From 25cea1807539a8d45f3f4ff8b775b3417387d6fe Mon Sep 17 00:00:00 2001 From: Robert Djurasaj Date: Mon, 1 Nov 2021 14:27:15 -0600 Subject: [PATCH 1/4] feat(ec2): add c6i instances (#17237) New C6I instances just got released: https://aws.amazon.com/blogs/aws/new-amazon-ec2-c6i-instances-powered-by-the-latest-generation-intel-xeon-scalable-processors/ Docs have already been updated: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html#cfn-ec2-instance-instancetype Screen Shot 2021-10-29 at 3 11 00 PM ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/@aws-cdk/aws-ec2/lib/instance-types.ts | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/packages/@aws-cdk/aws-ec2/lib/instance-types.ts b/packages/@aws-cdk/aws-ec2/lib/instance-types.ts index a2c5ccdadc760..1fc4e02f25daa 100644 --- a/packages/@aws-cdk/aws-ec2/lib/instance-types.ts +++ b/packages/@aws-cdk/aws-ec2/lib/instance-types.ts @@ -208,6 +208,16 @@ export enum InstanceClass { */ C5 = 'c5', + /** + * Compute optimized instances, 6th generation + */ + COMPUTE6_INTEL = 'c6i', + + /** + * Compute optimized instances, 6th generation + */ + C6I = 'c6i', + /** * Compute optimized instances with local NVME drive, 5th generation */ From d6585253067a0e4013d2a2d41a3d3adfd40d823c Mon Sep 17 00:00:00 2001 
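Review bot: The doc comments added for `COMPUTE6_INTEL` and `C6I` both read "Compute optimized instances, 6th generation", which drops the Intel detail that the member name and the linked announcement carry. I would write `Compute optimized instances with Intel Xeon Scalable processors, 6th generation` on both, so the entry stays distinguishable from any other 6th-generation compute class in the enum. The enum body starts and continues outside the hunk.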
From: Nick Lynch Date: Mon, 1 Nov 2021 21:21:16 +0000 Subject: [PATCH 2/4] chore: use fixed deprecated list for strip-deprecated (#17260) This is a continuation (and the final piece!) of https://github.com/aws/jsii/pull/3085 and https://github.com/aws/aws-cdk/pull/17120. Changes cdk-build to use the fixed deprecated list, rather than stripping all deprecated elements. This will enable us to deprecate new elements going forward without stripping them from v2 and breaking customers. closes #16566 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- tools/@aws-cdk/cdk-build-tools/lib/package-info.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/@aws-cdk/cdk-build-tools/lib/package-info.ts b/tools/@aws-cdk/cdk-build-tools/lib/package-info.ts index 5b79a2d675a0a..b264d3043b1b6 100644 --- a/tools/@aws-cdk/cdk-build-tools/lib/package-info.ts +++ b/tools/@aws-cdk/cdk-build-tools/lib/package-info.ts @@ -99,7 +99,7 @@ export function packageCompiler(compilers: CompilerOverrides, options?: CDKBuild if (isJsii()) { const args = ['--silence-warnings=reserved-word']; if (options?.stripDeprecated) { - args.push('--strip-deprecated'); + args.push(`--strip-deprecated ${path.join(__dirname, '..', '..', '..', '..', 'deprecated_apis.txt')}`); } return [compilers.jsii || require.resolve('jsii/bin/jsii'), ...args]; } else { From 606a2d3e6ba23c184cd6ef989f68122f16627565 Mon Sep 17 00:00:00 2001 
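Review bot: The new `args.push` puts the flag and the file path into one array element separated by a space, so whether jsii receives two arguments depends on how the caller outside this hunk executes the returned array. If it is spawned without a shell, jsii gets a single argument containing a space. If it is joined into a shell command line, a checkout directory whose path contains spaces or shell metacharacters is split or interpreted by the shell. Pushing the two separately keeps argv well-formed, `args.push('--strip-deprecated', path.join(__dirname, '..', '..', '..', '..', 'deprecated_apis.txt'));`, and a caller that goes through a shell should quote each element. The body of packageCompiler starts and continues outside the hunk, and the `path` import is not visible here.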
From: Eli Polonsky Date: Tue, 2 Nov 2021 00:15:13 +0200 Subject: [PATCH 3/4] chore: simplify auto approve mechanism (#17264) Currently, PR's are auto approved if they either: 1. Contain the `pr/auto-approve` label. 2. Created by `dependabot` 3. Created by `aws-cdk-automation` This is somewhat convoluted, and complicates the responsibility of the `auto-approve` workflow. In addition, this makes it impossible to formulate a single GitHub query to lookup all automated PR's that we expect to be approved and merged without human intervention. This PR switches to a simpler mechanism, by which the `auto-approve` workflow will **only** approve PR's that contain the appropriate label, forcing all PR creators to add the label if they wish to be auto-approved. This means we can now use a simple `label:pr/auto-approve` query to find all those automated PR's. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .github/workflows/auto-approve.yml | 6 +----- .github/workflows/pr-labeler.yml | 17 +++++++++++++++++ 2 files changed, 18 insertions(+), 5 deletions(-) create mode 100644 .github/workflows/pr-labeler.yml diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml index 6e186b15f078f..ed29d53382d1f 100644 --- a/.github/workflows/auto-approve.yml +++ b/.github/workflows/auto-approve.yml @@ -7,11 +7,7 @@ on: jobs: auto-approve: - if: > - github.event.pull_request.user.login == 'dependabot[bot]' - || github.event.pull_request.user.login == 'dependabot-preview[bot]' - || (contains(github.event.pull_request.labels.*.name, 'pr/auto-approve') - && github.event.pull_request.user.login == 'aws-cdk-automation') + if: contains(github.event.pull_request.labels.*.name, 'pr/auto-approve') runs-on: ubuntu-latest permissions: pull-requests: write diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml new file mode 100644 index 0000000000000..b8a816623a9e0 
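Review bot: The new `if:` in auto-approve.yml approves any pull request that carries `pr/auto-approve`, whoever opened it. The removed condition honoured the label only when the author was `aws-cdk-automation`, so this widens the gate rather than merely simplifying it. Anyone able to apply labels in the repository can now obtain the bot's approval on an arbitrary PR, and depending on the trigger types (outside this hunk) the label may keep approving after later pushes. If approval is meant to stay limited to automation accounts, keep an author allowlist next to the label check, e.g. `if: contains(github.event.pull_request.labels.*.name, 'pr/auto-approve') && contains(fromJSON('["dependabot[bot]","dependabot-preview[bot]","aws-cdk-automation"]'), github.event.pull_request.user.login)`. Otherwise add a comment above the `if:` stating that the label is equivalent to a review approval and who is allowed to set it.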
--- /dev/null +++ b/.github/workflows/pr-labeler.yml @@ -0,0 +1,17 @@ +# Apply various labels on PRs + +name: pr-labeler +on: + pull_request: + types: [ opened ] + +jobs: + auto-approve: + if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'dependabot-preview[bot]' + runs-on: ubuntu-latest + permissions: + pull-requests: write + steps: + - run: gh pr edit ${{ github.event.pull_request.number }} --add-label "pr/auto-approve" -R ${{ github.repository }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 135f7d33db5e96c3af4a8691c13b419e7b14ceae Mon Sep 17 00:00:00 2001 From: Julian Michel Date: Tue, 2 Nov 2021 00:09:24 +0100 Subject: [PATCH 4/4] feat(docdb): add the ability to exclude characters when generating passwords (#17262) Add property `excludeCharaters` to provide the ability to exclude characters when generating passwords in DocumentDB. Requested in #15732. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/@aws-cdk/aws-docdb/README.md | 1 + packages/@aws-cdk/aws-docdb/lib/cluster.ts | 1 + .../@aws-cdk/aws-docdb/lib/database-secret.ts | 9 ++++++- packages/@aws-cdk/aws-docdb/lib/props.ts | 7 ++++++ .../@aws-cdk/aws-docdb/test/cluster.test.ts | 25 ++++++++++++++++++- 5 files changed, 41 insertions(+), 2 deletions(-) diff --git a/packages/@aws-cdk/aws-docdb/README.md b/packages/@aws-cdk/aws-docdb/README.md index 6f7ed89e28e11..12f8e08a08387 100644 --- a/packages/@aws-cdk/aws-docdb/README.md +++ b/packages/@aws-cdk/aws-docdb/README.md @@ -21,6 +21,7 @@ your instances will be launched privately or publicly: const cluster = new DatabaseCluster(this, 'Database', { masterUser: { username: 'myuser' // NOTE: 'admin' is reserved by DocumentDB + excludeCharacters: '\"@/:', // optional, defaults to the set "\"@/" }, instanceType: ec2.InstanceType.of(ec2.InstanceClass.R5, ec2.InstanceSize.LARGE), vpcSubnets: { 
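Review bot: The job in the new pr-labeler.yml is still named `auto-approve` although it only adds a label. Since that label is now what triggers approval, the author check in this `if:` is the actual trust decision and should be named and commented as such, e.g. `label-dependabot:` with `# Adding pr/auto-approve makes auto-approve.yml approve the PR; keep this author list minimal`. It is also worth confirming that a run triggered by a Dependabot-opened `pull_request` event gets a `GITHUB_TOKEN` that can edit labels, because such runs may receive a restricted token; if it cannot, the `gh pr edit` step fails and Dependabot PRs stop being approved.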
diff --git a/packages/@aws-cdk/aws-docdb/lib/cluster.ts b/packages/@aws-cdk/aws-docdb/lib/cluster.ts index 56b5a724dd439..c2b4c7c9737a2 100644 --- a/packages/@aws-cdk/aws-docdb/lib/cluster.ts +++ b/packages/@aws-cdk/aws-docdb/lib/cluster.ts @@ -352,6 +352,7 @@ export class DatabaseCluster extends DatabaseClusterBase { secret = new DatabaseSecret(this, 'Secret', { username: props.masterUser.username, encryptionKey: props.masterUser.kmsKey, + excludeCharacters: props.masterUser.excludeCharacters, }); } diff --git a/packages/@aws-cdk/aws-docdb/lib/database-secret.ts b/packages/@aws-cdk/aws-docdb/lib/database-secret.ts index 605609b4b6ab2..8f1bca671da6d 100644 --- a/packages/@aws-cdk/aws-docdb/lib/database-secret.ts +++ b/packages/@aws-cdk/aws-docdb/lib/database-secret.ts @@ -32,6 +32,13 @@ export interface DatabaseSecretProps { * @default - no master secret information will be included */ readonly masterSecret?: ISecret; + + /** + * Characters to not include in the generated password. + * + * @default "\"@/" + */ + readonly excludeCharacters?: string; } /** @@ -61,7 +68,7 @@ export class DatabaseSecret extends Secret { masterarn: props.masterSecret?.secretArn, }), generateStringKey: 'password', - excludeCharacters: '"@/', + excludeCharacters: props.excludeCharacters ?? '"@/', }, }); } diff --git a/packages/@aws-cdk/aws-docdb/lib/props.ts b/packages/@aws-cdk/aws-docdb/lib/props.ts index 9cd24b1fce1bc..d02f8768973a9 100644 --- a/packages/@aws-cdk/aws-docdb/lib/props.ts +++ b/packages/@aws-cdk/aws-docdb/lib/props.ts @@ -53,6 +53,13 @@ export interface Login { * @default default master key */ readonly kmsKey?: kms.IKey; + + /** + * Specifies characters to not include in generated passwords. + * + * @default "\"@/" + */ + readonly excludeCharacters?: string; } /** diff --git a/packages/@aws-cdk/aws-docdb/test/cluster.test.ts b/packages/@aws-cdk/aws-docdb/test/cluster.test.ts index cb1f8653509df..6628520118c84 100644 --- a/packages/@aws-cdk/aws-docdb/test/cluster.test.ts 
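Review bot: In the second database-secret.ts hunk, `props.excludeCharacters ?? '"@/'` lets a caller's value replace the default set instead of extending it, so passing `':'` alone removes the double quote, `@` and `/` from the exclusion list. If those three are excluded because the database does not accept them in a password (the hunk does not say), the generated secret can then be unusable, and a very long exclusion string also shrinks the character space of the generated password. The doc comments added here and on `Login.excludeCharacters` in props.ts should say that the value replaces the default, e.g. `The value replaces the default set; repeat the default characters if they must stay excluded.`, or the code should merge the caller's characters with the default. The DatabaseSecret constructor starts outside the hunk.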
+++ b/packages/@aws-cdk/aws-docdb/test/cluster.test.ts @@ -1,4 +1,4 @@ -import { expect as expectCDK, haveResource, ResourcePart, arrayWith } from '@aws-cdk/assert-internal'; +import { expect as expectCDK, haveResource, ResourcePart, arrayWith, haveResourceLike, objectLike } from '@aws-cdk/assert-internal'; import * as ec2 from '@aws-cdk/aws-ec2'; import * as kms from '@aws-cdk/aws-kms'; import * as cdk from '@aws-cdk/core'; @@ -293,6 +293,29 @@ describe('DatabaseCluster', () => { })); }); + test('creates a secret with excludeCharacters', () => { + // GIVEN + const stack = testStack(); + const vpc = new ec2.Vpc(stack, 'VPC'); + + // WHEN + new DatabaseCluster(stack, 'Database', { + masterUser: { + username: 'admin', + excludeCharacters: '"@/()[]', + }, + instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.SMALL), + vpc, + }); + + // THEN + expectCDK(stack).to(haveResourceLike('AWS::SecretsManager::Secret', { + GenerateSecretString: objectLike({ + ExcludeCharacters: '\"@/()[]', + }), + })); + }); + test('create an encrypted cluster with custom KMS key', () => { // GIVEN const stack = testStack();