diff --git a/CHANGELOG.md b/CHANGELOG.md index e09741c20e89e..d1e96f8f71317 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,28 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [1.158.0](https://github.com/aws/aws-cdk/compare/v1.157.0...v1.158.0) (2022-05-27) + + +### Features + +* **apprunner:** VpcConnector construct ([#20471](https://github.com/aws/aws-cdk/issues/20471)) ([5052191](https://github.com/aws/aws-cdk/commit/50521911f22f433323d700db77530e883762138a)) +* **aws-ecr-assets:** support the --platform option when building docker images ([#20439](https://github.com/aws/aws-cdk/issues/20439)) ([adc0368](https://github.com/aws/aws-cdk/commit/adc0368dc1f137aeaa4bd92de77028269e3a48f4)), closes [#12472](https://github.com/aws/aws-cdk/issues/12472) [#16770](https://github.com/aws/aws-cdk/issues/16770) [#16858](https://github.com/aws/aws-cdk/issues/16858) +* **lambda:** validate function description length ([#20476](https://github.com/aws/aws-cdk/issues/20476)) ([de027e2](https://github.com/aws/aws-cdk/commit/de027e28ce5c95e70fed8874e6531eabba24521c)), closes [#20475](https://github.com/aws/aws-cdk/issues/20475) +* **s3:** adds objectSizeGreaterThan property for s3 lifecycle rule ([#20425](https://github.com/aws/aws-cdk/issues/20425)) ([23690e4](https://github.com/aws/aws-cdk/commit/23690e40b1604839f99da8b8f96168dda8679c47)), closes [#20372](https://github.com/aws/aws-cdk/issues/20372) +* **servicecatalog:** ProductStackHistory can retain old ProductStack iterations ([#20244](https://github.com/aws/aws-cdk/issues/20244)) ([1037b8c](https://github.com/aws/aws-cdk/commit/1037b8c7f58ccd162491b49d75954c38d685d67f)) + + +### Bug Fixes + +* **core:** NestedStack defaultChild is undefined ([#20450](https://github.com/aws/aws-cdk/issues/20450)) ([0a49927](https://github.com/aws/aws-cdk/commit/0a49927e9e5bc250f339f664fa843fae2fab92ec)), closes [#11221](https://github.com/aws/aws-cdk/issues/11221) +* **iam:** Role policies cannot grow beyond 10k ([#20400](https://github.com/aws/aws-cdk/issues/20400)) ([75bfce7](https://github.com/aws/aws-cdk/commit/75bfce70dbc57fe688c96b3c5cbb67fc4e6fcc56)), closes [#19276](https://github.com/aws/aws-cdk/issues/19276) [#19939](https://github.com/aws/aws-cdk/issues/19939) [#19835](https://github.com/aws/aws-cdk/issues/19835) +* **integ-runner:** always resynth on deploy ([#20508](https://github.com/aws/aws-cdk/issues/20508)) ([7138057](https://github.com/aws/aws-cdk/commit/71380571b878a50fe4b754c7dac78da075a98242)) +* **integ-tests:** DeployAssert should be private ([#20466](https://github.com/aws/aws-cdk/issues/20466)) ([0f52813](https://github.com/aws/aws-cdk/commit/0f52813bcf6a48c352f697004a899461dd06935d)) +* **lambda:** Fix typo in public subnet warning ([#20470](https://github.com/aws/aws-cdk/issues/20470)) ([85f4e29](https://github.com/aws/aws-cdk/commit/85f4e29e0551d71dd5f2f588584785cbc1ae7b72)) +* **pipelines:** too many CodeBuild steps inflate policy size ([#20396](https://github.com/aws/aws-cdk/issues/20396)) ([f334060](https://github.com/aws/aws-cdk/commit/f334060fca02e928bc4f5fdcfd45244060731d78)), closes [#20189](https://github.com/aws/aws-cdk/issues/20189) [#19276](https://github.com/aws/aws-cdk/issues/19276) [#19939](https://github.com/aws/aws-cdk/issues/19939) [#19835](https://github.com/aws/aws-cdk/issues/19835) +* **s3-deployment:** default role does not get `PutAcl` permissions on… ([#20492](https://github.com/aws/aws-cdk/issues/20492)) ([3e6ec5c](https://github.com/aws/aws-cdk/commit/3e6ec5c48cff41cec2b32566990046fd704f4ec1)) + ## [1.157.0](https://github.com/aws/aws-cdk/compare/v1.156.1...v1.157.0) (2022-05-20) diff --git a/packages/@aws-cdk/aws-ecs/lib/base/from-service-attributes.ts b/packages/@aws-cdk/aws-ecs/lib/base/from-service-attributes.ts index 8dfc272300d41..7a9cbc0d28563 100644 --- a/packages/@aws-cdk/aws-ecs/lib/base/from-service-attributes.ts +++ b/packages/@aws-cdk/aws-ecs/lib/base/from-service-attributes.ts @@ -27,7 +27,7 @@ export interface ServiceAttributes { readonly serviceName?: string; } -export function fromServiceAtrributes(scope: Construct, id: string, attrs: ServiceAttributes): IBaseService { +export function fromServiceAttributes(scope: Construct, id: string, attrs: ServiceAttributes): IBaseService { if ((attrs.serviceArn && attrs.serviceName) || (!attrs.serviceArn && !attrs.serviceName)) { throw new Error('You can only specify either serviceArn or serviceName.'); } diff --git a/packages/@aws-cdk/aws-ecs/lib/cluster.ts b/packages/@aws-cdk/aws-ecs/lib/cluster.ts index 8e48e2be59cec..188fa661944d3 100644 --- a/packages/@aws-cdk/aws-ecs/lib/cluster.ts +++ b/packages/@aws-cdk/aws-ecs/lib/cluster.ts @@ -370,6 +370,7 @@ export class Cluster extends Resource implements ICluster { machineImageType: provider.machineImageType, // Don't enable the instance-draining lifecycle hook if managed termination protection is enabled taskDrainTime: provider.enableManagedTerminationProtection ? Duration.seconds(0) : options.taskDrainTime, + canContainersAccessInstanceRole: options.canContainersAccessInstanceRole ?? provider.canContainersAccessInstanceRole, }); this._capacityProviderNames.push(provider.capacityProviderName); @@ -1109,6 +1110,13 @@ export class AsgCapacityProvider extends CoreConstruct { */ readonly enableManagedTerminationProtection?: boolean; + /** + * Specifies whether the containers can access the container instance role. + * + * @default false + */ + readonly canContainersAccessInstanceRole?: boolean; + constructor(scope: Construct, id: string, props: AsgCapacityProviderProps) { super(scope, id); @@ -1116,6 +1124,8 @@ export class AsgCapacityProvider extends CoreConstruct { this.machineImageType = props.machineImageType ?? MachineImageType.AMAZON_LINUX_2; + this.canContainersAccessInstanceRole = props.canContainersAccessInstanceRole; + this.enableManagedTerminationProtection = props.enableManagedTerminationProtection === undefined ? true : props.enableManagedTerminationProtection; diff --git a/packages/@aws-cdk/aws-ecs/lib/ec2/ec2-service.ts b/packages/@aws-cdk/aws-ecs/lib/ec2/ec2-service.ts index eca66a4db6ff3..c24a1780c8b48 100644 --- a/packages/@aws-cdk/aws-ecs/lib/ec2/ec2-service.ts +++ b/packages/@aws-cdk/aws-ecs/lib/ec2/ec2-service.ts @@ -2,7 +2,7 @@ import * as ec2 from '@aws-cdk/aws-ec2'; import { ArnFormat, Lazy, Resource, Stack } from '@aws-cdk/core'; import { Construct } from 'constructs'; import { BaseService, BaseServiceOptions, DeploymentControllerType, IBaseService, IService, LaunchType } from '../base/base-service'; -import { fromServiceAtrributes } from '../base/from-service-attributes'; +import { fromServiceAttributes } from '../base/from-service-attributes'; import { NetworkMode, TaskDefinition } from '../base/task-definition'; import { ICluster } from '../cluster'; import { CfnService } from '../ecs.generated'; @@ -134,10 +134,10 @@ export class Ec2Service extends BaseService implements IEc2Service { } /** - * Imports from the specified service attrributes. + * Imports from the specified service attributes. */ public static fromEc2ServiceAttributes(scope: Construct, id: string, attrs: Ec2ServiceAttributes): IBaseService { - return fromServiceAtrributes(scope, id, attrs); + return fromServiceAttributes(scope, id, attrs); } private readonly constraints: CfnService.PlacementConstraintProperty[]; diff --git a/packages/@aws-cdk/aws-ecs/lib/external/external-service.ts b/packages/@aws-cdk/aws-ecs/lib/external/external-service.ts index 9bb1eaf0b8cef..ba3bb291d422b 100644 --- a/packages/@aws-cdk/aws-ecs/lib/external/external-service.ts +++ b/packages/@aws-cdk/aws-ecs/lib/external/external-service.ts @@ -5,7 +5,7 @@ import * as cloudmap from '@aws-cdk/aws-servicediscovery'; import { ArnFormat, Resource, Stack } from '@aws-cdk/core'; import { Construct } from 'constructs'; import { AssociateCloudMapServiceOptions, BaseService, BaseServiceOptions, CloudMapOptions, DeploymentControllerType, EcsTarget, IBaseService, IEcsLoadBalancerTarget, IService, LaunchType, PropagatedTagSource } from '../base/base-service'; -import { fromServiceAtrributes } from '../base/from-service-attributes'; +import { fromServiceAttributes } from '../base/from-service-attributes'; import { ScalableTaskCount } from '../base/scalable-task-count'; import { Compatibility, LoadBalancerTargetOptions, TaskDefinition } from '../base/task-definition'; import { ICluster } from '../cluster'; @@ -79,10 +79,10 @@ export class ExternalService extends BaseService implements IExternalService { } /** - * Imports from the specified service attrributes. + * Imports from the specified service attributes. */ public static fromExternalServiceAttributes(scope: Construct, id: string, attrs: ExternalServiceAttributes): IBaseService { - return fromServiceAtrributes(scope, id, attrs); + return fromServiceAttributes(scope, id, attrs); } /** diff --git a/packages/@aws-cdk/aws-ecs/lib/fargate/fargate-service.ts b/packages/@aws-cdk/aws-ecs/lib/fargate/fargate-service.ts index b654c87887dda..a1ae858d0be61 100644 --- a/packages/@aws-cdk/aws-ecs/lib/fargate/fargate-service.ts +++ b/packages/@aws-cdk/aws-ecs/lib/fargate/fargate-service.ts @@ -3,7 +3,7 @@ import * as cdk from '@aws-cdk/core'; import { ArnFormat } from '@aws-cdk/core'; import { Construct } from 'constructs'; import { BaseService, BaseServiceOptions, DeploymentControllerType, IBaseService, IService, LaunchType } from '../base/base-service'; -import { fromServiceAtrributes } from '../base/from-service-attributes'; +import { fromServiceAttributes } from '../base/from-service-attributes'; import { TaskDefinition } from '../base/task-definition'; import { ICluster } from '../cluster'; @@ -111,10 +111,10 @@ export class FargateService extends BaseService implements IFargateService { } /** - * Imports from the specified service attrributes. + * Imports from the specified service attributes. */ public static fromFargateServiceAttributes(scope: Construct, id: string, attrs: FargateServiceAttributes): IBaseService { - return fromServiceAtrributes(scope, id, attrs); + return fromServiceAttributes(scope, id, attrs); } /** diff --git a/packages/@aws-cdk/aws-ecs/test/cluster.test.ts b/packages/@aws-cdk/aws-ecs/test/cluster.test.ts index d167c30989ded..45f9601728ef7 100644 --- a/packages/@aws-cdk/aws-ecs/test/cluster.test.ts +++ b/packages/@aws-cdk/aws-ecs/test/cluster.test.ts @@ -2306,3 +2306,145 @@ test('throws when ASG Capacity Provider with capacityProviderName starting with cluster.addAsgCapacityProvider(capacityProviderAl2); }).toThrow(/Invalid Capacity Provider Name: ecscp, If a name is specified, it cannot start with aws, ecs, or fargate./); }); + +describe('Accessing container instance role', function () { + + const addUserDataMock = jest.fn(); + const autoScalingGroup: autoscaling.AutoScalingGroup = { + addUserData: addUserDataMock, + addToRolePolicy: jest.fn(), + protectNewInstancesFromScaleIn: jest.fn(), + } as unknown as autoscaling.AutoScalingGroup; + + afterEach(() => { + addUserDataMock.mockClear(); + }); + + test('block ecs from accessing metadata service when canContainersAccessInstanceRole not set', () => { + // GIVEN + const app = new cdk.App(); + const stack = new cdk.Stack(app, 'test'); + const cluster = new ecs.Cluster(stack, 'EcsCluster'); + + // WHEN + + const capacityProvider = new ecs.AsgCapacityProvider(stack, 'Provider', { + autoScalingGroup: autoScalingGroup, + }); + + cluster.addAsgCapacityProvider(capacityProvider); + + // THEN + expect(autoScalingGroup.addUserData).toHaveBeenCalledWith('sudo iptables --insert FORWARD 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP'); + expect(autoScalingGroup.addUserData).toHaveBeenCalledWith('sudo service iptables save'); + expect(autoScalingGroup.addUserData).toHaveBeenCalledWith('echo ECS_AWSVPC_BLOCK_IMDS=true >> /etc/ecs/ecs.config'); + }); + + test('allow ecs accessing metadata service when canContainersAccessInstanceRole is set on addAsgCapacityProvider', () => { + // GIVEN + const app = new cdk.App(); + const stack = new cdk.Stack(app, 'test'); + const cluster = new ecs.Cluster(stack, 'EcsCluster'); + + // WHEN + const capacityProvider = new ecs.AsgCapacityProvider(stack, 'Provider', { + autoScalingGroup: autoScalingGroup, + }); + + cluster.addAsgCapacityProvider(capacityProvider, { + canContainersAccessInstanceRole: true, + }); + + // THEN + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('sudo iptables --insert FORWARD 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP'); + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('sudo service iptables save'); + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('echo ECS_AWSVPC_BLOCK_IMDS=true >> /etc/ecs/ecs.config'); + }); + + test('allow ecs accessing metadata service when canContainersAccessInstanceRole is set on AsgCapacityProvider instantiation', () => { + // GIVEN + const app = new cdk.App(); + const stack = new cdk.Stack(app, 'test'); + const cluster = new ecs.Cluster(stack, 'EcsCluster'); + + // WHEN + const capacityProvider = new ecs.AsgCapacityProvider(stack, 'Provider', { + autoScalingGroup: autoScalingGroup, + canContainersAccessInstanceRole: true, + }); + + cluster.addAsgCapacityProvider(capacityProvider); + + // THEN + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('sudo iptables --insert FORWARD 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP'); + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('sudo service iptables save'); + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('echo ECS_AWSVPC_BLOCK_IMDS=true >> /etc/ecs/ecs.config'); + }); + + test('allow ecs accessing metadata service when canContainersAccessInstanceRole is set on constructor and method', () => { + // GIVEN + const app = new cdk.App(); + const stack = new cdk.Stack(app, 'test'); + const cluster = new ecs.Cluster(stack, 'EcsCluster'); + + // WHEN + const capacityProvider = new ecs.AsgCapacityProvider(stack, 'Provider', { + autoScalingGroup: autoScalingGroup, + canContainersAccessInstanceRole: true, + }); + + cluster.addAsgCapacityProvider(capacityProvider, { + canContainersAccessInstanceRole: true, + }); + + // THEN + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('sudo iptables --insert FORWARD 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP'); + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('sudo service iptables save'); + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('echo ECS_AWSVPC_BLOCK_IMDS=true >> /etc/ecs/ecs.config'); + }); + + test('block ecs from accessing metadata service when canContainersAccessInstanceRole set on constructor and not set on method', () => { + // GIVEN + const app = new cdk.App(); + const stack = new cdk.Stack(app, 'test'); + const cluster = new ecs.Cluster(stack, 'EcsCluster'); + + // WHEN + const capacityProvider = new ecs.AsgCapacityProvider(stack, 'Provider', { + autoScalingGroup: autoScalingGroup, + canContainersAccessInstanceRole: true, + }); + + cluster.addAsgCapacityProvider(capacityProvider, { + canContainersAccessInstanceRole: false, + }); + + // THEN + expect(autoScalingGroup.addUserData).toHaveBeenCalledWith('sudo iptables --insert FORWARD 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP'); + expect(autoScalingGroup.addUserData).toHaveBeenCalledWith('sudo service iptables save'); + expect(autoScalingGroup.addUserData).toHaveBeenCalledWith('echo ECS_AWSVPC_BLOCK_IMDS=true >> /etc/ecs/ecs.config'); + }); + + test('allow ecs accessing metadata service when canContainersAccessInstanceRole is not set on constructor and set on method', () => { + // GIVEN + const app = new cdk.App(); + const stack = new cdk.Stack(app, 'test'); + const cluster = new ecs.Cluster(stack, 'EcsCluster'); + + // WHEN + const capacityProvider = new ecs.AsgCapacityProvider(stack, 'Provider', { + autoScalingGroup: autoScalingGroup, + canContainersAccessInstanceRole: false, + }); + + cluster.addAsgCapacityProvider(capacityProvider, { + canContainersAccessInstanceRole: true, + }); + + // THEN + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('sudo iptables --insert FORWARD 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP'); + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('sudo service iptables save'); + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('echo ECS_AWSVPC_BLOCK_IMDS=true >> /etc/ecs/ecs.config'); + }); +}); + diff --git a/packages/@aws-cdk/aws-lambda-nodejs/lib/function.ts b/packages/@aws-cdk/aws-lambda-nodejs/lib/function.ts index ee82e25ccca18..eea143f5713f9 100644 --- a/packages/@aws-cdk/aws-lambda-nodejs/lib/function.ts +++ b/packages/@aws-cdk/aws-lambda-nodejs/lib/function.ts @@ -147,7 +147,7 @@ function findLockFile(depsLockFilePath?: string): string { throw new Error('Cannot find a package lock file (`pnpm-lock.yaml`, `yarn.lock` or `package-lock.json`). Please specify it with `depsLockFilePath`.'); } if (lockFiles.length > 1) { - throw new Error(`Multiple package lock files found: ${lockFiles.join(', ')}. Please specify the desired one with \`depsFileLockPath\`.`); + throw new Error(`Multiple package lock files found: ${lockFiles.join(', ')}. Please specify the desired one with \`depsLockFilePath\`.`); } return lockFiles[0]; diff --git a/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json b/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json index c99e5a9c1f3a7..65e4fda07bbc6 100644 --- a/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json +++ b/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json @@ -14171,6 +14171,7 @@ }, "AWS::EC2::PlacementGroup": { "attributes": { + "GroupName": "", "Ref": "`Ref` returns the name of the placement group." }, "description": "Specifies a placement group in which to launch instances. The strategy of the placement group determines how the instances are organized within the group.\n\nA `cluster` placement group is a logical grouping of instances within a single Availability Zone that benefit from low network latency, high network throughput. A `spread` placement group places instances on distinct hardware. A `partition` placement group places groups of instances in different partitions, where instances in one partition do not share the same hardware with instances in another partition.\n\nFor more information, see [Placement Groups](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html) in the *Amazon EC2 User Guide* .", @@ -14794,6 +14795,7 @@ }, "description": "Attaches a VPC to a transit gateway.\n\nIf you attach a VPC with a CIDR range that overlaps the CIDR range of a VPC that is already attached, the new VPC CIDR range is not propagated to the default propagation route table.\n\nTo send VPC traffic to an attached transit gateway, add a route to the VPC route table using [AWS::EC2::Route](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-route.html) .", "properties": { + "Options": "", "SubnetIds": "The IDs of one or more subnets. You can specify only one subnet per Availability Zone. You must specify at least one subnet, but we recommend that you specify two subnets for better availability. The transit gateway uses one IP address from each specified subnet.", "Tags": "The tags for the attachment.", "TransitGatewayId": "The ID of the transit gateway.", @@ -15078,6 +15080,7 @@ }, "AWS::EC2::VPCPeeringConnection": { "attributes": { + "Id": "", "Ref": "`Ref` returns the ID of the VPC peering connection." }, "description": "Requests a VPC peering connection between two VPCs: a requester VPC that you own and an accepter VPC with which to create the connection. The accepter VPC can belong to another AWS account and can be in a different Region to the requester VPC.\n\nThe requester VPC and accepter VPC cannot have overlapping CIDR blocks. If you create a VPC peering connection request between VPCs with overlapping CIDR blocks, the VPC peering connection has a status of `failed` .\n\nFor more information, see [Walkthough: Peer with a VPC in another AWS account](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/peer-with-vpc-in-another-account.html) .", @@ -15781,7 +15784,7 @@ "attributes": {}, "description": "Information about the platform for the Amazon ECS service or task.\n\nFor more informataion about `RuntimePlatform` , see [RuntimePlatform](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#runtime-platform) in the *Amazon Elastic Container Service Developer Guide* .", "properties": { - "CpuArchitecture": "The CPU architecture.\n\nYou can run your Linux tasks on an ARM-based platform by setting the value to `ARM64` . This option is avaiable for tasks that run on Linuc Amazon EC2 instance or Linux containers on Fargate.", + "CpuArchitecture": "The CPU architecture.\n\nYou can run your Linux tasks on an ARM-based platform by setting the value to `ARM64` . This option is avaiable for tasks that run on Linux Amazon EC2 instance or Linux containers on Fargate.", "OperatingSystemFamily": "The operating system." } }, @@ -19501,7 +19504,7 @@ "description": "The `AWS::GameLift::Fleet` resource creates an Amazon GameLift (GameLift) fleet to host game servers. A fleet is a set of EC2 instances, each of which can host multiple game sessions.", "properties": { "BuildId": "A unique identifier for a build to be deployed on the new fleet. If you are deploying the fleet with a custom game build, you must specify this property. The build must have been successfully uploaded to Amazon GameLift and be in a `READY` status. This fleet setting cannot be changed once the fleet is created.", - "CertificateConfiguration": "Prompts GameLift to generate a TLS/SSL certificate for the fleet. TLS certificates are used for encrypting traffic between game clients and the game servers that are running on GameLift. By default, the `CertificateConfiguration` is set to `DISABLED` . This property cannot be changed after the fleet is created.\n\nNote: This feature requires the AWS Certificate Manager (ACM) service, which is not available in all AWS regions. When working in a region that does not support this feature, a fleet creation request with certificate generation fails with a 4xx error.", + "CertificateConfiguration": "Prompts GameLift to generate a TLS/SSL certificate for the fleet. GameLift uses the certificates to encrypt traffic between game clients and the game servers running on GameLift. By default, the `CertificateConfiguration` is `DISABLED` . You can't change this property after you create the fleet.\n\nAWS Certificate Manager (ACM) certificates expire after 13 months. Certificate expiration can cause fleets to fail, preventing players from connecting to instances in the fleet. We recommend you replace fleets before 13 months, consider using fleet aliases for a smooth transition.\n\n> ACM isn't available in all AWS regions. A fleet creation request with certificate generation enabled in an unsupported Region, fails with a 4xx error. For more information about the supported Regions, see [Supported Regions](https://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html) in the *AWS Certificate Manager User Guide* .", "Description": "A human-readable description of the fleet.", "DesiredEC2Instances": "The number of EC2 instances that you want this fleet to host. When creating a new fleet, GameLift automatically sets this value to \"1\" and initiates a single instance. Once the fleet is active, update this value to trigger GameLift to add or remove instances from the fleet.", "EC2InboundPermissions": "The allowed IP address ranges and port settings that allow inbound traffic to access game sessions on this fleet. If the fleet is hosting a custom game build, this property must be set before players can connect to game sessions. For Realtime Servers fleets, GameLift automatically sets TCP and UDP ranges.", @@ -24499,6 +24502,7 @@ }, "description": "Creates an asset from an existing asset model. For more information, see [Creating assets](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/create-assets.html) in the *AWS IoT SiteWise User Guide* .", "properties": { + "AssetDescription": "", "AssetHierarchies": "A list of asset hierarchies that each contain a `hierarchyLogicalId` . A hierarchy specifies allowed parent/child asset relationships.", "AssetModelId": "The ID of the asset model from which to create the asset.", "AssetName": "A unique, friendly name for the asset.\n\nThe maximum length is 256 characters with the pattern `[^\\u0000-\\u001F\\u007F]+` .", @@ -34013,6 +34017,7 @@ "AdditionalTreatments": "An array of requests that defines additional treatments for the campaign, in addition to the default treatment for the campaign.", "ApplicationId": "The unique identifier for the Amazon Pinpoint application that the campaign is associated with.", "CampaignHook": "Specifies the Lambda function to use as a code hook for a campaign.", + "CustomDeliveryConfiguration": "The delivery configuration settings for sending the treatment through a custom channel. This object is required if the `MessageConfiguration` object for the treatment specifies a `CustomMessage` object.", "Description": "A custom description of the campaign.", "HoldoutPercent": "The allocated percentage of users (segment members) who shouldn't receive messages from the campaign.", "IsPaused": "Specifies whether to pause the campaign. A paused campaign doesn't run unless you resume it by changing this value to `false` . If you restart a campaign, the campaign restarts from the beginning and not at the point you paused it.", @@ -34024,6 +34029,7 @@ "SegmentId": "The unique identifier for the segment to associate with the campaign.", "SegmentVersion": "The version of the segment to associate with the campaign.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "TemplateConfiguration": "The message template to use for the treatment.", "TreatmentDescription": "A custom description of the default treatment for the campaign.", "TreatmentName": "A custom name of the default treatment for the campaign, if the campaign has multiple treatments. A *treatment* is a variation of a campaign that's used for A/B testing." } @@ -34036,6 +34042,13 @@ "Values": "The criteria values to use for the segment dimension. Depending on the value of the `AttributeType` property, endpoints are included or excluded from the segment if their attribute values match the criteria values." } }, + "AWS::Pinpoint::Campaign.CampaignCustomMessage": { + "attributes": {}, + "description": "Specifies the contents of a message that's sent through a custom channel to recipients of a campaign.", + "properties": { + "Data": "The raw, JSON-formatted string to use as the payload for the message. The maximum size is 5 KB." + } + }, "AWS::Pinpoint::Campaign.CampaignEmailMessage": { "attributes": {}, "description": "Specifies the content and \"From\" address for an email message that's sent to recipients of a campaign.", @@ -34084,6 +34097,14 @@ "TemplateId": "The template ID received from the regulatory body for sending SMS in your country." } }, + "AWS::Pinpoint::Campaign.CustomDeliveryConfiguration": { + "attributes": {}, + "description": "Specifies the delivery configuration settings for sending a campaign or campaign treatment through a custom channel. This object is required if you use the `CampaignCustomMessage` object to define the message to send for the campaign or campaign treatment.", + "properties": { + "DeliveryUri": "The destination to send the campaign or treatment to. This value can be one of the following:\n\n- The name or Amazon Resource Name (ARN) of an AWS Lambda function to invoke to handle delivery of the campaign or treatment.\n- The URL for a web application or service that supports HTTPS and can receive the message. The URL has to be a full URL, including the HTTPS protocol.", + "EndpointTypes": "The types of endpoints to send the campaign or treatment to. Each valid value maps to a type of channel that you can associate with an endpoint by using the `ChannelType` property of an endpoint." + } + }, "AWS::Pinpoint::Campaign.DefaultButtonConfiguration": { "attributes": {}, "description": "Specifies the default behavior for a button that appears in an in-app message. You can optionally add button configurations that specifically apply to iOS, Android, or web browser users.", @@ -34181,6 +34202,7 @@ "ADMMessage": "The message that the campaign sends through the ADM (Amazon Device Messaging) channel. If specified, this message overrides the default message.", "APNSMessage": "The message that the campaign sends through the APNs (Apple Push Notification service) channel. If specified, this message overrides the default message.", "BaiduMessage": "The message that the campaign sends through the Baidu (Baidu Cloud Push) channel. If specified, this message overrides the default message.", + "CustomMessage": "The message that the campaign sends through a custom channel, as specified by the delivery configuration ( `CustomDeliveryConfiguration` ) settings for the campaign. If specified, this message overrides the default message.", "DefaultMessage": "The default message that the campaign sends through all the channels that are configured for the campaign.", "EmailMessage": "The message that the campaign sends through the email channel. If specified, this message overrides the default message.", "GCMMessage": "The message that the campaign sends through the GCM channel, which enables Amazon Pinpoint to send push notifications through the Firebase Cloud Messaging (FCM), formerly Google Cloud Messaging (GCM), service. If specified, this message overrides the default message.", @@ -34233,13 +34255,33 @@ "Values": "The criteria values to use for the segment dimension. Depending on the value of the `DimensionType` property, endpoints are included or excluded from the segment if their values match the criteria values." } }, + "AWS::Pinpoint::Campaign.Template": { + "attributes": {}, + "description": "Specifies the name and version of the message template to use for the message.", + "properties": { + "Name": "The name of the message template to use for the message. If specified, this value must match the name of an existing message template.", + "Version": "The unique identifier for the version of the message template to use for the message. If specified, this value must match the identifier for an existing template version. To retrieve a list of versions and version identifiers for a template, use the Template Versions resource.\n\nIf you don't specify a value for this property, Amazon Pinpoint uses the *active version* of the template. The *active version* is typically the version of a template that's been most recently reviewed and approved for use, depending on your workflow. It isn't necessarily the latest version of a template." + } + }, + "AWS::Pinpoint::Campaign.TemplateConfiguration": { + "attributes": {}, + "description": "Specifies the message template to use for the message, for each type of channel.", + "properties": { + "EmailTemplate": "The email template to use for the message.", + "PushTemplate": "The push notification template to use for the message.", + "SMSTemplate": "The SMS template to use for the message.", + "VoiceTemplate": "The voice template to use for the message. This object isn't supported for campaigns." + } + }, "AWS::Pinpoint::Campaign.WriteTreatmentResource": { "attributes": {}, "description": "Specifies the settings for a campaign treatment. A *treatment* is a variation of a campaign that's used for A/B testing of a campaign.", "properties": { + "CustomDeliveryConfiguration": "The delivery configuration settings for sending the treatment through a custom channel. This object is required if the `MessageConfiguration` object for the treatment specifies a `CustomMessage` object.", "MessageConfiguration": "The message configuration settings for the treatment.", "Schedule": "The schedule settings for the treatment.", "SizePercent": "The allocated percentage of users (segment members) to send the treatment to.", + "TemplateConfiguration": "The message template to use for the treatment.", "TreatmentDescription": "A custom description of the treatment.", "TreatmentName": "A custom name for the treatment." } @@ -34751,8 +34793,8 @@ }, "description": "The `AWS::QLDB::Ledger` resource specifies a new Amazon Quantum Ledger Database (Amazon QLDB) ledger in your AWS account . Amazon QLDB is a fully managed ledger database that provides a transparent, immutable, and cryptographically verifiable transaction log owned by a central trusted authority. You can use QLDB to track all application data changes, and maintain a complete and verifiable history of changes over time.\n\nFor more information, see [CreateLedger](https://docs.aws.amazon.com/qldb/latest/developerguide/API_CreateLedger.html) in the *Amazon QLDB API Reference* .", "properties": { - "DeletionProtection": "The flag that prevents a ledger from being deleted by any user. If not provided on ledger creation, this feature is enabled ( `true` ) by default.\n\nIf deletion protection is enabled, you must first disable it before you can delete the ledger. You can disable it by calling the `UpdateLedger` operation to set the flag to `false` .", - "KmsKey": "The key in AWS Key Management Service ( AWS KMS ) to use for encryption of data at rest in the ledger. For more information, see [Encryption at rest](https://docs.aws.amazon.com/qldb/latest/developerguide/encryption-at-rest.html) in the *Amazon QLDB Developer Guide* .\n\nUse one of the following options to specify this parameter:\n\n- `AWS_OWNED_KMS_KEY` : Use an AWS KMS key that is owned and managed by AWS on your behalf.\n- *Undefined* : By default, use an AWS owned KMS key.\n- *A valid symmetric customer managed KMS key* : Use the specified KMS key in your account that you create, own, and manage.\n\nAmazon QLDB does not support asymmetric keys. For more information, see [Using symmetric and asymmetric keys](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) in the *AWS Key Management Service Developer Guide* .\n\nTo specify a customer managed KMS key, you can use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with `\"alias/\"` . To specify a key in a different AWS account , you must use the key ARN or alias ARN.\n\nFor example:\n\n- Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`\n- Key ARN: `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`\n- Alias name: `alias/ExampleAlias`\n- Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`\n\nFor more information, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* .", + "DeletionProtection": "Specifies whether the ledger is protected from being deleted by any user. If not defined during ledger creation, this feature is enabled ( `true` ) by default.\n\nIf deletion protection is enabled, you must first disable it before you can delete the ledger. You can disable it by calling the `UpdateLedger` operation to set the parameter to `false` .", + "KmsKey": "The key in AWS Key Management Service ( AWS KMS ) to use for encryption of data at rest in the ledger. For more information, see [Encryption at rest](https://docs.aws.amazon.com/qldb/latest/developerguide/encryption-at-rest.html) in the *Amazon QLDB Developer Guide* .\n\nUse one of the following options to specify this parameter:\n\n- `AWS_OWNED_KMS_KEY` : Use an AWS KMS key that is owned and managed by AWS on your behalf.\n- *Undefined* : By default, use an AWS owned KMS key.\n- *A valid symmetric customer managed KMS key* : Use the specified symmetric encryption KMS key in your account that you create, own, and manage.\n\nAmazon QLDB does not support asymmetric keys. For more information, see [Using symmetric and asymmetric keys](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) in the *AWS Key Management Service Developer Guide* .\n\nTo specify a customer managed KMS key, you can use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with `\"alias/\"` . To specify a key in a different AWS account , you must use the key ARN or alias ARN.\n\nFor example:\n\n- Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`\n- Key ARN: `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`\n- Alias name: `alias/ExampleAlias`\n- Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`\n\nFor more information, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* .", "Name": "The name of the ledger that you want to create. The name must be unique among all of the ledgers in your AWS account in the current Region.\n\nNaming constraints for ledger names are defined in [Quotas in Amazon QLDB](https://docs.aws.amazon.com/qldb/latest/developerguide/limits.html#limits.naming) in the *Amazon QLDB Developer Guide* .", "PermissionsMode": "The permissions mode to assign to the ledger that you want to create. This parameter can have one of the following values:\n\n- `ALLOW_ALL` : A legacy permissions mode that enables access control with API-level granularity for ledgers.\n\nThis mode allows users who have the `SendCommand` API permission for this ledger to run all PartiQL commands (hence, `ALLOW_ALL` ) on any tables in the specified ledger. This mode disregards any table-level or command-level IAM permissions policies that you create for the ledger.\n- `STANDARD` : ( *Recommended* ) A permissions mode that enables access control with finer granularity for ledgers, tables, and PartiQL commands.\n\nBy default, this mode denies all user requests to run any PartiQL commands on any tables in this ledger. To allow PartiQL commands to run, you must create IAM permissions policies for specific table resources and PartiQL actions, in addition to the `SendCommand` API permission for the ledger. For information, see [Getting started with the standard permissions mode](https://docs.aws.amazon.com/qldb/latest/developerguide/getting-started-standard-mode.html) in the *Amazon QLDB Developer Guide* .\n\n> We strongly recommend using the `STANDARD` permissions mode to maximize the security of your ledger data.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." @@ -37844,8 +37886,8 @@ "NoncurrentVersionExpirationInDays": "(Deprecated.) For buckets with versioning enabled (or suspended), specifies the time, in days, between when a new version of the object is uploaded to the bucket and when old versions of the object expire. When object versions expire, Amazon S3 permanently deletes them. If you specify a transition and expiration time, the expiration time must be later than the transition time.", "NoncurrentVersionTransition": "(Deprecated.) For buckets with versioning enabled (or suspended), specifies when non-current objects transition to a specified storage class. If you specify a transition and expiration time, the expiration time must be later than the transition time. If you specify this property, don't specify the `NoncurrentVersionTransitions` property.", "NoncurrentVersionTransitions": "For buckets with versioning enabled (or suspended), one or more transition rules that specify when non-current objects transition to a specified storage class. If you specify a transition and expiration time, the expiration time must be later than the transition time. If you specify this property, don't specify the `NoncurrentVersionTransition` property.", - "ObjectSizeGreaterThan": "Specifies the minimum object size in bytes for this rule to apply to. For more information about size based rules, see [Lifecycle configuration using size-based rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-configuration-examples.html#lc-size-rules) in the *Amazon S3 User Guide* .", - "ObjectSizeLessThan": "Specifies the maximum object size in bytes for this rule to apply to. For more information about sized based rules, see [Lifecycle configuration using size-based rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-configuration-examples.html#lc-size-rules) in the *Amazon S3 User Guide* .", + "ObjectSizeGreaterThan": "Specifies the minimum object size in bytes for this rule to apply to. Objects must be larger than this value in bytes. For more information about size based rules, see [Lifecycle configuration using size-based rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-configuration-examples.html#lc-size-rules) in the *Amazon S3 User Guide* .", + "ObjectSizeLessThan": "Specifies the maximum object size in bytes for this rule to apply to. Objects must be smaller than this value in bytes. For more information about sized based rules, see [Lifecycle configuration using size-based rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-configuration-examples.html#lc-size-rules) in the *Amazon S3 User Guide* .", "Prefix": "Object key prefix that identifies one or more objects to which this rule applies.\n\n> Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints) .", "Status": "If `Enabled` , the rule is currently being applied. If `Disabled` , the rule is not currently being applied.", "TagFilters": "Tags to use to identify a subset of objects to which the lifecycle rule applies.", @@ -37855,7 +37897,7 @@ }, "AWS::S3::Bucket.S3KeyFilter": { "attributes": {}, - "description": "A container for object key name prefix and suffix filtering rules.\n\n> The same type of filter rule cannot be used more than once. For example, you cannot specify two prefix rules.", + "description": "A container for object key name prefix and suffix filtering rules. For more information about object key name filtering, see [Configuring event notifications using object key name filtering](https://docs.aws.amazon.com/AmazonS3/latest/userguide/notification-how-to-filtering.html) in the *Amazon S3 User Guide* .\n\n> The same type of filter rule cannot be used more than once. For example, you cannot specify two prefix rules.", "properties": { "Rules": "A list of containers for the key-value pair that defines the criteria for the filter rule." } diff --git a/packages/@aws-cdk/integ-runner/lib/cli.ts b/packages/@aws-cdk/integ-runner/lib/cli.ts index 94e9b9f78d73b..148d5e456f21c 100644 --- a/packages/@aws-cdk/integ-runner/lib/cli.ts +++ b/packages/@aws-cdk/integ-runner/lib/cli.ts @@ -50,9 +50,10 @@ async function main() { let failedSnapshots: IntegTestWorkerConfig[] = []; if (argv['max-workers'] < testRegions.length * (profiles ?? [1]).length) { - logger.warning('You are attempting to run %s tests in parallel, but only have %s workers. Not all of your profiles+regions will be utilized', argv.profiles*argv['parallel-regions'], argv['max-workers']); + logger.warning('You are attempting to run %s tests in parallel, but only have %s workers. Not all of your profiles+regions will be utilized', argv.profiles * argv['parallel-regions'], argv['max-workers']); } + let testsSucceeded = false; try { if (argv.list) { const tests = await new IntegrationTests(argv.directory).fromCliArgs(); @@ -99,6 +100,8 @@ async function main() { verbose: argv.verbose, updateWorkflow: !argv['disable-update-workflow'], }); + testsSucceeded = success; + if (argv.clean === false) { logger.warning('Not cleaning up stacks since "--no-clean" was used'); @@ -125,7 +128,9 @@ async function main() { if (!runUpdateOnFailed) { message = 'To re-run failed tests run: yarn integ-runner --update-on-failed'; } - throw new Error(`Some snapshot tests failed!\n${message}`); + if (!testsSucceeded) { + throw new Error(`Some tests failed!\n${message}`); + } } } diff --git a/packages/@aws-cdk/lambda-layer-awscli/layer/requirements.txt b/packages/@aws-cdk/lambda-layer-awscli/layer/requirements.txt index 4142bbbaacc8f..9b84c7758b66b 100644 --- a/packages/@aws-cdk/lambda-layer-awscli/layer/requirements.txt +++ b/packages/@aws-cdk/lambda-layer-awscli/layer/requirements.txt @@ -1 +1 @@ -awscli==1.24.5 +awscli==1.24.10 diff --git a/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts b/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts index 39f7cd2f2a1b1..200f6548c6554 100644 --- a/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts +++ b/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts @@ -459,7 +459,11 @@ function readIfPossible(filename: string): string | undefined { * @see https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html#API_AssumeRole_RequestParameters */ function safeUsername() { - return os.userInfo().username.replace(/[^\w+=,.@-]/g, '@'); + try { + return os.userInfo().username.replace(/[^\w+=,.@-]/g, '@'); + } catch (e) { + return 'noname'; + } } /** diff --git a/packages/aws-cdk/test/api/sdk-provider.test.ts b/packages/aws-cdk/test/api/sdk-provider.test.ts index c2e3d311af647..9c03a7be0beed 100644 --- a/packages/aws-cdk/test/api/sdk-provider.test.ts +++ b/packages/aws-cdk/test/api/sdk-provider.test.ts @@ -341,6 +341,34 @@ describe('with intercepted network calls', () => { }); }); + test('assuming a role does not fail when OS username cannot be read', async () => { + // GIVEN + prepareCreds({ + fakeSts, + config: { + default: { aws_access_key_id: 'foo', $account: '11111' }, + }, + }); + + await withMocked(os, 'userInfo', async (userInfo) => { + userInfo.mockImplementation(() => { + // SystemError thrown as documented: https://nodejs.org/docs/latest-v16.x/api/os.html#osuserinfooptions + throw new Error('SystemError on Linux: uv_os_get_passwd returned ENOENT. See #19401 issue.'); + }); + + // WHEN + const provider = await providerFromProfile(undefined); + + const sdk = (await provider.forEnvironment(env(uniq('88888')), Mode.ForReading, { assumeRoleArn: 'arn:aws:role' })).sdk as SDK; + await sdk.currentAccount(); + + // THEN + expect(fakeSts.assumedRoles[0]).toEqual(expect.objectContaining({ + roleSessionName: 'aws-cdk-noname', + })); + }); + }); + test('even if current credentials are for the wrong account, we will still use them to AssumeRole', async () => { // GIVEN prepareCreds({ diff --git a/packages/cdk-assets/lib/aws.ts b/packages/cdk-assets/lib/aws.ts index c35dedb38bbe2..4f79ead780227 100644 --- a/packages/cdk-assets/lib/aws.ts +++ b/packages/cdk-assets/lib/aws.ts @@ -150,6 +150,10 @@ export class DefaultAwsClient implements IAws { * @see https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html#API_AssumeRole_RequestParameters */ function safeUsername() { - return os.userInfo().username.replace(/[^\w+=,.@-]/g, '@'); + try { + return os.userInfo().username.replace(/[^\w+=,.@-]/g, '@'); + } catch (e) { + return 'noname'; + } } diff --git a/version.v1.json b/version.v1.json index e9b6f5ffd7864..aeca1be32b0b5 100644 --- a/version.v1.json +++ b/version.v1.json @@ -1,3 +1,3 @@ { - "version": "1.157.0" + "version": "1.158.0" } \ No newline at end of file