diff --git a/.github/workflows/request-cli-integ-test.yml b/.github/workflows/request-cli-integ-test.yml index 8847151c25039..81fbdb9c4ed26 100644 --- a/.github/workflows/request-cli-integ-test.yml +++ b/.github/workflows/request-cli-integ-test.yml @@ -19,7 +19,7 @@ jobs: persist-credentials: false - name: Find changed cli files id: changed-cli-files - uses: tj-actions/changed-files@bab30c2299617f6615ec02a68b9a40d10bd21366 + uses: tj-actions/changed-files@d6e91a2266cdb9d62096cebf1e8546899c6aa18f with: base_sha: ${{ github.event.pull_request.base.sha }} files_yaml: | diff --git a/aws-cdk.code-workspace b/aws-cdk.code-workspace index a7ebb6636469f..406bc32a95401 100644 --- a/aws-cdk.code-workspace +++ b/aws-cdk.code-workspace @@ -31,7 +31,7 @@ "name": "aws-custom-resource-sdk-adapter", "rootPath": "packages/@aws-cdk/aws-custom-resource-sdk-adapter" }, - { "name": "cli-args-gen", "rootPath": "tools/@aws-cdk/cli-args-gen" } + { "name": "user-input-gen", "rootPath": "tools/@aws-cdk/user-input-gen" } ] }, "extensions": { diff --git a/lerna.json b/lerna.json index c10809593a0e4..05a0f3ac14fb5 100644 --- a/lerna.json +++ b/lerna.json @@ -10,7 +10,7 @@ "packages/@aws-cdk-testing/*", "packages/@aws-cdk/*/lambda-packages/*", "tools/@aws-cdk/cdk-build-tools", - "tools/@aws-cdk/cli-args-gen", + "tools/@aws-cdk/user-input-gen", "tools/@aws-cdk/cdk-release", "tools/@aws-cdk/node-bundle", "tools/@aws-cdk/pkglint", diff --git a/package.json b/package.json index 0f3eb7971f811..a75d010d3c217 100644 --- a/package.json +++ b/package.json @@ -77,7 +77,7 @@ "packages/@aws-cdk-testing/*", "packages/@aws-cdk/*/lambda-packages/*", "tools/@aws-cdk/cdk-build-tools", - "tools/@aws-cdk/cli-args-gen", + "tools/@aws-cdk/user-input-gen", "tools/@aws-cdk/cdk-release", "tools/@aws-cdk/node-bundle", "tools/@aws-cdk/pkglint", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/AlbDualstackWithoutPublicIpv4DefaultTestDeployAssertFA6F90DD.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/AlbDualstackWithoutPublicIpv4DefaultTestDeployAssertFA6F90DD.assets.json index 4a0f5e0c5e4b3..659ffb1cc71f4 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/AlbDualstackWithoutPublicIpv4DefaultTestDeployAssertFA6F90DD.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/AlbDualstackWithoutPublicIpv4DefaultTestDeployAssertFA6F90DD.assets.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "39.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/aws-cdk-elbv2-integ-dualstack-without-public-ipv4.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/aws-cdk-elbv2-integ-dualstack-without-public-ipv4.assets.json index 5091d2e660924..fb6e143f30005 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/aws-cdk-elbv2-integ-dualstack-without-public-ipv4.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/aws-cdk-elbv2-integ-dualstack-without-public-ipv4.assets.json @@ -1,7 +1,7 @@ { - "version": "36.0.0", + "version": "39.0.0", "files": { - "688bf4caeb2845f3dc89826da60063b380e5d0fe7ab50a95f9ffc76451c42a77": { + "0fac4619627ba59020023785c5d86d47abad0759e7add3aa2f150f8cbfcd7a9a": { "source": { "path": "aws-cdk-elbv2-integ-dualstack-without-public-ipv4.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "688bf4caeb2845f3dc89826da60063b380e5d0fe7ab50a95f9ffc76451c42a77.json", + "objectKey": "0fac4619627ba59020023785c5d86d47abad0759e7add3aa2f150f8cbfcd7a9a.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/aws-cdk-elbv2-integ-dualstack-without-public-ipv4.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/aws-cdk-elbv2-integ-dualstack-without-public-ipv4.template.json index 8882537e5df34..d430a9159e6c5 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/aws-cdk-elbv2-integ-dualstack-without-public-ipv4.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/aws-cdk-elbv2-integ-dualstack-without-public-ipv4.template.json @@ -530,6 +530,13 @@ "FromPort": 80, "IpProtocol": "tcp", "ToPort": 80 + }, + { + "CidrIpv6": "::/0", + "Description": "Allow from anyone on port 80", + "FromPort": 80, + "IpProtocol": "tcp", + "ToPort": 80 } ], "VpcId": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/cdk.out index 1f0068d32659a..91e1a8b9901d5 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"36.0.0"} \ No newline at end of file +{"version":"39.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/integ.json index 4fd4fa6f896d6..b780151e89492 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "39.0.0", "testCases": { "AlbDualstackWithoutPublicIpv4/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/manifest.json index 87f61f9552ca1..6534e24089c8d 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "39.0.0", "artifacts": { "aws-cdk-elbv2-integ-dualstack-without-public-ipv4.assets": { "type": "cdk:asset-manifest", @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/688bf4caeb2845f3dc89826da60063b380e5d0fe7ab50a95f9ffc76451c42a77.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/0fac4619627ba59020023785c5d86d47abad0759e7add3aa2f150f8cbfcd7a9a.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/tree.json index 07d5c271d52c2..4810b354d0d71 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/tree.json @@ -31,7 +31,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnVPC", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -97,7 +97,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -127,7 +127,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -146,7 +146,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -166,7 +166,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -186,7 +186,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnEIP", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -214,7 +214,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -234,13 +234,13 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.PublicSubnet", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -306,7 +306,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -336,7 +336,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -355,7 +355,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -375,7 +375,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -395,7 +395,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnEIP", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -423,7 +423,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -443,13 +443,13 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.PublicSubnet", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -493,7 +493,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -523,7 +523,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -542,7 +542,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -562,13 +562,13 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -612,7 +612,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -642,7 +642,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -661,7 +661,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -681,13 +681,13 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -706,7 +706,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnInternetGateway", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -725,13 +725,13 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnVPCGatewayAttachment", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.Vpc", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -748,7 +748,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnVPCCidrBlock", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -790,7 +790,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.CfnLoadBalancer", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -821,6 +821,13 @@ "fromPort": 80, "toPort": 80, "description": "Allow from anyone on port 80" + }, + { + "cidrIpv6": "::/0", + "ipProtocol": "tcp", + "fromPort": 80, + "toPort": 80, + "description": "Allow from anyone on port 80" } ], "vpcId": { @@ -829,13 +836,13 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSecurityGroup", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.SecurityGroup", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -865,7 +872,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.CfnListener", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -899,7 +906,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.CfnTargetGroup", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } @@ -939,7 +946,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.CfnTargetGroup", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } @@ -982,14 +989,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.CfnListenerRule", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationListenerRule", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } }, "action1Rule": { @@ -1028,14 +1035,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.CfnListenerRule", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationListenerRule", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } } }, @@ -1269,7 +1276,7 @@ "path": "AlbDualstackWithoutPublicIpv4/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } }, "DeployAssert": { @@ -1315,7 +1322,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } } }, diff --git a/packages/@aws-cdk/aws-ec2-alpha/README.md b/packages/@aws-cdk/aws-ec2-alpha/README.md index b387e02180ad4..a01295ac1da67 100644 --- a/packages/@aws-cdk/aws-ec2-alpha/README.md +++ b/packages/@aws-cdk/aws-ec2-alpha/README.md @@ -305,7 +305,7 @@ const acceptorVpc = new VpcV2(this, 'VpcA', { const acceptorRoleArn = acceptorVpc.createAcceptorVpcRole('000000000000'); // Requestor account ID ``` -After creating an IAM role in the acceptor account, we can initiate the peering connection request from the requestor VPC. Import accpeptorVpc to the stack using `fromVpcV2Attributes` method, it is recommended to specify owner account id of the acceptor VPC in case of cross account peering connection, if acceptor VPC is hosted in different region provide region value for import as well. +After creating an IAM role in the acceptor account, we can initiate the peering connection request from the requestor VPC. Import acceptorVpc to the stack using `fromVpcV2Attributes` method, it is recommended to specify owner account id of the acceptor VPC in case of cross account peering connection, if acceptor VPC is hosted in different region provide region value for import as well. The following code snippet demonstrates how to set up VPC peering between two VPCs in different AWS accounts using CDK: ```ts @@ -461,11 +461,11 @@ For more information, see [What is AWS Site-to-Site VPN?](https://docs.aws.amazo VPN route propagation is a feature in Amazon Web Services (AWS) that automatically updates route tables in your Virtual Private Cloud (VPC) with routes learned from a VPN connection. -To enable VPN route propogation, use the `vpnRoutePropagation` property to specify the subnets as an input to the function. VPN route propagation will then be enabled for each subnet with the corresponding route table IDs. +To enable VPN route propagation, use the `vpnRoutePropagation` property to specify the subnets as an input to the function. VPN route propagation will then be enabled for each subnet with the corresponding route table IDs. Additionally, you can set up a route in any route table with the target set to the VPN Gateway. The function `enableVpnGatewayV2` returns a `VPNGatewayV2` object that you can reference later. -The code example below provides the definition for setting up a VPN gateway with `vpnRoutePropogation` enabled: +The code example below provides the definition for setting up a VPN gateway with `vpnRoutePropagation` enabled: ```ts @@ -494,7 +494,7 @@ An internet gateway is a horizontally scaled, redundant, and highly available VP For more information, see [Enable VPC internet access using internet gateways](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-igw-internet-access.html). You can add an internet gateway to a VPC using `addInternetGateway` method. By default, this method creates a route in all Public Subnets with outbound destination set to `0.0.0.0` for IPv4 and `::0` for IPv6 enabled VPC. -Instead of using the default settings, you can configure a custom destinatation range by providing an optional input `destination` to the method. +Instead of using the default settings, you can configure a custom destination range by providing an optional input `destination` to the method. The code example below shows how to add an internet gateway with a custom outbound destination IP range: @@ -539,13 +539,13 @@ const importedVpc = VpcV2.fromVpcV2Attributes(stack, 'ImportedVpc', { In case of cross account or cross region VPC, its recommended to provide region and ownerAccountId so that these values for the VPC can be used to populate correct arn value for the VPC. If a VPC region and account ID is not provided, then region and account configured in the stack will be used. Furthermore, these fields will be referenced later while setting up VPC peering connection, so its necessary to set these fields to a correct value. -Below is an example of importing a cross region and cross acount VPC, VPC arn for this case would be 'arn:aws:ec2:us-west-2:123456789012:vpc/mockVpcID' +Below is an example of importing a cross region and cross account VPC, VPC arn for this case would be 'arn:aws:ec2:us-west-2:123456789012:vpc/mockVpcID' ``` ts const stack = new Stack(); -//Importing a cross acount or cross region VPC +//Importing a cross account or cross region VPC const importedVpc = VpcV2.fromVpcV2Attributes(stack, 'ImportedVpc', { vpcId: 'mockVpcID', vpcCidrBlock: '10.0.0.0/16', diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/README.md b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/README.md index d780b7bb410cb..82b10a3417ef6 100644 --- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/README.md +++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/README.md @@ -1,7 +1,5 @@ # Amazon Elastic Load Balancing V2 Construct Library - - The `aws-cdk-lib/aws-elasticloadbalancingv2` package provides constructs for configuring application and network load balancers. @@ -49,6 +47,13 @@ listener.addTargets('ApplicationFleet', { The security groups of the load balancer and the target are automatically updated to allow the network traffic. +> NOTE: If the `@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault` feature flag is set (the default for new projects), and `addListener()` is called with `open: true`, +the load balancer's security group will automatically include both IPv4 and IPv6 ingress rules when using `IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4`. +> +> For existing projects that only have IPv4 rules, you can opt-in to IPv6 ingress rules +by enabling the feature flag in your cdk.json file. Note that enabling this feature flag +will modify existing security group rules. + One (or more) security groups can be associated with the load balancer; if a security group isn't provided, one will be automatically created. @@ -100,8 +105,8 @@ where all requests that didn't match any of the conditions will be sent. Routing traffic from a Load Balancer to a Target involves the following steps: -- Create a Target Group, register the Target into the Target Group -- Add an Action to the Listener which forwards traffic to the Target Group. +* Create a Target Group, register the Target into the Target Group +* Add an Action to the Listener which forwards traffic to the Target Group. A new listener can be added to the Load Balancer by calling `addListener()`. Listeners that have been added to the load balancer can be listed using the @@ -111,27 +116,27 @@ for imported or looked up Load Balancers. Various methods on the `Listener` take care of this work for you to a greater or lesser extent: -- `addTargets()` performs both steps: automatically creates a Target Group and the +* `addTargets()` performs both steps: automatically creates a Target Group and the required Action. -- `addTargetGroups()` gives you more control: you create the Target Group (or +* `addTargetGroups()` gives you more control: you create the Target Group (or Target Groups) yourself and the method creates Action that routes traffic to the Target Groups. -- `addAction()` gives you full control: you supply the Action and wire it up +* `addAction()` gives you full control: you supply the Action and wire it up to the Target Groups yourself (or access one of the other ELB routing features). Using `addAction()` gives you access to some of the features of an Elastic Load Balancer that the other two convenience methods don't: -- **Routing stickiness**: use `ListenerAction.forward()` and supply a +* **Routing stickiness**: use `ListenerAction.forward()` and supply a `stickinessDuration` to make sure requests are routed to the same target group for a given duration. -- **Weighted Target Groups**: use `ListenerAction.weightedForward()` +* **Weighted Target Groups**: use `ListenerAction.weightedForward()` to give different weights to different target groups. -- **Fixed Responses**: use `ListenerAction.fixedResponse()` to serve +* **Fixed Responses**: use `ListenerAction.fixedResponse()` to serve a static response (ALB only). -- **Redirects**: use `ListenerAction.redirect()` to serve an HTTP +* **Redirects**: use `ListenerAction.redirect()` to serve an HTTP redirect response (ALB only). -- **Authentication**: use `ListenerAction.authenticateOidc()` to +* **Authentication**: use `ListenerAction.authenticateOidc()` to perform OpenID authentication before serving a request (see the `aws-cdk-lib/aws-elasticloadbalancingv2-actions` package for direct authentication integration with Cognito) (ALB only). @@ -254,7 +259,7 @@ For more information, see [Load balancer attributes](https://docs.aws.amazon.com ### Setting up Access Log Bucket on Application Load Balancer The only server-side encryption option that's supported is Amazon S3-managed keys (SSE-S3). For more information -Documentation: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html +Documentation: ```ts @@ -272,7 +277,7 @@ lb.logAccessLogs(bucket); ### Setting up Connection Log Bucket on Application Load Balancer Like access log bucket, the only server-side encryption option that's supported is Amazon S3-managed keys (SSE-S3). For more information -Documentation: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-connection-logging.html +Documentation: ```ts declare const vpc: ec2.Vpc; @@ -298,13 +303,14 @@ const lb = new elbv2.ApplicationLoadBalancer(this, 'LB', { }); ``` -By setting `DUAL_STACK_WITHOUT_PUBLIC_IPV4`, you can provision load balancers without public IPv4s +By setting `DUAL_STACK_WITHOUT_PUBLIC_IPV4`, you can provision load balancers without public IPv4s: ```ts declare const vpc: ec2.Vpc; const lb = new elbv2.ApplicationLoadBalancer(this, 'LB', { vpc, + internetFacing: true, ipAddressType: elbv2.IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4, }); ``` @@ -441,6 +447,7 @@ const listener = lb.addListener('Listener', { ``` ### Network Load Balancer and EC2 IConnectable interface + Network Load Balancer implements EC2 `IConnectable` and exposes `connections` property. EC2 Connections allows manage the allowed network connections for constructs with Security Groups. This class makes it easy to allow network connections to and from security groups, and between security groups individually. One thing to keep in mind is that network load balancers do not have security groups, and no automatic security group configuration is done for you. You will have to configure the security groups of the target yourself to allow traffic by clients and/or load balancer instances, depending on your target types. ```ts @@ -530,7 +537,7 @@ const tg = new elbv2.ApplicationTargetGroup(this, 'TG', { }); ``` -For more information see: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/sticky-sessions.html#application-based-stickiness +For more information see: ### Setting the target group protocol version @@ -809,12 +816,12 @@ Node.of(resource).addDependency(targetGroup.loadBalancerAttached); You may look up load balancers and load balancer listeners by using one of the following lookup methods: -- `ApplicationLoadBalancer.fromLookup(options)` - Look up an application load +* `ApplicationLoadBalancer.fromLookup(options)` - Look up an application load balancer. -- `ApplicationListener.fromLookup(options)` - Look up an application load +* `ApplicationListener.fromLookup(options)` - Look up an application load balancer listener. -- `NetworkLoadBalancer.fromLookup(options)` - Look up a network load balancer. -- `NetworkListener.fromLookup(options)` - Look up a network load balancer +* `NetworkLoadBalancer.fromLookup(options)` - Look up a network load balancer. +* `NetworkListener.fromLookup(options)` - Look up a network load balancer listener. ### Load Balancer lookup options @@ -850,11 +857,11 @@ const loadBalancer = elbv2.ApplicationLoadBalancer.fromLookup(this, 'ALB', { You may look up a load balancer listener by the following criteria: -- Associated load balancer ARN -- Associated load balancer tags -- Listener ARN -- Listener port -- Listener protocol +* Associated load balancer ARN +* Associated load balancer tags +* Listener ARN +* Listener port +* Listener protocol The lookup method will return the matching listener. If more than one listener matches, CDK will throw an error requesting that you specify additional diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts index 07cfb949f3b83..d55466374bdd5 100644 --- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts +++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts @@ -8,7 +8,7 @@ import { ListenerCondition } from './conditions'; import { ITrustStore } from './trust-store'; import * as ec2 from '../../../aws-ec2'; import * as cxschema from '../../../cloud-assembly-schema'; -import { Duration, Lazy, Resource, Token } from '../../../core'; +import { Duration, FeatureFlags, Lazy, Resource, Token } from '../../../core'; import * as cxapi from '../../../cx-api'; import { BaseListener, BaseListenerLookupOptions, IListener } from '../shared/base-listener'; import { HealthCheck } from '../shared/base-target-group'; @@ -303,7 +303,9 @@ export class ApplicationListener extends BaseListener implements IApplicationLis if (props.open !== false) { this.connections.allowDefaultPortFrom(ec2.Peer.anyIpv4(), `Allow from anyone on port ${port}`); - if (this.loadBalancer.ipAddressType === IpAddressType.DUAL_STACK) { + if (this.loadBalancer.ipAddressType === IpAddressType.DUAL_STACK || + (this.loadBalancer.ipAddressType === IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4 && + FeatureFlags.of(this).isEnabled(cxapi.ALB_DUALSTACK_WITHOUT_PUBLIC_IPV4_SECURITY_GROUP_RULES_DEFAULT))) { this.connections.allowDefaultPortFrom(ec2.Peer.anyIpv6(), `Allow from anyone on port ${port}`); } } diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts index 57410eeb3a08a..89594b0654250 100644 --- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts +++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts @@ -1079,6 +1079,15 @@ export interface IApplicationLoadBalancer extends ILoadBalancerV2, ec2.IConnecta /** * The IP Address Type for this load balancer * + * If the `@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault` + * feature flag is set (the default for new projects), and `addListener()` is called with `open: true`, + * the load balancer's security group will automatically include both IPv4 and IPv6 ingress rules + * when using `IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4`. + * + * For existing projects that only have IPv4 rules, you can opt-in to IPv6 ingress rules + * by enabling the feature flag in your cdk.json file. Note that enabling this feature flag + * will modify existing security group rules. + * * @default IpAddressType.IPV4 */ readonly ipAddressType?: IpAddressType; diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts index 1943a1945ac2a..9cb4fc15eb471 100644 --- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts +++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts @@ -7,6 +7,7 @@ import * as ec2 from '../../../aws-ec2'; import * as s3 from '../../../aws-s3'; import * as cdk from '../../../core'; import { SecretValue } from '../../../core'; +import * as cxapi from '../../../cx-api'; import * as elbv2 from '../../lib'; import { FakeSelfRegisteringTarget } from '../helpers'; @@ -107,6 +108,79 @@ describe('tests', () => { }); }); + test('Listener default to open - IPv6 (dual stack without public IPv4) with feature flag enabled', () => { + // GIVEN + const app = new cdk.App({ + context: { [cxapi.ALB_DUALSTACK_WITHOUT_PUBLIC_IPV4_SECURITY_GROUP_RULES_DEFAULT]: true }, + }); + const stack = new cdk.Stack(app); + const vpc = new ec2.Vpc(stack, 'Stack'); + const loadBalancer = new elbv2.ApplicationLoadBalancer(stack, 'LB', { + vpc, + internetFacing: true, + ipAddressType: elbv2.IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4, + }); + + // WHEN + loadBalancer.addListener('MyListener', { + port: 80, + defaultTargetGroups: [new elbv2.ApplicationTargetGroup(stack, 'Group', { vpc, port: 80 })], + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::EC2::SecurityGroup', { + SecurityGroupIngress: [ + { + Description: 'Allow from anyone on port 80', + CidrIp: '0.0.0.0/0', + FromPort: 80, + IpProtocol: 'tcp', + ToPort: 80, + }, + { + Description: 'Allow from anyone on port 80', + CidrIpv6: '::/0', + FromPort: 80, + IpProtocol: 'tcp', + ToPort: 80, + }, + ], + }); + }); + + test('Listener default to open - IPv6 (dual stack without public IPv4) with feature flag disabled', () => { + // GIVEN + const app = new cdk.App({ + context: { [cxapi.ALB_DUALSTACK_WITHOUT_PUBLIC_IPV4_SECURITY_GROUP_RULES_DEFAULT]: false }, + }); + const stack = new cdk.Stack(app); + const vpc = new ec2.Vpc(stack, 'Stack'); + const loadBalancer = new elbv2.ApplicationLoadBalancer(stack, 'LB', { + vpc, + internetFacing: true, + ipAddressType: elbv2.IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4, + }); + + // WHEN + loadBalancer.addListener('MyListener', { + port: 80, + defaultTargetGroups: [new elbv2.ApplicationTargetGroup(stack, 'Group', { vpc, port: 80 })], + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::EC2::SecurityGroup', { + SecurityGroupIngress: [ + { + Description: 'Allow from anyone on port 80', + CidrIp: '0.0.0.0/0', + FromPort: 80, + IpProtocol: 'tcp', + ToPort: 80, + }, + ], + }); + }); + test('HTTPS listener requires certificate', () => { // GIVEN const stack = new cdk.Stack(); diff --git a/packages/aws-cdk-lib/aws-lambda/lib/function.ts b/packages/aws-cdk-lib/aws-lambda/lib/function.ts index ad239483b50ef..68dc147ac5d3b 100644 --- a/packages/aws-cdk-lib/aws-lambda/lib/function.ts +++ b/packages/aws-cdk-lib/aws-lambda/lib/function.ts @@ -1620,7 +1620,7 @@ Environment variables can be marked for removal when used in Lambda@Edge by sett // so it can't be checked at function set up time // SnapStart supports the Java 11 and Java 17 (java11 and java17) managed runtimes. // See https://docs.aws.amazon.com/lambda/latest/dg/snapstart.html - Annotations.of(this).addWarningV2('@aws-cdk/aws-lambda:snapStartRequirePublish', 'SnapStart only support published Lambda versions. Ignore if function already have published versions'); + Annotations.of(this).addWarningV2('@aws-cdk/aws-lambda:snapStartRequirePublish', 'SnapStart only supports published Lambda versions. Ignore if function already has published versions.'); if (!props.runtime.supportsSnapStart) { throw new ValidationError(`SnapStart currently not supported by runtime ${props.runtime.name}`, this); diff --git a/packages/aws-cdk-lib/aws-rds/README.md b/packages/aws-cdk-lib/aws-rds/README.md index a3862eb036ec4..fd0a8a4ee66e1 100644 --- a/packages/aws-cdk-lib/aws-rds/README.md +++ b/packages/aws-cdk-lib/aws-rds/README.md @@ -1436,7 +1436,7 @@ new rds.DatabaseCluster(this, 'LimitlessDatabaseCluster', { version: rds.AuroraPostgresEngineVersion.VER_16_4_LIMITLESS, }), vpc, - clusterScailabilityType: rds.ClusterScailabilityType.LIMITLESS, + clusterScalabilityType: rds.ClusterScalabilityType.LIMITLESS, // Requires enabling Performance Insights enablePerformanceInsights: true, performanceInsightRetention: rds.PerformanceInsightRetention.MONTHS_1, diff --git a/packages/aws-cdk-lib/aws-rds/lib/cluster.ts b/packages/aws-cdk-lib/aws-rds/lib/cluster.ts index f87f14a0d3fde..f49b81b8db04c 100644 --- a/packages/aws-cdk-lib/aws-rds/lib/cluster.ts +++ b/packages/aws-cdk-lib/aws-rds/lib/cluster.ts @@ -450,7 +450,17 @@ interface DatabaseClusterBaseProps { * * Set LIMITLESS if you want to use a limitless database; otherwise, set it to STANDARD. * + * @default ClusterScalabilityType.STANDARD + */ + readonly clusterScalabilityType?: ClusterScalabilityType; + + /** + * [Misspelled] Specifies the scalability mode of the Aurora DB cluster. + * + * Set LIMITLESS if you want to use a limitless database; otherwise, set it to STANDARD. + * * @default ClusterScailabilityType.STANDARD + * @deprecated Use clusterScalabilityType instead. This will be removed in the next major version. */ readonly clusterScailabilityType?: ClusterScailabilityType; } @@ -492,6 +502,25 @@ export enum InstanceUpdateBehaviour { /** * The scalability mode of the Aurora DB cluster. */ +export enum ClusterScalabilityType { + /** + * The cluster uses normal DB instance creation. + */ + STANDARD = 'standard', + + /** + * The cluster operates as an Aurora Limitless Database, + * allowing you to create a DB shard group for horizontal scaling (sharding) capabilities. + * + * @see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/limitless.html + */ + LIMITLESS = 'limitless', +} + +/** + * The scalability mode of the Aurora DB cluster. + * @deprecated Use ClusterScalabilityType instead. This will be removed in the next major version. + */ export enum ClusterScailabilityType { /** * The cluster uses normal DB instance creation. @@ -776,6 +805,10 @@ abstract class DatabaseClusterNew extends DatabaseClusterBase { constructor(scope: Construct, id: string, props: DatabaseClusterBaseProps) { super(scope, id); + if (props.clusterScalabilityType !== undefined && props.clusterScailabilityType !== undefined) { + throw new Error('You cannot specify both clusterScalabilityType and clusterScailabilityType (deprecated). Use clusterScalabilityType.'); + } + if ((props.vpc && props.instanceProps?.vpc) || (!props.vpc && !props.instanceProps?.vpc)) { throw new Error('Provide either vpc or instanceProps.vpc, but not both'); } @@ -926,7 +959,7 @@ abstract class DatabaseClusterNew extends DatabaseClusterBase { }), storageType: props.storageType?.toString(), enableLocalWriteForwarding: props.enableLocalWriteForwarding, - clusterScalabilityType: props.clusterScailabilityType, + clusterScalabilityType: props.clusterScalabilityType ?? props.clusterScailabilityType, // Admin backtrackWindow: props.backtrackWindow?.toSeconds(), backupRetentionPeriod: props.backup?.retention?.toDays(), @@ -1336,7 +1369,7 @@ export class DatabaseCluster extends DatabaseClusterNew { setLogRetention(this, props); // create the instances for only standard aurora clusters - if (props.clusterScailabilityType !== ClusterScailabilityType.LIMITLESS) { + if (props.clusterScalabilityType !== ClusterScalabilityType.LIMITLESS && props.clusterScailabilityType !== ClusterScailabilityType.LIMITLESS) { if ((props.writer || props.readers) && (props.instances || props.instanceProps)) { throw new Error('Cannot provide writer or readers if instances or instanceProps are provided'); } diff --git a/packages/aws-cdk-lib/aws-rds/test/cluster.test.ts b/packages/aws-cdk-lib/aws-rds/test/cluster.test.ts index 337f79e856d83..37cb96ac6a1ff 100644 --- a/packages/aws-cdk-lib/aws-rds/test/cluster.test.ts +++ b/packages/aws-cdk-lib/aws-rds/test/cluster.test.ts @@ -17,12 +17,34 @@ import { DatabaseClusterEngine, DatabaseClusterFromSnapshot, ParameterGroup, PerformanceInsightRetention, SubnetGroup, DatabaseSecret, DatabaseInstanceEngine, SqlServerEngineVersion, SnapshotCredentials, InstanceUpdateBehaviour, NetworkType, ClusterInstance, CaCertificate, IClusterEngine, + ClusterScalabilityType, ClusterScailabilityType, DBClusterStorageType, } from '../lib'; describe('cluster new api', () => { describe('errors are thrown', () => { + test('when both clusterScalabilityType and clusterScailabilityType (deprecated) props are provided', () => { + // GIVEN + const stack = testStack(); + const vpc = new ec2.Vpc(stack, 'VPC'); + + expect(() => { + // WHEN + new DatabaseCluster(stack, 'Database', { + engine: DatabaseClusterEngine.AURORA_MYSQL, + instanceProps: { + instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.SMALL), + vpc, + }, + clusterScalabilityType: ClusterScalabilityType.STANDARD, + clusterScailabilityType: ClusterScailabilityType.STANDARD, + iamAuthentication: true, + }); + // THEN + }).toThrow('You cannot specify both clusterScalabilityType and clusterScailabilityType (deprecated). Use clusterScalabilityType.'); + }); + test('when old and new props are provided', () => { // GIVEN const stack = testStack(); @@ -165,7 +187,10 @@ describe('cluster new api', () => { }); }); - test('cluster scalability option', () => { + test.each([ + ['clusterScalabilityType', 'clusterScalabilityType', ClusterScalabilityType.STANDARD], + ['clusterScailabilityType (deprecated)', 'clusterScailabilityType', ClusterScailabilityType.STANDARD], + ])('cluster scalability option with %s', (_, propName, propValue) => { // GIVEN const stack = testStack(); const vpc = new ec2.Vpc(stack, 'VPC'); @@ -174,8 +199,8 @@ describe('cluster new api', () => { new DatabaseCluster(stack, 'Cluster', { engine: DatabaseClusterEngine.AURORA_MYSQL, vpc, - clusterScailabilityType: ClusterScailabilityType.STANDARD, writer: ClusterInstance.serverlessV2('writer'), + [propName]: propValue, }); // THEN @@ -186,7 +211,10 @@ describe('cluster new api', () => { }); describe('limitless database', () => { - test('with default options', () => { + test.each([ + ['clusterScalabilityType', 'clusterScalabilityType', ClusterScalabilityType.LIMITLESS], + ['clusterScailabilityType (deprecated)', 'clusterScailabilityType', ClusterScailabilityType.LIMITLESS], + ])('with default options using %s', (_, propName, propValue) => { // GIVEN const stack = testStack(); const vpc = new ec2.Vpc(stack, 'VPC'); @@ -197,7 +225,7 @@ describe('cluster new api', () => { version: AuroraPostgresEngineVersion.VER_16_4_LIMITLESS, }), vpc, - clusterScailabilityType: ClusterScailabilityType.LIMITLESS, + [propName]: propValue, enablePerformanceInsights: true, performanceInsightRetention: PerformanceInsightRetention.MONTHS_1, monitoringInterval: cdk.Duration.minutes(1), diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md index d278d6b3064ac..12075ff16f731 100644 --- a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md +++ b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md @@ -84,8 +84,9 @@ Flags come in three types: | [@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault](#aws-cdkaws-ec2bastionhostuseamazonlinux2023bydefault) | When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2. | 2.172.0 | (default) | | [@aws-cdk/core:aspectStabilization](#aws-cdkcoreaspectstabilization) | When enabled, a stabilization loop will be run when invoking Aspects during synthesis. | 2.172.0 | (config) | | [@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource](#aws-cdkaws-route53-targetsuserpooldomainnamemethodwithoutcustomresource) | When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource. | 2.174.0 | (fix) | -| [@aws-cdk/aws-ecs:disableEcsImdsBlocking](#aws-cdkaws-ecsdisableecsimdsblocking) | When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)** | 2.175.0 | (temporary) | -| [@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature](#aws-cdkaws-ecsenableimdsblockingdeprecatedfeature) | When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)** | 2.175.0 | (temporary) | +| [@aws-cdk/aws-ecs:disableEcsImdsBlocking](#aws-cdkaws-ecsdisableecsimdsblocking) | When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)** | V2NEXT | (temporary) | +| [@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature](#aws-cdkaws-ecsenableimdsblockingdeprecatedfeature) | When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)** | V2NEXT | (temporary) | +| [@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault](#aws-cdkaws-elasticloadbalancingv2albdualstackwithoutpublicipv4securitygrouprulesdefault) | When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere | V2NEXT | (fix) | @@ -159,7 +160,8 @@ The following json shows the current recommended set of flags, as `cdk init` wou "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": true, "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": true, "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": true, - "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": true + "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": true, + "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true } } ``` @@ -238,7 +240,6 @@ different environments). This means that the name of the synthesized template file will be based on the construct path and not on the defined `stackName` of the stack. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.16.0 | `false` | `true` | @@ -246,7 +247,6 @@ of the stack. **Compatibility with old behavior:** Pass stack identifiers to the CLI instead of stack names. - ### aws-cdk:enableDiffNoFail *Make `cdk diff` not fail when there are differences* (default) @@ -254,14 +254,13 @@ of the stack. Determines what status code `cdk diff` should return when the specified stack differs from the deployed stack or the local CloudFormation template: -* `aws-cdk:enableDiffNoFail=true` => status code == 0 -* `aws-cdk:enableDiffNoFail=false` => status code == 1 +- `aws-cdk:enableDiffNoFail=true` => status code == 0 +- `aws-cdk:enableDiffNoFail=false` => status code == 1 You can override this behavior with the --fail flag: -* `--fail` => status code == 1 -* `--no-fail` => status code == 0 - +- `--fail` => status code == 1 +- `--no-fail` => status code == 0 | Since | Default | Recommended | | ----- | ----- | ----- | @@ -270,7 +269,6 @@ You can override this behavior with the --fail flag: **Compatibility with old behavior:** Specify `--fail` to the CLI. - ### @aws-cdk/aws-ecr-assets:dockerIgnoreSupport *DockerImageAsset properly supports `.dockerignore` files by default* (default) @@ -282,7 +280,6 @@ is standard Docker ignore semantics. This is a feature flag as the old behavior was technically incorrect but users may have come to depend on it. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.73.0 | `false` | `true` | @@ -290,7 +287,6 @@ users may have come to depend on it. **Compatibility with old behavior:** Update your `.dockerignore` file to match standard Docker ignore rules, if necessary. - ### @aws-cdk/aws-secretsmanager:parseOwnedSecretName *Fix the referencing of SecretsManager names from ARNs* (default) @@ -301,7 +297,6 @@ rather than the default full resource name, which includes the SecretsManager su If this flag is not set, Secret.secretName will include the SecretsManager suffix, which cannot be directly used by SecretsManager.DescribeSecret, and must be parsed by the user first (e.g., Fn:Join, Fn:Select, Fn:Split). - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.77.0 | `false` | `true` | @@ -309,7 +304,6 @@ used by SecretsManager.DescribeSecret, and must be parsed by the user first (e.g **Compatibility with old behavior:** Use `parseArn(secret.secretName).resourceName` to emulate the incorrect old parsing. - ### @aws-cdk/aws-kms:defaultKeyPolicies *Tighten default KMS key policies* (default) @@ -326,7 +320,6 @@ true, the policy matches what happens when this feature flag is set. Additionally, if this flag is not set and the user supplies a custom key policy, this will be appended to the key's default policy (rather than replacing it). - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.78.0 | `false` | `true` | @@ -334,7 +327,6 @@ to the key's default policy (rather than replacing it). **Compatibility with old behavior:** Pass `trustAccountIdentities: false` to `Key` construct to restore the old behavior. - ### @aws-cdk/aws-s3:grantWriteWithoutAcl *Remove `PutObjectAcl` from Bucket.grantWrite* (default) @@ -345,7 +337,6 @@ which could be used to grant read/write object access to IAM principals in other Use a feature flag to make sure existing customers who might be relying on the overly-broad permissions are not broken. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.85.0 | `false` | `true` | @@ -353,7 +344,6 @@ on the overly-broad permissions are not broken. **Compatibility with old behavior:** Call `bucket.grantPutAcl()` in addition to `bucket.grantWrite()` to grant ACL permissions. - ### @aws-cdk/aws-ecs-patterns:removeDefaultDesiredCount *Do not specify a default DesiredCount for ECS services* (default) @@ -368,7 +358,6 @@ If this flag is not set, the default behaviour for CfnService.desiredCount is to desiredCount of 1, if one is not provided. If true, a default will not be defined for CfnService.desiredCount and as such desiredCount will be undefined, if one is not provided. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.92.0 | `false` | `true` | @@ -376,14 +365,12 @@ CfnService.desiredCount and as such desiredCount will be undefined, if one is no **Compatibility with old behavior:** You can pass `desiredCount: 1` explicitly, but you should never need this. - ### @aws-cdk/aws-efs:defaultEncryptionAtRest *Enable this feature flag to have elastic file systems encrypted at rest by default.* (default) Encryption can also be configured explicitly using the `encrypted` property. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.98.0 | `false` | `true` | @@ -391,7 +378,6 @@ Encryption can also be configured explicitly using the `encrypted` property. **Compatibility with old behavior:** Pass the `encrypted: false` property to the `FileSystem` construct to disable encryption. - ### @aws-cdk/core:newStyleStackSynthesis *Switch to new stack synthesis method which enables CI/CD* (fix) @@ -399,13 +385,11 @@ Encryption can also be configured explicitly using the `encrypted` property. If this flag is specified, all `Stack`s will use the `DefaultStackSynthesizer` by default. If it is not set, they will use the `LegacyStackSynthesizer`. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.39.0 | `false` | `true` | | 2.0.0 | `true` | `true` | - ### @aws-cdk/core:stackRelativeExports *Name exports based on the construct paths relative to the stack, rather than the global construct path* (fix) @@ -415,13 +399,11 @@ ensure uniqueness, and makes the export names robust against refactoring the location of the stack in the construct tree (specifically, moving the Stack into a Stage). - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.58.0 | `false` | `true` | | 2.0.0 | `true` | `true` | - ### @aws-cdk/aws-rds:lowercaseDbIdentifier *Force lowercasing of RDS Cluster names in CDK* (fix) @@ -436,13 +418,11 @@ Must be behind a permanent flag because changing a name from mixed case to lower would lead CloudFormation to think the name was changed and would trigger a cluster replacement (losing data!). - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.97.0 | `false` | `true` | | 2.0.0 | `true` | `true` | - ### @aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId *Allow adding/removing multiple UsagePlanKeys independently* (fix) @@ -460,13 +440,11 @@ which again is disallowed. In effect, there is no way to get out of this mess in a backwards compatible way, while supporting existing stacks. This flag changes the logical id layout of UsagePlanKey to not be sensitive to order. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.98.0 | `false` | `true` | | 2.0.0 | `true` | `true` | - ### @aws-cdk/aws-lambda:recognizeVersionProps *Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.* (fix) @@ -476,26 +454,22 @@ not constitute creating a new Version. See 'currentVersion' section in the aws-lambda module's README for more details. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.106.0 | `false` | `true` | | 2.0.0 | `true` | `true` | - ### @aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021 *Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default.* (fix) The security policy can also be configured explicitly using the `minimumProtocolVersion` property. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.117.0 | `false` | `true` | | 2.0.0 | `true` | `true` | - ### @aws-cdk/core:target-partitions *What regions to include in lookup tables of environment agnostic stacks* (config) @@ -505,13 +479,11 @@ of unnecessary regions included in stacks without a known region. The type of this value should be a list of strings. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.137.0 | `false` | `["aws","aws-cn"]` | | 2.4.0 | `false` | `["aws","aws-cn"]` | - ### @aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver *ECS extensions will automatically add an `awslogs` driver if no logging is specified* (default) @@ -521,7 +493,6 @@ Enable this feature flag to configure default logging behavior for the ECS Servi This is a feature flag as the new behavior provides a better default experience for the users. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.140.0 | `false` | `true` | @@ -529,7 +500,6 @@ This is a feature flag as the new behavior provides a better default experience **Compatibility with old behavior:** Specify a log driver explicitly. - ### @aws-cdk/aws-ec2:uniqueImdsv2TemplateName *Enable this feature flag to have Launch Templates generated by the `InstanceRequireImdsv2Aspect` use unique names.* (fix) @@ -540,13 +510,11 @@ account and region, the deployments would always fail as the generated Launch Te The new implementation addresses this issue by generating the Launch Template name with the `Names.uniqueId` method. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.140.0 | `false` | `true` | | 2.8.0 | `false` | `true` | - ### @aws-cdk/aws-iam:minimizePolicies *Minimize IAM policies by combining Statements* (config) @@ -555,13 +523,11 @@ Minimize IAM policies by combining Principals, Actions and Resources of two Statements in the policies, as long as it doesn't change the meaning of the policy. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.150.0 | `false` | `true` | | 2.18.0 | `false` | `true` | - ### @aws-cdk/core:checkSecretUsage *Enable this flag to make it impossible to accidentally use SecretValues in unsafe locations* (config) @@ -570,13 +536,11 @@ With this flag enabled, `SecretValue` instances can only be passed to constructs that accept `SecretValue`s; otherwise, `unsafeUnwrap()` must be called to use it as a regular string. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.153.0 | `false` | `true` | | 2.21.0 | `false` | `true` | - ### @aws-cdk/aws-lambda:recognizeLayerVersion *Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.* (fix) @@ -585,13 +549,11 @@ This flag correct incorporates Lambda Layer properties into the Lambda Function See 'currentVersion' section in the aws-lambda module's README for more details. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.159.0 | `false` | `true` | | 2.27.0 | `false` | `true` | - ### @aws-cdk/core:validateSnapshotRemovalPolicy *Error on snapshot removal policies on resources that do not support it.* (default) @@ -601,7 +563,6 @@ If supplied on an unsupported resource, CloudFormation ignores the policy altoge This flag will reduce confusion and unexpected loss of data when erroneously supplying the snapshot removal policy. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -609,7 +570,6 @@ the snapshot removal policy. **Compatibility with old behavior:** The old behavior was incorrect. Update your source to not specify SNAPSHOT policies on resources that do not support it. - ### @aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName *Generate key aliases that include the stack name* (fix) @@ -621,13 +581,11 @@ the KMS key alias name created for these pipelines may be the same due to how th This new implementation creates a stack safe resource name for the alias using the stack name instead of the stack ID. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.29.0 | `false` | `true` | - ### @aws-cdk/aws-s3:createDefaultLoggingPolicy *Enable this feature flag to create an S3 bucket policy by default in cases where an AWS service would automatically create the Policy if one does not exist.* (fix) @@ -641,15 +599,13 @@ and error indicating that a bucket policy already exists. In cases where we know what the required policy is we can go ahead and create the policy so we can remain in control of it. -@see https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-S3 - +@see | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.31.0 | `false` | `true` | - ### @aws-cdk/aws-sns-subscriptions:restrictSqsDescryption *Restrict KMS key policy for encrypted Queues a bit more* (fix) @@ -661,13 +617,11 @@ Previously the decryption was only restricted to the SNS service principal. To m secure, it is a good practice to restrict the decryption further and only allow the connected SNS topic to decryption the subscribed queue. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.32.0 | `false` | `true` | - ### @aws-cdk/aws-ecs:arnFormatIncludesClusterName *ARN format used by ECS. In the new ARN format, the cluster name is part of the resource ID.* (fix) @@ -677,35 +631,31 @@ If this flag is set, the new ARN format (with cluster name) for ECS is used. This is a feature flag as the old format is still valid for existing ECS clusters. -See https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html#ecs-resource-ids - +See | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.35.0 | `false` | `true` | - ### @aws-cdk/aws-apigateway:disableCloudWatchRole *Make default CloudWatch Role behavior safe for multiple API Gateways in one environment* (fix) Enable this feature flag to change the default behavior for aws-apigateway.RestApi and aws-apigateway.SpecRestApi -to _not_ create a CloudWatch role and Account. There is only a single ApiGateway account per AWS +to *not* create a CloudWatch role and Account. There is only a single ApiGateway account per AWS environment which means that each time you create a RestApi in your account the ApiGateway account is overwritten. If at some point the newest RestApi is deleted, the ApiGateway Account and CloudWatch role will also be deleted, breaking any existing ApiGateways that were depending on them. When this flag is enabled you should either create the ApiGateway account and CloudWatch role -separately _or_ only enable the cloudWatchRole on a single RestApi. - +separately *or* only enable the cloudWatchRole on a single RestApi. | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.38.0 | `false` | `true` | - ### @aws-cdk/core:enablePartitionLiterals *Make ARNs concrete if AWS partition is known* (fix) @@ -734,13 +684,11 @@ Principal: The intrinsic function will still be used in Stacks where no region is defined or the region's partition is unknown. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.38.0 | `false` | `true` | - ### @aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker *Avoid setting the "ECS" deployment controller when adding a circuit breaker* (fix) @@ -751,13 +699,11 @@ This does not change any behaviour as the default deployment controller when it This is a feature flag as the new behavior provides a better default experience for the users. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.51.0 | `false` | `true` | - ### @aws-cdk/aws-events:eventsTargetQueueSameAccount *Event Rules may only push to encrypted SQS queues in the same account* (fix) @@ -766,13 +712,11 @@ This flag applies to SQS Queues that are used as the target of event Rules. When from the same account as the Rule can send messages. If a queue is unencrypted, this restriction will always apply, regardless of the value of this flag. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.51.0 | `false` | `true` | - ### @aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName *Enable this feature to by default create default policy names for imported roles that depend on the stack the role is in.* (fix) @@ -783,13 +727,11 @@ of a role using the same default policy name. This new implementation creates default policy names based on the constructs node path in their stack. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.60.0 | `false` | `true` | - ### @aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy *Use S3 Bucket Policy instead of ACLs for Server Access Logging* (fix) @@ -801,15 +743,13 @@ enabled on the bucket. This flag uses a Bucket Policy statement to allow Server Access Log delivery, following best practices for S3. -@see https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html - +@see | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.60.0 | `false` | `true` | - ### @aws-cdk/customresources:installLatestAwsSdkDefault *Whether to install the latest SDK by default in AwsCustomResource* (default) @@ -821,7 +761,6 @@ do not have internet access, or in environments where 'npmjs.com' is not availab The recommended setting is to disable the default installation behavior, and pass the flag on a resource-by-resource basis to enable it if necessary. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -829,7 +768,6 @@ flag on a resource-by-resource basis to enable it if necessary. **Compatibility with old behavior:** Set installLatestAwsSdk: true on all resources that need it. - ### @aws-cdk/aws-route53-patters:useCertificate *Use the official `Certificate` resource instead of `DnsValidatedCertificate`* (default) @@ -839,7 +777,6 @@ of the deprecated `DnsValidatedCertificate` construct. If this flag is enabled a the stack in a region other than us-east-1 then you must also set `crossRegionReferences=true` on the stack. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -847,7 +784,6 @@ stack. **Compatibility with old behavior:** Define a `DnsValidatedCertificate` explicitly and pass in the `certificate` property - ### @aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup *Remove CloudWatch alarms from deployment group* (fix) @@ -856,13 +792,11 @@ Enable this flag to be able to remove all CloudWatch alarms from a deployment gr the alarms from the construct. If this flag is not set, removing all alarms from the construct will still leave the alarms configured for the deployment group. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.65.0 | `false` | `true` | - ### @aws-cdk/aws-rds:databaseProxyUniqueResourceName *Use unique resource name for Database Proxy* (fix) @@ -875,13 +809,11 @@ If this flag is set, the default behavior is to use unique resource names for ea This is a feature flag as the old behavior was technically incorrect, but users may have come to depend on it. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.65.0 | `false` | `true` | - ### @aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId *Include authorizer configuration in the calculation of the API deployment logical ID.* (fix) @@ -891,13 +823,11 @@ the API configuration, including methods, and resources, etc. Enable this featur to also include the configuration of any authorizer attached to the API in the calculation, so any changes made to an authorizer will create a new deployment. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.66.0 | `false` | `true` | - ### @aws-cdk/aws-ec2:launchTemplateDefaultUserData *Define user data for a launch template by default when a machine image is provided.* (fix) @@ -906,13 +836,11 @@ The ec2.LaunchTemplate construct did not define user data when a machine image i provided despite the document. If this is set, a user data is automatically defined according to the OS of the machine image. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.67.0 | `false` | `true` | - ### @aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments *SecretTargetAttachments uses the ResourcePolicy of the attached Secret.* (fix) @@ -928,13 +856,11 @@ This won't be possible without intervention due to limitation outlined above. First remove all permissions granted to the Secret and deploy without the ResourcePolicies. Then you can re-add the permissions and deploy again. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.67.0 | `false` | `true` | - ### @aws-cdk/aws-redshift:columnId *Whether to use an ID to track Redshift column changes* (fix) @@ -951,13 +877,11 @@ than their `name`. This will prevent data loss when columns are renamed. initial deployment, the columns will be dropped and recreated, causing data loss. After the initial deployment of the `id`s, the `name`s of the columns can be changed without data loss. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.68.0 | `false` | `true` | - ### @aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2 *Enable AmazonEMRServicePolicy_v2 managed policies* (fix) @@ -971,13 +895,11 @@ managed policies. This is a feature flag as the old behavior will be deprecated, but some resources may require manual intervention since they might not have the appropriate tags propagated automatically. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.72.0 | `false` | `true` | - ### @aws-cdk/aws-apigateway:requestValidatorUniqueId *Generate a unique id for each RequestValidator added to a method* (fix) @@ -988,13 +910,11 @@ providing the `RequestValidatorOptions` in the `addMethod()` method. If the flag is not set then only a single RequestValidator can be added in this way. Any additional RequestValidators have to be created directly with `new RequestValidator`. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.78.0 | `false` | `true` | - ### @aws-cdk/aws-ec2:restrictDefaultSecurityGroup *Restrict access to the VPC default security group* (default) @@ -1004,20 +924,17 @@ VPC default security group. When a VPC is created, a default security group is created as well and this cannot be deleted. The default security group is created with ingress/egress rules that allow -_all_ traffic. [AWS Security best practices recommend](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-2) +*all* traffic. [AWS Security best practices recommend](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-2) removing these ingress/egress rules in order to restrict access to the default security group. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.78.0 | `false` | `true` | -**Compatibility with old behavior:** +**Compatibility with old behavior:** To allow all ingress/egress traffic to the VPC default security group you can set the `restrictDefaultSecurityGroup: false`. - - ### @aws-cdk/aws-kms:aliasNameRef @@ -1029,13 +946,11 @@ when referencing key.aliasName or key.keyArn. If the flag is not set then a raw string is passed as the Alias name and no implicit dependencies will be set. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.83.0 | `false` | `true` | - ### @aws-cdk/core:includePrefixInUniqueNameGeneration *Include the stack prefix in the stack name generation process* (fix) @@ -1049,13 +964,11 @@ If the flag is not set, then the prefix of the stack is prepended to the generat feature flag can lead to a change in stacks' name. Changing a stack name mean recreating the whole stack, which is not viable in some productive setups. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.84.0 | `false` | `true` | - ### @aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig *Generate a launch template when creating an AutoScalingGroup* (fix) @@ -1068,17 +981,14 @@ will now create an equivalent 'launchTemplate'. Alternatively, users can provide attempt to set user data according to the OS of the machine image if explicit user data is not provided. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.88.0 | `false` | `true` | -**Compatibility with old behavior:** +**Compatibility with old behavior:** If backwards compatibility needs to be maintained due to an existing autoscaling group using a launch config, set this flag to false. - - ### @aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby @@ -1087,7 +997,6 @@ provided. If this is set, an opensearch domain will automatically be created with multi-az with standby enabled. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1095,7 +1004,6 @@ multi-az with standby enabled. **Compatibility with old behavior:** Pass `capacity.multiAzWithStandbyEnabled: false` to `Domain` construct to restore the old behavior. - ### @aws-cdk/aws-efs:denyAnonymousAccess *EFS denies anonymous clients accesses* (default) @@ -1106,7 +1014,6 @@ access to `efs.FileSystem`. If this flag is not set, `efs.FileSystem` will allow all anonymous clients that can access over the network. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1114,7 +1021,6 @@ that can access over the network. **Compatibility with old behavior:** You can pass `allowAnonymousAccess: true` so allow anonymous clients access. - ### @aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId *When enabled, mount targets will have a stable logicalId that is linked to the associated subnet.* (fix) @@ -1126,13 +1032,11 @@ subnets changes. Set this flag to false for existing mount targets. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.93.0 | `false` | `true` | - ### @aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion *Enables aws-lambda-nodejs.Function to use the latest available NodeJs runtime as the default* (default) @@ -1142,7 +1046,6 @@ functions will us the latest version of the runtime provided by the Lambda service. Do not use this if you your lambda function is reliant on dependencies shipped as part of the runtime environment. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1150,7 +1053,6 @@ shipped as part of the runtime environment. **Compatibility with old behavior:** Pass `runtime: lambda.Runtime.NODEJS_16_X` to `Function` construct to restore the previous behavior. - ### @aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier *When enabled, will always use the arn for identifiers for CfnSourceApiAssociation in the GraphqlApi construct rather than id.* (fix) @@ -1159,13 +1061,11 @@ When this feature flag is enabled, we use the IGraphqlApi ARN rather than ID whe the GraphqlApi construct. Using the ARN allows the association to support an association with a source api or merged api in another account. Note that for existing source api associations created with this flag disabled, enabling the flag will lead to a resource replacement. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.97.0 | `false` | `true` | - ### @aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters *When enabled, a scope of InstanceParameterGroup for AuroraClusterInstance with each parameters will change.* (fix) @@ -1177,13 +1077,11 @@ from AuroraCluster. If the flag is set to false then it can only make one `AuroraClusterInstance` with each `InstanceParameterGroup` in the AuroraCluster. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.97.0 | `false` | `true` | - ### @aws-cdk/aws-rds:preventRenderingDeprecatedCredentials *When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials.* (fix) @@ -1201,13 +1099,11 @@ Set this flag to prevent rendering deprecated `credentials` and creating an extra database secret when only using `snapshotCredentials` to create an RDS database cluster from a snapshot. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.98.0 | `false` | `true` | - ### @aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource *When enabled, the CodeCommit source action is using the default branch name 'main'.* (fix) @@ -1216,13 +1112,11 @@ When setting up a CodeCommit source action for the source stage of a pipeline, p default branch is 'master'. However, with the activation of this feature flag, the default branch is updated to 'main'. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.103.1 | `false` | `true` | - ### @aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction *When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID.* (fix) @@ -1234,13 +1128,11 @@ can be created with `LambdaAction`. If the flag is set to false then it can only make one alarm for the Lambda with `LambdaAction`. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.124.0 | `false` | `true` | - ### @aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse *Enables Pipeline to set the default value for crossAccountKeys to false.* (default) @@ -1248,7 +1140,6 @@ If the flag is set to false then it can only make one alarm for the Lambda with When this feature flag is enabled, and the `crossAccountKeys` property is not provided in a `Pipeline` construct, the construct automatically defaults the value of this property to false. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1256,7 +1147,6 @@ construct, the construct automatically defaults the value of this property to fa **Compatibility with old behavior:** Pass `crossAccountKeys: true` to `Pipeline` construct to restore the previous behavior. - ### @aws-cdk/aws-codepipeline:defaultPipelineTypeToV2 *Enables Pipeline to set the default pipeline type to V2.* (default) @@ -1264,7 +1154,6 @@ construct, the construct automatically defaults the value of this property to fa When this feature flag is enabled, and the `pipelineType` property is not provided in a `Pipeline` construct, the construct automatically defaults the value of this property to `PipelineType.V2`. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1272,7 +1161,6 @@ construct, the construct automatically defaults the value of this property to `P **Compatibility with old behavior:** Pass `pipelineType: PipelineType.V1` to `Pipeline` construct to restore the previous behavior. - ### @aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope *When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only.* (fix) @@ -1280,13 +1168,11 @@ construct, the construct automatically defaults the value of this property to `P When this feature flag is enabled and calling KMS key grant method, the created IAM policy will reduce the resource scope from '*' to this specific granting KMS key. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.134.0 | `false` | `true` | - ### @aws-cdk/aws-eks:nodegroupNameAttribute *When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix.* (fix) @@ -1294,20 +1180,17 @@ When this feature flag is enabled and calling KMS key grant method, the created When this feature flag is enabled, the nodegroupName attribute will be exactly the name of the nodegroup without any prefix. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.139.0 | `false` | `true` | - ### @aws-cdk/aws-ec2:ebsDefaultGp3Volume *When enabled, the default volume type of the EBS volume will be GP3* (default) When this featuer flag is enabled, the default volume type of the EBS volume will be `EbsDeviceVolumeType.GENERAL_PURPOSE_SSD_GP3`. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1315,7 +1198,6 @@ When this featuer flag is enabled, the default volume type of the EBS volume wil **Compatibility with old behavior:** Pass `volumeType: EbsDeviceVolumeType.GENERAL_PURPOSE_SSD` to `Volume` construct to restore the previous behavior. - ### @aws-cdk/pipelines:reduceAssetRoleTrustScope *Remove the root account principal from PipelineAssetsFileRole trust policy* (default) @@ -1323,7 +1205,6 @@ When this featuer flag is enabled, the default volume type of the EBS volume wil When this feature flag is enabled, the root account principal will not be added to the trust policy of asset role. When this feature flag is disabled, it will keep the root account principal in the trust policy. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1331,14 +1212,12 @@ When this feature flag is disabled, it will keep the root account principal in t **Compatibility with old behavior:** Disable the feature flag to add the root account principal back - ### @aws-cdk/aws-ecs:removeDefaultDeploymentAlarm *When enabled, remove default deployment alarm settings* (default) When this featuer flag is enabled, remove the default deployment alarm settings when creating a AWS ECS service. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1346,7 +1225,6 @@ When this featuer flag is enabled, remove the default deployment alarm settings **Compatibility with old behavior:** Set AWS::ECS::Service 'DeploymentAlarms' manually to restore the previous behavior. - ### @aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault *When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default* (fix) @@ -1354,19 +1232,17 @@ When this featuer flag is enabled, remove the default deployment alarm settings This results in 'logApiResponseData' being passed as true to the custom resource provider. This will cause the custom resource handler to receive an 'Update' event. If you don't have an SDK call configured for the 'Update' event and you're dependent on specific SDK call response data, you will see this error from CFN: -CustomResource attribute error: Vendor response doesn't contain attribute in object. See https://github.com/aws/aws-cdk/issues/29949) for more details. +CustomResource attribute error: Vendor response doesn't contain attribute in object. See ) for more details. Unlike most feature flags, we don't recommend setting this feature flag to true. However, if you're using the 'AwsCustomResource' construct with 'logApiResponseData' as true in the event object, then setting this feature flag will keep this behavior. Otherwise, setting this feature flag to false will trigger an 'Update' event by removing the 'logApiResponseData' property from the event object. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.145.0 | `false` | `false` | - ### @aws-cdk/aws-s3:keepNotificationInImportedBucket *When enabled, Adding notifications to a bucket in the current stack will not remove notification from imported stack.* (fix) @@ -1376,13 +1252,11 @@ Currently, adding notifications to a bucket where it was created by ourselves wi When this feature flag is enabled, adding notifications to a bucket in the current stack will only update notification defined in this stack. Other notifications that are not managed by this stack will be kept. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.155.0 | `false` | `false` | - ### @aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask *When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model.* (fix) @@ -1393,7 +1267,6 @@ of State Machine Task definition. When this feature flag is enabled, specify newly introduced props 's3InputUri' and 's3OutputUri' to populate S3 uri under input and output fields in state machine task definition for Bedrock invoke model. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1401,7 +1274,6 @@ When this feature flag is enabled, specify newly introduced props 's3InputUri' a **Compatibility with old behavior:** Disable the feature flag to use input and output path fields for s3 URI - ### @aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions *When enabled, we will only grant the necessary permissions when users specify cloudwatch log group through logConfiguration* (fix) @@ -1411,7 +1283,6 @@ specified as logConfiguration and it will grant 'Resources': ['*'] to the task r When this feature flag is enabled, we will only grant the necessary permissions when users specify cloudwatch log group. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1419,7 +1290,6 @@ When this feature flag is enabled, we will only grant the necessary permissions **Compatibility with old behavior:** Disable the feature flag to continue grant permissions to log group when no log group is specified - ### @aws-cdk/aws-ec2:ec2SumTImeoutEnabled *When enabled, initOptions.timeout and resourceSignalTimeout values will be summed together.* (fix) @@ -1429,13 +1299,11 @@ only the value from 'resourceSignalTimeout' will be used. When this feature flag is enabled, if both initOptions.timeout and resourceSignalTimeout are specified, the values will to be summed together. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.160.0 | `false` | `true` | - ### @aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission *When enabled, a Lambda authorizer Permission created when using GraphqlApi will be properly scoped with a SourceArn.* (fix) @@ -1447,13 +1315,11 @@ it allows invocations from any source. When this feature flag is enabled, the AWS::Lambda::Permission will be properly scoped with the SourceArn corresponding to the specific AppSync GraphQL API. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.161.0 | `false` | `true` | - ### @aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages *When enabled, both `@aws-sdk` and `@smithy` packages will be excluded from the Lambda Node.js 18.x runtime to prevent version mismatches in bundled applications.* (fix) @@ -1464,13 +1330,11 @@ However, this can cause version mismatches between the '@aws-sdk/*' and '@smithy When this feature flag is enabled, both '@aws-sdk/*' and '@smithy/*' packages will be excluded during the bundling process. This ensures that no mismatches occur between these tightly coupled dependencies when using the AWS SDK v3 in Lambda functions. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.161.0 | `false` | `true` | - ### @aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId *When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn`* (fix) @@ -1479,7 +1343,6 @@ Currently, the value of the property 'instanceResourceId' in construct 'Database When this feature flag is enabled, the value of that property will be as expected set to 'DbiResourceId' attribute, and that will fix the grantConnect method. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1487,7 +1350,6 @@ When this feature flag is enabled, the value of that property will be as expecte **Compatibility with old behavior:** Disable the feature flag to use `DbInstanceArn` as value for property `instanceResourceId` - ### @aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics *When enabled, CFN templates added with `cfn-include` will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values.* (fix) @@ -1496,13 +1358,11 @@ Without enabling this feature flag, `cfn-include` will silently drop resource up Enabling this feature flag will make `cfn-include` throw on these templates, unless you specify the logical ID of the resource in the 'unhydratedResources' property. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.161.0 | `false` | `true` | - ### @aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy *When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN.* (fix) @@ -1512,13 +1372,11 @@ The revision number at the end will be replaced with a wildcard which it shouldn When this feature flag is enabled, if the task definition is created in the stack, the 'Resource' section will 'Ref' the taskDefinition. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.163.0 | `false` | `true` | - ### @aws-cdk/aws-dynamodb:resourcePolicyPerReplica *When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas* (fix) @@ -1530,13 +1388,11 @@ This will prevent you from creating a new table which has an additional replica This is a feature flag as the old behavior was technically incorrect but users may have come to depend on it. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.164.0 | `false` | `true` | - ### @aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault *When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2.* (default) @@ -1548,7 +1404,6 @@ and secure option. When this feature flag is enabled, if you do not pass the machineImage property to the BastionHost construct, the latest Amazon Linux 2023 version will be used instead of Amazon Linux 2. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1556,7 +1411,6 @@ the latest Amazon Linux 2023 version will be used instead of Amazon Linux 2. **Compatibility with old behavior:** Disable the feature flag or explicitly pass an Amazon Linux 2 machine image to the BastionHost construct. - ### @aws-cdk/core:aspectStabilization *When enabled, a stabilization loop will be run when invoking Aspects during synthesis.* (config) @@ -1566,12 +1420,24 @@ This means that the Aspects that create other Aspects are not run and Aspects th When this feature flag is enabled, a stabilization loop is run to recurse the construct tree multiple times when invoking Aspects. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.172.0 | `true` | `true` | +### @aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource + +*When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource.* (fix) + +When this feature flag is enabled, a new method will be used to get the DNS Name of the user pool domain target. The old method +creates a custom resource internally, but the new method doesn't need a custom resource. + +If the flag is set to false then a custom resource will be created when using `UserPoolDomainTarget`. + +| Since | Default | Recommended | +| ----- | ----- | ----- | +| (not in v1) | | | +| 2.174.0 | `false` | `true` | ### @aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource @@ -1595,12 +1461,11 @@ If the flag is set to false then a custom resource will be created when using `U In an ECS Cluster with `MachineImageType.AMAZON_LINUX_2`, the canContainersAccessInstanceRole=false option attempts to add commands to block containers from accessing IMDS. CDK cannot guarantee the correct execution of the feature in all platforms. Setting this feature flag -to true will ensure CDK does not attempt to implement IMDS blocking. By **end of 2025**, CDK will remove the +to true will ensure CDK does not attempt to implement IMDS blocking. By **end of 2025**, CDK will remove the IMDS blocking feature. See [Github discussion](https://github.com/aws/aws-cdk/discussions/32609) for more information. It is recommended to follow ECS documentation to block IMDS for your specific platform and cluster configuration. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1608,18 +1473,16 @@ It is recommended to follow ECS documentation to block IMDS for your specific pl **Compatibility with old behavior:** It is strongly recommended to set this flag to true. However, if necessary, set this flag to false to continue using the old implementation. - ### @aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature *When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)*** (temporary) In an ECS Cluster with `MachineImageType.AMAZON_LINUX_2`, the canContainersAccessInstanceRole=false option attempts to add commands to block containers from -accessing IMDS. Set this flag to true in order to use new and updated commands. Please note that this -feature alone with this feature flag will be deprecated by **end of 2025** as CDK cannot +accessing IMDS. Set this flag to true in order to use new and updated commands. Please note that this +feature alone with this feature flag will be deprecated by **end of 2025** as CDK cannot guarantee the correct execution of the feature in all platforms. See [Github discussion](https://github.com/aws/aws-cdk/discussions/32609) for more information. It is recommended to follow ECS documentation to block IMDS for your specific platform and cluster configuration. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1627,5 +1490,21 @@ It is recommended to follow ECS documentation to block IMDS for your specific pl **Compatibility with old behavior:** Set this flag to false in order to continue using old and outdated commands. However, it is **not** recommended. +### @aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault + +*When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere* (fix) + +For internet facing ALBs with 'dualstack-without-public-ipv4' IP address type, the default security group rules +will allow IPv6 ingress from anywhere (::/0). Previously, the default security group rules would only allow IPv4 ingress. + +Using a feature flag to make sure existing customers who might be relying +on the overly restrictive permissions are not broken. + +| Since | Default | Recommended | +| ----- | ----- | ----- | +| (not in v1) | | | +| V2NEXT | `false` | `true` | + +**Compatibility with old behavior:** Disable the feature flag to only allow IPv4 ingress in the default security group rules. diff --git a/packages/aws-cdk-lib/cx-api/README.md b/packages/aws-cdk-lib/cx-api/README.md index e1cf51ff8364e..46da524a70ede 100644 --- a/packages/aws-cdk-lib/cx-api/README.md +++ b/packages/aws-cdk-lib/cx-api/README.md @@ -1,6 +1,5 @@ # Cloud Executable API - This module is part of the [AWS Cloud Development Kit](https://github.com/aws/aws-cdk) project. ## V2 Feature Flags @@ -19,7 +18,7 @@ and error indicating that a bucket policy already exists. In cases where we know what the required policy is we can go ahead and create the policy so we can remain in control of it. -https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-S3 + _cdk.json_ @@ -122,7 +121,7 @@ enabled on the bucket. This flag uses a Bucket Policy statement to allow Server Access Log delivery, following best practices for S3. -https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html + ```json { @@ -172,7 +171,7 @@ Enable this feature flag to use the \`AmazonEMRServicePolicy_v2\` managed polici This is a feature flag as the old behavior will be deprecated, but some resources may require manual intervention since they might not have the appropriate tags propagated automatically. -https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-managed-iam-policies.html + _cdk.json_ @@ -189,8 +188,9 @@ _cdk.json_ Enable this feature flag to include the stack's prefixes to the name generation process. Not doing so can cause the name of stack to exceed 128 characters: -- The name generation ensures it doesn't exceed 128 characters -- Without this feature flag, the prefix is prepended to the generated name, which result can exceed 128 characters + +* The name generation ensures it doesn't exceed 128 characters +* Without this feature flag, the prefix is prepended to the generated name, which result can exceed 128 characters This is a feature flag as it changes the name generated for stacks. Any CDK application deployed prior this fix will most likely be generated with a new name, causing the stack to be recreated with the new name, and then deleting the old one. @@ -228,8 +228,8 @@ _cdk.json_ Enable this feature flag to update the default branch for CodeCommit source actions to `main`. -Previously, the default branch for CodeCommit source actions was set to `master`. -However, this convention is no longer supported, and repositories created after March 2021 now have `main` as +Previously, the default branch for CodeCommit source actions was set to `master`. +However, this convention is no longer supported, and repositories created after March 2021 now have `main` as their default branch. _cdk.json_ @@ -364,7 +364,7 @@ _cdk.json_ When enabled, IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN. When this feature flag is enabled, the IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN. -The revision ARN is more specific than the task definition ARN. See https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html +The revision ARN is more specific than the task definition ARN. See for more details. _cdk.json_ @@ -412,8 +412,8 @@ _cdk.json_ * `@aws-cdk/aws-ec2:ec2SumTImeoutEnabled` -Currently is both initOptions.timeout and resourceSignalTimeout are both specified in the options for creating an EC2 Instance, only the value from 'resourceSignalTimeout' will be used. - +Currently is both initOptions.timeout and resourceSignalTimeout are both specified in the options for creating an EC2 Instance, only the value from 'resourceSignalTimeout' will be used. + When this feature flag is enabled, if both initOptions.timeout and resourceSignalTimeout are specified, the values will to be summed together. _cdk.json_ @@ -478,7 +478,7 @@ _cdk.json_ * `@aws-cdk/aws-dynamodb:resourcePolicyPerReplica` -If this flag is not set, the default behavior for \`TableV2\` is to use a different \`resourcePolicy\` for each replica. +If this flag is not set, the default behavior for \`TableV2\` is to use a different \`resourcePolicy\` for each replica. If this flag is set to false, the behavior is that each replica shares the same \`resourcePolicy\` as the source table. This will prevent you from creating a new table which has an additional replica and a resource policy. @@ -546,7 +546,6 @@ guarantee the correct execution of the feature in all platforms. See [Github dis **It is recommended to follow ECS documentation to block IMDS for your specific platform and cluster configuration.** - _cdk.json_ ```json @@ -555,4 +554,25 @@ _cdk.json_ "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": false, }, } -``` \ No newline at end of file +``` + +* `@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault` + +When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere, +For internet facing ALBs with `dualstack-without-public-ipv4` IP address type, the default security group rules +will allow IPv6 ingress from anywhere (::/0). Previously, the default security group rules would only allow IPv4 ingress. + +Using a feature flag to make sure existing customers who might be relying +on the overly restrictive permissions are not broken., + +If the flag is set to false then the default security group rules will only allow IPv4 ingress. + +_cdk.json_ + +```json +{ + "context": { + "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true + } +} +``` diff --git a/packages/aws-cdk-lib/cx-api/lib/features.ts b/packages/aws-cdk-lib/cx-api/lib/features.ts index 98189fd5a3965..b50c93df54da0 100644 --- a/packages/aws-cdk-lib/cx-api/lib/features.ts +++ b/packages/aws-cdk-lib/cx-api/lib/features.ts @@ -120,6 +120,7 @@ export const ASPECT_STABILIZATION = '@aws-cdk/core:aspectStabilization'; export const USER_POOL_DOMAIN_NAME_METHOD_WITHOUT_CUSTOM_RESOURCE = '@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource'; export const Enable_IMDS_Blocking_Deprecated_Feature = '@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature'; export const Disable_ECS_IMDS_Blocking = '@aws-cdk/aws-ecs:disableEcsImdsBlocking'; +export const ALB_DUALSTACK_WITHOUT_PUBLIC_IPV4_SECURITY_GROUP_RULES_DEFAULT = '@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault'; export const FLAGS: Record = { ////////////////////////////////////////////////////////////////////// @@ -1339,6 +1340,21 @@ export const FLAGS: Record = { introducedIn: { v2: '2.174.0' }, recommendedValue: true, }, + + ////////////////////////////////////////////////////////////////////// + [ALB_DUALSTACK_WITHOUT_PUBLIC_IPV4_SECURITY_GROUP_RULES_DEFAULT]: { + type: FlagType.BugFix, + summary: 'When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere', + detailsMd: ` + For internet facing ALBs with 'dualstack-without-public-ipv4' IP address type, the default security group rules + will allow IPv6 ingress from anywhere (::/0). Previously, the default security group rules would only allow IPv4 ingress. + + Using a feature flag to make sure existing customers who might be relying + on the overly restrictive permissions are not broken.`, + introducedIn: { v2: 'V2NEXT' }, + recommendedValue: true, + compatibilityWithOldBehaviorMd: 'Disable the feature flag to only allow IPv4 ingress in the default security group rules.', + }, }; const CURRENT_MV = 'v2'; diff --git a/packages/aws-cdk-lib/cx-api/test/features.test.ts b/packages/aws-cdk-lib/cx-api/test/features.test.ts index 6b54f5f272a14..87d06dfaa78df 100644 --- a/packages/aws-cdk-lib/cx-api/test/features.test.ts +++ b/packages/aws-cdk-lib/cx-api/test/features.test.ts @@ -5,7 +5,7 @@ import { MAGIC_V2NEXT, compareVersions } from '../lib/private/flag-modeling'; test('all future flags have defaults configured', () => { Object.keys(feats.FLAGS).forEach(flag => { - expect(typeof(feats.futureFlagDefault(flag))).toEqual('boolean'); + expect(typeof (feats.futureFlagDefault(flag))).toEqual('boolean'); }); }); diff --git a/packages/aws-cdk/CONTRIBUTING.md b/packages/aws-cdk/CONTRIBUTING.md index 7619772294894..f3c967f03c9e4 100644 --- a/packages/aws-cdk/CONTRIBUTING.md +++ b/packages/aws-cdk/CONTRIBUTING.md @@ -1,21 +1,21 @@ ## CLI Commands All CDK CLI Commands are defined in `lib/config.ts`. This file is translated -into a valid `yargs` configuration by `bin/cli-args-gen`, which is generated by `@aws-cdk/cli-args-gen`. +into a valid `yargs` configuration by `bin/user-input-gen`, which is generated by `@aws-cdk/user-input-gen`. The `yargs` configuration is generated into the function `parseCommandLineArguments()`, in `lib/parse-command-line-arguments.ts`, and is checked into git for readability and inspectability; do not edit this file by hand, as every subsequent `yarn build` will overwrite any manual edits. If you need to leverage a `yargs` feature not used by -the CLI, you must add support for it to `@aws-cdk/cli-args-gen`. +the CLI, you must add support for it to `@aws-cdk/user-input-gen`. -Note that `bin/cli-args-gen` is executed by `ts-node`, which allows `config.ts` to +Note that `bin/user-input-gen` is executed by `ts-node`, which allows `config.ts` to reference functions and other identifiers defined in the CLI before the CLI is built. ### Dynamic Values Some values, such as the user's platform, cannot be computed at build time. -Some commands depend on these values, and thus `cli-args-gen` must generate the +Some commands depend on these values, and thus `user-input-gen` must generate the code to compute these values at build time. The only way to do this today is to reference a parameter with `DynamicValue.fromParameter`. diff --git a/packages/aws-cdk/jest.config.js b/packages/aws-cdk/jest.config.js index f82ca932d08a3..23f1a71b38590 100644 --- a/packages/aws-cdk/jest.config.js +++ b/packages/aws-cdk/jest.config.js @@ -19,8 +19,8 @@ const config = { "/lib/api/aws-auth/sdk.ts", // Files generated by cli-args-gen "/lib/parse-command-line-arguments.ts", - "/lib/cli-arguments.ts", - "/lib/convert-to-cli-args.ts", + "/lib/user-input.ts", + "/lib/convert-to-user-input.ts", ], // We have many tests here that commonly time out diff --git a/packages/aws-cdk/lib/config.ts b/packages/aws-cdk/lib/config.ts index 5e881733a3606..2ef82baf3304e 100644 --- a/packages/aws-cdk/lib/config.ts +++ b/packages/aws-cdk/lib/config.ts @@ -1,5 +1,5 @@ // eslint-disable-next-line import/no-extraneous-dependencies -import { CliHelpers, type CliConfig } from '@aws-cdk/cli-args-gen'; +import { CliHelpers, type CliConfig } from '@aws-cdk/user-input-gen'; import { StackActivityProgress } from './api/util/cloudformation/stack-activity-monitor'; import { MIGRATE_SUPPORTED_LANGUAGES } from './commands/migrate'; import { RequireApproval } from './diff'; @@ -8,8 +8,11 @@ import { availableInitLanguages } from './init'; export const YARGS_HELPERS = new CliHelpers('./util/yargs-helpers'); /** - * Source of truth for all CDK CLI commands. `cli-args-gen` translates this into the `yargs` definition - * in `lib/parse-command-line-arguments.ts`. + * Source of truth for all CDK CLI commands. `user-input-gen` translates this into: + * + * - the `yargs` definition in `lib/parse-command-line-arguments.ts`. + * - the `UserInput` type in `lib/user-input.ts`. + * - the `convertXxxToUserInput` functions in `lib/convert-to-user-input.ts`. */ export async function makeConfig(): Promise { return { @@ -53,12 +56,12 @@ export async function makeConfig(): Promise { 'show-dependencies': { type: 'boolean', default: false, alias: 'd', desc: 'Display stack dependency information for each stack' }, }, }, - synthesize: { + synth: { arg: { name: 'STACKS', variadic: true, }, - aliases: ['synth'], + aliases: ['synthesize'], description: 'Synthesizes and prints the CloudFormation template for this stack', options: { exclusively: { type: 'boolean', alias: 'e', desc: 'Only synthesize requested stacks, don\'t include dependencies' }, diff --git a/packages/aws-cdk/lib/convert-to-cli-args.ts b/packages/aws-cdk/lib/convert-to-user-input.ts similarity index 96% rename from packages/aws-cdk/lib/convert-to-cli-args.ts rename to packages/aws-cdk/lib/convert-to-user-input.ts index 9b742c8b0f303..4b400aa844424 100644 --- a/packages/aws-cdk/lib/convert-to-cli-args.ts +++ b/packages/aws-cdk/lib/convert-to-user-input.ts @@ -3,11 +3,11 @@ // Do not edit by hand; all changes will be overwritten at build time from the config file. // ------------------------------------------------------------------------------------------- /* eslint-disable @stylistic/max-len */ -import { CliArguments, GlobalOptions } from './cli-arguments'; import { Command } from './settings'; +import { UserInput, GlobalOptions } from './user-input'; // @ts-ignore TS6133 -export function convertYargsToCliArgs(args: any): CliArguments { +export function convertYargsToUserInput(args: any): UserInput { const globalOptions: GlobalOptions = { app: args.app, build: args.build, @@ -46,8 +46,8 @@ export function convertYargsToCliArgs(args: any): CliArguments { }; break; - case 'synthesize': case 'synth': + case 'synthesize': commandOptions = { exclusively: args.exclusively, validation: args.validation, @@ -250,17 +250,17 @@ export function convertYargsToCliArgs(args: any): CliArguments { commandOptions = {}; break; } - const cliArguments: CliArguments = { - _: args._[0], + const userInput: UserInput = { + command: args._[0], globalOptions, [args._[0]]: commandOptions, }; - return cliArguments; + return userInput; } // @ts-ignore TS6133 -export function convertConfigToCliArgs(config: any): CliArguments { +export function convertConfigToUserInput(config: any): UserInput { const globalOptions: GlobalOptions = { app: config.app, build: config.build, @@ -292,10 +292,10 @@ export function convertConfigToCliArgs(config: any): CliArguments { long: config.list?.long, showDependencies: config.list?.showDependencies, }; - const synthesizeOptions = { - exclusively: config.synthesize?.exclusively, - validation: config.synthesize?.validation, - quiet: config.synthesize?.quiet, + const synthOptions = { + exclusively: config.synth?.exclusively, + validation: config.synth?.validation, + quiet: config.synth?.quiet, }; const bootstrapOptions = { bootstrapBucketName: config.bootstrap?.bootstrapBucketName, @@ -428,10 +428,10 @@ export function convertConfigToCliArgs(config: any): CliArguments { browser: config.docs?.browser, }; const doctorOptions = {}; - const cliArguments: CliArguments = { + const userInput: UserInput = { globalOptions, list: listOptions, - synthesize: synthesizeOptions, + synth: synthOptions, bootstrap: bootstrapOptions, gc: gcOptions, deploy: deployOptions, @@ -450,5 +450,5 @@ export function convertConfigToCliArgs(config: any): CliArguments { doctor: doctorOptions, }; - return cliArguments; + return userInput; } diff --git a/packages/aws-cdk/lib/parse-command-line-arguments.ts b/packages/aws-cdk/lib/parse-command-line-arguments.ts index b0d4f3060024e..20b09694290fa 100644 --- a/packages/aws-cdk/lib/parse-command-line-arguments.ts +++ b/packages/aws-cdk/lib/parse-command-line-arguments.ts @@ -172,7 +172,7 @@ export function parseCommandLineArguments(args: Array): any { desc: 'Display stack dependency information for each stack', }), ) - .command(['synthesize [STACKS..]', 'synth [STACKS..]'], 'Synthesizes and prints the CloudFormation template for this stack', (yargs: Argv) => + .command(['synth [STACKS..]', 'synthesize [STACKS..]'], 'Synthesizes and prints the CloudFormation template for this stack', (yargs: Argv) => yargs .option('exclusively', { default: undefined, diff --git a/packages/aws-cdk/lib/cli-arguments.ts b/packages/aws-cdk/lib/user-input.ts similarity index 98% rename from packages/aws-cdk/lib/cli-arguments.ts rename to packages/aws-cdk/lib/user-input.ts index f67451c73176a..369a7fe325515 100644 --- a/packages/aws-cdk/lib/cli-arguments.ts +++ b/packages/aws-cdk/lib/user-input.ts @@ -6,15 +6,15 @@ import { Command } from './settings'; /** - * The structure of the CLI configuration, generated from packages/aws-cdk/lib/config.ts + * The structure of the user input -- either CLI options or cdk.json -- generated from packages/aws-cdk/lib/config.ts * * @struct */ -export interface CliArguments { +export interface UserInput { /** * The CLI command name */ - readonly _?: Command; + readonly command?: Command; /** * Global options available to all CLI commands @@ -31,9 +31,9 @@ export interface CliArguments { /** * Synthesizes and prints the CloudFormation template for this stack * - * aliases: synth + * aliases: synthesize */ - readonly synthesize?: SynthesizeOptions; + readonly synth?: SynthOptions; /** * Deploys the CDK toolkit stack into an AWS environment @@ -337,11 +337,11 @@ export interface ListOptions { /** * Synthesizes and prints the CloudFormation template for this stack * - * aliases: synth + * aliases: synthesize * * @struct */ -export interface SynthesizeOptions { +export interface SynthOptions { /** * Only synthesize requested stacks, don't include dependencies * @@ -368,7 +368,7 @@ export interface SynthesizeOptions { readonly quiet?: boolean; /** - * Positional argument for synthesize + * Positional argument for synth */ readonly STACKS?: Array; } diff --git a/packages/aws-cdk/package.json b/packages/aws-cdk/package.json index 609be4d5af8fa..e77fbb90d7ea2 100644 --- a/packages/aws-cdk/package.json +++ b/packages/aws-cdk/package.json @@ -7,7 +7,7 @@ }, "scripts": { "build": "cdk-build", - "cli-args-gen": "ts-node --preferTsExts scripts/cli-args-gen.ts", + "user-input-gen": "ts-node --preferTsExts scripts/user-input-gen.ts", "watch": "cdk-watch", "lint": "cdk-lint", "pkglint": "pkglint -f", @@ -29,7 +29,7 @@ }, "cdk-build": { "pre": [ - "yarn cli-args-gen" + "yarn user-input-gen" ], "post": [ "cp ../../node_modules/cdk-from-cfn/index_bg.wasm ./lib/", @@ -70,7 +70,7 @@ "@aws-cdk/cdk-build-tools": "0.0.0", "@aws-cdk/cli-plugin-contract": "0.0.0", "@aws-cdk/pkglint": "0.0.0", - "@aws-cdk/cli-args-gen": "0.0.0", + "@aws-cdk/user-input-gen": "0.0.0", "@octokit/rest": "^18.12.0", "@types/archiver": "^5.3.4", "@types/fs-extra": "^9.0.13", diff --git a/packages/aws-cdk/scripts/cli-args-gen b/packages/aws-cdk/scripts/cli-args-gen deleted file mode 100755 index 29484fb39cf9f..0000000000000 --- a/packages/aws-cdk/scripts/cli-args-gen +++ /dev/null @@ -1,2 +0,0 @@ -#!/usr/bin/env node -require('./cli-args-gen.js'); diff --git a/packages/aws-cdk/scripts/cli-args-gen.ts b/packages/aws-cdk/scripts/cli-args-gen.ts deleted file mode 100644 index 68d53eeff0597..0000000000000 --- a/packages/aws-cdk/scripts/cli-args-gen.ts +++ /dev/null @@ -1,15 +0,0 @@ -import * as fs from 'fs'; -// eslint-disable-next-line import/no-extraneous-dependencies -import { renderYargs, renderCliArgsType, renderCliArgsFunc } from '@aws-cdk/cli-args-gen'; -import { makeConfig, YARGS_HELPERS } from '../lib/config'; - -async function main() { - fs.writeFileSync('./lib/parse-command-line-arguments.ts', await renderYargs(await makeConfig(), YARGS_HELPERS)); - fs.writeFileSync('./lib/cli-arguments.ts', await renderCliArgsType(await makeConfig())); - fs.writeFileSync('./lib/convert-to-cli-args.ts', await renderCliArgsFunc(await makeConfig())); -} - -main().then(() => { -}).catch((e) => { - throw e; -}); diff --git a/packages/aws-cdk/scripts/user-input-gen b/packages/aws-cdk/scripts/user-input-gen new file mode 100755 index 0000000000000..8e9fe2a7c9bfc --- /dev/null +++ b/packages/aws-cdk/scripts/user-input-gen @@ -0,0 +1,2 @@ +#!/usr/bin/env node +require('./user-input-gen.js'); diff --git a/packages/aws-cdk/scripts/user-input-gen.ts b/packages/aws-cdk/scripts/user-input-gen.ts new file mode 100644 index 0000000000000..3ef7e03204165 --- /dev/null +++ b/packages/aws-cdk/scripts/user-input-gen.ts @@ -0,0 +1,16 @@ +import * as fs from 'fs'; +// eslint-disable-next-line import/no-extraneous-dependencies +import { renderYargs, renderUserInputType, renderUserInputFuncs } from '@aws-cdk/user-input-gen'; +import { makeConfig, YARGS_HELPERS } from '../lib/config'; + +async function main() { + const config = await makeConfig(); + fs.writeFileSync('./lib/parse-command-line-arguments.ts', await renderYargs(config, YARGS_HELPERS)); + fs.writeFileSync('./lib/user-input.ts', await renderUserInputType(config)); + fs.writeFileSync('./lib/convert-to-user-input.ts', await renderUserInputFuncs(config)); +} + +main().then(() => { +}).catch((e) => { + throw e; +}); diff --git a/packages/aws-cdk/test/cli-arguments.test.ts b/packages/aws-cdk/test/cli-arguments.test.ts index ddcf9d02b6fb3..4158e6569fa80 100644 --- a/packages/aws-cdk/test/cli-arguments.test.ts +++ b/packages/aws-cdk/test/cli-arguments.test.ts @@ -1,14 +1,14 @@ -import { convertConfigToCliArgs, convertYargsToCliArgs } from '../lib/convert-to-cli-args'; +import { convertConfigToUserInput, convertYargsToUserInput } from '../lib/convert-to-user-input'; import { parseCommandLineArguments } from '../lib/parse-command-line-arguments'; describe('yargs', () => { test('yargs object can be converted to cli arguments', async () => { const input = await parseCommandLineArguments(['deploy', '-R', '-v', '--ci']); - const result = convertYargsToCliArgs(input); + const result = convertYargsToUserInput(input); expect(result).toEqual({ - _: 'deploy', + command: 'deploy', globalOptions: { app: undefined, assetMetadata: undefined, @@ -70,10 +70,10 @@ describe('yargs', () => { test('positional argument is correctly passed through -- variadic', async () => { const input = await parseCommandLineArguments(['deploy', 'stack1', 'stack2', '-R', '-v', '--ci']); - const result = convertYargsToCliArgs(input); + const result = convertYargsToUserInput(input); expect(result).toEqual({ - _: 'deploy', + command: 'deploy', deploy: expect.objectContaining({ STACKS: ['stack1', 'stack2'], }), @@ -84,10 +84,10 @@ describe('yargs', () => { test('positional argument is correctly passed through -- single', async () => { const input = await parseCommandLineArguments(['acknowledge', 'id1', '-v', '--ci']); - const result = convertYargsToCliArgs(input); + const result = convertYargsToUserInput(input); expect(result).toEqual({ - _: 'acknowledge', + command: 'acknowledge', acknowledge: expect.objectContaining({ ID: 'id1', }), @@ -109,7 +109,7 @@ describe('config', () => { }, }; - const result = convertConfigToCliArgs(input); + const result = convertConfigToUserInput(input); expect(result).toEqual({ globalOptions: expect.objectContaining({ @@ -131,7 +131,7 @@ describe('config', () => { metadata: expect.anything(), migrate: expect.anything(), rollback: expect.anything(), - synthesize: expect.anything(), + synth: expect.anything(), watch: expect.anything(), notices: expect.anything(), import: expect.anything(), diff --git a/tools/@aws-cdk/cli-args-gen/lib/index.ts b/tools/@aws-cdk/cli-args-gen/lib/index.ts deleted file mode 100644 index 6dfee4beeac38..0000000000000 --- a/tools/@aws-cdk/cli-args-gen/lib/index.ts +++ /dev/null @@ -1,4 +0,0 @@ -export * from './yargs-gen'; -export * from './yargs-types'; -export * from './cli-args-gen'; -export * from './cli-args-function-gen'; diff --git a/tools/@aws-cdk/cli-args-gen/.eslintrc.js b/tools/@aws-cdk/user-input-gen/.eslintrc.js similarity index 100% rename from tools/@aws-cdk/cli-args-gen/.eslintrc.js rename to tools/@aws-cdk/user-input-gen/.eslintrc.js diff --git a/tools/@aws-cdk/cli-args-gen/.gitignore b/tools/@aws-cdk/user-input-gen/.gitignore similarity index 100% rename from tools/@aws-cdk/cli-args-gen/.gitignore rename to tools/@aws-cdk/user-input-gen/.gitignore diff --git a/tools/@aws-cdk/cli-args-gen/.npmignore b/tools/@aws-cdk/user-input-gen/.npmignore similarity index 100% rename from tools/@aws-cdk/cli-args-gen/.npmignore rename to tools/@aws-cdk/user-input-gen/.npmignore diff --git a/tools/@aws-cdk/cli-args-gen/LICENSE b/tools/@aws-cdk/user-input-gen/LICENSE similarity index 100% rename from tools/@aws-cdk/cli-args-gen/LICENSE rename to tools/@aws-cdk/user-input-gen/LICENSE diff --git a/tools/@aws-cdk/cli-args-gen/NOTICE b/tools/@aws-cdk/user-input-gen/NOTICE similarity index 100% rename from tools/@aws-cdk/cli-args-gen/NOTICE rename to tools/@aws-cdk/user-input-gen/NOTICE diff --git a/tools/@aws-cdk/cli-args-gen/README.md b/tools/@aws-cdk/user-input-gen/README.md similarity index 76% rename from tools/@aws-cdk/cli-args-gen/README.md rename to tools/@aws-cdk/user-input-gen/README.md index 8915e8d8de23b..1bf6701f61e4d 100644 --- a/tools/@aws-cdk/cli-args-gen/README.md +++ b/tools/@aws-cdk/user-input-gen/README.md @@ -1,16 +1,16 @@ -# cli-args-gen +# user-input-gen Generates CDK CLI configurations from the source of truth in `packages/aws-cdk/lib/config.ts`. Currently generates the following files: - `packages/aws-cdk/lib/parse-command-line-arguments.ts`: `yargs` config. -- `packages/aws-cdk-lib/cli-arguments.ts`: strongly typed `CliArguments` interface. -- `packages/aws-cdk-lib/convert-to-cli-args.ts`: converts the `any` returned by `yargs` to `CliArguments`. +- `packages/aws-cdk/lib/user-input.ts`: strongly typed `UserInput` interface. +- `packages/aws-cdk/lib/convert-to-user-inpu.ts`: converts input from the CLI or `cdk.json` into `UserInput`. ## Usage ```ts -import { renderYargs } from '@aws-cdk/cli-args-gen'; +import { renderYargs } from '@aws-cdk/user-input-gen'; declare const config: CliConfig; diff --git a/tools/@aws-cdk/cli-args-gen/jest.config.js b/tools/@aws-cdk/user-input-gen/jest.config.js similarity index 100% rename from tools/@aws-cdk/cli-args-gen/jest.config.js rename to tools/@aws-cdk/user-input-gen/jest.config.js diff --git a/tools/@aws-cdk/cli-args-gen/lib/cli-args-function-gen.ts b/tools/@aws-cdk/user-input-gen/lib/convert-to-user-input-gen.ts similarity index 85% rename from tools/@aws-cdk/cli-args-gen/lib/cli-args-function-gen.ts rename to tools/@aws-cdk/user-input-gen/lib/convert-to-user-input-gen.ts index ffe1d947abed4..b348059eff33e 100644 --- a/tools/@aws-cdk/cli-args-gen/lib/cli-args-function-gen.ts +++ b/tools/@aws-cdk/user-input-gen/lib/convert-to-user-input-gen.ts @@ -7,7 +7,7 @@ import { CliAction, CliConfig } from './yargs-types'; const CLI_ARG_NAME = 'args'; const CONFIG_ARG_NAME = 'config'; -export async function renderCliArgsFunc(config: CliConfig): Promise { +export async function renderUserInputFuncs(config: CliConfig): Promise { const scope = new Module('aws-cdk'); scope.documentation.push( '-------------------------------------------------------------------------------------------'); @@ -15,25 +15,24 @@ export async function renderCliArgsFunc(config: CliConfig): Promise { scope.documentation.push('Do not edit by hand; all changes will be overwritten at build time from the config file.'); scope.documentation.push('-------------------------------------------------------------------------------------------'); - scope.addImport(new SelectiveModuleImport(scope, './cli-arguments', ['CliArguments', 'GlobalOptions'])); - const cliArgType = Type.fromName(scope, 'CliArguments'); - scope.addImport(new SelectiveModuleImport(scope, './settings', ['Command'])); + scope.addImport(new SelectiveModuleImport(scope, './user-input', ['UserInput', 'GlobalOptions'])); + const userInputType = Type.fromName(scope, 'UserInput'); - const createCliArguments = new FreeFunction(scope, { - name: 'convertYargsToCliArgs', + const convertYargsToUserInput = new FreeFunction(scope, { + name: 'convertYargsToUserInput', export: true, - returnType: cliArgType, + returnType: userInputType, parameters: [ { name: 'args', type: Type.ANY }, ], }); - createCliArguments.addBody(code.expr.directCode(buildCliArgsFunction(config))); + convertYargsToUserInput.addBody(code.expr.directCode(buildYargsToUserInputFunction(config))); const createConfigArguments = new FreeFunction(scope, { - name: 'convertConfigToCliArgs', + name: 'convertConfigToUserInput', export: true, - returnType: cliArgType, + returnType: userInputType, parameters: [ { name: 'config', type: Type.ANY }, ], @@ -52,14 +51,14 @@ export async function renderCliArgsFunc(config: CliConfig): Promise { }); } -function buildCliArgsFunction(config: CliConfig): string { +function buildYargsToUserInputFunction(config: CliConfig): string { const globalOptions = buildGlobalOptions(config, CLI_ARG_NAME); const commandSwitch = buildCommandSwitch(config, CLI_ARG_NAME); - const cliArgs = buildCliArgs(CLI_ARG_NAME); + const userInput = buildUserInput(CLI_ARG_NAME); return [ globalOptions, commandSwitch, - cliArgs, + userInput, ].join('\n'); } @@ -85,7 +84,7 @@ function buildGlobalOptions(config: CliConfig, argName: string): string { } function buildCommandsList(config: CliConfig, argName: string): string { - const commandOptions = []; + const commandOptions: string[] = []; // Note: we are intentionally not including aliases for the default options that can be // specified via `cdk.json`. These options must be specified by the command name // i.e. acknowledge rather than ack. @@ -140,27 +139,27 @@ function buildPositionalArguments(arg: { name: string; variadic: boolean }, argN return `${arg.name}: ${argName}.${arg.name}`; } -function buildCliArgs(argName: string): string { +function buildUserInput(argName: string): string { return [ - 'const cliArguments: CliArguments = {', - `_: ${argName}._[0],`, + 'const userInput: UserInput = {', + `command: ${argName}._[0],`, 'globalOptions,', `[${argName}._[0]]: commandOptions`, '}', '', - 'return cliArguments', + 'return userInput', ].join('\n'); } function buildConfigArgs(config: CliConfig): string { return [ - 'const cliArguments: CliArguments = {', + 'const userInput: UserInput = {', 'globalOptions,', ...(Object.keys(config.commands).map((commandName) => { return `'${commandName}': ${kebabToCamelCase(commandName)}Options,`; })), '}', '', - 'return cliArguments', + 'return userInput', ].join('\n'); } diff --git a/tools/@aws-cdk/user-input-gen/lib/index.ts b/tools/@aws-cdk/user-input-gen/lib/index.ts new file mode 100644 index 0000000000000..be47e3278f75e --- /dev/null +++ b/tools/@aws-cdk/user-input-gen/lib/index.ts @@ -0,0 +1,4 @@ +export * from './yargs-gen'; +export * from './yargs-types'; +export * from './user-input-gen'; +export * from './convert-to-user-input-gen'; diff --git a/tools/@aws-cdk/cli-args-gen/lib/cli-args-gen.ts b/tools/@aws-cdk/user-input-gen/lib/user-input-gen.ts similarity index 92% rename from tools/@aws-cdk/cli-args-gen/lib/cli-args-gen.ts rename to tools/@aws-cdk/user-input-gen/lib/user-input-gen.ts index b8be1e8a636a6..e6f97f90e8865 100644 --- a/tools/@aws-cdk/cli-args-gen/lib/cli-args-gen.ts +++ b/tools/@aws-cdk/user-input-gen/lib/user-input-gen.ts @@ -4,7 +4,7 @@ import * as prettier from 'prettier'; import { generateDefault, kebabToCamelCase, kebabToPascal } from './util'; import { CliConfig } from './yargs-types'; -export async function renderCliArgsType(config: CliConfig): Promise { +export async function renderUserInputType(config: CliConfig): Promise { const scope = new Module('aws-cdk'); scope.documentation.push( '-------------------------------------------------------------------------------------------'); @@ -12,11 +12,11 @@ export async function renderCliArgsType(config: CliConfig): Promise { scope.documentation.push('Do not edit by hand; all changes will be overwritten at build time from the config file.'); scope.documentation.push('-------------------------------------------------------------------------------------------'); - const cliArgType = new StructType(scope, { + const userInputType = new StructType(scope, { export: true, - name: 'CliArguments', + name: 'UserInput', docs: { - summary: 'The structure of the CLI configuration, generated from packages/aws-cdk/lib/config.ts', + summary: 'The structure of the user input -- either CLI options or cdk.json -- generated from packages/aws-cdk/lib/config.ts', }, }); @@ -24,8 +24,8 @@ export async function renderCliArgsType(config: CliConfig): Promise { scope.addImport(new SelectiveModuleImport(scope, './settings', ['Command'])); const commandEnum = Type.fromName(scope, 'Command'); - cliArgType.addProperty({ - name: '_', + userInputType.addProperty({ + name: 'command', type: commandEnum, docs: { summary: 'The CLI command name', @@ -54,7 +54,7 @@ export async function renderCliArgsType(config: CliConfig): Promise { }); } - cliArgType.addProperty({ + userInputType.addProperty({ name: 'globalOptions', type: Type.fromName(scope, globalOptionType.name), docs: { @@ -102,7 +102,7 @@ export async function renderCliArgsType(config: CliConfig): Promise { }); } - cliArgType.addProperty({ + userInputType.addProperty({ name: kebabToCamelCase(commandName), type: Type.fromName(scope, commandType.name), docs: { diff --git a/tools/@aws-cdk/cli-args-gen/lib/util.ts b/tools/@aws-cdk/user-input-gen/lib/util.ts similarity index 100% rename from tools/@aws-cdk/cli-args-gen/lib/util.ts rename to tools/@aws-cdk/user-input-gen/lib/util.ts diff --git a/tools/@aws-cdk/cli-args-gen/lib/yargs-gen.ts b/tools/@aws-cdk/user-input-gen/lib/yargs-gen.ts similarity index 100% rename from tools/@aws-cdk/cli-args-gen/lib/yargs-gen.ts rename to tools/@aws-cdk/user-input-gen/lib/yargs-gen.ts diff --git a/tools/@aws-cdk/cli-args-gen/lib/yargs-types.ts b/tools/@aws-cdk/user-input-gen/lib/yargs-types.ts similarity index 100% rename from tools/@aws-cdk/cli-args-gen/lib/yargs-types.ts rename to tools/@aws-cdk/user-input-gen/lib/yargs-types.ts diff --git a/tools/@aws-cdk/cli-args-gen/package.json b/tools/@aws-cdk/user-input-gen/package.json similarity index 90% rename from tools/@aws-cdk/cli-args-gen/package.json rename to tools/@aws-cdk/user-input-gen/package.json index 29a15729acc0c..53444e58fbfac 100644 --- a/tools/@aws-cdk/cli-args-gen/package.json +++ b/tools/@aws-cdk/user-input-gen/package.json @@ -1,12 +1,12 @@ { - "name": "@aws-cdk/cli-args-gen", + "name": "@aws-cdk/user-input-gen", "private": true, "version": "0.0.0", - "description": "Generate CLI arguments", + "description": "Generate User Inputs", "repository": { "type": "git", "url": "https://github.com/aws/aws-cdk.git", - "directory": "tools/@aws-cdk/cli-args-gen" + "directory": "tools/@aws-cdk/user-input-gen" }, "main": "./lib/index.js", "types": "./lib/index.d.ts", diff --git a/tools/@aws-cdk/cli-args-gen/test/cli-args-function-gen.test.ts b/tools/@aws-cdk/user-input-gen/test/convert-to-user-input-gen.test.ts similarity index 82% rename from tools/@aws-cdk/cli-args-gen/test/cli-args-function-gen.test.ts rename to tools/@aws-cdk/user-input-gen/test/convert-to-user-input-gen.test.ts index 0ea58ff8fde91..6afc40e224592 100644 --- a/tools/@aws-cdk/cli-args-gen/test/cli-args-function-gen.test.ts +++ b/tools/@aws-cdk/user-input-gen/test/convert-to-user-input-gen.test.ts @@ -1,4 +1,4 @@ -import { CliConfig, renderCliArgsFunc } from '../lib'; +import { CliConfig, renderUserInputFuncs } from '../lib'; describe('render', () => { test('can generate conversion function', async () => { @@ -43,17 +43,17 @@ describe('render', () => { }, }; - expect(await renderCliArgsFunc(config)).toMatchInlineSnapshot(` + expect(await renderUserInputFuncs(config)).toMatchInlineSnapshot(` "// ------------------------------------------------------------------------------------------- // GENERATED FROM packages/aws-cdk/lib/config.ts. // Do not edit by hand; all changes will be overwritten at build time from the config file. // ------------------------------------------------------------------------------------------- /* eslint-disable @stylistic/max-len */ - import { CliArguments, GlobalOptions } from './cli-arguments'; import { Command } from './settings'; + import { UserInput, GlobalOptions } from './user-input'; // @ts-ignore TS6133 - export function convertYargsToCliArgs(args: any): CliArguments { + export function convertYargsToUserInput(args: any): UserInput { const globalOptions: GlobalOptions = { app: args.app, debug: args.debug, @@ -70,17 +70,17 @@ describe('render', () => { }; break; } - const cliArguments: CliArguments = { - _: args._[0], + const userInput: UserInput = { + command: args._[0], globalOptions, [args._[0]]: commandOptions, }; - return cliArguments; + return userInput; } // @ts-ignore TS6133 - export function convertConfigToCliArgs(config: any): CliArguments { + export function convertConfigToUserInput(config: any): UserInput { const globalOptions: GlobalOptions = { app: config.app, debug: config.debug, @@ -90,12 +90,12 @@ describe('render', () => { const deployOptions = { all: config.deploy?.all, }; - const cliArguments: CliArguments = { + const userInput: UserInput = { globalOptions, deploy: deployOptions, }; - return cliArguments; + return userInput; } " `); diff --git a/tools/@aws-cdk/cli-args-gen/test/cli-args-gen.test.ts b/tools/@aws-cdk/user-input-gen/test/user-input-gen.test.ts similarity index 87% rename from tools/@aws-cdk/cli-args-gen/test/cli-args-gen.test.ts rename to tools/@aws-cdk/user-input-gen/test/user-input-gen.test.ts index 3e1fa8e69305a..f88360f34f1d7 100644 --- a/tools/@aws-cdk/cli-args-gen/test/cli-args-gen.test.ts +++ b/tools/@aws-cdk/user-input-gen/test/user-input-gen.test.ts @@ -1,7 +1,7 @@ -import { CliConfig, renderCliArgsType } from '../lib'; +import { CliConfig, renderUserInputType } from '../lib'; describe('render', () => { - test('can generate CliArguments type', async () => { + test('can generate UserInput type', async () => { const config: CliConfig = { globalOptions: { app: { @@ -43,7 +43,7 @@ describe('render', () => { }, }; - expect(await renderCliArgsType(config)).toMatchInlineSnapshot(` + expect(await renderUserInputType(config)).toMatchInlineSnapshot(` "// ------------------------------------------------------------------------------------------- // GENERATED FROM packages/aws-cdk/lib/config.ts. // Do not edit by hand; all changes will be overwritten at build time from the config file. @@ -52,15 +52,15 @@ describe('render', () => { import { Command } from './settings'; /** - * The structure of the CLI configuration, generated from packages/aws-cdk/lib/config.ts + * The structure of the user input -- either CLI options or cdk.json -- generated from packages/aws-cdk/lib/config.ts * * @struct */ - export interface CliArguments { + export interface UserInput { /** * The CLI command name */ - readonly _?: Command; + readonly command?: Command; /** * Global options available to all CLI commands @@ -152,7 +152,7 @@ describe('render', () => { globalOptions: {}, }; - expect(await renderCliArgsType(config)).toMatchInlineSnapshot(` + expect(await renderUserInputType(config)).toMatchInlineSnapshot(` "// ------------------------------------------------------------------------------------------- // GENERATED FROM packages/aws-cdk/lib/config.ts. // Do not edit by hand; all changes will be overwritten at build time from the config file. @@ -161,15 +161,15 @@ describe('render', () => { import { Command } from './settings'; /** - * The structure of the CLI configuration, generated from packages/aws-cdk/lib/config.ts + * The structure of the user input -- either CLI options or cdk.json -- generated from packages/aws-cdk/lib/config.ts * * @struct */ - export interface CliArguments { + export interface UserInput { /** * The CLI command name */ - readonly _?: Command; + readonly command?: Command; /** * Global options available to all CLI commands @@ -234,7 +234,7 @@ describe('render', () => { globalOptions: {}, }; - expect(await renderCliArgsType(config)).toMatchInlineSnapshot(` + expect(await renderUserInputType(config)).toMatchInlineSnapshot(` "// ------------------------------------------------------------------------------------------- // GENERATED FROM packages/aws-cdk/lib/config.ts. // Do not edit by hand; all changes will be overwritten at build time from the config file. @@ -243,15 +243,15 @@ describe('render', () => { import { Command } from './settings'; /** - * The structure of the CLI configuration, generated from packages/aws-cdk/lib/config.ts + * The structure of the user input -- either CLI options or cdk.json -- generated from packages/aws-cdk/lib/config.ts * * @struct */ - export interface CliArguments { + export interface UserInput { /** * The CLI command name */ - readonly _?: Command; + readonly command?: Command; /** * Global options available to all CLI commands diff --git a/tools/@aws-cdk/cli-args-gen/test/yargs-gen.test.ts b/tools/@aws-cdk/user-input-gen/test/yargs-gen.test.ts similarity index 100% rename from tools/@aws-cdk/cli-args-gen/test/yargs-gen.test.ts rename to tools/@aws-cdk/user-input-gen/test/yargs-gen.test.ts diff --git a/tools/@aws-cdk/cli-args-gen/tsconfig.json b/tools/@aws-cdk/user-input-gen/tsconfig.json similarity index 100% rename from tools/@aws-cdk/cli-args-gen/tsconfig.json rename to tools/@aws-cdk/user-input-gen/tsconfig.json