock/claude/) is available today in [Amazon Bedrock](https://aws.amazon.com/bedrock/) in the US West (Oregon).

```sh
% AWS_REGION=us-west-2 AWS_PROFILE=pahud aws bedrock list-foundation-models | jq -r '.modelSummaries[] | select(.modelId | startswith("anthropic.claude-3-5")) | .modelId'
anthropic.claude-3-5-sonnet-20241022-v2:0
anthropic.claude-3-5-sonnet-20240620-v1:0:18k
anthropic.claude-3-5-sonnet-20240620-v1:0:51k
anthropic.claude-3-5-sonnet-20240620-v1:0:200k
anthropic.claude-3-5-sonnet-20240620-v1:0
```


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…rget throws synth error (#31837)

### Issue # (if applicable)

Closes #29284.

### Reason for this change

Removed the same env check between the Schedule and the Lambda target to allow use of imported Lambda function as target.

### Description of changes

Removed the check that forces the Schedule and the Lambda function to be in the same account and region.

### Description of how you validated changes

- Unit test added to ensure no synth error when using imported Lambda function.
- Integ test added to ensure imported function works. The test ensures the lambda is executed and did what it is supposed to do (i.e. added tag to itself).

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

None

### Reason for this change

There are some improper JSDoc formatting.

### Description of changes

I have corrected multiple instances of improper JSDoc formatting.

```diff
/**
-   * description
-   * 
-   * @default - xxx
-   */
+ * description
+ * 
+ * @default - xxx
+ */ 
```
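Review bot: the replacement lines still carry trailing whitespace (the `+ * ` line and the final `+ */ ` line both end in a space), so a no-trailing-spaces lint rule would flag the cleaned-up comment; trim them so the JSDoc fix does not trade one formatting nit for another. The realignment itself is consistent: the `-` lines show the comment body over-indented relative to the opening `/**`, and the `+` lines bring each ` * ` back to a single leading space.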
### Description of how you validated changes

None

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue #29618

### Reason for this change

We aim to speed up deployment times in our development environment by using the hotswap feature. However, our services have dependencies on each other, and the current hotswap behavior is too disruptive. 

### Description of changes

We modified the hotswap implementation for ECS services to pass the `minimumHealthyPercent` and `maximumHealthyPercent` configurable parameters. These parameters are exposed to the CLI and can be passed as `--hotswap-ecs-minimum-healthy-percent <number>` and `--hotswap-ecs-maximum-healthy-percent <number>`.

The implementation is careful to maintain the existing behaviour. That is, if none of the new flags is used, the current `minimumHealthyPercent = 0` and  `maximumHealthyPercent = undefined` values are used.

### Description of how you validated changes

We added a unit test validating that the correct values are passed to the task definition. We also executed using the locally built version of cdk validating that the behavior is as expected: the parameters are respected during hotswap deployments, and the existing API is maintained.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…rification (#31861)

### Description of changes

Clarify in README that a LogGroup and LogStream with **default settings** will be created. 

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…key causes EventBridge FailedInvocations (#31836)

### Issue # (if applicable)

Closes #10996.

### Reason for this change
When a Kinesis Stream is encrypted with a customer managed KMS key, CDK will generate a KMS key for the Kinesis Stream.
```ts
const stream = new kinesis.Stream(stack, 'MyStream', {
  encryption: kinesis.StreamEncryption.KMS,
});
```

If it is used as a events target, CDK will provide permissions to the role of target so it can write to the kinesis stream:
```ts
{
  Action: ['kinesis:PutRecord', 'kinesis:PutRecords'],
  Effect: 'Allow',
  Resource: streamArn,
}
```

If the Kinesis stream is not encrypted with a customer managed KMS key, these permissions will be sufficient. However, since the Kinesis stream is encrypted with a customer managed KMS key, the invocation will fail because events doesn't have permissions to the KMS key.

Actually, there's already a `grantWrite()` method to grant sufficient permissions in this case. When a customer managed KMS key is used, it will generate extra policies for the key. We should use it.
https://github.com/aws/aws-cdk/blob/366b4927c50168113dd4057f6255ab6c76278135/packages/aws-cdk-lib/aws-kinesis/lib/stream.ts#L355

Difference:

These permissions will be added to the event:
```ts
{
  Action: ['kinesis:ListShards', 'kinesis:PutRecord', 'kinesis:PutRecords'], // ListShards is new
  Effect: 'Allow',
  Resource: streamArn,
}
```

These permissions will be added to the event if the target Kinesis stream is using a customer managed KMS key:
```ts
{
  Action: ['kms:Encrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*'],
  Effect: 'Allow',
  Resource: streamKeyArn,
},
```

### Description of changes

Use the existing `grantWrite()` method instead of manipulating IAM policies directly.

### Description of how you validated changes

unit tests/integration tests

### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
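As an added example (not code from aws-cdk or from this PR), the following TypeScript lint scans a synthesized CloudFormation template for the gap described in the commit above: an Events rule target whose role holds the Kinesis write actions but none of the KMS actions on a customer managed stream key, which is the shape that produces FailedInvocations. The template layout, logical ids (`MyStream`, `StreamKey`, `TargetRole`) and helper names are constructed for the example; the resource-matching is a deliberate simplification of IAM evaluation.

```typescript
type CfnValue = any;
interface Statement { Action: string | string[]; Effect: string; Resource: CfnValue }
interface Finding { rule: string; role: string; stream: string; key: string; missing: string[] }
// KMS actions that Stream.grantWrite() adds for a customer managed key (per the PR text).
const REQUIRED_KMS = ["kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*"];
// Logical id behind {Ref: X} or {"Fn::GetAtt": [X, ...]}; undefined for anything else.
function logicalId(v: CfnValue): string | undefined {
  if (!v || typeof v !== "object") return undefined;
  return typeof v.Ref === "string" ? v.Ref : Array.isArray(v["Fn::GetAtt"]) ? v["Fn::GetAtt"][0] : undefined;
}
// IAM-style action match: exact, or the granted action is a trailing-wildcard prefix of it.
function covers(granted: string, wanted: string): boolean {
  const want = wanted.slice(-1) === "*" ? wanted.slice(0, -1) : wanted;
  if (granted.slice(-1) === "*") return want.indexOf(granted.slice(0, -1)) === 0;
  return granted === wanted;
}

function findMissingKmsGrants(template: { Resources: Record<string, CfnValue> }): Finding[] {
  const res = template.Resources, findings: Finding[] = [];
  for (const ruleId of Object.keys(res)) {
    const rule = res[ruleId];
    if (rule.Type !== "AWS::Events::Rule") continue;
    for (const target of rule.Properties?.Targets ?? []) {
      const streamId = logicalId(target.Arn), roleId = logicalId(target.RoleArn);
      const stream = streamId ? res[streamId] : undefined;
      if (!streamId || !roleId || stream?.Type !== "AWS::Kinesis::Stream") continue;
      const keyId = logicalId(stream.Properties?.StreamEncryption?.KeyId);
      if (!keyId) continue; // no customer managed key in the template: Kinesis actions suffice
      const granted: string[] = []; // KMS actions the target role holds on that key
      for (const polId of Object.keys(res)) {
        const pol = res[polId];
        if (pol.Type !== "AWS::IAM::Policy") continue;
        if (!(pol.Properties?.Roles ?? []).some((r: CfnValue) => logicalId(r) === roleId)) continue;
        for (const st of pol.Properties.PolicyDocument.Statement as Statement[]) {
          // Simplification: a Resource entry counts if it is "*" or references the key's logical id.
          const onKey = (Array.isArray(st.Resource) ? st.Resource : [st.Resource])
            .some((r: CfnValue) => r === "*" || logicalId(r) === keyId);
          if (st.Effect !== "Allow" || !onKey) continue;
          granted.push(...(Array.isArray(st.Action) ? st.Action : [st.Action]));
        }
      }
      const missing = REQUIRED_KMS.filter((w) => !granted.some((g) => covers(g, w)));
      if (missing.length) findings.push({ rule: ruleId, role: roleId, stream: streamId, key: keyId, missing });
    }
  }
  return findings;
}
// Constructed sample template: the "before" shape (Kinesis actions only) or the grantWrite() shape.
function sampleTemplate(withKmsGrant: boolean): { Resources: Record<string, CfnValue> } {
  const statements: Statement[] = [{ Action: ["kinesis:PutRecord", "kinesis:PutRecords"],
    Effect: "Allow", Resource: { "Fn::GetAtt": ["MyStream", "Arn"] } }];
  if (withKmsGrant) statements.push({ Action: REQUIRED_KMS, Effect: "Allow",
    Resource: { "Fn::GetAtt": ["StreamKey", "Arn"] } });
  return { Resources: {
    StreamKey: { Type: "AWS::KMS::Key", Properties: {} },
    MyStream: { Type: "AWS::Kinesis::Stream", Properties: { StreamEncryption: {
      EncryptionType: "KMS", KeyId: { "Fn::GetAtt": ["StreamKey", "Arn"] } } } },
    TargetRole: { Type: "AWS::IAM::Role", Properties: {} },
    TargetPolicy: { Type: "AWS::IAM::Policy", Properties: { Roles: [{ Ref: "TargetRole" }],
      PolicyDocument: { Version: "2012-10-17", Statement: statements } } },
    Rule: { Type: "AWS::Events::Rule", Properties: { Targets: [{ Arn: { "Fn::GetAtt": ["MyStream", "Arn"] },
      RoleArn: { "Fn::GetAtt": ["TargetRole", "Arn"] } }] } },
  } };
}
```

Running `findMissingKmsGrants` over the output of `cdk synth` (after `JSON.parse`) reports each rule target whose role lacks the KMS grant, naming the missing actions, so the gap is caught at review time rather than as FailedInvocations in production.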
…icies in TableV2 and feature flag (#31513)

### Issue # (if applicable)

Closes #30705

### Reason for this change

Resource policies were shared across all replicas in a region.

### Description of changes

Changed the logic to only apply resource policy to the local replica region, or to specific replicas only when defined.

### Description of how you validated changes

yes

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…rces/destinations are supported in the CDK (#31868)

### Description of changes
Update the README to explicitly clarify which sources/destinations are supported in the CDK.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ld projects (#31859)

### Issue # (if applicable)

Closes #31614

### Reason for this change

Updates the default curated Docker image used for CodeBuild projects to the latest version. The existing default image version is deprecated. 

### Description of changes

Updated image constants in the CodeBuild project logic. 

### Description of how you validated changes

Updated and ran CodeBuild unit tests. 

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ap stack (#31876)

If the bootstrap stack can't be found, it can't be validated. We used to fail closed, but that just means that cross-account publishing is broken.

Instead, we have to fail open.

This is not the only protection mechanism we have, so the local check is more of a bonus.

Fixes #31866.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…rces (#31878)

The cross-account asset uploading detection check required that the `deploy-role` could call `DescribeStackResources` -- which it can't.

Instead, rely on parsing the `Outputs` of `DescribeStacks`. This is equivalent for the built-in stack, and relies on stack customizers to have removed the Output or put a dummy value there that does not look like a stack name (like `''`, `'-'` or `'*'`). It's not *as* good, but probably good enough.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@aws-cdk-automation aws-cdk-automation added auto-approve pr/no-squash This PR should be merged instead of squash-merging it labels Oct 24, 2024
@github-actions github-actions bot added the p2 label Oct 24, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team October 24, 2024 13:01
@aws-cdk-automation aws-cdk-automation (Collaborator, Author) commented:

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 3a64371
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

mergify bot (Contributor) commented Oct 24, 2024

Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 75cf2e0 into v2-release Oct 24, 2024
8 of 9 checks passed
@mergify mergify bot deleted the bump/2.164.0 branch October 24, 2024 13:41