From 82b163d00c0b6726cdd8c7fc092fd377bda0a4e2 Mon Sep 17 00:00:00 2001 From: Michael Sambol Date: Tue, 23 Jul 2024 17:53:01 -0500 Subject: [PATCH 01/17] fix(stepfunctions-tasks): run task perm no longer valid (#30788) ### Issue # (if applicable) Closes #30751. ### Reason for this change `runTask` on `${taskDefinitionFamilyArn}` is no longer relevant (see validation errors in the linked issue. This was currently disabled with a FF. This PR removes the permission entirely, and removes the FF. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../test/ecs/integ.ec2-run-task.ts | 3 +- .../test/ecs/integ.fargate-run-task.ts | 3 +- .../lib/ecs/run-task.ts | 33 +- .../test/ecs/run-tasks-feature-flag.test.ts | 488 ------------------ .../test/ecs/run-tasks.test.ts | 2 - packages/aws-cdk-lib/cx-api/lib/features.ts | 14 - 6 files changed, 8 insertions(+), 535 deletions(-) delete mode 100644 packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks-feature-flag.test.ts diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.ts index e4af41e57113b..05cb571dbd3d7 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.ts @@ -4,7 +4,7 @@ import * as ecs from 'aws-cdk-lib/aws-ecs'; import * as sfn from 'aws-cdk-lib/aws-stepfunctions'; import * as cdk from 'aws-cdk-lib'; import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks'; -import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP, ECS_REDUCE_RUN_TASK_PERMISSIONS } from 'aws-cdk-lib/cx-api'; +import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api'; import { IntegTest } from '@aws-cdk/integ-tests-alpha'; /* @@ -20,7 +20,6 @@ import { IntegTest } from '@aws-cdk/integ-tests-alpha'; const app = new cdk.App(); const stack = new cdk.Stack(app, 'aws-sfn-tasks-ecs-run-task'); stack.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false); -stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, true); const cluster = new ecs.Cluster(stack, 'Ec2Cluster'); cluster.addCapacity('DefaultAutoScalingGroup', { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.ts index 98a31e84b9520..3dad45d7604a3 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.ts @@ -3,7 +3,7 @@ import * as ecs from 'aws-cdk-lib/aws-ecs'; import * as sfn from 'aws-cdk-lib/aws-stepfunctions'; import * as cdk from 'aws-cdk-lib'; import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks'; -import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP, ECS_REDUCE_RUN_TASK_PERMISSIONS } from 'aws-cdk-lib/cx-api'; +import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api'; import { IntegTest } from '@aws-cdk/integ-tests-alpha'; /* @@ -19,7 +19,6 @@ import { IntegTest } from '@aws-cdk/integ-tests-alpha'; const app = new cdk.App(); const stack = new cdk.Stack(app, 'aws-sfn-tasks-ecs-fargate-run-task'); stack.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false); -stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, true); const cluster = new ecs.Cluster(stack, 'FargateCluster'); diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/ecs/run-task.ts b/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/ecs/run-task.ts index f23a0d68fc567..6ab4fc5cedbe7 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/ecs/run-task.ts +++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/ecs/run-task.ts @@ -5,7 +5,6 @@ import * as ecs from '../../../aws-ecs'; import * as iam from '../../../aws-iam'; import * as sfn from '../../../aws-stepfunctions'; import * as cdk from '../../../core'; -import * as cxapi from '../../../cx-api'; import { integrationResourceArn, validatePatternSupported } from '../private/task-utils'; /** @@ -347,31 +346,11 @@ export class EcsRunTask extends sfn.TaskStateBase implements ec2.IConnectable { private makePolicyStatements(): iam.PolicyStatement[] { const stack = cdk.Stack.of(this); - const taskDefinitionFamilyArn = this.getTaskDefinitionFamilyArn(); - const reduceRunTaskPermissions = cdk.FeatureFlags.of(this).isEnabled(cxapi.ECS_REDUCE_RUN_TASK_PERMISSIONS); - let policyStatements = []; - - // https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html - if (reduceRunTaskPermissions) { - policyStatements.push( - new iam.PolicyStatement({ - actions: ['ecs:RunTask'], - resources: [`${taskDefinitionFamilyArn}:*`], - }), - ); - } else { - policyStatements.push( - new iam.PolicyStatement({ - actions: ['ecs:RunTask'], - resources: [ - taskDefinitionFamilyArn, - `${taskDefinitionFamilyArn}:*`, - ], - }), - ); - } - - policyStatements.push( + const policyStatements = [ + new iam.PolicyStatement({ + actions: ['ecs:RunTask'], + resources: [`${this.getTaskDefinitionFamilyArn()}:*`], + }), new iam.PolicyStatement({ actions: ['ecs:StopTask', 'ecs:DescribeTasks'], resources: ['*'], @@ -380,7 +359,7 @@ export class EcsRunTask extends sfn.TaskStateBase implements ec2.IConnectable { actions: ['iam:PassRole'], resources: this.taskExecutionRoles().map((r) => r.roleArn), }), - ); + ]; if (this.integrationPattern === sfn.IntegrationPattern.RUN_JOB) { policyStatements.push( diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks-feature-flag.test.ts b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks-feature-flag.test.ts deleted file mode 100644 index a4b8cf53b812e..0000000000000 --- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks-feature-flag.test.ts +++ /dev/null @@ -1,488 +0,0 @@ -import { Template } from '../../../assertions'; -import * as autoscaling from '../../../aws-autoscaling'; -import * as ec2 from '../../../aws-ec2'; -import * as ecs from '../../../aws-ecs'; -import * as sfn from '../../../aws-stepfunctions'; -import { Stack } from '../../../core'; -import { ECS_REDUCE_RUN_TASK_PERMISSIONS } from '../../../cx-api'; -import * as tasks from '../../lib'; - -let stack: Stack; -let vpc: ec2.Vpc; -let cluster: ecs.Cluster; - -/* eslint-disable quote-props */ - -test('Setting ECS_REDUCE_RUN_TASK_PERMISSIONS to false grants extra permissions', () => { - stack = new Stack(); - stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, false); - vpc = new ec2.Vpc(stack, 'Vpc'); - cluster = new ecs.Cluster(stack, 'Cluster', { vpc }); - cluster.addAsgCapacityProvider(new ecs.AsgCapacityProvider(stack, 'Capacity', { - autoScalingGroup: new autoscaling.AutoScalingGroup(stack, 'ASG', { - vpc, - instanceType: new ec2.InstanceType('t3.medium'), - machineImage: ec2.MachineImage.latestAmazonLinux2023(), - }), - })); - - const taskDefinition = new ecs.TaskDefinition(stack, 'TD', { - memoryMiB: '512', - cpu: '256', - compatibility: ecs.Compatibility.FARGATE, - }); - const containerDefinition = taskDefinition.addContainer('TheContainer', { - image: ecs.ContainerImage.fromRegistry('foo/bar'), - memoryLimitMiB: 256, - }); - - // WHEN - const runTask = new tasks.EcsRunTask(stack, 'RunFargate', { - integrationPattern: sfn.IntegrationPattern.RUN_JOB, - cluster, - taskDefinition, - containerOverrides: [ - { - containerDefinition, - environment: [{ name: 'SOME_KEY', value: sfn.JsonPath.stringAt('$.SomeKey') }], - }, - ], - launchTarget: new tasks.EcsFargateLaunchTarget({ - platformVersion: ecs.FargatePlatformVersion.VERSION1_4, - }), - }); - - new sfn.StateMachine(stack, 'SM', { - definitionBody: sfn.DefinitionBody.fromChainable(runTask), - }); - - // THEN - expect(stack.resolve(runTask.toStateJson())).toEqual({ - End: true, - Parameters: { - Cluster: { 'Fn::GetAtt': ['ClusterEB0386A7', 'Arn'] }, - LaunchType: 'FARGATE', - NetworkConfiguration: { - AwsvpcConfiguration: { - SecurityGroups: [{ 'Fn::GetAtt': ['RunFargateSecurityGroup709740F2', 'GroupId'] }], - Subnets: [{ Ref: 'VpcPrivateSubnet1Subnet536B997A' }, { Ref: 'VpcPrivateSubnet2Subnet3788AAA1' }], - }, - }, - PlatformVersion: '1.4.0', - TaskDefinition: 'TD', - Overrides: { - ContainerOverrides: [ - { - Environment: [ - { - Name: 'SOME_KEY', - 'Value.$': '$.SomeKey', - }, - ], - Name: 'TheContainer', - }, - ], - }, - }, - Resource: { - 'Fn::Join': [ - '', - [ - 'arn:', - { - Ref: 'AWS::Partition', - }, - ':states:::ecs:runTask.sync', - ], - ], - }, - Type: 'Task', - }); - - Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: [ - { - Action: 'ecs:RunTask', - Effect: 'Allow', - Resource: [{ - 'Fn::Join': [ - '', - [ - 'arn:', - { 'Fn::Select': [1, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [2, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [3, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [4, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [0, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, - '/', - { 'Fn::Select': [1, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, - ], - ], - }, { - 'Fn::Join': [ - '', - [ - 'arn:', - { 'Fn::Select': [1, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [2, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [3, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [4, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [0, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, - '/', - { 'Fn::Select': [1, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, - ':*', - ], - ], - }], - }, - { - Action: ['ecs:StopTask', 'ecs:DescribeTasks'], - Effect: 'Allow', - Resource: '*', - }, - { - Action: 'iam:PassRole', - Effect: 'Allow', - Resource: { 'Fn::GetAtt': ['TDTaskRoleC497AFFC', 'Arn'] }, - }, - { - Action: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'], - Effect: 'Allow', - Resource: { - 'Fn::Join': [ - '', - [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':events:', - { Ref: 'AWS::Region' }, - ':', - { Ref: 'AWS::AccountId' }, - ':rule/StepFunctionsGetEventsForECSTaskRule', - ], - ], - }, - }, - ], - }, - }); -}); - -test('Leaving ECS_REDUCE_RUN_TASK_PERMISSIONS as the default (false) grants extra permissions', () => { - stack = new Stack(); - stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, false); - vpc = new ec2.Vpc(stack, 'Vpc'); - cluster = new ecs.Cluster(stack, 'Cluster', { vpc }); - cluster.addAsgCapacityProvider(new ecs.AsgCapacityProvider(stack, 'Capacity', { - autoScalingGroup: new autoscaling.AutoScalingGroup(stack, 'ASG', { - vpc, - instanceType: new ec2.InstanceType('t3.medium'), - machineImage: ec2.MachineImage.latestAmazonLinux2023(), - }), - })); - - const taskDefinition = new ecs.TaskDefinition(stack, 'TD', { - memoryMiB: '512', - cpu: '256', - compatibility: ecs.Compatibility.FARGATE, - }); - const containerDefinition = taskDefinition.addContainer('TheContainer', { - image: ecs.ContainerImage.fromRegistry('foo/bar'), - memoryLimitMiB: 256, - }); - - // WHEN - const runTask = new tasks.EcsRunTask(stack, 'RunFargate', { - integrationPattern: sfn.IntegrationPattern.RUN_JOB, - cluster, - taskDefinition, - containerOverrides: [ - { - containerDefinition, - environment: [{ name: 'SOME_KEY', value: sfn.JsonPath.stringAt('$.SomeKey') }], - }, - ], - launchTarget: new tasks.EcsFargateLaunchTarget({ - platformVersion: ecs.FargatePlatformVersion.VERSION1_4, - }), - }); - - new sfn.StateMachine(stack, 'SM', { - definitionBody: sfn.DefinitionBody.fromChainable(runTask), - }); - - // THEN - expect(stack.resolve(runTask.toStateJson())).toEqual({ - End: true, - Parameters: { - Cluster: { 'Fn::GetAtt': ['ClusterEB0386A7', 'Arn'] }, - LaunchType: 'FARGATE', - NetworkConfiguration: { - AwsvpcConfiguration: { - SecurityGroups: [{ 'Fn::GetAtt': ['RunFargateSecurityGroup709740F2', 'GroupId'] }], - Subnets: [{ Ref: 'VpcPrivateSubnet1Subnet536B997A' }, { Ref: 'VpcPrivateSubnet2Subnet3788AAA1' }], - }, - }, - PlatformVersion: '1.4.0', - TaskDefinition: 'TD', - Overrides: { - ContainerOverrides: [ - { - Environment: [ - { - Name: 'SOME_KEY', - 'Value.$': '$.SomeKey', - }, - ], - Name: 'TheContainer', - }, - ], - }, - }, - Resource: { - 'Fn::Join': [ - '', - [ - 'arn:', - { - Ref: 'AWS::Partition', - }, - ':states:::ecs:runTask.sync', - ], - ], - }, - Type: 'Task', - }); - - Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: [ - { - Action: 'ecs:RunTask', - Effect: 'Allow', - Resource: [{ - 'Fn::Join': [ - '', - [ - 'arn:', - { 'Fn::Select': [1, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [2, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [3, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [4, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [0, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, - '/', - { 'Fn::Select': [1, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, - ], - ], - }, { - 'Fn::Join': [ - '', - [ - 'arn:', - { 'Fn::Select': [1, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [2, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [3, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [4, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [0, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, - '/', - { 'Fn::Select': [1, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, - ':*', - ], - ], - }], - }, - { - Action: ['ecs:StopTask', 'ecs:DescribeTasks'], - Effect: 'Allow', - Resource: '*', - }, - { - Action: 'iam:PassRole', - Effect: 'Allow', - Resource: { 'Fn::GetAtt': ['TDTaskRoleC497AFFC', 'Arn'] }, - }, - { - Action: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'], - Effect: 'Allow', - Resource: { - 'Fn::Join': [ - '', - [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':events:', - { Ref: 'AWS::Region' }, - ':', - { Ref: 'AWS::AccountId' }, - ':rule/StepFunctionsGetEventsForECSTaskRule', - ], - ], - }, - }, - ], - }, - }); -}); - -test('Setting ECS_REDUCE_RUN_TASK_PERMISSIONS to true reduces permissions', () => { - stack = new Stack(); - stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, true); - vpc = new ec2.Vpc(stack, 'Vpc'); - cluster = new ecs.Cluster(stack, 'Cluster', { vpc }); - cluster.addAsgCapacityProvider(new ecs.AsgCapacityProvider(stack, 'Capacity', { - autoScalingGroup: new autoscaling.AutoScalingGroup(stack, 'ASG', { - vpc, - instanceType: new ec2.InstanceType('t3.medium'), - machineImage: ec2.MachineImage.latestAmazonLinux2023(), - }), - })); - - const taskDefinition = new ecs.TaskDefinition(stack, 'TD', { - memoryMiB: '512', - cpu: '256', - compatibility: ecs.Compatibility.FARGATE, - }); - const containerDefinition = taskDefinition.addContainer('TheContainer', { - image: ecs.ContainerImage.fromRegistry('foo/bar'), - memoryLimitMiB: 256, - }); - - // WHEN - const runTask = new tasks.EcsRunTask(stack, 'RunFargate', { - integrationPattern: sfn.IntegrationPattern.RUN_JOB, - cluster, - taskDefinition, - containerOverrides: [ - { - containerDefinition, - environment: [{ name: 'SOME_KEY', value: sfn.JsonPath.stringAt('$.SomeKey') }], - }, - ], - launchTarget: new tasks.EcsFargateLaunchTarget({ - platformVersion: ecs.FargatePlatformVersion.VERSION1_4, - }), - }); - - new sfn.StateMachine(stack, 'SM', { - definitionBody: sfn.DefinitionBody.fromChainable(runTask), - }); - - // THEN - expect(stack.resolve(runTask.toStateJson())).toEqual({ - End: true, - Parameters: { - Cluster: { 'Fn::GetAtt': ['ClusterEB0386A7', 'Arn'] }, - LaunchType: 'FARGATE', - NetworkConfiguration: { - AwsvpcConfiguration: { - SecurityGroups: [{ 'Fn::GetAtt': ['RunFargateSecurityGroup709740F2', 'GroupId'] }], - Subnets: [{ Ref: 'VpcPrivateSubnet1Subnet536B997A' }, { Ref: 'VpcPrivateSubnet2Subnet3788AAA1' }], - }, - }, - PlatformVersion: '1.4.0', - TaskDefinition: 'TD', - Overrides: { - ContainerOverrides: [ - { - Environment: [ - { - Name: 'SOME_KEY', - 'Value.$': '$.SomeKey', - }, - ], - Name: 'TheContainer', - }, - ], - }, - }, - Resource: { - 'Fn::Join': [ - '', - [ - 'arn:', - { - Ref: 'AWS::Partition', - }, - ':states:::ecs:runTask.sync', - ], - ], - }, - Type: 'Task', - }); - - Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: [ - { - Action: 'ecs:RunTask', - Effect: 'Allow', - Resource: { - 'Fn::Join': [ - '', - [ - 'arn:', - { 'Fn::Select': [1, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [2, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [3, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [4, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [0, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, - '/', - { 'Fn::Select': [1, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, - ':*', - ], - ], - }, - }, - { - Action: ['ecs:StopTask', 'ecs:DescribeTasks'], - Effect: 'Allow', - Resource: '*', - }, - { - Action: 'iam:PassRole', - Effect: 'Allow', - Resource: { 'Fn::GetAtt': ['TDTaskRoleC497AFFC', 'Arn'] }, - }, - { - Action: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'], - Effect: 'Allow', - Resource: { - 'Fn::Join': [ - '', - [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':events:', - { Ref: 'AWS::Region' }, - ':', - { Ref: 'AWS::AccountId' }, - ':rule/StepFunctionsGetEventsForECSTaskRule', - ], - ], - }, - }, - ], - }, - }); -}); diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks.test.ts b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks.test.ts index 785a96ba4f075..9ef23e8e9a3d6 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks.test.ts +++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks.test.ts @@ -4,7 +4,6 @@ import * as ec2 from '../../../aws-ec2'; import * as ecs from '../../../aws-ecs'; import * as sfn from '../../../aws-stepfunctions'; import { Stack } from '../../../core'; -import { ECS_REDUCE_RUN_TASK_PERMISSIONS } from '../../../cx-api'; import * as tasks from '../../lib'; let stack: Stack; @@ -16,7 +15,6 @@ let cluster: ecs.Cluster; beforeEach(() => { // GIVEN stack = new Stack(); - stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, true); vpc = new ec2.Vpc(stack, 'Vpc'); cluster = new ecs.Cluster(stack, 'Cluster', { vpc }); cluster.addAsgCapacityProvider(new ecs.AsgCapacityProvider(stack, 'Capacity', { diff --git a/packages/aws-cdk-lib/cx-api/lib/features.ts b/packages/aws-cdk-lib/cx-api/lib/features.ts index ba01e8b9a0e6f..233529bf8fa5b 100644 --- a/packages/aws-cdk-lib/cx-api/lib/features.ts +++ b/packages/aws-cdk-lib/cx-api/lib/features.ts @@ -101,7 +101,6 @@ export const CODEPIPELINE_CROSS_ACCOUNT_KEYS_DEFAULT_VALUE_TO_FALSE = '@aws-cdk/ export const CODEPIPELINE_DEFAULT_PIPELINE_TYPE_TO_V2 = '@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2'; export const KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE = '@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope'; export const PIPELINE_REDUCE_ASSET_ROLE_TRUST_SCOPE = '@aws-cdk/pipelines:reduceAssetRoleTrustScope'; -export const ECS_REDUCE_RUN_TASK_PERMISSIONS = '@aws-cdk/aws-stepfunctions-tasks:ecsReduceRunTaskPermissions'; export const EKS_NODEGROUP_NAME = '@aws-cdk/aws-eks:nodegroupNameAttribute'; export const EBS_DEFAULT_GP3 = '@aws-cdk/aws-ec2:ebsDefaultGp3Volume'; export const ECS_REMOVE_DEFAULT_DEPLOYMENT_ALARM = '@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm'; @@ -1093,19 +1092,6 @@ export const FLAGS: Record = { introducedIn: { v2: '2.145.0' }, recommendedValue: false, }, - - ////////////////////////////////////////////////////////////////////// - [ECS_REDUCE_RUN_TASK_PERMISSIONS]: { - type: FlagType.BugFix, - summary: 'When enabled, IAM Policy created to run tasks won\'t include the task definition ARN, only the revision ARN.', - detailsMd: ` - When this feature flag is enabled, the IAM Policy created to run tasks won\'t include the task definition ARN, only the revision ARN. - The revision ARN is more specific than the task definition ARN. See https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html - for more details. - `, - introducedIn: { v2: '2.148.0' }, - recommendedValue: true, - }, }; const CURRENT_MV = 'v2'; From f5dd73bd19f546335531f587f6d7fbde8aff96ce Mon Sep 17 00:00:00 2001 From: shikha372 Date: Tue, 23 Jul 2024 17:11:49 -0700 Subject: [PATCH 02/17] feat(stepfunctions-tasks): allow BedrockInvokeModel to use JsonPath (#30298) ### Issue # (if applicable) Closes #29229. ### Reason for this change When trying to use JsonPath to specify the S3 URIs that BedrockInvokeModel will read from and write from, you get an error. Example of the Error message: `jsii.errors.JavaScriptError: Error: Field references must be the entire string, cannot concatenate them (found 's3://${Token[prompt_bucket.348]}/${Token[prompt_key.349]}')` ### Description of changes Extended the inputPath property to be allowed as an input value for the task state. Instead of adding a new S3Uri props in current `BedrockInvokeModelProps` as proposed in the original issue, leveraged the `inputPath` property that is already defined in `sfn.TaskStateBaseProps` and being extended by `BedrockInvokeModelInputProps` and `BedrockInvokeModelOutputProps` **Limitation:** We cannot limit the resource policy to specific input token for which the value might be coming from the prompt, so had to keep it as [*] here. ### Description of how you validated changes Added unit tests. Successful deployment of integration tests in the account. ### Checklist - [x] Unit Tests - [x] Integration Tests - [x] Updated ReadMe - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- ...efaultTestDeployAssert9C0D2DFC.assets.json | 2 +- ...sks-bedrock-invoke-model-integ.assets.json | 6 +- ...s-bedrock-invoke-model-integ.template.json | 35 +++++- .../integ.invoke-model.js.snapshot/cdk.out | 2 +- .../integ.invoke-model.js.snapshot/integ.json | 2 +- .../manifest.json | 4 +- .../integ.invoke-model.js.snapshot/tree.json | 43 ++++++- .../test/bedrock/integ.invoke-model.ts | 8 +- .../aws-stepfunctions-tasks/README.md | 21 ++++ .../lib/bedrock/invoke-model.ts | 43 ++++++- .../test/bedrock/invoke-model.test.ts | 108 ++++++++++++++++++ 11 files changed, 255 insertions(+), 19 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.js.snapshot/InvokeModelDefaultTestDeployAssert9C0D2DFC.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.js.snapshot/InvokeModelDefaultTestDeployAssert9C0D2DFC.assets.json index ec22c34fcf613..62c1eb1585be8 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.js.snapshot/InvokeModelDefaultTestDeployAssert9C0D2DFC.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.js.snapshot/InvokeModelDefaultTestDeployAssert9C0D2DFC.assets.json @@ -1,5 +1,5 @@ { - "version": "35.0.0", + "version": "36.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.js.snapshot/aws-stepfunctions-tasks-bedrock-invoke-model-integ.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.js.snapshot/aws-stepfunctions-tasks-bedrock-invoke-model-integ.assets.json index 2d7004e16caf5..ea5387a06b82c 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.js.snapshot/aws-stepfunctions-tasks-bedrock-invoke-model-integ.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.js.snapshot/aws-stepfunctions-tasks-bedrock-invoke-model-integ.assets.json @@ -1,7 +1,7 @@ { - "version": "35.0.0", + "version": "36.0.0", "files": { - "19db222d8d51351d1127c4b099aa6545a4c1ddd9425a2e0f78c328f39ff74edf": { + "e9d946bbac52fb88d3fc7c9ea4f26da0e6a6965417c8ae9fb5464e5342269444": { "source": { "path": "aws-stepfunctions-tasks-bedrock-invoke-model-integ.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "19db222d8d51351d1127c4b099aa6545a4c1ddd9425a2e0f78c328f39ff74edf.json", + "objectKey": "e9d946bbac52fb88d3fc7c9ea4f26da0e6a6965417c8ae9fb5464e5342269444.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.js.snapshot/aws-stepfunctions-tasks-bedrock-invoke-model-integ.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.js.snapshot/aws-stepfunctions-tasks-bedrock-invoke-model-integ.template.json index ce41a5e96cc20..a67f72f4ea158 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.js.snapshot/aws-stepfunctions-tasks-bedrock-invoke-model-integ.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.js.snapshot/aws-stepfunctions-tasks-bedrock-invoke-model-integ.template.json @@ -41,6 +41,25 @@ ] ] } + }, + { + "Action": [ + "s3:GetObject", + "s3:PutObject" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::*" + ] + ] + } } ], "Version": "2012-10-17" @@ -72,7 +91,19 @@ { "Ref": "AWS::Region" }, - "::foundation-model/amazon.titan-text-express-v1\",\"Body\":{\"inputText\":\"Generate a list of five first names.\",\"textGenerationConfig\":{\"maxTokenCount\":100,\"temperature\":1}}}},\"Prompt2\":{\"End\":true,\"Type\":\"Task\",\"ResultPath\":\"$\",\"ResultSelector\":{\"names.$\":\"$.Body.results[0].outputText\"},\"Resource\":\"arn:", + "::foundation-model/amazon.titan-text-express-v1\",\"Body\":{\"inputText\":\"Generate a list of five first names.\",\"textGenerationConfig\":{\"maxTokenCount\":100,\"temperature\":1}}}},\"Prompt2\":{\"Next\":\"Prompt3\",\"Type\":\"Task\",\"ResultPath\":\"$\",\"ResultSelector\":{\"names.$\":\"$.Body.results[0].outputText\"},\"Resource\":\"arn:", + { + "Ref": "AWS::Partition" + }, + ":states:::bedrock:invokeModel\",\"Parameters\":{\"ModelId\":\"arn:", + { + "Ref": "AWS::Partition" + }, + ":bedrock:", + { + "Ref": "AWS::Region" + }, + "::foundation-model/amazon.titan-text-express-v1\",\"Body\":{\"inputText.$\":\"States.Format('Alphabetize this list of first names:\\n{}', $.names)\",\"textGenerationConfig\":{\"maxTokenCount\":100,\"temperature\":1}}}},\"Prompt3\":{\"End\":true,\"Type\":\"Task\",\"InputPath\":\"$.names\",\"OutputPath\":\"$.names\",\"Resource\":\"arn:", { "Ref": "AWS::Partition" }, @@ -84,7 +115,7 @@ { "Ref": "AWS::Region" }, - "::foundation-model/amazon.titan-text-express-v1\",\"Body\":{\"inputText.$\":\"States.Format('Alphabetize this list of first names:\\n{}', $.names)\",\"textGenerationConfig\":{\"maxTokenCount\":100,\"temperature\":1}}}}},\"TimeoutSeconds\":30}" + "::foundation-model/amazon.titan-text-express-v1\",\"Input\":{\"S3Uri.$\":\"$.names\"},\"Output\":{\"S3Uri.$\":\"$.names\"}}}},\"TimeoutSeconds\":30}" ] ] }, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.js.snapshot/cdk.out index c5cb2e5de6344..1f0068d32659a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"35.0.0"} \ No newline at end of file +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.js.snapshot/integ.json index 5eb622d1d7b82..36143be21ab57 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "35.0.0", + "version": "36.0.0", "testCases": { "InvokeModel/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.js.snapshot/manifest.json index 60de1b8de8ab7..677092f63b132 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "35.0.0", + "version": "36.0.0", "artifacts": { "aws-stepfunctions-tasks-bedrock-invoke-model-integ.assets": { "type": "cdk:asset-manifest", @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/19db222d8d51351d1127c4b099aa6545a4c1ddd9425a2e0f78c328f39ff74edf.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/e9d946bbac52fb88d3fc7c9ea4f26da0e6a6965417c8ae9fb5464e5342269444.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.js.snapshot/tree.json index b3a2882dbd6fb..17b23007671bd 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.js.snapshot/tree.json @@ -24,6 +24,14 @@ "version": "0.0.0" } }, + "Prompt3": { + "id": "Prompt3", + "path": "aws-stepfunctions-tasks-bedrock-invoke-model-integ/Prompt3", + "constructInfo": { + "fqn": "aws-cdk-lib.aws_stepfunctions_tasks.BedrockInvokeModel", + "version": "0.0.0" + } + }, "StateMachine": { "id": "StateMachine", "path": "aws-stepfunctions-tasks-bedrock-invoke-model-integ/StateMachine", @@ -96,6 +104,25 @@ ] ] } + }, + { + "Action": [ + "s3:GetObject", + "s3:PutObject" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::*" + ] + ] + } } ], "Version": "2012-10-17" @@ -147,7 +174,19 @@ { "Ref": "AWS::Region" }, - "::foundation-model/amazon.titan-text-express-v1\",\"Body\":{\"inputText\":\"Generate a list of five first names.\",\"textGenerationConfig\":{\"maxTokenCount\":100,\"temperature\":1}}}},\"Prompt2\":{\"End\":true,\"Type\":\"Task\",\"ResultPath\":\"$\",\"ResultSelector\":{\"names.$\":\"$.Body.results[0].outputText\"},\"Resource\":\"arn:", + "::foundation-model/amazon.titan-text-express-v1\",\"Body\":{\"inputText\":\"Generate a list of five first names.\",\"textGenerationConfig\":{\"maxTokenCount\":100,\"temperature\":1}}}},\"Prompt2\":{\"Next\":\"Prompt3\",\"Type\":\"Task\",\"ResultPath\":\"$\",\"ResultSelector\":{\"names.$\":\"$.Body.results[0].outputText\"},\"Resource\":\"arn:", + { + "Ref": "AWS::Partition" + }, + ":states:::bedrock:invokeModel\",\"Parameters\":{\"ModelId\":\"arn:", + { + "Ref": "AWS::Partition" + }, + ":bedrock:", + { + "Ref": "AWS::Region" + }, + "::foundation-model/amazon.titan-text-express-v1\",\"Body\":{\"inputText.$\":\"States.Format('Alphabetize this list of first names:\\n{}', $.names)\",\"textGenerationConfig\":{\"maxTokenCount\":100,\"temperature\":1}}}},\"Prompt3\":{\"End\":true,\"Type\":\"Task\",\"InputPath\":\"$.names\",\"OutputPath\":\"$.names\",\"Resource\":\"arn:", { "Ref": "AWS::Partition" }, @@ -159,7 +198,7 @@ { "Ref": "AWS::Region" }, - "::foundation-model/amazon.titan-text-express-v1\",\"Body\":{\"inputText.$\":\"States.Format('Alphabetize this list of first names:\\n{}', $.names)\",\"textGenerationConfig\":{\"maxTokenCount\":100,\"temperature\":1}}}}},\"TimeoutSeconds\":30}" + "::foundation-model/amazon.titan-text-express-v1\",\"Input\":{\"S3Uri.$\":\"$.names\"},\"Output\":{\"S3Uri.$\":\"$.names\"}}}},\"TimeoutSeconds\":30}" ] ] }, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.ts index 95860f09e624e..2d98f804b4475 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/bedrock/integ.invoke-model.ts @@ -52,7 +52,13 @@ const prompt2 = new BedrockInvokeModel(stack, 'Prompt2', { resultPath: '$', }); -const chain = sfn.Chain.start(prompt1).next(prompt2); +const prompt3 = new BedrockInvokeModel(stack, 'Prompt3', { + model, + inputPath: sfn.JsonPath.stringAt('$.names'), + outputPath: sfn.JsonPath.stringAt('$.names'), +}); + +const chain = sfn.Chain.start(prompt1).next(prompt2).next(prompt3); new sfn.StateMachine(stack, 'StateMachine', { definitionBody: sfn.DefinitionBody.fromChainable(chain), diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md b/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md index 4b288aafd7f93..9f5943afaa16b 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md +++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md @@ -398,6 +398,27 @@ const task = new tasks.BedrockInvokeModel(this, 'Prompt Model', { names: sfn.JsonPath.stringAt('$.Body.results[0].outputText'), }, }); +``` +### Using Input Path + +Provide S3 URI as an input or output path to invoke a model + +```ts + +import * as bedrock from 'aws-cdk-lib/aws-bedrock'; + +const model = bedrock.FoundationModel.fromFoundationModelId( + this, + 'Model', + bedrock.FoundationModelIdentifier.AMAZON_TITAN_TEXT_G1_EXPRESS_V1, +); + +const task = new tasks.BedrockInvokeModel(this, 'Prompt Model', { + model, + inputPath: sfn.JsonPath.stringAt('$.prompt'), + outputPath: sfn.JsonPath.stringAt('$.prompt'), +}); + ``` You can apply a guardrail to the invocation by setting `guardrail`. diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/bedrock/invoke-model.ts b/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/bedrock/invoke-model.ts index f831cf606c8c5..3abc7338cab8c 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/bedrock/invoke-model.ts +++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/bedrock/invoke-model.ts @@ -140,12 +140,14 @@ export class BedrockInvokeModel extends sfn.TaskStateBase { constructor(scope: Construct, id: string, private readonly props: BedrockInvokeModelProps) { super(scope, id, props); + this.integrationPattern = props.integrationPattern ?? sfn.IntegrationPattern.REQUEST_RESPONSE; validatePatternSupported(this.integrationPattern, BedrockInvokeModel.SUPPORTED_INTEGRATION_PATTERNS); const isBodySpecified = props.body !== undefined; - const isInputSpecified = props.input !== undefined && props.input.s3Location !== undefined; + //Either specific props.input with bucket name and object key or input s3 path + const isInputSpecified = (props.input !== undefined && props.input.s3Location !== undefined) || (props.inputPath !== undefined); if (isBodySpecified && isInputSpecified) { throw new Error('Either `body` or `input` must be specified, but not both.'); @@ -171,7 +173,21 @@ export class BedrockInvokeModel extends sfn.TaskStateBase { }), ]; - if (this.props.input !== undefined && this.props.input.s3Location !== undefined) { + if (this.props.inputPath !== undefined) { + policyStatements.push( + new iam.PolicyStatement({ + actions: ['s3:GetObject'], + resources: [ + Stack.of(this).formatArn({ + region: '', + account: '', + service: 's3', + resource: '*', + }), + ], + }), + ); + } else if (this.props.input !== undefined && this.props.input.s3Location !== undefined) { policyStatements.push( new iam.PolicyStatement({ actions: ['s3:GetObject'], @@ -188,7 +204,21 @@ export class BedrockInvokeModel extends sfn.TaskStateBase { ); } - if (this.props.output !== undefined && this.props.output.s3Location !== undefined) { + if (this.props.outputPath !== undefined) { + policyStatements.push( + new iam.PolicyStatement({ + actions: ['s3:PutObject'], + resources: [ + Stack.of(this).formatArn({ + region: '', + account: '', + service: 's3', + resource: '*', + }), + ], + }), + ); + } else if (this.props.output !== undefined && this.props.output.s3Location !== undefined) { policyStatements.push( new iam.PolicyStatement({ actions: ['s3:PutObject'], @@ -241,10 +271,10 @@ export class BedrockInvokeModel extends sfn.TaskStateBase { Body: this.props.body?.value, Input: this.props.input?.s3Location ? { S3Uri: `s3://${this.props.input.s3Location.bucketName}/${this.props.input.s3Location.objectKey}`, - } : undefined, + } : this.props.inputPath ? { S3Uri: this.props.inputPath } : undefined, Output: this.props.output?.s3Location ? { S3Uri: `s3://${this.props.output.s3Location.bucketName}/${this.props.output.s3Location.objectKey}`, - } : undefined, + } : this.props.outputPath ? { S3Uri: this.props.outputPath }: undefined, GuardrailIdentifier: this.props.guardrail?.guardrailIdentifier, GuardrailVersion: this.props.guardrail?.guardrailVersion, Trace: this.props.traceEnabled === undefined @@ -254,5 +284,6 @@ export class BedrockInvokeModel extends sfn.TaskStateBase { : 'DISABLED', }), }; - } + }; } + diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/bedrock/invoke-model.test.ts b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/bedrock/invoke-model.test.ts index 3c480ea1638a3..02fa2737bb2b8 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/bedrock/invoke-model.test.ts +++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/bedrock/invoke-model.test.ts @@ -204,6 +204,52 @@ describe('Invoke Model', () => { }); }); + test('invoke model allows input and output json path', () => { + const stack = new cdk.Stack(); + const model = bedrock.ProvisionedModel.fromProvisionedModelArn(stack, 'Imported', 'arn:aws:bedrock:us-turbo-2:123456789012:provisioned-model/abc-123'); + + const task = new BedrockInvokeModel(stack, 'Invoke', { + model, + inputPath: sfn.JsonPath.stringAt('$.prompt'), + outputPath: sfn.JsonPath.stringAt('$.prompt'), + }); + + new sfn.StateMachine(stack, 'StateMachine', { + definitionBody: sfn.DefinitionBody.fromChainable(task), + }); + + // THEN + expect(stack.resolve(task.toStateJson())).toEqual({ + Type: 'Task', + Resource: { + 'Fn::Join': [ + '', + [ + 'arn:', + { + Ref: 'AWS::Partition', + }, + ':states:::bedrock:invokeModel', + ], + ], + }, + End: true, + InputPath: '$.prompt', + OutputPath: '$.prompt', + Parameters: { + ModelId: 'arn:aws:bedrock:us-turbo-2:123456789012:provisioned-model/abc-123', + Input: { + //Expected key modified from S3Uri to S3Uri.$ as per the State Machine context key field transformation + //Reference: https://docs.aws.amazon.com/step-functions/latest/dg/input-output-example.html + 'S3Uri.$': '$.prompt', + }, + Output: { + 'S3Uri.$': '$.prompt', + }, + }, + }); + }); + test('S3 permissions are created in generated policy when input and output locations are specified', () => { // GIVEN const stack = new cdk.Stack(); @@ -276,6 +322,68 @@ describe('Invoke Model', () => { }); }); + test('S3 permissions are created in generated policy when input and output path are specified', () => { + // GIVEN + const stack = new cdk.Stack(); + const model = bedrock.ProvisionedModel.fromProvisionedModelArn(stack, 'Imported', 'arn:aws:bedrock:us-turbo-2:123456789012:provisioned-model/abc-123'); + + // WHEN + const task = new BedrockInvokeModel(stack, 'Invoke', { + model, + inputPath: sfn.JsonPath.stringAt('$.prompt'), + outputPath: sfn.JsonPath.stringAt('$.prompt'), + }); + + new sfn.StateMachine(stack, 'StateMachine', { + definitionBody: sfn.DefinitionBody.fromChainable(task), + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: Match.objectLike({ + Statement: Match.arrayWith([ + { + Action: 'bedrock:InvokeModel', + Effect: 'Allow', + Resource: 'arn:aws:bedrock:us-turbo-2:123456789012:provisioned-model/abc-123', + }, + { + Action: 's3:GetObject', + Effect: 'Allow', + Resource: { + 'Fn::Join': [ + '', + [ + 'arn:', + { + Ref: 'AWS::Partition', + }, + ':s3:::*', + ], + ], + }, + }, + { + Action: 's3:PutObject', + Effect: 'Allow', + Resource: { + 'Fn::Join': [ + '', + [ + 'arn:', + { + Ref: 'AWS::Partition', + }, + ':s3:::*', + ], + ], + }, + }, + ]), + }), + }); + }); + test('fails on neither input nor body set', () => { // GIVEN const stack = new cdk.Stack(); From 597228c1552a21f8dc7250a0be62160f838bb776 Mon Sep 17 00:00:00 2001 From: yuppe <63234480+yuppe-kyupeen@users.noreply.github.com> Date: Wed, 24 Jul 2024 10:02:08 +0900 Subject: [PATCH 03/17] feat(ec2): add `versionDescription` property for `LaunchTemplate` (#30837) ### Issue # (if applicable) ### Reason for this change The change introduces the `versionDescription` property to the `LaunchTemplate` ### Description of changes - Add the `versionDescription` property for `LaunchTemplateProps`, which was missing in the L2 construct. - Add validation for character limit ### Description of how you validated changes I Added a unit test for launch template and added the `versionDescription` property in the integration tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../aws-cdk-ec2-lt-metadata-1.assets.json | 4 +- .../aws-cdk-ec2-lt-metadata-1.template.json | 3 +- .../manifest.json | 2 +- .../tree.json | 107 +++++++++--------- .../aws-ec2/test/integ.launch-template.ts | 1 + packages/aws-cdk-lib/aws-ec2/README.md | 2 + .../aws-ec2/lib/launch-template.ts | 16 +++ .../aws-ec2/test/launch-template.test.ts | 22 ++++ 8 files changed, 100 insertions(+), 57 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.launch-template.js.snapshot/aws-cdk-ec2-lt-metadata-1.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.launch-template.js.snapshot/aws-cdk-ec2-lt-metadata-1.assets.json index 3fdfa3f0a8b2d..1147a2215bf03 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.launch-template.js.snapshot/aws-cdk-ec2-lt-metadata-1.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.launch-template.js.snapshot/aws-cdk-ec2-lt-metadata-1.assets.json @@ -14,7 +14,7 @@ } } }, - "f6f451c7b6b6085fc3c3c85e56c55856c2b6d5f71491ba5d0f9b93436468b5de": { + "8cd8c63d04ed01a1a76f21f94fa840809a354a12b00cfac1a16d1bfb8973a85a": { "source": { "path": "aws-cdk-ec2-lt-metadata-1.template.json", "packaging": "file" @@ -22,7 +22,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "f6f451c7b6b6085fc3c3c85e56c55856c2b6d5f71491ba5d0f9b93436468b5de.json", + "objectKey": "8cd8c63d04ed01a1a76f21f94fa840809a354a12b00cfac1a16d1bfb8973a85a.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.launch-template.js.snapshot/aws-cdk-ec2-lt-metadata-1.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.launch-template.js.snapshot/aws-cdk-ec2-lt-metadata-1.template.json index 07935b6686310..061a117dbcb13 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.launch-template.js.snapshot/aws-cdk-ec2-lt-metadata-1.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.launch-template.js.snapshot/aws-cdk-ec2-lt-metadata-1.template.json @@ -211,7 +211,8 @@ } ] } - ] + ], + "VersionDescription": "test template v1" } }, "sg2860DD91F": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.launch-template.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.launch-template.js.snapshot/manifest.json index 9d0fde1e73ce8..92489c9202eb6 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.launch-template.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.launch-template.js.snapshot/manifest.json @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/f6f451c7b6b6085fc3c3c85e56c55856c2b6d5f71491ba5d0f9b93436468b5de.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/8cd8c63d04ed01a1a76f21f94fa840809a354a12b00cfac1a16d1bfb8973a85a.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.launch-template.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.launch-template.js.snapshot/tree.json index 0475a6ce3a9fe..ed2fedb904e4d 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.launch-template.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.launch-template.js.snapshot/tree.json @@ -31,8 +31,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnVPC", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "RestrictDefaultSecurityGroupCustomResource": { @@ -43,28 +43,28 @@ "id": "Default", "path": "aws-cdk-ec2-lt-metadata-1/MyVpc/RestrictDefaultSecurityGroupCustomResource/Default", "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.CustomResource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.Vpc", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "LatestNodeRuntimeMap": { "id": "LatestNodeRuntimeMap", "path": "aws-cdk-ec2-lt-metadata-1/LatestNodeRuntimeMap", "constructInfo": { - "fqn": "aws-cdk-lib.CfnMapping", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Custom::VpcRestrictDefaultSGCustomResourceProvider": { @@ -75,30 +75,30 @@ "id": "Staging", "path": "aws-cdk-ec2-lt-metadata-1/Custom::VpcRestrictDefaultSGCustomResourceProvider/Staging", "constructInfo": { - "fqn": "aws-cdk-lib.AssetStaging", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Role": { "id": "Role", "path": "aws-cdk-ec2-lt-metadata-1/Custom::VpcRestrictDefaultSGCustomResourceProvider/Role", "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Handler": { "id": "Handler", "path": "aws-cdk-ec2-lt-metadata-1/Custom::VpcRestrictDefaultSGCustomResourceProvider/Handler", "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.CustomResourceProviderBase", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "sg1": { @@ -125,14 +125,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSecurityGroup", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.SecurityGroup", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "LT": { @@ -198,18 +198,19 @@ } ] } - ] + ], + "versionDescription": "test template v1" } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnLaunchTemplate", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.LaunchTemplate", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "sg2": { @@ -236,14 +237,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSecurityGroup", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.SecurityGroup", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "LTWithMachineImage": { @@ -298,52 +299,52 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnLaunchTemplate", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.LaunchTemplate", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "SsmParameterValue:--aws--service--ami-amazon-linux-latest--amzn2-ami-hvm-x86_64-gp2:C96584B6-F00A-464E-AD19-53AFF4B05118.Parameter": { "id": "SsmParameterValue:--aws--service--ami-amazon-linux-latest--amzn2-ami-hvm-x86_64-gp2:C96584B6-F00A-464E-AD19-53AFF4B05118.Parameter", "path": "aws-cdk-ec2-lt-metadata-1/SsmParameterValue:--aws--service--ami-amazon-linux-latest--amzn2-ami-hvm-x86_64-gp2:C96584B6-F00A-464E-AD19-53AFF4B05118.Parameter", "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "SsmParameterValue:--aws--service--ami-amazon-linux-latest--amzn2-ami-hvm-x86_64-gp2:C96584B6-F00A-464E-AD19-53AFF4B05118": { "id": "SsmParameterValue:--aws--service--ami-amazon-linux-latest--amzn2-ami-hvm-x86_64-gp2:C96584B6-F00A-464E-AD19-53AFF4B05118", "path": "aws-cdk-ec2-lt-metadata-1/SsmParameterValue:--aws--service--ami-amazon-linux-latest--amzn2-ami-hvm-x86_64-gp2:C96584B6-F00A-464E-AD19-53AFF4B05118", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "BootstrapVersion": { "id": "BootstrapVersion", "path": "aws-cdk-ec2-lt-metadata-1/BootstrapVersion", "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "CheckBootstrapVersion": { "id": "CheckBootstrapVersion", "path": "aws-cdk-ec2-lt-metadata-1/CheckBootstrapVersion", "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "LambdaTest": { @@ -370,22 +371,22 @@ "id": "BootstrapVersion", "path": "LambdaTest/DefaultTest/DeployAssert/BootstrapVersion", "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "CheckBootstrapVersion": { "id": "CheckBootstrapVersion", "path": "LambdaTest/DefaultTest/DeployAssert/CheckBootstrapVersion", "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, @@ -410,8 +411,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.App", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } } \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.launch-template.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.launch-template.ts index 39d71b394b897..0aa48e0277a81 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.launch-template.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.launch-template.ts @@ -16,6 +16,7 @@ const sg1 = new ec2.SecurityGroup(stack, 'sg1', { }); const lt = new ec2.LaunchTemplate(stack, 'LT', { + versionDescription: 'test template v1', httpEndpoint: true, httpProtocolIpv6: true, httpPutResponseHopLimit: 2, diff --git a/packages/aws-cdk-lib/aws-ec2/README.md b/packages/aws-cdk-lib/aws-ec2/README.md index 5d10fd95d7e5f..686eb78ed2a3f 100644 --- a/packages/aws-cdk-lib/aws-ec2/README.md +++ b/packages/aws-cdk-lib/aws-ec2/README.md @@ -2287,6 +2287,8 @@ const instanceProfile = new iam.InstanceProfile(this, 'InstanceProfile', { }); const template = new ec2.LaunchTemplate(this, 'LaunchTemplate', { + launchTemplateName: 'MyTemplateV1', + versionDescription: 'This is my v1 template', machineImage: ec2.MachineImage.latestAmazonLinux2023(), securityGroup: new ec2.SecurityGroup(this, 'LaunchTemplateSG', { vpc: vpc, diff --git a/packages/aws-cdk-lib/aws-ec2/lib/launch-template.ts b/packages/aws-cdk-lib/aws-ec2/lib/launch-template.ts index 04ec805533bd9..eea0bfe06dd65 100644 --- a/packages/aws-cdk-lib/aws-ec2/lib/launch-template.ts +++ b/packages/aws-cdk-lib/aws-ec2/lib/launch-template.ts @@ -221,6 +221,17 @@ export interface LaunchTemplateProps { */ readonly launchTemplateName?: string; + /** + * A description for the first version of the launch template. + * + * The version description must be maximum 255 characters long. + * + * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-launchtemplate.html#cfn-ec2-launchtemplate-versiondescription + * + * @default - No description + */ + readonly versionDescription?: string; + /** * Type of instance to launch. * @@ -735,8 +746,13 @@ export class LaunchTemplate extends Resource implements ILaunchTemplate, iam.IGr ? [{ deviceIndex: 0, associatePublicIpAddress: props.associatePublicIpAddress, groups: securityGroupsToken }] : undefined; + if (props.versionDescription && !Token.isUnresolved(props.versionDescription) && props.versionDescription.length > 255) { + throw new Error(`versionDescription must be less than or equal to 255 characters, got ${props.versionDescription.length}`); + } + const resource = new CfnLaunchTemplate(this, 'Resource', { launchTemplateName: props?.launchTemplateName, + versionDescription: props?.versionDescription, launchTemplateData: { blockDeviceMappings: props?.blockDevices !== undefined ? launchTemplateBlockDeviceMappings(this, props.blockDevices) : undefined, creditSpecification: props?.cpuCredits !== undefined ? { diff --git a/packages/aws-cdk-lib/aws-ec2/test/launch-template.test.ts b/packages/aws-cdk-lib/aws-ec2/test/launch-template.test.ts index 227eb1c1b0d84..a818c23b8f1cb 100644 --- a/packages/aws-cdk-lib/aws-ec2/test/launch-template.test.ts +++ b/packages/aws-cdk-lib/aws-ec2/test/launch-template.test.ts @@ -147,6 +147,28 @@ describe('LaunchTemplate', () => { }); }); + test('Given versionDescription', () => { + // WHEN + new LaunchTemplate(stack, 'Template', { + versionDescription: 'test template', + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::EC2::LaunchTemplate', { + VersionDescription: 'test template', + }); + }); + + test('throw error when versionDescription is too long', () => { + const tooLongDescription = 'a'.repeat(256); + // WHEN / THEN + expect(() => { + new LaunchTemplate(stack, 'TemplateWithTooLongDescription', { + versionDescription: tooLongDescription, + }); + }).toThrow('versionDescription must be less than or equal to 255 characters, got 256'); + }); + test('Given instanceType', () => { // WHEN new LaunchTemplate(stack, 'Template', { From 7b2a65384a1592410cd820b745c680fea00d8c95 Mon Sep 17 00:00:00 2001 From: Pahud Hsieh Date: Wed, 24 Jul 2024 11:37:14 -0400 Subject: [PATCH 04/17] chore(eks): update failing snapshots (#30829) update `framework-integ/test/aws-eks/test/integ.eks-helm-asset.ts` that might fail in some cases: 1. set `aws.region` for the helm charts to ensure successful helm deployment 2. make sure each helm charts assertion use different chart source to avoid conflict 3. update the snapshots ### Issue # (if applicable) Closes #. ### Reason for this change ### Description of changes ### Description of how you validated changes ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../apply/__init__.py | 0 .../get/__init__.py | 0 .../helm/__init__.py | 1 + .../index.py | 0 .../patch/__init__.py | 0 .../aws-cdk-eks-helm-test.assets.json | 14 ++--- .../aws-cdk-eks-helm-test.template.json | 60 +++++++++++++++++-- ...bectlProvider207F42E4.nested.template.json | 2 +- .../manifest.json | 2 +- .../tree.json | 4 +- .../test/aws-eks/test/integ.eks-helm-asset.ts | 21 +++++-- 11 files changed, 81 insertions(+), 23 deletions(-) rename packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/{asset.abc70c90ded969d12235ca11768293cb20557cff54518518480c0d9fb344a098 => asset.58216e9cbe7ed5d0c2b7c7d47e173e8f81c25ea6457f5446c34c22be7e6f7f51}/apply/__init__.py (100%) rename packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/{asset.abc70c90ded969d12235ca11768293cb20557cff54518518480c0d9fb344a098 => asset.58216e9cbe7ed5d0c2b7c7d47e173e8f81c25ea6457f5446c34c22be7e6f7f51}/get/__init__.py (100%) rename packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/{asset.abc70c90ded969d12235ca11768293cb20557cff54518518480c0d9fb344a098 => asset.58216e9cbe7ed5d0c2b7c7d47e173e8f81c25ea6457f5446c34c22be7e6f7f51}/helm/__init__.py (99%) rename packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/{asset.abc70c90ded969d12235ca11768293cb20557cff54518518480c0d9fb344a098 => asset.58216e9cbe7ed5d0c2b7c7d47e173e8f81c25ea6457f5446c34c22be7e6f7f51}/index.py (100%) rename packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/{asset.abc70c90ded969d12235ca11768293cb20557cff54518518480c0d9fb344a098 => asset.58216e9cbe7ed5d0c2b7c7d47e173e8f81c25ea6457f5446c34c22be7e6f7f51}/patch/__init__.py (100%) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/asset.abc70c90ded969d12235ca11768293cb20557cff54518518480c0d9fb344a098/apply/__init__.py b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/asset.58216e9cbe7ed5d0c2b7c7d47e173e8f81c25ea6457f5446c34c22be7e6f7f51/apply/__init__.py similarity index 100% rename from packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/asset.abc70c90ded969d12235ca11768293cb20557cff54518518480c0d9fb344a098/apply/__init__.py rename to packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/asset.58216e9cbe7ed5d0c2b7c7d47e173e8f81c25ea6457f5446c34c22be7e6f7f51/apply/__init__.py diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/asset.abc70c90ded969d12235ca11768293cb20557cff54518518480c0d9fb344a098/get/__init__.py b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/asset.58216e9cbe7ed5d0c2b7c7d47e173e8f81c25ea6457f5446c34c22be7e6f7f51/get/__init__.py similarity index 100% rename from packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/asset.abc70c90ded969d12235ca11768293cb20557cff54518518480c0d9fb344a098/get/__init__.py rename to packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/asset.58216e9cbe7ed5d0c2b7c7d47e173e8f81c25ea6457f5446c34c22be7e6f7f51/get/__init__.py diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/asset.abc70c90ded969d12235ca11768293cb20557cff54518518480c0d9fb344a098/helm/__init__.py b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/asset.58216e9cbe7ed5d0c2b7c7d47e173e8f81c25ea6457f5446c34c22be7e6f7f51/helm/__init__.py similarity index 99% rename from packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/asset.abc70c90ded969d12235ca11768293cb20557cff54518518480c0d9fb344a098/helm/__init__.py rename to packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/asset.58216e9cbe7ed5d0c2b7c7d47e173e8f81c25ea6457f5446c34c22be7e6f7f51/helm/__init__.py index ddf0753a8aa6b..a8964465650a1 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/asset.abc70c90ded969d12235ca11768293cb20557cff54518518480c0d9fb344a098/helm/__init__.py +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/asset.58216e9cbe7ed5d0c2b7c7d47e173e8f81c25ea6457f5446c34c22be7e6f7f51/helm/__init__.py @@ -186,6 +186,7 @@ def helm(verb, release, chart = None, repo = None, file = None, namespace = None cmnd.append('--atomic') cmnd.extend(['--kubeconfig', kubeconfig]) + print(cmnd) maxAttempts = 3 retry = maxAttempts while retry > 0: diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/asset.abc70c90ded969d12235ca11768293cb20557cff54518518480c0d9fb344a098/index.py b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/asset.58216e9cbe7ed5d0c2b7c7d47e173e8f81c25ea6457f5446c34c22be7e6f7f51/index.py similarity index 100% rename from packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/asset.abc70c90ded969d12235ca11768293cb20557cff54518518480c0d9fb344a098/index.py rename to packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/asset.58216e9cbe7ed5d0c2b7c7d47e173e8f81c25ea6457f5446c34c22be7e6f7f51/index.py diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/asset.abc70c90ded969d12235ca11768293cb20557cff54518518480c0d9fb344a098/patch/__init__.py b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/asset.58216e9cbe7ed5d0c2b7c7d47e173e8f81c25ea6457f5446c34c22be7e6f7f51/patch/__init__.py similarity index 100% rename from packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/asset.abc70c90ded969d12235ca11768293cb20557cff54518518480c0d9fb344a098/patch/__init__.py rename to packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/asset.58216e9cbe7ed5d0c2b7c7d47e173e8f81c25ea6457f5446c34c22be7e6f7f51/patch/__init__.py diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/aws-cdk-eks-helm-test.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/aws-cdk-eks-helm-test.assets.json index 8b758cfa82d6c..c193dbe6fc296 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/aws-cdk-eks-helm-test.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/aws-cdk-eks-helm-test.assets.json @@ -53,15 +53,15 @@ } } }, - "abc70c90ded969d12235ca11768293cb20557cff54518518480c0d9fb344a098": { + "58216e9cbe7ed5d0c2b7c7d47e173e8f81c25ea6457f5446c34c22be7e6f7f51": { "source": { - "path": "asset.abc70c90ded969d12235ca11768293cb20557cff54518518480c0d9fb344a098", + "path": "asset.58216e9cbe7ed5d0c2b7c7d47e173e8f81c25ea6457f5446c34c22be7e6f7f51", "packaging": "zip" }, "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "abc70c90ded969d12235ca11768293cb20557cff54518518480c0d9fb344a098.zip", + "objectKey": "58216e9cbe7ed5d0c2b7c7d47e173e8f81c25ea6457f5446c34c22be7e6f7f51.zip", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } @@ -105,7 +105,7 @@ } } }, - "e23ed13a7821108db50050a225f7b03107502f583d2faa3a1f82a71756081a75": { + "103a1c2a2539a9843f062d1d618f1fbd8483ea496405f34f6aca5ae90f507af8": { "source": { "path": "awscdkekshelmtestawscdkawseksKubectlProvider207F42E4.nested.template.json", "packaging": "file" @@ -113,12 +113,12 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "e23ed13a7821108db50050a225f7b03107502f583d2faa3a1f82a71756081a75.json", + "objectKey": "103a1c2a2539a9843f062d1d618f1fbd8483ea496405f34f6aca5ae90f507af8.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } }, - "87e05e7e56d00f8bd9133b97480ff01b622c9f7f500f8544cef311a412454395": { + "cce6daec2a6b207f27324c17c5286150f99302d682cd87133faac356ffa683f3": { "source": { "path": "aws-cdk-eks-helm-test.template.json", "packaging": "file" @@ -126,7 +126,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "87e05e7e56d00f8bd9133b97480ff01b622c9f7f500f8544cef311a412454395.json", + "objectKey": "cce6daec2a6b207f27324c17c5286150f99302d682cd87133faac356ffa683f3.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/aws-cdk-eks-helm-test.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/aws-cdk-eks-helm-test.template.json index 03d07827f9b96..ff5440e467401 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/aws-cdk-eks-helm-test.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/aws-cdk-eks-helm-test.template.json @@ -1092,6 +1092,18 @@ "Release": "s3-chart", "Chart": "s3-chart", "Version": "v0.1.0", + "Values": { + "Fn::Join": [ + "", + [ + "{\"aws\":{\"region\":\"", + { + "Ref": "AWS::Region" + }, + "\"}}" + ] + ] + }, "Namespace": "ack-system", "Repository": "oci://public.ecr.aws/aws-controllers-k8s/s3-chart", "CreateNamespace": true @@ -1123,6 +1135,18 @@ "Release": "lambda-chart-release", "Chart": "lambda-chart", "Version": "v0.1.4", + "Values": { + "Fn::Join": [ + "", + [ + "{\"aws\":{\"region\":\"", + { + "Ref": "AWS::Region" + }, + "\"}}" + ] + ] + }, "Namespace": "ack-system", "Repository": "oci://public.ecr.aws/aws-controllers-k8s/lambda-chart", "CreateNamespace": true @@ -1153,7 +1177,19 @@ }, "Release": "rds-chart-release", "Chart": "rds-chart", - "Version": "v1.1.2", + "Version": "1.4.1", + "Values": { + "Fn::Join": [ + "", + [ + "{\"aws\":{\"region\":\"", + { + "Ref": "AWS::Region" + }, + "\"}}" + ] + ] + }, "Namespace": "ack-system", "Repository": "oci://public.ecr.aws/aws-controllers-k8s/rds-chart", "CreateNamespace": true, @@ -1183,11 +1219,23 @@ "Arn" ] }, - "Release": "rds-chart-release", - "Chart": "rds-chart", - "Version": "v1.1.2", + "Release": "ec2-chart-release", + "Chart": "ec2-chart", + "Version": "1.2.13", + "Values": { + "Fn::Join": [ + "", + [ + "{\"aws\":{\"region\":\"", + { + "Ref": "AWS::Region" + }, + "\"}}" + ] + ] + }, "Namespace": "ack-system", - "Repository": "oci://public.ecr.aws/aws-controllers-k8s/rds-chart", + "Repository": "oci://public.ecr.aws/aws-controllers-k8s/ec2-chart", "CreateNamespace": true, "SkipCrds": true, "Atomic": true @@ -1298,7 +1346,7 @@ { "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" }, - "/e23ed13a7821108db50050a225f7b03107502f583d2faa3a1f82a71756081a75.json" + "/103a1c2a2539a9843f062d1d618f1fbd8483ea496405f34f6aca5ae90f507af8.json" ] ] } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/awscdkekshelmtestawscdkawseksKubectlProvider207F42E4.nested.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/awscdkekshelmtestawscdkawseksKubectlProvider207F42E4.nested.template.json index 4defc3836af59..0b1f5db1afccd 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/awscdkekshelmtestawscdkawseksKubectlProvider207F42E4.nested.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/awscdkekshelmtestawscdkawseksKubectlProvider207F42E4.nested.template.json @@ -7,7 +7,7 @@ "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" }, - "S3Key": "abc70c90ded969d12235ca11768293cb20557cff54518518480c0d9fb344a098.zip" + "S3Key": "58216e9cbe7ed5d0c2b7c7d47e173e8f81c25ea6457f5446c34c22be7e6f7f51.zip" }, "Description": "onEvent handler for EKS kubectl resource provider", "Environment": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/manifest.json index 0abd7f388ac4e..f0cda2a802f8a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/manifest.json @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/87e05e7e56d00f8bd9133b97480ff01b622c9f7f500f8544cef311a412454395.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/cce6daec2a6b207f27324c17c5286150f99302d682cd87133faac356ffa683f3.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/tree.json index e37cdfc5ebf7d..297cff6003621 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.js.snapshot/tree.json @@ -3010,7 +3010,7 @@ "s3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" }, - "s3Key": "abc70c90ded969d12235ca11768293cb20557cff54518518480c0d9fb344a098.zip" + "s3Key": "58216e9cbe7ed5d0c2b7c7d47e173e8f81c25ea6457f5446c34c22be7e6f7f51.zip" }, "description": "onEvent handler for EKS kubectl resource provider", "environment": { @@ -3481,7 +3481,7 @@ { "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" }, - "/e23ed13a7821108db50050a225f7b03107502f583d2faa3a1f82a71756081a75.json" + "/103a1c2a2539a9843f062d1d618f1fbd8483ea496405f34f6aca5ae90f507af8.json" ] ] } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.ts index 2a06da34209f8..b79d8b3629fd4 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-helm-asset.ts @@ -51,6 +51,7 @@ class EksClusterStack extends Stack { chartAsset: chartAsset, }); + // https://gallery.ecr.aws/aws-controllers-k8s/s3-chart this.cluster.addHelmChart('test-oci-chart', { chart: 's3-chart', release: 's3-chart', @@ -58,6 +59,7 @@ class EksClusterStack extends Stack { version: 'v0.1.0', namespace: 'ack-system', createNamespace: true, + values: { aws: { region: this.region } }, }); // there is no opinionated way of testing charts from private ECR, so there is description of manual steps needed to reproduce: @@ -68,6 +70,7 @@ class EksClusterStack extends Stack { // 5. Change `repository` in above test to oci://YOUR_ACCOUNT_ID.dkr.ecr.YOUR_REGION.amazonaws.com/helm-charts-test // 6. Run integration tests as usual + // https://gallery.ecr.aws/aws-controllers-k8s/lambda-chart this.cluster.addHelmChart('test-oci-chart-different-release-name', { chart: 'lambda-chart', release: 'lambda-chart-release', @@ -75,31 +78,37 @@ class EksClusterStack extends Stack { version: 'v0.1.4', namespace: 'ack-system', createNamespace: true, + values: { aws: { region: this.region } }, }); // testing the disable mechanism of the installation of CRDs + // https://gallery.ecr.aws/aws-controllers-k8s/rds-chart this.cluster.addHelmChart('test-skip-crd-installation', { chart: 'rds-chart', release: 'rds-chart-release', repository: 'oci://public.ecr.aws/aws-controllers-k8s/rds-chart', - version: 'v1.1.2', + version: '1.4.1', namespace: 'ack-system', createNamespace: true, skipCrds: true, + values: { aws: { region: this.region } }, }); - //testing installation with atomic flag set to true + // testing installation with atomic flag set to true + // https://gallery.ecr.aws/aws-controllers-k8s/sns-chart this.cluster.addHelmChart('test-atomic-installation', { - chart: 'rds-chart', - release: 'rds-chart-release', - repository: 'oci://public.ecr.aws/aws-controllers-k8s/rds-chart', - version: 'v1.1.2', + chart: 'ec2-chart', + release: 'ec2-chart-release', + repository: 'oci://public.ecr.aws/aws-controllers-k8s/ec2-chart', + version: '1.2.13', namespace: 'ack-system', createNamespace: true, skipCrds: true, atomic: true, + values: { aws: { region: this.region } }, }); + // https://github.com/orgs/grafana-operator/packages/container/package/helm-charts%2Fgrafana-operator this.cluster.addHelmChart('test-non-ecr-oci-chart', { chart: 'grafana-operator', release: 'grafana-operator-release', From 71315394394634f92b01ed70aa25b59116ad6ec0 Mon Sep 17 00:00:00 2001 From: Grace Luo <54298030+gracelu0@users.noreply.github.com> Date: Wed, 24 Jul 2024 10:27:31 -0700 Subject: [PATCH 05/17] chore: add note to bug report template (#30934) ### Issue # (if applicable) N/A ### Reason for this change Remind users to submit security-related issues using the existing mechanism in GitHub. ### Description of changes Add note to the top of the template ### Description of how you validated changes Previewed the template in GitHub (can't find a way to actually view the updated template locally) ### Checklist - [n/a] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .github/ISSUE_TEMPLATE/bug-report.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/ISSUE_TEMPLATE/bug-report.yml b/.github/ISSUE_TEMPLATE/bug-report.yml index eecd4056ab65c..c3843d23481d8 100644 --- a/.github/ISSUE_TEMPLATE/bug-report.yml +++ b/.github/ISSUE_TEMPLATE/bug-report.yml @@ -5,6 +5,14 @@ title: "(module name): (short issue description)" labels: [bug, needs-triage] assignees: [] body: + - type: markdown + attributes: + value: | + Thanks for taking the time to fill out this bug report! + + **⚠️ Please read this before filling out the form below:** + If the bug you are reporting is a security-related issue or a security vulnerability, + please report it via [Report a security vulnerability](https://github.com/aws/aws-cdk/security/advisories/new) instead of this template. - type: textarea id: description attributes: From e7af8f8d1fbbe7b1a9b5998c33574e620368480f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20Durand?= Date: Wed, 24 Jul 2024 21:02:51 +0200 Subject: [PATCH 06/17] docs(rds): clarify how to enable S3Import/S3Export in Readme.md (#30459) ### Reason for this change Documentation does not state clearly that feature needs to be manually enabled when using Postgres Example : The following code will fail with the error message ```ts const cluster = new rds.DatabaseCluster(this, 'Database', { engine: rds.DatabaseClusterEngine.auroraPostgres({version: AuroraPostgresEngineVersion.of('12.7','12')}), writer: rds.ClusterInstance.provisioned('writer', { instanceType: ec2.InstanceType.of(ec2.InstanceClass.R6G, ec2.InstanceSize.XLARGE4), }), serverlessV2MinCapacity: 6.5, serverlessV2MaxCapacity: 64, s3ImportRole: sampleRole }); ``` Will fail with this error message :`Error: s3Import is not supported for Postgres version: 12.7. Use a version that supports the s3Import feature` But the thing is that 12.7 does support it ! The real problem here is that the feature needs to be enabled as such ```ts const cluster = new rds.DatabaseCluster(this, 'Database', { engine: rds.DatabaseClusterEngine.auroraPostgres({version: AuroraPostgresEngineVersion.of('12.7','12', {s3Export: true, s3Import:true})}), writer: rds.ClusterInstance.provisioned('writer', { instanceType: ec2.InstanceType.of(ec2.InstanceClass.R6G, ec2.InstanceSize.XLARGE4), }), serverlessV2MinCapacity: 6.5, serverlessV2MaxCapacity: 64, s3ImportRole: sampleRole }); ``` ### Description of changes Small update to Readme.md and inline TSdoc ### Description of how you validated changes None ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/aws-cdk-lib/aws-rds/README.md | 1 + packages/aws-cdk-lib/aws-rds/lib/cluster.ts | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/packages/aws-cdk-lib/aws-rds/README.md b/packages/aws-cdk-lib/aws-rds/README.md index 973762247098e..58eed278f186d 100644 --- a/packages/aws-cdk-lib/aws-rds/README.md +++ b/packages/aws-cdk-lib/aws-rds/README.md @@ -938,6 +938,7 @@ Data in S3 buckets can be imported to and exported from certain database engines functionality, set the `s3ImportBuckets` and `s3ExportBuckets` properties for import and export respectively. When configured, the CDK automatically creates and configures IAM roles as required. Additionally, the `s3ImportRole` and `s3ExportRole` properties can be used to set this role directly. +Note: To use `s3ImportRole` and `s3ExportRole` with Aurora PostgreSQL, you must also enable the S3 import and export features when you create the DatabaseClusterEngine. You can read more about loading data to (or from) S3 here: diff --git a/packages/aws-cdk-lib/aws-rds/lib/cluster.ts b/packages/aws-cdk-lib/aws-rds/lib/cluster.ts index 30bfd914d6303..515115663b828 100644 --- a/packages/aws-cdk-lib/aws-rds/lib/cluster.ts +++ b/packages/aws-cdk-lib/aws-rds/lib/cluster.ts @@ -253,7 +253,7 @@ interface DatabaseClusterBaseProps { * This feature is only supported by the Aurora database engine. * * This property must not be used if `s3ImportBuckets` is used. - * + * To use this property with Aurora PostgreSQL, it must be configured with the S3 import feature enabled when creating the DatabaseClusterEngine * For MySQL: * @see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.LoadFromS3.html * @@ -284,7 +284,7 @@ interface DatabaseClusterBaseProps { * This feature is only supported by the Aurora database engine. * * This property must not be used if `s3ExportBuckets` is used. - * + * To use this property with Aurora PostgreSQL, it must be configured with the S3 export feature enabled when creating the DatabaseClusterEngine * For MySQL: * @see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.SaveIntoS3.html * From 64afa72e1ca035331a56e3d3fdf24097464275f1 Mon Sep 17 00:00:00 2001 From: GZ Date: Wed, 24 Jul 2024 12:33:40 -0700 Subject: [PATCH 07/17] chore: lock conversations on closed issues and PRs with message (#30941) ### Issue # (if applicable) ### Reason for this change Lock conversations on closed issues and PRs to make sure important comments are not left on closed items and no one would be able to see it. Force people to create new issues instead. ### Description of changes Lock conversations. ### Description of how you validated changes Tested in a forked repo and it works correctly. ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .github/workflows/closed-issue-message.yml | 21 --------- .../workflows/lock-issue-pr-with-message.yml | 47 +++++++++++++++++++ 2 files changed, 47 insertions(+), 21 deletions(-) delete mode 100644 .github/workflows/closed-issue-message.yml create mode 100644 .github/workflows/lock-issue-pr-with-message.yml diff --git a/.github/workflows/closed-issue-message.yml b/.github/workflows/closed-issue-message.yml deleted file mode 100644 index ebd26358d80f9..0000000000000 --- a/.github/workflows/closed-issue-message.yml +++ /dev/null @@ -1,21 +0,0 @@ -name: Closed Issue Message -on: - issues: - types: [closed] - pull_request_target: - types: [closed] -jobs: - auto_comment: - permissions: - pull-requests: write - issues: write - runs-on: ubuntu-latest - steps: - - uses: aws-actions/closed-issue-message@v1 - with: - # These inputs are both required - repo-token: "${{ secrets.GITHUB_TOKEN }}" - message: | - Comments on closed issues and PRs are hard for our team to see. - If you need help, please open a new issue that references this one. - If you wish to keep having a conversation with other community members under this issue feel free to do so. diff --git a/.github/workflows/lock-issue-pr-with-message.yml b/.github/workflows/lock-issue-pr-with-message.yml new file mode 100644 index 0000000000000..10650ddbeec4d --- /dev/null +++ b/.github/workflows/lock-issue-pr-with-message.yml @@ -0,0 +1,47 @@ +name: Lock Closed Issues and PRs with message + +on: + pull_request_target: + types: [closed] + issues: + types: [closed] + +jobs: + auto_comment: + permissions: + pull-requests: write + issues: write + runs-on: ubuntu-latest + steps: + - uses: aws-actions/closed-issue-message@v1 + with: + repo-token: "${{ secrets.GITHUB_TOKEN }}" + message: | + Comments on closed issues and PRs are hard for our team to see. + If you need help, please open a new issue that references this one. + If you wish to keep having a conversation with other community members under this issue feel free to do so. + lock: + permissions: + pull-requests: write + issues: write + runs-on: ubuntu-latest + needs: auto_comment + steps: + - name: Lock closed issue or PR + run: | + if [ "${{ github.event_name }}" == "issues" ]; then + ISSUE_NUMBER=${{ github.event.issue.number }} + ISSUE_URL=https://api.github.com/repos/${{ github.repository }}/issues/${ISSUE_NUMBER}/lock + else + ISSUE_NUMBER=${{ github.event.pull_request.number }} + ISSUE_URL=https://api.github.com/repos/${{ github.repository }}/issues/${ISSUE_NUMBER}/lock + fi + + curl -s -X PUT -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ + -H "Accept: application/vnd.github.v3+json" \ + ${ISSUE_URL} \ + -d @- < Date: Thu, 25 Jul 2024 05:57:24 +0900 Subject: [PATCH 08/17] chore(elasticloadbalancingv2): specific 5XX CloudWatch metrics for ALB (#30659) ### Reason for this change ALB supports metrics for specific load balancer generated 5XX level error metrics. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-cloudwatch-metrics.html However, they are currently not included in `HttpCodeElb`, so the `metrics.httpCodeElb` method is not available and `metrics.custom` must be used. ```ts let alb: IApplicationLoadBalancer; alb.metrics.httpCodeElb(HttpCodeElb.ELB_5XX_COUNT); // we can do this alb.metrics.httpCodeElb(HttpCodeElb.ELB_500_COUNT); // currently we cannot do this alb.metrics.custom("HTTPCode_ELB_500_Count"); ``` Adding the metric names to `HttpCodeElb` makes it easier to understand as it can be configured in the same way as `HTTPCode_ELB_5XX_Count`. ### Description of changes Add metrics names to `HttpCodeElb`. ### Description of how you validated changes ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../lib/alb/application-load-balancer.ts | 20 ++++++++++++++++ .../test/alb/load-balancer.test.ts | 23 +++++++++++++++++++ 2 files changed, 43 insertions(+) diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts index 6a0914ea8e153..0ec173c7b77df 100644 --- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts +++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts @@ -753,6 +753,26 @@ export enum HttpCodeElb { * The number of HTTP 5XX server error codes that originate from the load balancer. */ ELB_5XX_COUNT = 'HTTPCode_ELB_5XX_Count', + + /** + * The number of HTTP 500 server error codes that originate from the load balancer. + */ + ELB_500_COUNT = 'HTTPCode_ELB_500_Count', + + /** + * The number of HTTP 502 server error codes that originate from the load balancer. + */ + ELB_502_COUNT = 'HTTPCode_ELB_502_Count', + + /** + * The number of HTTP 503 server error codes that originate from the load balancer. + */ + ELB_503_COUNT = 'HTTPCode_ELB_503_Count', + + /** + * The number of HTTP 504 server error codes that originate from the load balancer. + */ + ELB_504_COUNT = 'HTTPCode_ELB_504_Count', } /** diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts index 930f3a2a18923..958a881846fab 100644 --- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts +++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts @@ -684,6 +684,29 @@ describe('tests', () => { } }); + test.each([ + elbv2.HttpCodeElb.ELB_500_COUNT, + elbv2.HttpCodeElb.ELB_502_COUNT, + elbv2.HttpCodeElb.ELB_503_COUNT, + elbv2.HttpCodeElb.ELB_504_COUNT, + ])('use specific load balancer generated 5XX metrics', (metricName) => { + // GIVEN + const stack = new cdk.Stack(); + const vpc = new ec2.Vpc(stack, 'Stack'); + const lb = new elbv2.ApplicationLoadBalancer(stack, 'LB', { vpc }); + + // WHEN + const metric = lb.metrics.httpCodeElb(metricName); + + // THEN + expect(metric.namespace).toEqual('AWS/ApplicationELB'); + expect(metric.statistic).toEqual('Sum'); + expect(metric.metricName).toEqual(metricName); + expect(stack.resolve(metric.dimensions)).toEqual({ + LoadBalancer: { 'Fn::GetAtt': ['LB8A12904C', 'LoadBalancerFullName'] }, + }); + }); + test('loadBalancerName', () => { // GIVEN const stack = new cdk.Stack(); From cd80fcaeba32f79e76586af63eca5363b731895b Mon Sep 17 00:00:00 2001 From: GZ Date: Wed, 24 Jul 2024 15:15:26 -0700 Subject: [PATCH 09/17] chore: update message in GHA lock conversations (#30942) ### Issue # (if applicable) Fix the misleading message in https://github.com/aws/aws-cdk/pull/30941 ### Reason for this change Update message left by GHA ### Description of changes Since we lock conversations, we should update the message to be more accurate. ### Description of how you validated changes Tested in private fork with GHA. ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .github/workflows/lock-issue-pr-with-message.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/lock-issue-pr-with-message.yml b/.github/workflows/lock-issue-pr-with-message.yml index 10650ddbeec4d..8192c5ac7898e 100644 --- a/.github/workflows/lock-issue-pr-with-message.yml +++ b/.github/workflows/lock-issue-pr-with-message.yml @@ -19,13 +19,12 @@ jobs: message: | Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one. - If you wish to keep having a conversation with other community members under this issue feel free to do so. lock: permissions: pull-requests: write issues: write runs-on: ubuntu-latest - needs: auto_comment + needs: auto_comment # only run after comment is complete steps: - name: Lock closed issue or PR run: | From 84dd06b07d112db43119be3cbffe66b898092b33 Mon Sep 17 00:00:00 2001 From: mazyu36 Date: Thu, 25 Jul 2024 09:03:27 +0900 Subject: [PATCH 10/17] chore(bedrock): support meta llama3-1 (#30932) Add Meta Llama 3.1 model. Ref * https://aws.amazon.com/about-aws/whats-new/2024/07/meta-llama-3-1-generative-ai-models-amazon-bedrock/ * https://docs.aws.amazon.com/bedrock/latest/userguide/model-ids.html ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/aws-cdk-lib/aws-bedrock/lib/foundation-model.ts | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/packages/aws-cdk-lib/aws-bedrock/lib/foundation-model.ts b/packages/aws-cdk-lib/aws-bedrock/lib/foundation-model.ts index bfabc3dfea97f..7058b4e97c8aa 100644 --- a/packages/aws-cdk-lib/aws-bedrock/lib/foundation-model.ts +++ b/packages/aws-cdk-lib/aws-bedrock/lib/foundation-model.ts @@ -194,6 +194,15 @@ export class FoundationModelIdentifier { /** Base model "meta.llama3-70b-instruct-v1:0". */ public static readonly META_LLAMA_3_70_INSTRUCT_V1 = new FoundationModelIdentifier('meta.llama3-70b-instruct-v1:0'); + /** Base model "meta.llama3-1-8b-instruct-v1:0". */ + public static readonly META_LLAMA_3_1_8B_INSTRUCT_V1 = new FoundationModelIdentifier('meta.llama3-1-8b-instruct-v1:0'); + + /** Base model "meta.llama3-1-70b-instruct-v1:0". */ + public static readonly META_LLAMA_3_1_70_INSTRUCT_V1 = new FoundationModelIdentifier('meta.llama3-1-70b-instruct-v1:0'); + + /** Base model "meta.llama3-1-405b-instruct-v1:0". */ + public static readonly META_LLAMA_3_1_405_INSTRUCT_V1 = new FoundationModelIdentifier('meta.llama3-1-405b-instruct-v1:0'); + /** Base model "mistral.mistral-7b-instruct-v0:2". */ public static readonly MISTRAL_MISTRAL_7B_INSTRUCT_V0_2 = new FoundationModelIdentifier('mistral.mistral-7b-instruct-v0:2'); From 50be967fc41416e0457e03f3c8a4de2b7e6a6d90 Mon Sep 17 00:00:00 2001 From: Ashish Dhingra <67916761+ashishdhingra@users.noreply.github.com> Date: Thu, 25 Jul 2024 10:15:00 -0700 Subject: [PATCH 11/17] chore: update github-merit-badger.yml (#30950) ### Issue # (if applicable) N/A ### Reason for this change Add `ashishdhingra` to ignore list for merit badger. ### Description of changes Add `ashishdhingra` to ignore list for merit badger. ### Description of how you validated changes ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .github/workflows/github-merit-badger.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/github-merit-badger.yml b/.github/workflows/github-merit-badger.yml index 3dc009d6c6612..48ac26aae71b2 100644 --- a/.github/workflows/github-merit-badger.yml +++ b/.github/workflows/github-merit-badger.yml @@ -17,4 +17,4 @@ jobs: badges: '[beginning-contributor,repeat-contributor,valued-contributor,admired-contributor,star-contributor,distinguished-contributor]' thresholds: '[0,3,6,13,25,50]' badge-type: 'achievement' - ignore-usernames: '[rix0rrr,iliapolo,otaviomacedo,kaizencc,comcalvi,TheRealAmazonKendra,vinayak-kukreja,mrgrain,pahud,cgarvis,kellertk,HBobertz,sumupitchayan,SankyRed,udaypant,colifran,khushail,scanlonp,mikewrighton,moelasmar,paulhcsun,awsmjs,evgenyka,GavinZZ,aaythapa,xazhao,ConnorRobertson,ssenchenko,gracelu0,jfuss,SimonCMoore,shikha372,kirtishrinkhala,godwingrs22,bergjaak,IanKonlog,Leo10Gama,samson-keung,scorbiere,aws-cdk-automation,dependabot[bot],mergify[bot]]' + ignore-usernames: '[rix0rrr,iliapolo,otaviomacedo,kaizencc,comcalvi,TheRealAmazonKendra,vinayak-kukreja,mrgrain,pahud,cgarvis,kellertk,ashishdhingra,HBobertz,sumupitchayan,SankyRed,udaypant,colifran,khushail,scanlonp,mikewrighton,moelasmar,paulhcsun,awsmjs,evgenyka,GavinZZ,aaythapa,xazhao,ConnorRobertson,ssenchenko,gracelu0,jfuss,SimonCMoore,shikha372,kirtishrinkhala,godwingrs22,bergjaak,IanKonlog,Leo10Gama,samson-keung,scorbiere,aws-cdk-automation,dependabot[bot],mergify[bot]]' From 742c52ee9d894573c1c497702f49b0d18554b804 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 25 Jul 2024 17:46:50 +0000 Subject: [PATCH 12/17] chore(deps): bump requirejs from 2.3.6 to 2.3.7 (#30952) Bumps [requirejs](https://github.com/jrburke/r.js) from 2.3.6 to 2.3.7.
Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=requirejs&package-manager=npm_and_yarn&previous-version=2.3.6&new-version=2.3.7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk/network/alerts).
--- yarn.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yarn.lock b/yarn.lock index a38305994df03..ad0479e629b75 100644 --- a/yarn.lock +++ b/yarn.lock @@ -14759,9 +14759,9 @@ requirejs-config-file@^4.0.0: stringify-object "^3.2.1" requirejs@^2.3.5: - version "2.3.6" - resolved "https://registry.npmjs.org/requirejs/-/requirejs-2.3.6.tgz#e5093d9601c2829251258c0b9445d4d19fa9e7c9" - integrity sha512-ipEzlWQe6RK3jkzikgCupiTbTvm4S0/CAU5GlgptkN5SO6F3u0UD0K18wy6ErDqiCyP4J4YYe1HuAShvsxePLg== + version "2.3.7" + resolved "https://registry.npmjs.org/requirejs/-/requirejs-2.3.7.tgz#0b22032e51a967900e0ae9f32762c23a87036bd0" + integrity sha512-DouTG8T1WanGok6Qjg2SXuCMzszOo0eHeH9hDZ5Y4x8Je+9JB38HdTLT4/VA8OaUhBa0JPVHJ0pyBkM1z+pDsw== resolve-alpn@^1.2.0: version "1.2.1" From 9d79c518b47384a339b28146e2bc651a84b507f7 Mon Sep 17 00:00:00 2001 From: Pahud Hsieh Date: Thu, 25 Jul 2024 17:25:13 -0400 Subject: [PATCH 13/17] fix(appconfig): sourcedConfiguration doesn't use retrievalRole (#30733) ### Issue # (if applicable) Closes #30609 ### Reason for this change To refactor the retrievalRole creation logic. ### Description of changes ### Description of how you validated changes Unit tests: 1. configuration with retrievalRole undefined from bucket source should create a new role 2. configuration with retrievalRole defined should NOT create a new role and should use the passed role for the retrievalRoleArn 3. configuration with retrievalRole undefined from CodePipeline source should NOT create a new role Integ test: 1. update the existing integ test to assert a use case where the retrievalRole is provided. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../index.py | 24 +- .../index.js | 1 + .../aws-appconfig-configuration.assets.json | 23 +- .../aws-appconfig-configuration.template.json | 419 +++++++- .../manifest.json | 74 +- .../integ.configuration.js.snapshot/tree.json | 952 ++++++++++++------ .../aws-appconfig/test/integ.configuration.ts | 62 +- .../aws-appconfig/lib/configuration.ts | 29 +- .../aws-appconfig/test/configuration.test.ts | 149 ++- 9 files changed, 1393 insertions(+), 340 deletions(-) rename packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/{asset.e976a796f036a5efbf44b99e44cfb5a961df08d8dbf7cd37e60bf216fb982a00 => asset.0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c}/index.py (94%) create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/asset.e976a796f036a5efbf44b99e44cfb5a961df08d8dbf7cd37e60bf216fb982a00/index.py b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/asset.0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c/index.py similarity index 94% rename from packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/asset.e976a796f036a5efbf44b99e44cfb5a961df08d8dbf7cd37e60bf216fb982a00/index.py rename to packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/asset.0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c/index.py index 4015927d9c843..e4d3920e40c02 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/asset.e976a796f036a5efbf44b99e44cfb5a961df08d8dbf7cd37e60bf216fb982a00/index.py +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/asset.0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c/index.py @@ -5,6 +5,7 @@ import shutil import subprocess import tempfile +import urllib.parse from urllib.request import Request, urlopen from uuid import uuid4 from zipfile import ZipFile @@ -30,7 +31,8 @@ def handler(event, context): def cfn_error(message=None): - logger.error("| cfn_error: %s" % message) + if message: + logger.error("| cfn_error: %s" % message.encode()) cfn_send(event, context, CFN_FAILED, reason=message, physicalResourceId=event.get('PhysicalResourceId', None)) @@ -99,8 +101,8 @@ def cfn_error(message=None): if old_s3_dest == "s3:///": old_s3_dest = None - logger.info("| s3_dest: %s" % s3_dest) - logger.info("| old_s3_dest: %s" % old_s3_dest) + logger.info("| s3_dest: %s" % sanitize_message(s3_dest)) + logger.info("| old_s3_dest: %s" % sanitize_message(old_s3_dest)) # if we are creating a new resource, allocate a physical id for it # otherwise, we expect physical id to be relayed by cloudformation @@ -108,7 +110,7 @@ def cfn_error(message=None): physical_id = "aws.cdk.s3deployment.%s" % str(uuid4()) else: if not physical_id: - cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % {request_type}) + cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % request_type) return # delete or create/update (only if "retain_on_delete" is false) @@ -141,6 +143,20 @@ def cfn_error(message=None): logger.exception(e) cfn_error(str(e)) +#--------------------------------------------------------------------------------------------------- +# Sanitize the message to mitigate CWE-117 and CWE-93 vulnerabilities +def sanitize_message(message): + if not message: + return message + + # Sanitize the message to prevent log injection and HTTP response splitting + sanitized_message = message.replace('\n', '').replace('\r', '') + + # Encode the message to handle special characters + encoded_message = urllib.parse.quote(sanitized_message) + + return encoded_message + #--------------------------------------------------------------------------------------------------- # populate all files from s3_source_zips to a destination bucket def s3_deploy(s3_source_zips, s3_dest, user_metadata, system_metadata, prune, exclude, include, source_markers, extract): diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js new file mode 100644 index 0000000000000..1002ba018e9fb --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js @@ -0,0 +1 @@ +"use strict";var f=Object.create;var i=Object.defineProperty;var I=Object.getOwnPropertyDescriptor;var C=Object.getOwnPropertyNames;var w=Object.getPrototypeOf,P=Object.prototype.hasOwnProperty;var A=(t,e)=>{for(var o in e)i(t,o,{get:e[o],enumerable:!0})},d=(t,e,o,r)=>{if(e&&typeof e=="object"||typeof e=="function")for(let s of C(e))!P.call(t,s)&&s!==o&&i(t,s,{get:()=>e[s],enumerable:!(r=I(e,s))||r.enumerable});return t};var l=(t,e,o)=>(o=t!=null?f(w(t)):{},d(e||!t||!t.__esModule?i(o,"default",{value:t,enumerable:!0}):o,t)),B=t=>d(i({},"__esModule",{value:!0}),t);var q={};A(q,{autoDeleteHandler:()=>S,handler:()=>H});module.exports=B(q);var h=require("@aws-sdk/client-s3");var y=l(require("https")),m=l(require("url")),a={sendHttpRequest:D,log:T,includeStackTraces:!0,userHandlerIndex:"./index"},p="AWSCDK::CustomResourceProviderFramework::CREATE_FAILED",L="AWSCDK::CustomResourceProviderFramework::MISSING_PHYSICAL_ID";function R(t){return async(e,o)=>{let r={...e,ResponseURL:"..."};if(a.log(JSON.stringify(r,void 0,2)),e.RequestType==="Delete"&&e.PhysicalResourceId===p){a.log("ignoring DELETE event caused by a failed CREATE event"),await u("SUCCESS",e);return}try{let s=await t(r,o),n=k(e,s);await u("SUCCESS",n)}catch(s){let n={...e,Reason:a.includeStackTraces?s.stack:s.message};n.PhysicalResourceId||(e.RequestType==="Create"?(a.log("CREATE failed, responding with a marker physical resource id so that the subsequent DELETE will be ignored"),n.PhysicalResourceId=p):a.log(`ERROR: Malformed event. "PhysicalResourceId" is required: ${JSON.stringify(e)}`)),await u("FAILED",n)}}}function k(t,e={}){let o=e.PhysicalResourceId??t.PhysicalResourceId??t.RequestId;if(t.RequestType==="Delete"&&o!==t.PhysicalResourceId)throw new Error(`DELETE: cannot change the physical resource ID from "${t.PhysicalResourceId}" to "${e.PhysicalResourceId}" during deletion`);return{...t,...e,PhysicalResourceId:o}}async function u(t,e){let o={Status:t,Reason:e.Reason??t,StackId:e.StackId,RequestId:e.RequestId,PhysicalResourceId:e.PhysicalResourceId||L,LogicalResourceId:e.LogicalResourceId,NoEcho:e.NoEcho,Data:e.Data},r=m.parse(e.ResponseURL),s=`${r.protocol}//${r.hostname}/${r.pathname}?***`;a.log("submit response to cloudformation",s,o);let n=JSON.stringify(o),E={hostname:r.hostname,path:r.path,method:"PUT",headers:{"content-type":"","content-length":Buffer.byteLength(n,"utf8")}};await O({attempts:5,sleep:1e3},a.sendHttpRequest)(E,n)}async function D(t,e){return new Promise((o,r)=>{try{let s=y.request(t,n=>{n.resume(),!n.statusCode||n.statusCode>=400?r(new Error(`Unsuccessful HTTP response: ${n.statusCode}`)):o()});s.on("error",r),s.write(e),s.end()}catch(s){r(s)}})}function T(t,...e){console.log(t,...e)}function O(t,e){return async(...o)=>{let r=t.attempts,s=t.sleep;for(;;)try{return await e(...o)}catch(n){if(r--<=0)throw n;await b(Math.floor(Math.random()*s)),s*=2}}}async function b(t){return new Promise(e=>setTimeout(e,t))}var g="aws-cdk:auto-delete-objects",x=JSON.stringify({Version:"2012-10-17",Statement:[]}),c=new h.S3({}),H=R(S);async function S(t){switch(t.RequestType){case"Create":return;case"Update":return{PhysicalResourceId:(await F(t)).PhysicalResourceId};case"Delete":return N(t.ResourceProperties?.BucketName)}}async function F(t){let e=t,o=e.OldResourceProperties?.BucketName;return{PhysicalResourceId:e.ResourceProperties?.BucketName??o}}async function _(t){try{let e=(await c.getBucketPolicy({Bucket:t}))?.Policy??x,o=JSON.parse(e);o.Statement.push({Principal:"*",Effect:"Deny",Action:["s3:PutObject"],Resource:[`arn:aws:s3:::${t}/*`]}),await c.putBucketPolicy({Bucket:t,Policy:JSON.stringify(o)})}catch(e){if(e.name==="NoSuchBucket")throw e;console.log(`Could not set new object deny policy on bucket '${t}' prior to deletion.`)}}async function U(t){let e;do{e=await c.listObjectVersions({Bucket:t});let o=[...e.Versions??[],...e.DeleteMarkers??[]];if(o.length===0)return;let r=o.map(s=>({Key:s.Key,VersionId:s.VersionId}));await c.deleteObjects({Bucket:t,Delete:{Objects:r}})}while(e?.IsTruncated)}async function N(t){if(!t)throw new Error("No BucketName was provided.");try{if(!await W(t)){console.log(`Bucket does not have '${g}' tag, skipping cleaning.`);return}await _(t),await U(t)}catch(e){if(e.name==="NoSuchBucket"){console.log(`Bucket '${t}' does not exist.`);return}throw e}}async function W(t){return(await c.getBucketTagging({Bucket:t})).TagSet?.some(o=>o.Key===g&&o.Value==="true")}0&&(module.exports={autoDeleteHandler,handler}); diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/aws-appconfig-configuration.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/aws-appconfig-configuration.assets.json index 82c6d027afe5f..e49571ad44d85 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/aws-appconfig-configuration.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/aws-appconfig-configuration.assets.json @@ -1,6 +1,19 @@ { "version": "36.0.0", "files": { + "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61": { + "source": { + "path": "asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61", + "packaging": "zip" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61.zip", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + }, "3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961": { "source": { "path": "asset.3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip", @@ -14,15 +27,15 @@ } } }, - "e976a796f036a5efbf44b99e44cfb5a961df08d8dbf7cd37e60bf216fb982a00": { + "0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c": { "source": { - "path": "asset.e976a796f036a5efbf44b99e44cfb5a961df08d8dbf7cd37e60bf216fb982a00", + "path": "asset.0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c", "packaging": "zip" }, "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "e976a796f036a5efbf44b99e44cfb5a961df08d8dbf7cd37e60bf216fb982a00.zip", + "objectKey": "0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c.zip", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } @@ -53,7 +66,7 @@ } } }, - "bc60e6498e01ff2afc7280330547559fc0e8c9c15f5ff05fc560ea731f76277e": { + "f3c7c62924a5ad7e781abc71a57fb0540e3c9a334acad335dfe1da25e271f381": { "source": { "path": "aws-appconfig-configuration.template.json", "packaging": "file" @@ -61,7 +74,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "bc60e6498e01ff2afc7280330547559fc0e8c9c15f5ff05fc560ea731f76277e.json", + "objectKey": "f3c7c62924a5ad7e781abc71a57fb0540e3c9a334acad335dfe1da25e271f381.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/aws-appconfig-configuration.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/aws-appconfig-configuration.template.json index 2ff57c90bfa5f..2d3078ecab5ec 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/aws-appconfig-configuration.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/aws-appconfig-configuration.template.json @@ -586,6 +586,10 @@ "Type": "AWS::S3::Bucket", "Properties": { "Tags": [ + { + "Key": "aws-cdk:auto-delete-objects", + "Value": "true" + }, { "Key": "aws-cdk:cr-owned:2255b7ad", "Value": "true" @@ -598,6 +602,143 @@ "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, + "MyBucketPolicyE7FBAC7B": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "MyBucketF68F3FF0" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:DeleteObject*", + "s3:GetBucket*", + "s3:List*", + "s3:PutBucketPolicy" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", + "Arn" + ] + } + }, + "Resource": [ + { + "Fn::GetAtt": [ + "MyBucketF68F3FF0", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "MyBucketF68F3FF0", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + } + } + }, + "MyBucketAutoDeleteObjectsCustomResource2C28D565": { + "Type": "Custom::S3AutoDeleteObjects", + "Properties": { + "ServiceToken": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", + "Arn" + ] + }, + "BucketName": { + "Ref": "MyBucketF68F3FF0" + } + }, + "DependsOn": [ + "MyBucketPolicyE7FBAC7B" + ], + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ] + }, + "ManagedPolicyArns": [ + { + "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + } + ] + } + }, + "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "S3Bucket": { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "S3Key": "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61.zip" + }, + "Timeout": 900, + "MemorySize": 128, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", + "Arn" + ] + }, + "Runtime": { + "Fn::FindInMap": [ + "LatestNodeRuntimeMap", + { + "Ref": "AWS::Region" + }, + "value" + ] + }, + "Description": { + "Fn::Join": [ + "", + [ + "Lambda function for auto-deleting objects in ", + { + "Ref": "MyBucketF68F3FF0" + }, + " S3 bucket." + ] + ] + } + }, + "DependsOn": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" + ] + }, "DeployConfigInBucketAwsCliLayerFC57D055": { "Type": "AWS::Lambda::LayerVersion", "Properties": { @@ -776,7 +917,7 @@ "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" }, - "S3Key": "e976a796f036a5efbf44b99e44cfb5a961df08d8dbf7cd37e60bf216fb982a00.zip" + "S3Key": "0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c.zip" }, "Environment": { "Variables": { @@ -940,6 +1081,158 @@ } } }, + "DummyRoleA4B7EAF1": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "appconfig.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "DummyRoleDefaultPolicy68837380": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:GetObject", + "s3:GetObjectMetadata", + "s3:GetObjectVersion" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::", + { + "Ref": "MyBucketF68F3FF0" + }, + "/*" + ] + ] + } + }, + { + "Action": [ + "s3:GetBucketLocation", + "s3:GetBucketVersioning", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::", + { + "Ref": "MyBucketF68F3FF0" + } + ] + ] + } + }, + { + "Action": "s3:ListAllMyBuckets", + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "DummyRoleDefaultPolicy68837380", + "Roles": [ + { + "Ref": "DummyRoleA4B7EAF1" + } + ] + } + }, + "MyConfigFromBucketWithRoleDeploymentStrategy109EA62F": { + "Type": "AWS::AppConfig::DeploymentStrategy", + "Properties": { + "DeploymentDurationInMinutes": 20, + "FinalBakeTimeInMinutes": 10, + "GrowthFactor": 10, + "GrowthType": "EXPONENTIAL", + "Name": "awsappconfigconfiguration-MyWithRole-DeploymentStrategy-94CCA86F", + "ReplicateTo": "NONE" + }, + "DependsOn": [ + "DummyRoleDefaultPolicy68837380", + "DummyRoleA4B7EAF1" + ] + }, + "MyConfigFromBucketWithRole625F4717": { + "Type": "AWS::AppConfig::ConfigurationProfile", + "Properties": { + "ApplicationId": { + "Ref": "MyAppConfigB4B63E75" + }, + "Description": { + "Fn::Join": [ + "", + [ + "Sourced from ", + { + "Fn::Select": [ + 0, + { + "Fn::GetAtt": [ + "DeployConfigInBucketCustomResource91997C5B", + "SourceObjectKeys" + ] + } + ] + }, + " with defined role" + ] + ] + }, + "LocationUri": { + "Fn::Join": [ + "", + [ + "s3://", + { + "Ref": "MyBucketF68F3FF0" + }, + "/hello/world/file.txt" + ] + ] + }, + "Name": "awsappconfigconfiguration-MyConfigFromBucketWithRole-AE02C397", + "RetrievalRoleArn": { + "Fn::GetAtt": [ + "DummyRoleA4B7EAF1", + "Arn" + ] + } + }, + "DependsOn": [ + "DummyRoleDefaultPolicy68837380", + "DummyRoleA4B7EAF1" + ] + }, "MySecret8FE80B51": { "Type": "AWS::SecretsManager::Secret", "Properties": { @@ -1787,6 +2080,130 @@ } } }, + "Mappings": { + "LatestNodeRuntimeMap": { + "af-south-1": { + "value": "nodejs20.x" + }, + "ap-east-1": { + "value": "nodejs20.x" + }, + "ap-northeast-1": { + "value": "nodejs20.x" + }, + "ap-northeast-2": { + "value": "nodejs20.x" + }, + "ap-northeast-3": { + "value": "nodejs20.x" + }, + "ap-south-1": { + "value": "nodejs20.x" + }, + "ap-south-2": { + "value": "nodejs20.x" + }, + "ap-southeast-1": { + "value": "nodejs20.x" + }, + "ap-southeast-2": { + "value": "nodejs20.x" + }, + "ap-southeast-3": { + "value": "nodejs20.x" + }, + "ap-southeast-4": { + "value": "nodejs20.x" + }, + "ap-southeast-5": { + "value": "nodejs20.x" + }, + "ap-southeast-7": { + "value": "nodejs20.x" + }, + "ca-central-1": { + "value": "nodejs20.x" + }, + "ca-west-1": { + "value": "nodejs20.x" + }, + "cn-north-1": { + "value": "nodejs18.x" + }, + "cn-northwest-1": { + "value": "nodejs18.x" + }, + "eu-central-1": { + "value": "nodejs20.x" + }, + "eu-central-2": { + "value": "nodejs20.x" + }, + "eu-isoe-west-1": { + "value": "nodejs18.x" + }, + "eu-north-1": { + "value": "nodejs20.x" + }, + "eu-south-1": { + "value": "nodejs20.x" + }, + "eu-south-2": { + "value": "nodejs20.x" + }, + "eu-west-1": { + "value": "nodejs20.x" + }, + "eu-west-2": { + "value": "nodejs20.x" + }, + "eu-west-3": { + "value": "nodejs20.x" + }, + "il-central-1": { + "value": "nodejs20.x" + }, + "me-central-1": { + "value": "nodejs20.x" + }, + "me-south-1": { + "value": "nodejs20.x" + }, + "mx-central-1": { + "value": "nodejs20.x" + }, + "sa-east-1": { + "value": "nodejs20.x" + }, + "us-east-1": { + "value": "nodejs20.x" + }, + "us-east-2": { + "value": "nodejs20.x" + }, + "us-gov-east-1": { + "value": "nodejs18.x" + }, + "us-gov-west-1": { + "value": "nodejs18.x" + }, + "us-iso-east-1": { + "value": "nodejs18.x" + }, + "us-iso-west-1": { + "value": "nodejs18.x" + }, + "us-isob-east-1": { + "value": "nodejs18.x" + }, + "us-west-1": { + "value": "nodejs20.x" + }, + "us-west-2": { + "value": "nodejs20.x" + } + } + }, "Parameters": { "BootstrapVersion": { "Type": "AWS::SSM::Parameter::Value", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/manifest.json index 13b08d3f38a1c..7570cc2bc0ed0 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/manifest.json @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/bc60e6498e01ff2afc7280330547559fc0e8c9c15f5ff05fc560ea731f76277e.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/f3c7c62924a5ad7e781abc71a57fb0540e3c9a334acad335dfe1da25e271f381.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -238,6 +238,36 @@ "data": "MyBucketF68F3FF0" } ], + "/aws-appconfig-configuration/MyBucket/Policy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "MyBucketPolicyE7FBAC7B" + } + ], + "/aws-appconfig-configuration/MyBucket/AutoDeleteObjectsCustomResource/Default": [ + { + "type": "aws:cdk:logicalId", + "data": "MyBucketAutoDeleteObjectsCustomResource2C28D565" + } + ], + "/aws-appconfig-configuration/LatestNodeRuntimeMap": [ + { + "type": "aws:cdk:logicalId", + "data": "LatestNodeRuntimeMap" + } + ], + "/aws-appconfig-configuration/Custom::S3AutoDeleteObjectsCustomResourceProvider/Role": [ + { + "type": "aws:cdk:logicalId", + "data": "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" + } + ], + "/aws-appconfig-configuration/Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler": [ + { + "type": "aws:cdk:logicalId", + "data": "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F" + } + ], "/aws-appconfig-configuration/DeployConfigInBucket/AwsCliLayer/Resource": [ { "type": "aws:cdk:logicalId", @@ -286,6 +316,30 @@ "data": "MyConfigFromBucket064B5420" } ], + "/aws-appconfig-configuration/DummyRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "DummyRoleA4B7EAF1" + } + ], + "/aws-appconfig-configuration/DummyRole/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "DummyRoleDefaultPolicy68837380" + } + ], + "/aws-appconfig-configuration/MyConfigFromBucketWithRole/DeploymentStrategy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "MyConfigFromBucketWithRoleDeploymentStrategy109EA62F" + } + ], + "/aws-appconfig-configuration/MyConfigFromBucketWithRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "MyConfigFromBucketWithRole625F4717" + } + ], "/aws-appconfig-configuration/MySecret/Resource": [ { "type": "aws:cdk:logicalId", @@ -435,24 +489,6 @@ "type": "aws:cdk:logicalId", "data": "CheckBootstrapVersion" } - ], - "MyAppConfigEnvDeployLater26FA1032": [ - { - "type": "aws:cdk:logicalId", - "data": "MyAppConfigEnvDeployLater26FA1032", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" - ] - } - ], - "MyHostedConfigFromJsonDeploymentFA00BC528601D": [ - { - "type": "aws:cdk:logicalId", - "data": "MyHostedConfigFromJsonDeploymentFA00BC528601D", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" - ] - } ] }, "displayName": "aws-appconfig-configuration" diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/tree.json index 47b7b5fd0a7d4..1c595e577ce95 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/tree.json @@ -22,8 +22,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnApplication", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "HostedEnv": { @@ -43,14 +43,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnEnvironment", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.Environment", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "HostedEnvFromJson": { @@ -70,14 +70,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnEnvironment", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.Environment", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "HostedEnvFromYaml": { @@ -97,14 +97,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnEnvironment", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.Environment", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "ParameterEnv": { @@ -124,14 +124,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnEnvironment", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.Environment", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "DocumentEnv": { @@ -151,14 +151,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnEnvironment", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.Environment", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "BucketEnv": { @@ -178,14 +178,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnEnvironment", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.Environment", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "SecretEnv": { @@ -205,14 +205,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnEnvironment", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.Environment", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "SecretEnvWithKey": { @@ -232,20 +232,20 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnEnvironment", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.Environment", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.Application", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "MyDeployStrategy": { @@ -266,14 +266,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnDeploymentStrategy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.DeploymentStrategy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "MyHostedConfigFromFile": { @@ -299,14 +299,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnDeploymentStrategy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.DeploymentStrategy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "ConfigurationProfile": { @@ -323,8 +323,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnConfigurationProfile", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -344,14 +344,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnHostedConfigurationVersion", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.HostedConfiguration", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "MyHostedConfig": { @@ -382,8 +382,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnConfigurationProfile", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -403,8 +403,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnHostedConfigurationVersion", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Deployment8E5DB": { @@ -431,14 +431,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnDeployment", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.HostedConfiguration", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "MyHostedConfigFromJson": { @@ -459,8 +459,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnConfigurationProfile", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -480,8 +480,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnHostedConfigurationVersion", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Deployment3AC6E": { @@ -508,14 +508,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnDeployment", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.HostedConfiguration", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "MyHostedConfigFromYaml": { @@ -536,8 +536,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnConfigurationProfile", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -557,8 +557,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnHostedConfigurationVersion", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "DeploymentD93A5": { @@ -585,14 +585,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnDeployment", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.HostedConfiguration", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "MyValidatorFunction": { @@ -607,8 +607,8 @@ "id": "ImportServiceRole", "path": "aws-appconfig-configuration/MyValidatorFunction/ServiceRole/ImportServiceRole", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -646,14 +646,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -676,8 +676,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_lambda.CfnFunction", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "AppConfigPermission": { @@ -697,14 +697,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_lambda.CfnPermission", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_lambda.Function", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "MyParameter": { @@ -722,14 +722,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ssm.CfnParameter", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ssm.StringParameter", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "MyConfigFromParameter": { @@ -744,8 +744,8 @@ "id": "ImportRole", "path": "aws-appconfig-configuration/MyConfigFromParameter/Role/ImportRole", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -806,14 +806,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -870,8 +870,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnConfigurationProfile", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Deployment28051": { @@ -897,14 +897,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnDeployment", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.SourcedConfiguration", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "MyDocument": { @@ -933,8 +933,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ssm.CfnDocument", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "MyConfigFromDocument": { @@ -949,8 +949,8 @@ "id": "ImportRole", "path": "aws-appconfig-configuration/MyConfigFromDocument/Role/ImportRole", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -1011,14 +1011,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -1051,8 +1051,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnConfigurationProfile", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Deployment7A5BA": { @@ -1077,14 +1077,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnDeployment", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.SourcedConfiguration", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "MyBucket": { @@ -1098,6 +1098,10 @@ "aws:cdk:cloudformation:type": "AWS::S3::Bucket", "aws:cdk:cloudformation:props": { "tags": [ + { + "key": "aws-cdk:auto-delete-objects", + "value": "true" + }, { "key": "aws-cdk:cr-owned:2255b7ad", "value": "true" @@ -1109,14 +1113,144 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucket", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "Policy": { + "id": "Policy", + "path": "aws-appconfig-configuration/MyBucket/Policy", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-appconfig-configuration/MyBucket/Policy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::S3::BucketPolicy", + "aws:cdk:cloudformation:props": { + "bucket": { + "Ref": "MyBucketF68F3FF0" + }, + "policyDocument": { + "Statement": [ + { + "Action": [ + "s3:DeleteObject*", + "s3:GetBucket*", + "s3:List*", + "s3:PutBucketPolicy" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", + "Arn" + ] + } + }, + "Resource": [ + { + "Fn::GetAtt": [ + "MyBucketF68F3FF0", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "MyBucketF68F3FF0", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "AutoDeleteObjectsCustomResource": { + "id": "AutoDeleteObjectsCustomResource", + "path": "aws-appconfig-configuration/MyBucket/AutoDeleteObjectsCustomResource", + "children": { + "Default": { + "id": "Default", + "path": "aws-appconfig-configuration/MyBucket/AutoDeleteObjectsCustomResource/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.Bucket", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "LatestNodeRuntimeMap": { + "id": "LatestNodeRuntimeMap", + "path": "aws-appconfig-configuration/LatestNodeRuntimeMap", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "Custom::S3AutoDeleteObjectsCustomResourceProvider": { + "id": "Custom::S3AutoDeleteObjectsCustomResourceProvider", + "path": "aws-appconfig-configuration/Custom::S3AutoDeleteObjectsCustomResourceProvider", + "children": { + "Staging": { + "id": "Staging", + "path": "aws-appconfig-configuration/Custom::S3AutoDeleteObjectsCustomResourceProvider/Staging", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "Role": { + "id": "Role", + "path": "aws-appconfig-configuration/Custom::S3AutoDeleteObjectsCustomResourceProvider/Role", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "Handler": { + "id": "Handler", + "path": "aws-appconfig-configuration/Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "DeployConfigInBucket": { @@ -1135,22 +1269,22 @@ "id": "Stage", "path": "aws-appconfig-configuration/DeployConfigInBucket/AwsCliLayer/Code/Stage", "constructInfo": { - "fqn": "aws-cdk-lib.AssetStaging", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "AssetBucket": { "id": "AssetBucket", "path": "aws-appconfig-configuration/DeployConfigInBucket/AwsCliLayer/Code/AssetBucket", "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.BucketBase", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3_assets.Asset", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -1169,22 +1303,22 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_lambda.CfnLayerVersion", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.lambda_layer_awscli.AwsCliLayer", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "CustomResourceHandler": { "id": "CustomResourceHandler", "path": "aws-appconfig-configuration/DeployConfigInBucket/CustomResourceHandler", "constructInfo": { - "fqn": "aws-cdk-lib.aws_lambda.SingletonFunction", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Asset1": { @@ -1195,22 +1329,22 @@ "id": "Stage", "path": "aws-appconfig-configuration/DeployConfigInBucket/Asset1/Stage", "constructInfo": { - "fqn": "aws-cdk-lib.AssetStaging", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "AssetBucket": { "id": "AssetBucket", "path": "aws-appconfig-configuration/DeployConfigInBucket/Asset1/AssetBucket", "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.BucketBase", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3_assets.Asset", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "CustomResource": { @@ -1221,14 +1355,14 @@ "id": "Default", "path": "aws-appconfig-configuration/DeployConfigInBucket/CustomResource/Default", "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.CustomResource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Asset2": { @@ -1239,28 +1373,28 @@ "id": "Stage", "path": "aws-appconfig-configuration/DeployConfigInBucket/Asset2/Stage", "constructInfo": { - "fqn": "aws-cdk-lib.AssetStaging", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "AssetBucket": { "id": "AssetBucket", "path": "aws-appconfig-configuration/DeployConfigInBucket/Asset2/AssetBucket", "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.BucketBase", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3_assets.Asset", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3_deployment.BucketDeployment", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C": { @@ -1275,8 +1409,8 @@ "id": "ImportServiceRole", "path": "aws-appconfig-configuration/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/ImportServiceRole", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -1314,8 +1448,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "DefaultPolicy": { @@ -1420,20 +1554,20 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Code": { @@ -1444,22 +1578,22 @@ "id": "Stage", "path": "aws-appconfig-configuration/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Code/Stage", "constructInfo": { - "fqn": "aws-cdk-lib.AssetStaging", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "AssetBucket": { "id": "AssetBucket", "path": "aws-appconfig-configuration/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Code/AssetBucket", "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.BucketBase", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3_assets.Asset", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -1472,7 +1606,7 @@ "s3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" }, - "s3Key": "e976a796f036a5efbf44b99e44cfb5a961df08d8dbf7cd37e60bf216fb982a00.zip" + "s3Key": "0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c.zip" }, "environment": { "variables": { @@ -1496,14 +1630,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_lambda.CfnFunction", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_lambda.Function", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "MyConfigFromBucket": { @@ -1529,14 +1663,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnDeploymentStrategy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.DeploymentStrategy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Role": { @@ -1547,8 +1681,8 @@ "id": "ImportRole", "path": "aws-appconfig-configuration/MyConfigFromBucket/Role/ImportRole", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -1635,14 +1769,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -1695,14 +1829,238 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnConfigurationProfile", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.SourcedConfiguration", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DummyRole": { + "id": "DummyRole", + "path": "aws-appconfig-configuration/DummyRole", + "children": { + "ImportDummyRole": { + "id": "ImportDummyRole", + "path": "aws-appconfig-configuration/DummyRole/ImportDummyRole", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "Resource": { + "id": "Resource", + "path": "aws-appconfig-configuration/DummyRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "appconfig.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DefaultPolicy": { + "id": "DefaultPolicy", + "path": "aws-appconfig-configuration/DummyRole/DefaultPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-appconfig-configuration/DummyRole/DefaultPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Policy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": [ + "s3:GetObject", + "s3:GetObjectMetadata", + "s3:GetObjectVersion" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::", + { + "Ref": "MyBucketF68F3FF0" + }, + "/*" + ] + ] + } + }, + { + "Action": [ + "s3:GetBucketLocation", + "s3:GetBucketVersioning", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::", + { + "Ref": "MyBucketF68F3FF0" + } + ] + ] + } + }, + { + "Action": "s3:ListAllMyBuckets", + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "policyName": "DummyRoleDefaultPolicy68837380", + "roles": [ + { + "Ref": "DummyRoleA4B7EAF1" + } + ] + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "MyConfigFromBucketWithRole": { + "id": "MyConfigFromBucketWithRole", + "path": "aws-appconfig-configuration/MyConfigFromBucketWithRole", + "children": { + "DeploymentStrategy": { + "id": "DeploymentStrategy", + "path": "aws-appconfig-configuration/MyConfigFromBucketWithRole/DeploymentStrategy", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-appconfig-configuration/MyConfigFromBucketWithRole/DeploymentStrategy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::AppConfig::DeploymentStrategy", + "aws:cdk:cloudformation:props": { + "deploymentDurationInMinutes": 20, + "finalBakeTimeInMinutes": 10, + "growthFactor": 10, + "growthType": "EXPONENTIAL", + "name": "awsappconfigconfiguration-MyWithRole-DeploymentStrategy-94CCA86F", + "replicateTo": "NONE" + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "Resource": { + "id": "Resource", + "path": "aws-appconfig-configuration/MyConfigFromBucketWithRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::AppConfig::ConfigurationProfile", + "aws:cdk:cloudformation:props": { + "applicationId": { + "Ref": "MyAppConfigB4B63E75" + }, + "description": { + "Fn::Join": [ + "", + [ + "Sourced from ", + { + "Fn::Select": [ + 0, + { + "Fn::GetAtt": [ + "DeployConfigInBucketCustomResource91997C5B", + "SourceObjectKeys" + ] + } + ] + }, + " with defined role" + ] + ] + }, + "locationUri": { + "Fn::Join": [ + "", + [ + "s3://", + { + "Ref": "MyBucketF68F3FF0" + }, + "/hello/world/file.txt" + ] + ] + }, + "name": "awsappconfigconfiguration-MyConfigFromBucketWithRole-AE02C397", + "retrievalRoleArn": { + "Fn::GetAtt": [ + "DummyRoleA4B7EAF1", + "Arn" + ] + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "MySecret": { @@ -1719,14 +2077,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_secretsmanager.CfnSecret", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_secretsmanager.Secret", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "MyConfigFromSecret": { @@ -1752,14 +2110,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnDeploymentStrategy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.DeploymentStrategy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Role": { @@ -1770,8 +2128,8 @@ "id": "ImportRole", "path": "aws-appconfig-configuration/MyConfigFromSecret/Role/ImportRole", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -1812,14 +2170,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -1844,14 +2202,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnConfigurationProfile", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.SourcedConfiguration", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "MyKey": { @@ -1941,14 +2299,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.CfnKey", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.Key", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "MySecretWithKey": { @@ -1971,14 +2329,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_secretsmanager.CfnSecret", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_secretsmanager.Secret", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "MyConfigFromSecretWithKey": { @@ -2004,14 +2362,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnDeploymentStrategy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.DeploymentStrategy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Role": { @@ -2022,8 +2380,8 @@ "id": "ImportRole", "path": "aws-appconfig-configuration/MyConfigFromSecretWithKey/Role/ImportRole", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -2074,14 +2432,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -2106,14 +2464,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnConfigurationProfile", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.SourcedConfiguration", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "MyPipeline": { @@ -2161,14 +2519,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.CfnKey", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.Key", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "ArtifactsBucketEncryptionKeyAlias": { @@ -2191,14 +2549,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.CfnAlias", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.Alias", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "ArtifactsBucket": { @@ -2235,8 +2593,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucket", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Policy": { @@ -2294,20 +2652,20 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucketPolicy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.BucketPolicy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.Bucket", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Role": { @@ -2318,8 +2676,8 @@ "id": "ImportRole", "path": "aws-appconfig-configuration/MyPipeline/Role/ImportRole", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -2343,8 +2701,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "DefaultPolicy": { @@ -2442,20 +2800,20 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -2554,8 +2912,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_codepipeline.CfnPipeline", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "beta": { @@ -2574,8 +2932,8 @@ "id": "ImportCodePipelineActionRole", "path": "aws-appconfig-configuration/MyPipeline/beta/Source/CodePipelineActionRole/ImportCodePipelineActionRole", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -2614,8 +2972,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "DefaultPolicy": { @@ -2721,20 +3079,20 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, @@ -2765,8 +3123,8 @@ "id": "ImportCodePipelineActionRole", "path": "aws-appconfig-configuration/MyPipeline/prod/Deploy/CodePipelineActionRole/ImportCodePipelineActionRole", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -2805,8 +3163,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "DefaultPolicy": { @@ -2910,20 +3268,20 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, @@ -2940,8 +3298,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_codepipeline.Pipeline", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "MyConfigFromPipeline": { @@ -2967,14 +3325,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnDeploymentStrategy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.DeploymentStrategy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -3001,36 +3359,36 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnConfigurationProfile", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.SourcedConfiguration", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "BootstrapVersion": { "id": "BootstrapVersion", "path": "aws-appconfig-configuration/BootstrapVersion", "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "CheckBootstrapVersion": { "id": "CheckBootstrapVersion", "path": "aws-appconfig-configuration/CheckBootstrapVersion", "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "appconfig-configuration": { @@ -3057,22 +3415,22 @@ "id": "BootstrapVersion", "path": "appconfig-configuration/DefaultTest/DeployAssert/BootstrapVersion", "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "CheckBootstrapVersion": { "id": "CheckBootstrapVersion", "path": "appconfig-configuration/DefaultTest/DeployAssert/CheckBootstrapVersion", "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, @@ -3097,8 +3455,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.App", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } } \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.ts index eb77c8f596506..3d44344688aa5 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.ts @@ -1,11 +1,12 @@ import { IntegTest } from '@aws-cdk/integ-tests-alpha'; -import { App, Duration, Stack, RemovalPolicy, Fn, SecretValue } from 'aws-cdk-lib'; +import { App, Duration, Stack, RemovalPolicy, Fn, SecretValue, ArnFormat } from 'aws-cdk-lib'; import { Artifact, Pipeline } from 'aws-cdk-lib/aws-codepipeline'; import { S3DeployAction, S3SourceAction } from 'aws-cdk-lib/aws-codepipeline-actions'; import { Key } from 'aws-cdk-lib/aws-kms'; import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda'; import { Bucket } from 'aws-cdk-lib/aws-s3'; import * as s3Deployment from 'aws-cdk-lib/aws-s3-deployment'; +import * as iam from 'aws-cdk-lib/aws-iam'; import { Secret } from 'aws-cdk-lib/aws-secretsmanager'; import { CfnDocument, StringParameter } from 'aws-cdk-lib/aws-ssm'; import { @@ -145,6 +146,7 @@ const bucketEnv = appConfigApp.addEnvironment('BucketEnv'); const bucket = new Bucket(stack, 'MyBucket', { versioned: true, removalPolicy: RemovalPolicy.DESTROY, + autoDeleteObjects: true, }); bucket.applyRemovalPolicy(RemovalPolicy.DESTROY); const deployment = new s3Deployment.BucketDeployment(stack, 'DeployConfigInBucket', { @@ -159,6 +161,21 @@ new SourcedConfiguration(stack, 'MyConfigFromBucket', { deployTo: [bucketEnv], }); +// create a dummyRole +const dummyRole = generateDummyRole(); + +// yet another SourcedConfiguration with defined retrievalRole +const sc = new SourcedConfiguration(stack, 'MyConfigFromBucketWithRole', { + application: appConfigApp, + location: ConfigurationSource.fromBucket(bucket, 'hello/world/file.txt'), + description: `Sourced from ${Fn.select(0, deployment.objectKeys)} with defined role`, + deployTo: [bucketEnv], + retrievalRole: dummyRole, +}); + +// ensure the dependency on the dummy role as well as its default policy +sc.node.addDependency(dummyRole, dummyRole.node.tryFindChild('DefaultPolicy') as iam.CfnPolicy); + // secrets manager as configuration source (without key) const secretEnv = appConfigApp.addEnvironment('SecretEnv'); const secret = new Secret(stack, 'MySecret', { @@ -229,4 +246,45 @@ new IntegTest(app, 'appconfig-configuration', { }, }, }, -}); \ No newline at end of file +}); + +function generateDummyRole(): iam.Role { + const role = new iam.Role(stack, 'DummyRole', { + assumedBy: new iam.ServicePrincipal('appconfig.amazonaws.com'), + }); + role.addToPrincipalPolicy(new iam.PolicyStatement({ + actions: [ + 's3:GetObject', + 's3:GetObjectMetadata', + 's3:GetObjectVersion', + ], + resources: [stack.formatArn({ + region: '', + account: '', + service: 's3', + arnFormat: ArnFormat.NO_RESOURCE_NAME, + resource: `${bucket.bucketName}/*`, + })], + })); + role.addToPrincipalPolicy(new iam.PolicyStatement({ + actions: [ + 's3:GetBucketLocation', + 's3:GetBucketVersioning', + 's3:ListBucket', + 's3:ListBucketVersions', + ], + resources: [stack.formatArn({ + region: '', + account: '', + service: 's3', + arnFormat: ArnFormat.NO_RESOURCE_NAME, + resource: bucket.bucketName, + })], + })); + role.addToPrincipalPolicy(new iam.PolicyStatement({ + actions: ['s3:ListAllMyBuckets'], + resources: ['*'], + })); + + return role; +} \ No newline at end of file diff --git a/packages/aws-cdk-lib/aws-appconfig/lib/configuration.ts b/packages/aws-cdk-lib/aws-appconfig/lib/configuration.ts index 1e2197a411a56..72c94cb9ad5ab 100644 --- a/packages/aws-cdk-lib/aws-appconfig/lib/configuration.ts +++ b/packages/aws-cdk-lib/aws-appconfig/lib/configuration.ts @@ -512,7 +512,7 @@ export interface SourcedConfigurationProps extends ConfigurationProps { /** * The IAM role to retrieve the configuration. * - * @default - A role is generated. + * @default - Auto generated if location type is not ConfigurationSourceType.CODE_PIPELINE otherwise no role specified. */ readonly retrievalRole?: iam.IRole; } @@ -564,16 +564,7 @@ export class SourcedConfiguration extends ConfigurationBase { this.locationUri = this.location.locationUri; this.versionNumber = props.versionNumber; this.sourceKey = this.location.key; - this.retrievalRole = props.retrievalRole || this.location.type != ConfigurationSourceType.CODE_PIPELINE - ? new iam.Role(this, 'Role', { - roleName: PhysicalName.GENERATE_IF_NEEDED, - assumedBy: new iam.ServicePrincipal('appconfig.amazonaws.com'), - inlinePolicies: { - ['AllowAppConfigReadFromSourcePolicy']: this.getPolicyForRole(), - }, - }) - : undefined; - + this.retrievalRole = props.retrievalRole ?? this.getRetrievalRole(); this._cfnConfigurationProfile = new CfnConfigurationProfile(this, 'Resource', { applicationId: this.applicationId, locationUri: this.locationUri, @@ -596,6 +587,22 @@ export class SourcedConfiguration extends ConfigurationBase { this.deployConfigToEnvironments(); } + private getRetrievalRole(): iam.Role | undefined { + // Check if the configuration source is not from CodePipeline + if (this.location.type != ConfigurationSourceType.CODE_PIPELINE) { + return new iam.Role(this, 'Role', { + roleName: PhysicalName.GENERATE_IF_NEEDED, + assumedBy: new iam.ServicePrincipal('appconfig.amazonaws.com'), + inlinePolicies: { + ['AllowAppConfigReadFromSourcePolicy']: this.getPolicyForRole(), + }, + }); + } else { + // No role is needed if the configuration source is from CodePipeline + return undefined; + } + } + private getPolicyForRole(): iam.PolicyDocument { const policy = new iam.PolicyStatement({ effect: iam.Effect.ALLOW, diff --git a/packages/aws-cdk-lib/aws-appconfig/test/configuration.test.ts b/packages/aws-cdk-lib/aws-appconfig/test/configuration.test.ts index 55a30e584d969..2f035acc71d13 100644 --- a/packages/aws-cdk-lib/aws-appconfig/test/configuration.test.ts +++ b/packages/aws-cdk-lib/aws-appconfig/test/configuration.test.ts @@ -1,4 +1,4 @@ -import { Template } from '../../assertions'; +import { Template, Match } from '../../assertions'; import { Artifact, Pipeline } from '../../aws-codepipeline'; import { S3DeployAction, S3SourceAction } from '../../aws-codepipeline-actions'; import * as iam from '../../aws-iam'; @@ -283,6 +283,153 @@ describe('configuration', () => { Template.fromStack(stack).resourceCountIs('AWS::AppConfig::Deployment', 2); }); + test('configuration with retrievalRole undefined from bucket source should create a new role', () => { + // GIVEN + const stack = new cdk.Stack(); + const app = new Application(stack, 'MyAppConfig', { + applicationName: 'MyApplication', + }); + const bucket = new Bucket(stack, 'MyBucket'); + + // WHEN + new SourcedConfiguration(stack, 'MySourcedConfig', { + versionNumber: '1', + location: ConfigurationSource.fromBucket(bucket, 'path/to/object'), + application: app, + }); + + // THEN + // should have a new role provisioned with AllowAppConfigReadFromSourcePolicy + Template.fromStack(stack).hasResourceProperties('AWS::IAM::Role', { + AssumeRolePolicyDocument: { + Statement: [ + { + Action: 'sts:AssumeRole', + Effect: 'Allow', + Principal: { + Service: 'appconfig.amazonaws.com', + }, + }, + ], + Version: '2012-10-17', + }, + Policies: [ + { + PolicyName: 'AllowAppConfigReadFromSourcePolicy', + }, + ], + }); + }); + + test('configuration with retrievalRole defined should NOT create a new role', () => { + // GIVEN + const stack = new cdk.Stack(); + const app = new Application(stack, 'MyAppConfig', { + applicationName: 'MyApplication', + }); + const bucket = new Bucket(stack, 'MyBucket'); + + // WHEN + new SourcedConfiguration(stack, 'MySourcedConfig', { + versionNumber: '1', + location: ConfigurationSource.fromBucket(bucket, 'path/to/object'), + application: app, + retrievalRole: new iam.Role(stack, 'MyRole', { + assumedBy: new iam.ServicePrincipal('appconfig.amazonaws.com'), + }), + }); + + // THEN + // should NOT have a new role provisioned with AllowAppConfigReadFromSourcePolicy + Template.fromStack(stack).hasResourceProperties('AWS::IAM::Role', Match.not({ + AssumeRolePolicyDocument: { + Statement: [ + { + Action: 'sts:AssumeRole', + Effect: 'Allow', + Principal: { + Service: 'appconfig.amazonaws.com', + }, + }, + ], + Version: '2012-10-17', + }, + Policies: [ + { + PolicyName: 'AllowAppConfigReadFromSourcePolicy', + }, + ], + })); + // and should use the passed role for the retrievalRoleArn + Template.fromStack(stack).hasResourceProperties('AWS::AppConfig::ConfigurationProfile', { + Name: 'MySourcedConfig', + RetrievalRoleArn: { 'Fn::GetAtt': ['MyRoleF48FFE04', 'Arn'] }, + }); + + }); + + test('configuration with retrievalRole undefined from CodePipeline source should NOT create a new role', () => { + // GIVEN + const stack = new cdk.Stack(); + const app = new Application(stack, 'MyAppConfig', { + applicationName: 'MyApplication', + }); + const bucket = new Bucket(stack, 'MyBucket'); + const sourceAction = new S3SourceAction({ + actionName: 'Source', + bucket: bucket, + bucketKey: 'hello/world/codepipeline.txt', + output: new Artifact('SourceOutput'), + }); + const deployAction = new S3DeployAction({ + actionName: 'Deploy', + input: Artifact.artifact('SourceOutput'), + bucket: bucket, + extract: true, + }); + const pipeline = new Pipeline(stack, 'MyPipeline', { + stages: [ + { + stageName: 'beta', + actions: [sourceAction], + }, + { + stageName: 'prod', + actions: [deployAction], + }, + ], + }); + + // WHEN + new SourcedConfiguration(stack, 'MySourcedConfig', { + versionNumber: '1', + location: ConfigurationSource.fromPipeline(pipeline), + application: app, + }); + + // THEN + // should NOT have a new role provisioned with AllowAppConfigReadFromSourcePolicy + Template.fromStack(stack).hasResourceProperties('AWS::IAM::Role', Match.not({ + AssumeRolePolicyDocument: { + Statement: [ + { + Action: 'sts:AssumeRole', + Effect: 'Allow', + Principal: { + Service: 'appconfig.amazonaws.com', + }, + }, + ], + Version: '2012-10-17', + }, + Policies: [ + { + PolicyName: 'AllowAppConfigReadFromSourcePolicy', + }, + ], + })); + }); + test('configuration with two configurations and no deployment strategy specified', () => { const stack = new cdk.Stack(); const app = new Application(stack, 'MyAppConfig', { From 79c779613546f32ea8eec206237d631cc533dc3e Mon Sep 17 00:00:00 2001 From: mazyu36 Date: Fri, 26 Jul 2024 09:43:52 +0900 Subject: [PATCH 14/17] chore(lambda): add `otel-sqs-handler` to the `AdotLambdaLayerType` enum (#30314) ### Issue # (if applicable) Closes #30310 . ### Reason for this change Missing enum option of `otel-sqs-handler` ### Description of changes Add `SQS_HANDLER` option ### Description of how you validated changes I verified that the correct values were set in the environment variables after deploying. Since only an enum option was added, I determined that adding unit tests or integration tests was unnecessary. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/aws-cdk-lib/aws-lambda/lib/adot-layers.ts | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/packages/aws-cdk-lib/aws-lambda/lib/adot-layers.ts b/packages/aws-cdk-lib/aws-lambda/lib/adot-layers.ts index 8988c0cbfc515..fd6257aa7b73a 100644 --- a/packages/aws-cdk-lib/aws-lambda/lib/adot-layers.ts +++ b/packages/aws-cdk-lib/aws-lambda/lib/adot-layers.ts @@ -189,6 +189,11 @@ export enum AdotLambdaExecWrapper { * Wrapping python lambda handlers see https://aws-otel.github.io/docs/getting-started/lambda/lambda-python */ INSTRUMENT_HANDLER = '/opt/otel-instrument', + + /** + * Wrapping SQS-triggered function handlers (implementing RequestHandler) + */ + SQS_HANDLER = '/opt/otel-sqs-handler', } abstract class AdotLambdaLayerVersion { From c756ea12fdc54a014076de9ecb40edd4860d344b Mon Sep 17 00:00:00 2001 From: shikha372 Date: Fri, 26 Jul 2024 13:35:25 -0700 Subject: [PATCH 15/17] chore(doc): fix broken link for RFC in contributing guide (#30955) ### Issue # (if applicable) Closes #NA. ### Reason for this change Current link is broken in the contributing guide and gives 404. ### Description of changes Fix broken link to point to correct AWS RFC repo. ### Description of how you validated changes ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 7644c072eb899..dc40e8d24d86b 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -371,7 +371,7 @@ In some cases, it is useful to seek feedback by iterating on a design document. In many cases, the comments section of the relevant GitHub issue is sufficient for such discussion, and can be a good place to socialize and get feedback on what you plan to do. If the changes are significant in scope, require a longer form medium to communicate, or you just want to ensure that the core team agrees with your planned implementation before you submit it for review to avoid wasted work, there are a few different strategies you can pursue. 1. README driven development - This is the core team's preferred method for reviewing new APIs. Submit a draft PR with updates to the README for the package that you intend to change that clearly describes how the functionality will be used. For new L2s, include usage examples that cover common use cases and showcase the features of the API you're designing. The most important thing to consider for any feature is the public API and this will help to give a clear picture of what changes users can expect. -1. Write an [RFC](aws/aws-cdk-rfcs) - This is a process for discussing new functionality that is large in scope, may incur breaking changes, or may otherwise warrant discussion from multiple stakeholders on the core team or within the community. Specifically, it is a good place to discuss new features in the core CDK framework or the CLI that are unable to be decoupled from the core cdk codebase. +1. Write an [RFC](https://github.com/aws/aws-cdk-rfcs) - This is a process for discussing new functionality that is large in scope, may incur breaking changes, or may otherwise warrant discussion from multiple stakeholders on the core team or within the community. Specifically, it is a good place to discuss new features in the core CDK framework or the CLI that are unable to be decoupled from the core cdk codebase. 1. Publish a package - A separate package is the best place to demonstrate the value of new functionality that you believe should be included within the CDK core libraries. It not only illustrates a complete solution with its entire API surface area available to review, it also proves that your design works! When publishing a package with the goal for eventual inclusion within aws-cdk-lib, make sure to follow our [design guidelines](./docs/DESIGN_GUIDELINES.md) wherever relevant. Performing any of the above processes helps us to ensure that expectations are clearly set before a contribution is made. We want to ensure that everyone is able to contribute to the CDK ecosystem effectively. If you make a contribution that is ultimately not merged by into aws-cdk-lib, but you believe it should be, we encourage you to keep pursuing it. The scope of the core framework is intentionally limited to ensure that we can effectively maintain its surface area and ensure code quality and reliability over the long term. However, new patterns may emerge in the ecosystem that clearly provide better solutions than those currently in aws-cdk-lib. If your solutions gains popularity within the community, and you want us to re-evaluate its inclusion, reach out to us on cdk.dev or create a GitHub issue with a feature request and references to your package. See [demonstrating value](#demonstrating-value) for more information. From 8b935a67901837613130bc81a24b2b8ad8975d90 Mon Sep 17 00:00:00 2001 From: mazyu36 Date: Sat, 27 Jul 2024 06:13:10 +0900 Subject: [PATCH 16/17] chore(bedrock): support Mistral Large 2 (#30945) Add Mistral Large 2 foundation model. Ref: * https://aws.amazon.com/about-aws/whats-new/2024/07/mistral-large-2-foundation-model-amazon-bedrock/ * https://docs.aws.amazon.com/bedrock/latest/userguide/model-ids.html image ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/aws-cdk-lib/aws-bedrock/lib/foundation-model.ts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/packages/aws-cdk-lib/aws-bedrock/lib/foundation-model.ts b/packages/aws-cdk-lib/aws-bedrock/lib/foundation-model.ts index 7058b4e97c8aa..daacd34ef584d 100644 --- a/packages/aws-cdk-lib/aws-bedrock/lib/foundation-model.ts +++ b/packages/aws-cdk-lib/aws-bedrock/lib/foundation-model.ts @@ -215,6 +215,9 @@ export class FoundationModelIdentifier { /** Base model "mistral.mistral-small-2402-v1:0". */ public static readonly MISTRAL_SMALL_V0_1 = new FoundationModelIdentifier('mistral.mistral-small-2402-v1:0'); + /** Base model "mistral.mistral-large-2407-v1:0". */ + public static readonly MISTRAL_LARGE_2_V0_1 = new FoundationModelIdentifier('mistral.mistral-large-2407-v1:0'); + /** * Base model "stability.stable-diffusion-xl". * @deprecated use latest version of the model From 5f3337fb4da26671040720ae9041d09b9f0136c8 Mon Sep 17 00:00:00 2001 From: watany <76135106+watany-dev@users.noreply.github.com> Date: Sat, 27 Jul 2024 07:28:26 +0900 Subject: [PATCH 17/17] chore(cloudfront): adding Managed cache policy (#30797) ### Reason for this change This Updated. https://aws.amazon.com/jp/about-aws/whats-new/2024/07/amazon-cloudfront-managed-cache-policies-web-applications/ ### Description of changes Adding Managed Cache Policies. - [UseOriginCacheControlHeaders](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.html#managed-cache-policy-origin-cache-headers) - [UseOriginCacheControlHeaders-QueryStrings](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.html#managed-cache-policy-origin-cache-headers-query-strings) ### Description of how you validated changes no ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../aws-cdk-lib/aws-cloudfront/lib/cache-policy.ts | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/packages/aws-cdk-lib/aws-cloudfront/lib/cache-policy.ts b/packages/aws-cdk-lib/aws-cloudfront/lib/cache-policy.ts index d60c486ae6952..ab123d9949f54 100644 --- a/packages/aws-cdk-lib/aws-cloudfront/lib/cache-policy.ts +++ b/packages/aws-cdk-lib/aws-cloudfront/lib/cache-policy.ts @@ -108,6 +108,16 @@ export class CachePolicy extends Resource implements ICachePolicy { /** Designed for use with an origin that is an AWS Elemental MediaPackage endpoint. */ public static readonly ELEMENTAL_MEDIA_PACKAGE = CachePolicy.fromManagedCachePolicy('08627262-05a9-4f76-9ded-b50ca2e3a84f'); + /** + * Designed for use with an origin that returns Cache-Control HTTP response headers and does not serve different content based on values present in the query string. + */ + public static readonly USE_ORIGIN_CACHE_CONTROL_HEADERS = CachePolicy.fromManagedCachePolicy('83da9c7e-98b4-4e11-a168-04f0df8e2c65'); + + /** + * Designed for use with an origin that returns Cache-Control HTTP response headers and serves different content based on values present in the query string. + */ + public static readonly USE_ORIGIN_CACHE_CONTROL_HEADERS_QUERY_STRINGS = CachePolicy.fromManagedCachePolicy('4cc15a8a-d715-48a4-82b8-cc0b614638fe'); + /** Imports a Cache Policy from its id. */ public static fromCachePolicyId(scope: Construct, id: string, cachePolicyId: string): ICachePolicy { return new class extends Resource implements ICachePolicy {