From 7a010993f10e5a8e4035e28a1f977e877ab4ca49 Mon Sep 17 00:00:00 2001 From: AWS CDK Team Date: Fri, 27 May 2022 04:56:56 +0000 Subject: [PATCH 1/9] chore(release): 1.158.0 --- CHANGELOG.md | 22 ++++++++++++++++++++++ version.v1.json | 2 +- 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e09741c20e89e..d1e96f8f71317 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,28 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [1.158.0](https://github.com/aws/aws-cdk/compare/v1.157.0...v1.158.0) (2022-05-27) + + +### Features + +* **apprunner:** VpcConnector construct ([#20471](https://github.com/aws/aws-cdk/issues/20471)) ([5052191](https://github.com/aws/aws-cdk/commit/50521911f22f433323d700db77530e883762138a)) +* **aws-ecr-assets:** support the --platform option when building docker images ([#20439](https://github.com/aws/aws-cdk/issues/20439)) ([adc0368](https://github.com/aws/aws-cdk/commit/adc0368dc1f137aeaa4bd92de77028269e3a48f4)), closes [#12472](https://github.com/aws/aws-cdk/issues/12472) [#16770](https://github.com/aws/aws-cdk/issues/16770) [#16858](https://github.com/aws/aws-cdk/issues/16858) +* **lambda:** validate function description length ([#20476](https://github.com/aws/aws-cdk/issues/20476)) ([de027e2](https://github.com/aws/aws-cdk/commit/de027e28ce5c95e70fed8874e6531eabba24521c)), closes [#20475](https://github.com/aws/aws-cdk/issues/20475) +* **s3:** adds objectSizeGreaterThan property for s3 lifecycle rule ([#20425](https://github.com/aws/aws-cdk/issues/20425)) ([23690e4](https://github.com/aws/aws-cdk/commit/23690e40b1604839f99da8b8f96168dda8679c47)), closes [#20372](https://github.com/aws/aws-cdk/issues/20372) +* **servicecatalog:** ProductStackHistory can retain old ProductStack iterations ([#20244](https://github.com/aws/aws-cdk/issues/20244)) ([1037b8c](https://github.com/aws/aws-cdk/commit/1037b8c7f58ccd162491b49d75954c38d685d67f)) + + +### Bug Fixes + +* **core:** NestedStack defaultChild is undefined ([#20450](https://github.com/aws/aws-cdk/issues/20450)) ([0a49927](https://github.com/aws/aws-cdk/commit/0a49927e9e5bc250f339f664fa843fae2fab92ec)), closes [#11221](https://github.com/aws/aws-cdk/issues/11221) +* **iam:** Role policies cannot grow beyond 10k 
([#20400](https://github.com/aws/aws-cdk/issues/20400)) ([75bfce7](https://github.com/aws/aws-cdk/commit/75bfce70dbc57fe688c96b3c5cbb67fc4e6fcc56)), closes [#19276](https://github.com/aws/aws-cdk/issues/19276) [#19939](https://github.com/aws/aws-cdk/issues/19939) [#19835](https://github.com/aws/aws-cdk/issues/19835) +* **integ-runner:** always resynth on deploy ([#20508](https://github.com/aws/aws-cdk/issues/20508)) ([7138057](https://github.com/aws/aws-cdk/commit/71380571b878a50fe4b754c7dac78da075a98242)) +* **integ-tests:** DeployAssert should be private ([#20466](https://github.com/aws/aws-cdk/issues/20466)) ([0f52813](https://github.com/aws/aws-cdk/commit/0f52813bcf6a48c352f697004a899461dd06935d)) +* **lambda:** Fix typo in public subnet warning ([#20470](https://github.com/aws/aws-cdk/issues/20470)) ([85f4e29](https://github.com/aws/aws-cdk/commit/85f4e29e0551d71dd5f2f588584785cbc1ae7b72)) +* **pipelines:** too many CodeBuild steps inflate policy size ([#20396](https://github.com/aws/aws-cdk/issues/20396)) ([f334060](https://github.com/aws/aws-cdk/commit/f334060fca02e928bc4f5fdcfd45244060731d78)), closes [#20189](https://github.com/aws/aws-cdk/issues/20189) [#19276](https://github.com/aws/aws-cdk/issues/19276) [#19939](https://github.com/aws/aws-cdk/issues/19939) [#19835](https://github.com/aws/aws-cdk/issues/19835) +* **s3-deployment:** default role does not get `PutAcl` permissions on… ([#20492](https://github.com/aws/aws-cdk/issues/20492)) ([3e6ec5c](https://github.com/aws/aws-cdk/commit/3e6ec5c48cff41cec2b32566990046fd704f4ec1)) + ## [1.157.0](https://github.com/aws/aws-cdk/compare/v1.156.1...v1.157.0) (2022-05-20) diff --git a/version.v1.json b/version.v1.json index e9b6f5ffd7864..aeca1be32b0b5 100644 --- a/version.v1.json +++ b/version.v1.json @@ -1,3 +1,3 @@ { - "version": "1.157.0" + "version": "1.158.0" } \ No newline at end of file From c274c2f983de2dfd20ed2886a3c50f7fd3f6b3f4 Mon Sep 17 00:00:00 2001 
From: Cory Hall <43035978+corymhall@users.noreply.github.com> Date: Fri, 27 May 2022 09:32:37 -0400 Subject: [PATCH 2/9] fix(integ-runner): don't throw error if tests pass (#20511) If you run `integ-runner --update-on-failed` and the test succeeds, then the cli should not return an exit code. re #20384 ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/@aws-cdk/integ-runner/lib/cli.ts | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/packages/@aws-cdk/integ-runner/lib/cli.ts b/packages/@aws-cdk/integ-runner/lib/cli.ts index 1c7c7920375d5..6014d4997378a 100644 --- a/packages/@aws-cdk/integ-runner/lib/cli.ts +++ b/packages/@aws-cdk/integ-runner/lib/cli.ts 
@@ -49,9 +49,10 @@ async function main() { let failedSnapshots: IntegTestWorkerConfig[] = []; if (argv['max-workers'] < testRegions.length * (profiles ?? [1]).length) { - logger.warning('You are attempting to run %s tests in parallel, but only have %s workers. Not all of your profiles+regions will be utilized', argv.profiles*argv['parallel-regions'], argv['max-workers']); + logger.warning('You are attempting to run %s tests in parallel, but only have %s workers. Not all of your profiles+regions will be utilized', argv.profiles * argv['parallel-regions'], argv['max-workers']); } + let testsSucceeded = false; try { if (argv.list) { const tests = await new IntegrationTests(argv.directory).fromCliArgs(); @@ -99,6 +100,8 @@ async function main() { verbose: argv.verbose, updateWorkflow: !argv['disable-update-workflow'], }); + testsSucceeded = success; + if (argv.clean === false) { logger.warning('Not cleaning up stacks since "--no-clean" was used'); @@ -125,7 +128,9 @@ async function main() { if (!runUpdateOnFailed) { message = 'To re-run failed tests run: yarn integ-runner --update-on-failed'; } - throw new Error(`Some snapshot tests failed!\n${message}`); + if (!testsSucceeded) { + throw new Error(`Some tests failed!\n${message}`); + } } } From df419ba70a1ab5bca22baf104750dcc61e2cd4e7 Mon Sep 17 00:00:00 2001 From: Madeline Kusters Date: Fri, 27 May 2022 07:32:04 -0700 Subject: [PATCH 3/9] chore: empty commit to trigger pr build From 6f4aba805b93523958d5cb4c8db4c1c800f53806 Mon Sep 17 00:00:00 2001 
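Review bot: `let testsSucceeded = false;` is only ever assigned from `success` after the runner returns, so every path that reaches the final `if (!testsSucceeded)` without running tests now throws `Some tests failed!`; that is the right outcome when `--update-on-failed` was not given and only the snapshot check ran, but the message no longer says that it was the snapshot stage that failed, which the old text did. Either keep the stage in the message or at least document the pessimistic default at the declaration, e.g. `// false until the test runner reports success; an early return or a thrown error inside the try block is treated as a failure`. main() starts and ends outside these hunks, and the `argv.list` branch inside the same try is cut off, so whether it returns before the final check cannot be confirmed from here.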
From: Stephen Blackstone Date: Fri, 27 May 2022 11:05:59 -0400 Subject: [PATCH 4/9] Fix error message when creating a NodeJS function (#20524) Error message gives the incorrect field depsFileLockPath Should be depsLockFilePath ---- ### All Submissions: * [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: None. * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features None. * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* Yep. --- packages/@aws-cdk/aws-lambda-nodejs/lib/function.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-lambda-nodejs/lib/function.ts b/packages/@aws-cdk/aws-lambda-nodejs/lib/function.ts index ee82e25ccca18..eea143f5713f9 100644 --- a/packages/@aws-cdk/aws-lambda-nodejs/lib/function.ts +++ b/packages/@aws-cdk/aws-lambda-nodejs/lib/function.ts @@ -147,7 +147,7 @@ function findLockFile(depsLockFilePath?: string): string { throw new Error('Cannot find a package lock file (`pnpm-lock.yaml`, `yarn.lock` or `package-lock.json`). Please specify it with `depsLockFilePath`.'); } if (lockFiles.length > 1) { - throw new Error(`Multiple package lock files found: ${lockFiles.join(', ')}. Please specify the desired one with \`depsFileLockPath\`.`); + throw new Error(`Multiple package lock files found: ${lockFiles.join(', ')}. Please specify the desired one with \`depsLockFilePath\`.`); } return lockFiles[0]; 
From b7bc10cc7a734fe3b4a9194dffbc017f2fe3ef43 Mon Sep 17 00:00:00 2001 From: Adam Brodziak Date: Fri, 27 May 2022 18:23:10 +0200 Subject: [PATCH 5/9] fix: Default username in RoleSessionName (#20188) In case the user does not have an entry in `/etc/passwd` the `os.userInfo()` call will throw a `SystemError` exception as documented: https://nodejs.org/docs/latest-v16.x/api/os.html#osuserinfooptions Fixes #19401 issue. It can be tested inside Docker for ad-hoc 1234 user ID: ```sh docker run -u 1234 -e CDK_HOME=/tmp npm run cdk diff ``` The `CDK_HOME=/tmp` is a workaround for #7937 issue, where CDK complains that it can't write cached info in user homedir, because it does not exist. Once #7937 is fixed, #19401 will most likely hit users. However, the above workaround is a viable option. Hence those two issues are related, but not duplicated. ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) Yes, followed the guide. ### Adding new Unconventional Dependencies: * [x] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) No new dependencies. ### New Features * [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? * [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? No, it's a bugfix, not a feature. *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../aws-cdk/lib/api/aws-auth/sdk-provider.ts | 6 +++- .../aws-cdk/test/api/sdk-provider.test.ts | 28 +++++++++++++++++++ packages/cdk-assets/lib/aws.ts | 6 +++- 3 files changed, 38 insertions(+), 2 deletions(-) 
diff --git a/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts b/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts index 39f7cd2f2a1b1..200f6548c6554 100644 --- a/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts +++ b/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts @@ -459,7 +459,11 @@ function readIfPossible(filename: string): string | undefined { * @see https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html#API_AssumeRole_RequestParameters */ function safeUsername() { - return os.userInfo().username.replace(/[^\w+=,.@-]/g, '@'); + try { + return os.userInfo().username.replace(/[^\w+=,.@-]/g, '@'); + } catch (e) { + return 'noname'; + } } /** diff --git a/packages/aws-cdk/test/api/sdk-provider.test.ts b/packages/aws-cdk/test/api/sdk-provider.test.ts index c2e3d311af647..9c03a7be0beed 100644 --- a/packages/aws-cdk/test/api/sdk-provider.test.ts +++ b/packages/aws-cdk/test/api/sdk-provider.test.ts 
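Review bot: The new `catch (e)` in safeUsername swallows every error from `os.userInfo()`, not only the documented SystemError for a missing passwd entry, and the binding `e` is unused; the identical block is duplicated in packages/cdk-assets/lib/aws.ts in the last hunk of this patch. Because the return value becomes the STS RoleSessionName, the `'noname'` fallback makes every such session indistinguishable in CloudTrail, which is acceptable for a CLI but should be stated so nobody later relies on the session name for attribution. Suggest `} catch {` (the binding is unused) and, above the try, `// os.userInfo() throws a SystemError when the current uid has no passwd entry (e.g. docker run -u <uid>); fall back to a fixed name so AssumeRole still works, at the cost of per-user attribution in the RoleSessionName`. The doc comment with the @see link begins before the hunk.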
@@ -341,6 +341,34 @@ describe('with intercepted network calls', () => { }); }); + test('assuming a role does not fail when OS username cannot be read', async () => { + // GIVEN + prepareCreds({ + fakeSts, + config: { + default: { aws_access_key_id: 'foo', $account: '11111' }, + }, + }); + + await withMocked(os, 'userInfo', async (userInfo) => { + userInfo.mockImplementation(() => { + // SystemError thrown as documented: https://nodejs.org/docs/latest-v16.x/api/os.html#osuserinfooptions + throw new Error('SystemError on Linux: uv_os_get_passwd returned ENOENT. See #19401 issue.'); + }); + + // WHEN + const provider = await providerFromProfile(undefined); + + const sdk = (await provider.forEnvironment(env(uniq('88888')), Mode.ForReading, { assumeRoleArn: 'arn:aws:role' })).sdk as SDK; + await sdk.currentAccount(); + + // THEN + expect(fakeSts.assumedRoles[0]).toEqual(expect.objectContaining({ + roleSessionName: 'aws-cdk-noname', + })); + }); + }); + test('even if current credentials are for the wrong account, we will still use them to AssumeRole', async () => { // GIVEN prepareCreds({ diff --git a/packages/cdk-assets/lib/aws.ts b/packages/cdk-assets/lib/aws.ts index c35dedb38bbe2..4f79ead780227 100644 --- a/packages/cdk-assets/lib/aws.ts +++ b/packages/cdk-assets/lib/aws.ts @@ -150,6 +150,10 @@ export class DefaultAwsClient implements IAws { * @see https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html#API_AssumeRole_RequestParameters */ function safeUsername() { - return os.userInfo().username.replace(/[^\w+=,.@-]/g, '@'); + try { + return os.userInfo().username.replace(/[^\w+=,.@-]/g, '@'); + } catch (e) { + return 'noname'; + } } From dacefd6c4770f06390f853fdf4703d8662beb3f5 Mon Sep 17 00:00:00 2001 
From: Joshua Weber <57131123+daschaa@users.noreply.github.com> Date: Fri, 27 May 2022 19:10:42 +0200 Subject: [PATCH 6/9] fix(ecs): canContainersAccessInstanceRole is ignored when passed in AsgCapacityProvider constructor (#20522) Fixes #20293 When adding an AsgCapacityProvider the property `canContainersAccessInstanceRole` is only checked when passed in via the method `addAsgCapacityProvider`. It is ignored when passing the property via the instantiation of an AsgCapacityProvider. In this PR I added, that if either one way (method or constructor) has got the property set - it is respected in the outcome. For more details please see the issue #20293 I decided **not** to omit the property on the class level because it would bring in breaking changes. ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? * [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/@aws-cdk/aws-ecs/lib/cluster.ts | 10 ++ .../@aws-cdk/aws-ecs/test/cluster.test.ts | 142 ++++++++++++++++++ 2 files changed, 152 insertions(+) diff --git a/packages/@aws-cdk/aws-ecs/lib/cluster.ts b/packages/@aws-cdk/aws-ecs/lib/cluster.ts index 8e48e2be59cec..188fa661944d3 100644 --- a/packages/@aws-cdk/aws-ecs/lib/cluster.ts +++ b/packages/@aws-cdk/aws-ecs/lib/cluster.ts 
@@ -370,6 +370,7 @@ export class Cluster extends Resource implements ICluster { machineImageType: provider.machineImageType, // Don't enable the instance-draining lifecycle hook if managed termination protection is enabled taskDrainTime: provider.enableManagedTerminationProtection ? Duration.seconds(0) : options.taskDrainTime, + canContainersAccessInstanceRole: options.canContainersAccessInstanceRole ?? provider.canContainersAccessInstanceRole, }); this._capacityProviderNames.push(provider.capacityProviderName); @@ -1109,6 +1110,13 @@ export class AsgCapacityProvider extends CoreConstruct { */ readonly enableManagedTerminationProtection?: boolean; + /** + * Specifies whether the containers can access the container instance role. + * + * @default false + */ + readonly canContainersAccessInstanceRole?: boolean; + constructor(scope: Construct, id: string, props: AsgCapacityProviderProps) { super(scope, id); @@ -1116,6 +1124,8 @@ export class AsgCapacityProvider extends CoreConstruct { this.machineImageType = props.machineImageType ?? MachineImageType.AMAZON_LINUX_2; + this.canContainersAccessInstanceRole = props.canContainersAccessInstanceRole; + this.enableManagedTerminationProtection = props.enableManagedTerminationProtection === undefined ? true : props.enableManagedTerminationProtection; diff --git a/packages/@aws-cdk/aws-ecs/test/cluster.test.ts b/packages/@aws-cdk/aws-ecs/test/cluster.test.ts index d167c30989ded..45f9601728ef7 100644 --- a/packages/@aws-cdk/aws-ecs/test/cluster.test.ts +++ b/packages/@aws-cdk/aws-ecs/test/cluster.test.ts 
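Review bot: The new `@default false` on `canContainersAccessInstanceRole` says neither what the default does nor how it combines with the option of the same name on `addAsgCapacityProvider`, although the merge `options.canContainersAccessInstanceRole ?? provider.canContainersAccessInstanceRole` in the first hunk gives the call-site option precedence, so an explicit `false` there re-enables the block even when the provider was created with `true` (the cluster tests in this patch assert exactly that). Since this flag decides whether user data installs the iptables rule and `ECS_AWSVPC_BLOCK_IMDS=true` that keep tasks away from the container instance role, the doc should spell it out: `* When false (the default), the instance user data blocks the instance metadata endpoint so tasks cannot use the container instance role. A value passed to addAsgCapacityProvider() takes precedence over this property.` Both the `addAsgCapacityProvider` method and the `AsgCapacityProvider` constructor extend beyond these hunks.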
@@ -2306,3 +2306,145 @@ test('throws when ASG Capacity Provider with capacityProviderName starting with cluster.addAsgCapacityProvider(capacityProviderAl2); }).toThrow(/Invalid Capacity Provider Name: ecscp, If a name is specified, it cannot start with aws, ecs, or fargate./); }); + +describe('Accessing container instance role', function () { + + const addUserDataMock = jest.fn(); + const autoScalingGroup: autoscaling.AutoScalingGroup = { + addUserData: addUserDataMock, + addToRolePolicy: jest.fn(), + protectNewInstancesFromScaleIn: jest.fn(), + } as unknown as autoscaling.AutoScalingGroup; + + afterEach(() => { + addUserDataMock.mockClear(); + }); + + test('block ecs from accessing metadata service when canContainersAccessInstanceRole not set', () => { + // GIVEN + const app = new cdk.App(); + const stack = new cdk.Stack(app, 'test'); + const cluster = new ecs.Cluster(stack, 'EcsCluster'); + + // WHEN + + const capacityProvider = new ecs.AsgCapacityProvider(stack, 'Provider', { + autoScalingGroup: autoScalingGroup, + }); + + cluster.addAsgCapacityProvider(capacityProvider); + + // THEN + expect(autoScalingGroup.addUserData).toHaveBeenCalledWith('sudo iptables --insert FORWARD 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP'); + expect(autoScalingGroup.addUserData).toHaveBeenCalledWith('sudo service iptables save'); + expect(autoScalingGroup.addUserData).toHaveBeenCalledWith('echo ECS_AWSVPC_BLOCK_IMDS=true >> /etc/ecs/ecs.config'); + }); + + test('allow ecs accessing metadata service when canContainersAccessInstanceRole is set on addAsgCapacityProvider', () => { + // GIVEN + const app = new cdk.App(); + const stack = new cdk.Stack(app, 'test'); + const cluster = new ecs.Cluster(stack, 'EcsCluster'); + + // WHEN + const capacityProvider = new ecs.AsgCapacityProvider(stack, 'Provider', { + autoScalingGroup: autoScalingGroup, + }); + + cluster.addAsgCapacityProvider(capacityProvider, { + canContainersAccessInstanceRole: true, + }); + + // THEN + 
expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('sudo iptables --insert FORWARD 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP'); + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('sudo service iptables save'); + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('echo ECS_AWSVPC_BLOCK_IMDS=true >> /etc/ecs/ecs.config'); + }); + + test('allow ecs accessing metadata service when canContainersAccessInstanceRole is set on AsgCapacityProvider instantiation', () => { + // GIVEN + const app = new cdk.App(); + const stack = new cdk.Stack(app, 'test'); + const cluster = new ecs.Cluster(stack, 'EcsCluster'); + + // WHEN + const capacityProvider = new ecs.AsgCapacityProvider(stack, 'Provider', { + autoScalingGroup: autoScalingGroup, + canContainersAccessInstanceRole: true, + }); + + cluster.addAsgCapacityProvider(capacityProvider); + + // THEN + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('sudo iptables --insert FORWARD 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP'); + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('sudo service iptables save'); + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('echo ECS_AWSVPC_BLOCK_IMDS=true >> /etc/ecs/ecs.config'); + }); + + test('allow ecs accessing metadata service when canContainersAccessInstanceRole is set on constructor and method', () => { + // GIVEN + const app = new cdk.App(); + const stack = new cdk.Stack(app, 'test'); + const cluster = new ecs.Cluster(stack, 'EcsCluster'); + + // WHEN + const capacityProvider = new ecs.AsgCapacityProvider(stack, 'Provider', { + autoScalingGroup: autoScalingGroup, + canContainersAccessInstanceRole: true, + }); + + cluster.addAsgCapacityProvider(capacityProvider, { + canContainersAccessInstanceRole: true, + }); + + // THEN + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('sudo iptables --insert FORWARD 1 --in-interface docker+ --destination 
169.254.169.254/32 --jump DROP'); + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('sudo service iptables save'); + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('echo ECS_AWSVPC_BLOCK_IMDS=true >> /etc/ecs/ecs.config'); + }); + + test('block ecs from accessing metadata service when canContainersAccessInstanceRole set on constructor and not set on method', () => { + // GIVEN + const app = new cdk.App(); + const stack = new cdk.Stack(app, 'test'); + const cluster = new ecs.Cluster(stack, 'EcsCluster'); + + // WHEN + const capacityProvider = new ecs.AsgCapacityProvider(stack, 'Provider', { + autoScalingGroup: autoScalingGroup, + canContainersAccessInstanceRole: true, + }); + + cluster.addAsgCapacityProvider(capacityProvider, { + canContainersAccessInstanceRole: false, + }); + + // THEN + expect(autoScalingGroup.addUserData).toHaveBeenCalledWith('sudo iptables --insert FORWARD 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP'); + expect(autoScalingGroup.addUserData).toHaveBeenCalledWith('sudo service iptables save'); + expect(autoScalingGroup.addUserData).toHaveBeenCalledWith('echo ECS_AWSVPC_BLOCK_IMDS=true >> /etc/ecs/ecs.config'); + }); + + test('allow ecs accessing metadata service when canContainersAccessInstanceRole is not set on constructor and set on method', () => { + // GIVEN + const app = new cdk.App(); + const stack = new cdk.Stack(app, 'test'); + const cluster = new ecs.Cluster(stack, 'EcsCluster'); + + // WHEN + const capacityProvider = new ecs.AsgCapacityProvider(stack, 'Provider', { + autoScalingGroup: autoScalingGroup, + canContainersAccessInstanceRole: false, + }); + + cluster.addAsgCapacityProvider(capacityProvider, { + canContainersAccessInstanceRole: true, + }); + + // THEN + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('sudo iptables --insert FORWARD 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP'); + 
expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('sudo service iptables save'); + expect(autoScalingGroup.addUserData).not.toHaveBeenCalledWith('echo ECS_AWSVPC_BLOCK_IMDS=true >> /etc/ecs/ecs.config'); + }); +}); + From f4439ceda079dd762ec30c6f4a893d6bcd7ed100 Mon Sep 17 00:00:00 2001 From: dafujii <41186511+dafujii@users.noreply.github.com> Date: Sat, 28 May 2022 10:26:48 +0900 Subject: [PATCH 7/9] fix(ecs): fix typo from fromServiceAtrributes to fromServiceAttributes (#20456) Fixed: #20458 I found `fromServiceAtrributes`. I fixed to `fromServiceAttributes` ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../@aws-cdk/aws-ecs/lib/base/from-service-attributes.ts | 2 +- packages/@aws-cdk/aws-ecs/lib/ec2/ec2-service.ts | 6 +++--- packages/@aws-cdk/aws-ecs/lib/external/external-service.ts | 6 +++--- packages/@aws-cdk/aws-ecs/lib/fargate/fargate-service.ts | 6 +++--- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/packages/@aws-cdk/aws-ecs/lib/base/from-service-attributes.ts b/packages/@aws-cdk/aws-ecs/lib/base/from-service-attributes.ts index 8dfc272300d41..7a9cbc0d28563 100644 --- a/packages/@aws-cdk/aws-ecs/lib/base/from-service-attributes.ts +++ b/packages/@aws-cdk/aws-ecs/lib/base/from-service-attributes.ts 
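Review bot: The fifth test's title says `canContainersAccessInstanceRole set on constructor and not set on method`, but its body passes `canContainersAccessInstanceRole: false` to `addAsgCapacityProvider`, so it exercises an explicit override rather than the unset case, which the third test already covers. Renaming it to `... set on constructor and explicitly false on method` would match what it asserts. Separately, `afterEach` only clears `addUserDataMock`; the shared `addToRolePolicy` and `protectNewInstancesFromScaleIn` mocks accumulate calls across tests, harmless today because nothing asserts on them, but `jest.clearAllMocks()` would keep the fixture honest if someone adds such an assertion later.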
@@ -27,7 +27,7 @@ export interface ServiceAttributes { readonly serviceName?: string; } -export function fromServiceAtrributes(scope: Construct, id: string, attrs: ServiceAttributes): IBaseService { +export function fromServiceAttributes(scope: Construct, id: string, attrs: ServiceAttributes): IBaseService { if ((attrs.serviceArn && attrs.serviceName) || (!attrs.serviceArn && !attrs.serviceName)) { throw new Error('You can only specify either serviceArn or serviceName.'); } diff --git a/packages/@aws-cdk/aws-ecs/lib/ec2/ec2-service.ts b/packages/@aws-cdk/aws-ecs/lib/ec2/ec2-service.ts index eca66a4db6ff3..c24a1780c8b48 100644 --- a/packages/@aws-cdk/aws-ecs/lib/ec2/ec2-service.ts +++ b/packages/@aws-cdk/aws-ecs/lib/ec2/ec2-service.ts @@ -2,7 +2,7 @@ import * as ec2 from '@aws-cdk/aws-ec2'; import { ArnFormat, Lazy, Resource, Stack } from '@aws-cdk/core'; import { Construct } from 'constructs'; import { BaseService, BaseServiceOptions, DeploymentControllerType, IBaseService, IService, LaunchType } from '../base/base-service'; -import { fromServiceAtrributes } from '../base/from-service-attributes'; +import { fromServiceAttributes } from '../base/from-service-attributes'; import { NetworkMode, TaskDefinition } from '../base/task-definition'; import { ICluster } from '../cluster'; import { CfnService } from '../ecs.generated'; @@ -134,10 +134,10 @@ export class Ec2Service extends BaseService implements IEc2Service { } /** - * Imports from the specified service attrributes. + * Imports from the specified service attributes. */ public static fromEc2ServiceAttributes(scope: Construct, id: string, attrs: Ec2ServiceAttributes): IBaseService { - return fromServiceAtrributes(scope, id, attrs); + return fromServiceAttributes(scope, id, attrs); } private readonly constraints: CfnService.PlacementConstraintProperty[]; 
diff --git a/packages/@aws-cdk/aws-ecs/lib/external/external-service.ts b/packages/@aws-cdk/aws-ecs/lib/external/external-service.ts index 9bb1eaf0b8cef..ba3bb291d422b 100644 --- a/packages/@aws-cdk/aws-ecs/lib/external/external-service.ts +++ b/packages/@aws-cdk/aws-ecs/lib/external/external-service.ts @@ -5,7 +5,7 @@ import * as cloudmap from '@aws-cdk/aws-servicediscovery'; import { ArnFormat, Resource, Stack } from '@aws-cdk/core'; import { Construct } from 'constructs'; import { AssociateCloudMapServiceOptions, BaseService, BaseServiceOptions, CloudMapOptions, DeploymentControllerType, EcsTarget, IBaseService, IEcsLoadBalancerTarget, IService, LaunchType, PropagatedTagSource } from '../base/base-service'; -import { fromServiceAtrributes } from '../base/from-service-attributes'; +import { fromServiceAttributes } from '../base/from-service-attributes'; import { ScalableTaskCount } from '../base/scalable-task-count'; import { Compatibility, LoadBalancerTargetOptions, TaskDefinition } from '../base/task-definition'; import { ICluster } from '../cluster'; @@ -79,10 +79,10 @@ export class ExternalService extends BaseService implements IExternalService { } /** - * Imports from the specified service attrributes. + * Imports from the specified service attributes. */ public static fromExternalServiceAttributes(scope: Construct, id: string, attrs: ExternalServiceAttributes): IBaseService { - return fromServiceAtrributes(scope, id, attrs); + return fromServiceAttributes(scope, id, attrs); } /** diff --git a/packages/@aws-cdk/aws-ecs/lib/fargate/fargate-service.ts b/packages/@aws-cdk/aws-ecs/lib/fargate/fargate-service.ts index b654c87887dda..a1ae858d0be61 100644 --- a/packages/@aws-cdk/aws-ecs/lib/fargate/fargate-service.ts +++ b/packages/@aws-cdk/aws-ecs/lib/fargate/fargate-service.ts 
@@ -3,7 +3,7 @@ import * as cdk from '@aws-cdk/core'; import { ArnFormat } from '@aws-cdk/core'; import { Construct } from 'constructs'; import { BaseService, BaseServiceOptions, DeploymentControllerType, IBaseService, IService, LaunchType } from '../base/base-service'; -import { fromServiceAtrributes } from '../base/from-service-attributes'; +import { fromServiceAttributes } from '../base/from-service-attributes'; import { TaskDefinition } from '../base/task-definition'; import { ICluster } from '../cluster'; @@ -111,10 +111,10 @@ export class FargateService extends BaseService implements IFargateService { } /** - * Imports from the specified service attrributes. + * Imports from the specified service attributes. */ public static fromFargateServiceAttributes(scope: Construct, id: string, attrs: FargateServiceAttributes): IBaseService { - return fromServiceAtrributes(scope, id, attrs); + return fromServiceAttributes(scope, id, attrs); } /** From 3a0077e5ebf8a146354e7f0be451ed4d973b2a38 Mon Sep 17 00:00:00 2001 From: AWS CDK Automation <43080478+aws-cdk-automation@users.noreply.github.com> Date: Mon, 30 May 2022 02:46:20 -0700 Subject: [PATCH 8/9] docs(cfnspec): update CloudFormation documentation (#20540) --- .../spec-source/cfn-docs/cfn-docs.json | 56 ++++++++++++++++--- 1 file changed, 49 insertions(+), 7 deletions(-) diff --git a/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json b/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json index c99e5a9c1f3a7..65e4fda07bbc6 100644 --- a/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json +++ b/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json 
@@ -14171,6 +14171,7 @@ }, "AWS::EC2::PlacementGroup": { "attributes": { + "GroupName": "", "Ref": "`Ref` returns the name of the placement group." }, "description": "Specifies a placement group in which to launch instances. The strategy of the placement group determines how the instances are organized within the group.\n\nA `cluster` placement group is a logical grouping of instances within a single Availability Zone that benefit from low network latency, high network throughput. A `spread` placement group places instances on distinct hardware. A `partition` placement group places groups of instances in different partitions, where instances in one partition do not share the same hardware with instances in another partition.\n\nFor more information, see [Placement Groups](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html) in the *Amazon EC2 User Guide* .", @@ -14794,6 +14795,7 @@ }, "description": "Attaches a VPC to a transit gateway.\n\nIf you attach a VPC with a CIDR range that overlaps the CIDR range of a VPC that is already attached, the new VPC CIDR range is not propagated to the default propagation route table.\n\nTo send VPC traffic to an attached transit gateway, add a route to the VPC route table using [AWS::EC2::Route](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-route.html) .", "properties": { + "Options": "", "SubnetIds": "The IDs of one or more subnets. You can specify only one subnet per Availability Zone. You must specify at least one subnet, but we recommend that you specify two subnets for better availability. The transit gateway uses one IP address from each specified subnet.", "Tags": "The tags for the attachment.", "TransitGatewayId": "The ID of the transit gateway.", 
@@ -15078,6 +15080,7 @@ }, "AWS::EC2::VPCPeeringConnection": { "attributes": { + "Id": "", "Ref": "`Ref` returns the ID of the VPC peering connection." }, "description": "Requests a VPC peering connection between two VPCs: a requester VPC that you own and an accepter VPC with which to create the connection. The accepter VPC can belong to another AWS account and can be in a different Region to the requester VPC.\n\nThe requester VPC and accepter VPC cannot have overlapping CIDR blocks. If you create a VPC peering connection request between VPCs with overlapping CIDR blocks, the VPC peering connection has a status of `failed` .\n\nFor more information, see [Walkthough: Peer with a VPC in another AWS account](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/peer-with-vpc-in-another-account.html) .", @@ -15781,7 +15784,7 @@ "attributes": {}, "description": "Information about the platform for the Amazon ECS service or task.\n\nFor more informataion about `RuntimePlatform` , see [RuntimePlatform](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#runtime-platform) in the *Amazon Elastic Container Service Developer Guide* .", "properties": { - "CpuArchitecture": "The CPU architecture.\n\nYou can run your Linux tasks on an ARM-based platform by setting the value to `ARM64` . This option is avaiable for tasks that run on Linuc Amazon EC2 instance or Linux containers on Fargate.", + "CpuArchitecture": "The CPU architecture.\n\nYou can run your Linux tasks on an ARM-based platform by setting the value to `ARM64` . This option is avaiable for tasks that run on Linux Amazon EC2 instance or Linux containers on Fargate.", "OperatingSystemFamily": "The operating system." } }, 
@@ -19501,7 +19504,7 @@ "description": "The `AWS::GameLift::Fleet` resource creates an Amazon GameLift (GameLift) fleet to host game servers. A fleet is a set of EC2 instances, each of which can host multiple game sessions.", "properties": { "BuildId": "A unique identifier for a build to be deployed on the new fleet. If you are deploying the fleet with a custom game build, you must specify this property. The build must have been successfully uploaded to Amazon GameLift and be in a `READY` status. This fleet setting cannot be changed once the fleet is created.", - "CertificateConfiguration": "Prompts GameLift to generate a TLS/SSL certificate for the fleet. TLS certificates are used for encrypting traffic between game clients and the game servers that are running on GameLift. By default, the `CertificateConfiguration` is set to `DISABLED` . This property cannot be changed after the fleet is created.\n\nNote: This feature requires the AWS Certificate Manager (ACM) service, which is not available in all AWS regions. When working in a region that does not support this feature, a fleet creation request with certificate generation fails with a 4xx error.", + "CertificateConfiguration": "Prompts GameLift to generate a TLS/SSL certificate for the fleet. GameLift uses the certificates to encrypt traffic between game clients and the game servers running on GameLift. By default, the `CertificateConfiguration` is `DISABLED` . You can't change this property after you create the fleet.\n\nAWS Certificate Manager (ACM) certificates expire after 13 months. Certificate expiration can cause fleets to fail, preventing players from connecting to instances in the fleet. We recommend you replace fleets before 13 months, consider using fleet aliases for a smooth transition.\n\n> ACM isn't available in all AWS regions. A fleet creation request with certificate generation enabled in an unsupported Region, fails with a 4xx error. 
For more information about the supported Regions, see [Supported Regions](https://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html) in the *AWS Certificate Manager User Guide* .", "Description": "A human-readable description of the fleet.", "DesiredEC2Instances": "The number of EC2 instances that you want this fleet to host. When creating a new fleet, GameLift automatically sets this value to \"1\" and initiates a single instance. Once the fleet is active, update this value to trigger GameLift to add or remove instances from the fleet.", "EC2InboundPermissions": "The allowed IP address ranges and port settings that allow inbound traffic to access game sessions on this fleet. If the fleet is hosting a custom game build, this property must be set before players can connect to game sessions. For Realtime Servers fleets, GameLift automatically sets TCP and UDP ranges.", @@ -24499,6 +24502,7 @@ }, "description": "Creates an asset from an existing asset model. For more information, see [Creating assets](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/create-assets.html) in the *AWS IoT SiteWise User Guide* .", "properties": { + "AssetDescription": "", "AssetHierarchies": "A list of asset hierarchies that each contain a `hierarchyLogicalId` . A hierarchy specifies allowed parent/child asset relationships.", "AssetModelId": "The ID of the asset model from which to create the asset.", "AssetName": "A unique, friendly name for the asset.\n\nThe maximum length is 256 characters with the pattern `[^\\u0000-\\u001F\\u007F]+` .", 
@@ -34013,6 +34017,7 @@ "AdditionalTreatments": "An array of requests that defines additional treatments for the campaign, in addition to the default treatment for the campaign.", "ApplicationId": "The unique identifier for the Amazon Pinpoint application that the campaign is associated with.", "CampaignHook": "Specifies the Lambda function to use as a code hook for a campaign.", + "CustomDeliveryConfiguration": "The delivery configuration settings for sending the treatment through a custom channel. This object is required if the `MessageConfiguration` object for the treatment specifies a `CustomMessage` object.", "Description": "A custom description of the campaign.", "HoldoutPercent": "The allocated percentage of users (segment members) who shouldn't receive messages from the campaign.", "IsPaused": "Specifies whether to pause the campaign. A paused campaign doesn't run unless you resume it by changing this value to `false` . If you restart a campaign, the campaign restarts from the beginning and not at the point you paused it.", @@ -34024,6 +34029,7 @@ "SegmentId": "The unique identifier for the segment to associate with the campaign.", "SegmentVersion": "The version of the segment to associate with the campaign.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .", + "TemplateConfiguration": "The message template to use for the treatment.", "TreatmentDescription": "A custom description of the default treatment for the campaign.", "TreatmentName": "A custom name of the default treatment for the campaign, if the campaign has multiple treatments. A *treatment* is a variation of a campaign that's used for A/B testing." } 
@@ -34036,6 +34042,13 @@ "Values": "The criteria values to use for the segment dimension. Depending on the value of the `AttributeType` property, endpoints are included or excluded from the segment if their attribute values match the criteria values." } }, + "AWS::Pinpoint::Campaign.CampaignCustomMessage": { + "attributes": {}, + "description": "Specifies the contents of a message that's sent through a custom channel to recipients of a campaign.", + "properties": { + "Data": "The raw, JSON-formatted string to use as the payload for the message. The maximum size is 5 KB." + } + }, "AWS::Pinpoint::Campaign.CampaignEmailMessage": { "attributes": {}, "description": "Specifies the content and \"From\" address for an email message that's sent to recipients of a campaign.", 
@@ -34084,6 +34097,14 @@ "TemplateId": "The template ID received from the regulatory body for sending SMS in your country." } }, + "AWS::Pinpoint::Campaign.CustomDeliveryConfiguration": { + "attributes": {}, + "description": "Specifies the delivery configuration settings for sending a campaign or campaign treatment through a custom channel. This object is required if you use the `CampaignCustomMessage` object to define the message to send for the campaign or campaign treatment.", + "properties": { + "DeliveryUri": "The destination to send the campaign or treatment to. This value can be one of the following:\n\n- The name or Amazon Resource Name (ARN) of an AWS Lambda function to invoke to handle delivery of the campaign or treatment.\n- The URL for a web application or service that supports HTTPS and can receive the message. The URL has to be a full URL, including the HTTPS protocol.", + "EndpointTypes": "The types of endpoints to send the campaign or treatment to. Each valid value maps to a type of channel that you can associate with an endpoint by using the `ChannelType` property of an endpoint." + } + }, "AWS::Pinpoint::Campaign.DefaultButtonConfiguration": { "attributes": {}, "description": "Specifies the default behavior for a button that appears in an in-app message. You can optionally add button configurations that specifically apply to iOS, Android, or web browser users.", 
@@ -34181,6 +34202,7 @@ "ADMMessage": "The message that the campaign sends through the ADM (Amazon Device Messaging) channel. If specified, this message overrides the default message.", "APNSMessage": "The message that the campaign sends through the APNs (Apple Push Notification service) channel. If specified, this message overrides the default message.", "BaiduMessage": "The message that the campaign sends through the Baidu (Baidu Cloud Push) channel. If specified, this message overrides the default message.", + "CustomMessage": "The message that the campaign sends through a custom channel, as specified by the delivery configuration ( `CustomDeliveryConfiguration` ) settings for the campaign. If specified, this message overrides the default message.", "DefaultMessage": "The default message that the campaign sends through all the channels that are configured for the campaign.", "EmailMessage": "The message that the campaign sends through the email channel. If specified, this message overrides the default message.", "GCMMessage": "The message that the campaign sends through the GCM channel, which enables Amazon Pinpoint to send push notifications through the Firebase Cloud Messaging (FCM), formerly Google Cloud Messaging (GCM), service. If specified, this message overrides the default message.", 
@@ -34233,13 +34255,33 @@ "Values": "The criteria values to use for the segment dimension. Depending on the value of the `DimensionType` property, endpoints are included or excluded from the segment if their values match the criteria values." } }, + "AWS::Pinpoint::Campaign.Template": { + "attributes": {}, + "description": "Specifies the name and version of the message template to use for the message.", + "properties": { + "Name": "The name of the message template to use for the message. If specified, this value must match the name of an existing message template.", + "Version": "The unique identifier for the version of the message template to use for the message. If specified, this value must match the identifier for an existing template version. To retrieve a list of versions and version identifiers for a template, use the Template Versions resource.\n\nIf you don't specify a value for this property, Amazon Pinpoint uses the *active version* of the template. The *active version* is typically the version of a template that's been most recently reviewed and approved for use, depending on your workflow. It isn't necessarily the latest version of a template." + } + }, + "AWS::Pinpoint::Campaign.TemplateConfiguration": { + "attributes": {}, + "description": "Specifies the message template to use for the message, for each type of channel.", + "properties": { + "EmailTemplate": "The email template to use for the message.", + "PushTemplate": "The push notification template to use for the message.", + "SMSTemplate": "The SMS template to use for the message.", + "VoiceTemplate": "The voice template to use for the message. This object isn't supported for campaigns." + } + }, "AWS::Pinpoint::Campaign.WriteTreatmentResource": { "attributes": {}, "description": "Specifies the settings for a campaign treatment. 
A *treatment* is a variation of a campaign that's used for A/B testing of a campaign.", "properties": { + "CustomDeliveryConfiguration": "The delivery configuration settings for sending the treatment through a custom channel. This object is required if the `MessageConfiguration` object for the treatment specifies a `CustomMessage` object.", "MessageConfiguration": "The message configuration settings for the treatment.", "Schedule": "The schedule settings for the treatment.", "SizePercent": "The allocated percentage of users (segment members) to send the treatment to.", + "TemplateConfiguration": "The message template to use for the treatment.", "TreatmentDescription": "A custom description of the treatment.", "TreatmentName": "A custom name for the treatment." } 
@@ -34751,8 +34793,8 @@ }, "description": "The `AWS::QLDB::Ledger` resource specifies a new Amazon Quantum Ledger Database (Amazon QLDB) ledger in your AWS account . Amazon QLDB is a fully managed ledger database that provides a transparent, immutable, and cryptographically verifiable transaction log owned by a central trusted authority. You can use QLDB to track all application data changes, and maintain a complete and verifiable history of changes over time.\n\nFor more information, see [CreateLedger](https://docs.aws.amazon.com/qldb/latest/developerguide/API_CreateLedger.html) in the *Amazon QLDB API Reference* .", "properties": { - "DeletionProtection": "The flag that prevents a ledger from being deleted by any user. If not provided on ledger creation, this feature is enabled ( `true` ) by default.\n\nIf deletion protection is enabled, you must first disable it before you can delete the ledger. You can disable it by calling the `UpdateLedger` operation to set the flag to `false` .", - "KmsKey": "The key in AWS Key Management Service ( AWS KMS ) to use for encryption of data at rest in the ledger. For more information, see [Encryption at rest](https://docs.aws.amazon.com/qldb/latest/developerguide/encryption-at-rest.html) in the *Amazon QLDB Developer Guide* .\n\nUse one of the following options to specify this parameter:\n\n- `AWS_OWNED_KMS_KEY` : Use an AWS KMS key that is owned and managed by AWS on your behalf.\n- *Undefined* : By default, use an AWS owned KMS key.\n- *A valid symmetric customer managed KMS key* : Use the specified KMS key in your account that you create, own, and manage.\n\nAmazon QLDB does not support asymmetric keys. For more information, see [Using symmetric and asymmetric keys](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) in the *AWS Key Management Service Developer Guide* .\n\nTo specify a customer managed KMS key, you can use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. 
When using an alias name, prefix it with `\"alias/\"` . To specify a key in a different AWS account , you must use the key ARN or alias ARN.\n\nFor example:\n\n- Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`\n- Key ARN: `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`\n- Alias name: `alias/ExampleAlias`\n- Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`\n\nFor more information, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* .", + "DeletionProtection": "Specifies whether the ledger is protected from being deleted by any user. If not defined during ledger creation, this feature is enabled ( `true` ) by default.\n\nIf deletion protection is enabled, you must first disable it before you can delete the ledger. You can disable it by calling the `UpdateLedger` operation to set the parameter to `false` .", + "KmsKey": "The key in AWS Key Management Service ( AWS KMS ) to use for encryption of data at rest in the ledger. For more information, see [Encryption at rest](https://docs.aws.amazon.com/qldb/latest/developerguide/encryption-at-rest.html) in the *Amazon QLDB Developer Guide* .\n\nUse one of the following options to specify this parameter:\n\n- `AWS_OWNED_KMS_KEY` : Use an AWS KMS key that is owned and managed by AWS on your behalf.\n- *Undefined* : By default, use an AWS owned KMS key.\n- *A valid symmetric customer managed KMS key* : Use the specified symmetric encryption KMS key in your account that you create, own, and manage.\n\nAmazon QLDB does not support asymmetric keys. For more information, see [Using symmetric and asymmetric keys](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) in the *AWS Key Management Service Developer Guide* .\n\nTo specify a customer managed KMS key, you can use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. 
When using an alias name, prefix it with `\"alias/\"` . To specify a key in a different AWS account , you must use the key ARN or alias ARN.\n\nFor example:\n\n- Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`\n- Key ARN: `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`\n- Alias name: `alias/ExampleAlias`\n- Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`\n\nFor more information, see [Key identifiers (KeyId)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide* .", "Name": "The name of the ledger that you want to create. The name must be unique among all of the ledgers in your AWS account in the current Region.\n\nNaming constraints for ledger names are defined in [Quotas in Amazon QLDB](https://docs.aws.amazon.com/qldb/latest/developerguide/limits.html#limits.naming) in the *Amazon QLDB Developer Guide* .", "PermissionsMode": "The permissions mode to assign to the ledger that you want to create. This parameter can have one of the following values:\n\n- `ALLOW_ALL` : A legacy permissions mode that enables access control with API-level granularity for ledgers.\n\nThis mode allows users who have the `SendCommand` API permission for this ledger to run all PartiQL commands (hence, `ALLOW_ALL` ) on any tables in the specified ledger. This mode disregards any table-level or command-level IAM permissions policies that you create for the ledger.\n- `STANDARD` : ( *Recommended* ) A permissions mode that enables access control with finer granularity for ledgers, tables, and PartiQL commands.\n\nBy default, this mode denies all user requests to run any PartiQL commands on any tables in this ledger. To allow PartiQL commands to run, you must create IAM permissions policies for specific table resources and PartiQL actions, in addition to the `SendCommand` API permission for the ledger. 
For information, see [Getting started with the standard permissions mode](https://docs.aws.amazon.com/qldb/latest/developerguide/getting-started-standard-mode.html) in the *Amazon QLDB Developer Guide* .\n\n> We strongly recommend using the `STANDARD` permissions mode to maximize the security of your ledger data.", "Tags": "An array of key-value pairs to apply to this resource.\n\nFor more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) ." 
@@ -37844,8 +37886,8 @@ "NoncurrentVersionExpirationInDays": "(Deprecated.) For buckets with versioning enabled (or suspended), specifies the time, in days, between when a new version of the object is uploaded to the bucket and when old versions of the object expire. When object versions expire, Amazon S3 permanently deletes them. If you specify a transition and expiration time, the expiration time must be later than the transition time.", "NoncurrentVersionTransition": "(Deprecated.) For buckets with versioning enabled (or suspended), specifies when non-current objects transition to a specified storage class. If you specify a transition and expiration time, the expiration time must be later than the transition time. If you specify this property, don't specify the `NoncurrentVersionTransitions` property.", "NoncurrentVersionTransitions": "For buckets with versioning enabled (or suspended), one or more transition rules that specify when non-current objects transition to a specified storage class. If you specify a transition and expiration time, the expiration time must be later than the transition time. If you specify this property, don't specify the `NoncurrentVersionTransition` property.", - "ObjectSizeGreaterThan": "Specifies the minimum object size in bytes for this rule to apply to. For more information about size based rules, see [Lifecycle configuration using size-based rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-configuration-examples.html#lc-size-rules) in the *Amazon S3 User Guide* .", - "ObjectSizeLessThan": "Specifies the maximum object size in bytes for this rule to apply to. For more information about sized based rules, see [Lifecycle configuration using size-based rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-configuration-examples.html#lc-size-rules) in the *Amazon S3 User Guide* .", + "ObjectSizeGreaterThan": "Specifies the minimum object size in bytes for this rule to apply to. 
Objects must be larger than this value in bytes. For more information about size based rules, see [Lifecycle configuration using size-based rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-configuration-examples.html#lc-size-rules) in the *Amazon S3 User Guide* .", + "ObjectSizeLessThan": "Specifies the maximum object size in bytes for this rule to apply to. Objects must be smaller than this value in bytes. For more information about sized based rules, see [Lifecycle configuration using size-based rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-configuration-examples.html#lc-size-rules) in the *Amazon S3 User Guide* .", "Prefix": "Object key prefix that identifies one or more objects to which this rule applies.\n\n> Replacement must be made for object keys containing special characters (such as carriage returns) when using XML requests. For more information, see [XML related object key constraints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-xml-related-constraints) .", "Status": "If `Enabled` , the rule is currently being applied. If `Disabled` , the rule is not currently being applied.", "TagFilters": "Tags to use to identify a subset of objects to which the lifecycle rule applies.", 
@@ -37855,7 +37897,7 @@ }, "AWS::S3::Bucket.S3KeyFilter": { "attributes": {}, - "description": "A container for object key name prefix and suffix filtering rules.\n\n> The same type of filter rule cannot be used more than once. For example, you cannot specify two prefix rules.", + "description": "A container for object key name prefix and suffix filtering rules. For more information about object key name filtering, see [Configuring event notifications using object key name filtering](https://docs.aws.amazon.com/AmazonS3/latest/userguide/notification-how-to-filtering.html) in the *Amazon S3 User Guide* .\n\n> The same type of filter rule cannot be used more than once. For example, you cannot specify two prefix rules.", "properties": { "Rules": "A list of containers for the key-value pair that defines the criteria for the filter rule." } From d814293b8092d975977005b3e28a0a8ac4c6389f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 May 2022 11:11:10 +0000 Subject: [PATCH 9/9] chore(deps): Bump awscli from 1.24.5 to 1.24.10 in /packages/@aws-cdk/lambda-layer-awscli (#20542) Bumps [awscli](https://github.com/aws/aws-cli) from 1.24.5 to 1.24.10.
Changelog

Sourced from awscli's changelog.

1.24.10

  • api-change:appflow: Adding the following features/changes: Parquet output that preserves typing from the source connector, Failed executions threshold before deactivation for scheduled flows, increasing max size of access and refresh token from 2048 to 4096
  • api-change:sagemaker: Amazon SageMaker Notebook Instances now allows configuration of Instance Metadata Service version and Amazon SageMaker Studio now supports G5 instance types.
  • api-change:datasync: AWS DataSync now supports TLS encryption in transit, file system policies and access points for EFS locations.
  • api-change:emr-serverless: This release adds support for Amazon EMR Serverless, a serverless runtime environment that simplifies running analytics applications using the latest open source frameworks such as Apache Spark and Apache Hive.

1.24.9

  • api-change:ec2: C7g instances, powered by the latest generation AWS Graviton3 processors, provide the best price performance in Amazon EC2 for compute-intensive workloads.
  • api-change:emr-serverless: This release adds support for Amazon EMR Serverless, a serverless runtime environment that simplifies running analytics applications using the latest open source frameworks such as Apache Spark and Apache Hive.
  • api-change:forecast: Introduced a new field in Auto Predictor as Time Alignment Boundary. It helps in aligning the timestamps generated during Forecast exports
  • api-change:lightsail: Amazon Lightsail now supports the ability to configure a Lightsail Container Service to pull images from Amazon ECR private repositories in your account.

1.24.8

  • api-change:secretsmanager: Documentation updates for Secrets Manager
  • api-change:sagemaker: Amazon SageMaker Autopilot adds support for manually selecting features from the input dataset using the CreateAutoMLJob API.
  • api-change:apprunner: Documentation-only update added for CodeConfiguration.
  • api-change:apigateway: Documentation updates for Amazon API Gateway
  • api-change:fsx: This release adds root squash support to FSx for Lustre to restrict root level access from clients by mapping root users to a less-privileged user/group with limited permissions.
  • api-change:lookoutmetrics: Adding AthenaSourceConfig for MetricSet APIs to support Athena as a data source.
  • api-change:voice-id: VoiceID will now automatically expire Speakers if they haven't been accessed for Enrollment, Re-enrollment or Successful Auth for three years. The Speaker APIs now return a "LastAccessedAt" time for Speakers, and the EvaluateSession API returns "SPEAKER_EXPIRED" Auth Decision for EXPIRED Speakers.
  • api-change:cloudformation: Add a new parameter statusReason to DescribeStackSetOperation output for additional details

1.24.7

  • api-change:ec2: Stop Protection feature enables customers to protect their instances from accidental stop actions.
  • api-change:cognito-idp: Amazon Cognito now supports requiring attribute verification (ex. email and phone number) before update.
  • api-change:mediaconvert: AWS Elemental MediaConvert SDK has added support for rules that constrain Automatic-ABR rendition selection when generating ABR package ladders.
  • api-change:networkmanager: This release adds Multi Account API support for a TGW Global Network, to enable and disable AWSServiceAccess with AwsOrganizations for Network Manager service and dependency CloudFormation StackSets service.
  • api-change:ivschat: Doc-only update. For MessageReviewHandler structure, added timeout period in the description of the fallbackResult field

1.24.6

  • api-change:forecast: New APIs for Monitor that help you understand how your predictors perform over time.
  • api-change:elasticache: Added support for encryption in transit for Memcached clusters. Customers can now launch Memcached cluster with encryption in transit enabled when using Memcached version 1.6.12 or later.
  • api-change:personalize: Adding modelMetrics as part of DescribeRecommender API response for Personalize.
Commits
  • 61acbef Merge branch 'release-1.24.10'
  • fd11aff Bumping version to 1.24.10
  • 4db48c4 Update changelog based on model updates
  • c9cedb1 Merge pull request #3822 from mkrn/develop
  • 7f04197 Merge branch 'release-1.24.9'
  • faafcb1 Merge branch 'release-1.24.9' into develop
  • 4c24413 Bumping version to 1.24.9
  • 2db57f7 Update changelog based on model updates
  • d9f828c Add support for aws cloudformation package of AWS::AppSync::FunctionConfigura...
  • 20348b2 Merge pull request #4353 from yoshiken/delete_unused_variable
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=awscli&package-manager=pip&previous-version=1.24.5&new-version=1.24.10)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
---
 packages/@aws-cdk/lambda-layer-awscli/layer/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/@aws-cdk/lambda-layer-awscli/layer/requirements.txt b/packages/@aws-cdk/lambda-layer-awscli/layer/requirements.txt
index 4142bbbaacc8f..9b84c7758b66b 100644
--- a/packages/@aws-cdk/lambda-layer-awscli/layer/requirements.txt
+++ b/packages/@aws-cdk/lambda-layer-awscli/layer/requirements.txt
@@ -1 +1 @@
-awscli==1.24.5
+awscli==1.24.10