From ccba4a7beffddbd3437cfdba62b7e612a4eb4285 Mon Sep 17 00:00:00 2001 From: shikha372 Date: Wed, 29 May 2024 15:19:38 -0700 Subject: [PATCH 1/3] fix(ses-actions): S3 ReceiptRule cannot be created --- .../aws-cdk-ses-receipt.assets.json | 4 +- .../aws-cdk-ses-receipt.template.json | 30 +-------- .../integ.actions.js.snapshot/manifest.json | 12 +--- .../test/integ.actions.js.snapshot/tree.json | 29 +-------- packages/@aws-cdk/cx-api/FEATURE_FLAGS.md | 44 +++++++++++-- .../aws-cdk-lib/aws-ses-actions/lib/s3.ts | 61 +++++++------------ .../aws-ses-actions/test/actions.test.ts | 19 +----- .../aws-ses/lib/receipt-rule-action.ts | 8 --- .../aws-cdk-lib/aws-ses/lib/receipt-rule.ts | 17 ++---- 9 files changed, 75 insertions(+), 149 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/aws-cdk-ses-receipt.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/aws-cdk-ses-receipt.assets.json index 78acf6dcc87d2..e1f4e21c3afc9 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/aws-cdk-ses-receipt.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/aws-cdk-ses-receipt.assets.json @@ -14,7 +14,7 @@ } } }, - "e6588125503215c64027666d36868f7ca8e305ebf39630158558d6379dcc5fcb": { + "e75d52ecdaf0f3588db5bc3c10fdcd3a347911e7ec4edd2058d2cd142329a9c9": { "source": { "path": "aws-cdk-ses-receipt.template.json", "packaging": "file" 
@@ -22,7 +22,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "e6588125503215c64027666d36868f7ca8e305ebf39630158558d6379dcc5fcb.json", + "objectKey": "e75d52ecdaf0f3588db5bc3c10fdcd3a347911e7ec4edd2058d2cd142329a9c9.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/aws-cdk-ses-receipt.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/aws-cdk-ses-receipt.template.json index 9c28697b45e93..c83ff34cb83ec 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/aws-cdk-ses-receipt.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/aws-cdk-ses-receipt.template.json @@ -86,35 +86,8 @@ "Action": "s3:PutObject", "Condition": { "StringEquals": { - "aws:SourceAccount": { + "aws:Referer": { "Ref": "AWS::AccountId" - }, - "aws:SourceArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":ses:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":receipt-rule-set/", - { - "Ref": "RuleSetE30C6C48" - }, - ":receipt-rule/", - { - "Ref": "RuleSetFirstRule0A27C8CC" - } - ] - ] } } }, @@ -313,6 +286,7 @@ } }, "DependsOn": [ + "BucketPolicyE9A3008A", "FunctionAllowSes1829904A" ] }, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/manifest.json index 5d007e6251fac..aae99fcf97f24 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/manifest.json 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/manifest.json @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/e6588125503215c64027666d36868f7ca8e305ebf39630158558d6379dcc5fcb.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/e75d52ecdaf0f3588db5bc3c10fdcd3a347911e7ec4edd2058d2cd142329a9c9.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -91,19 +91,13 @@ "/aws-cdk-ses-receipt/RuleSet/FirstRule/Resource": [ { "type": "aws:cdk:logicalId", - "data": "RuleSetFirstRule0A27C8CC", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_REPLACE" - ] + "data": "RuleSetFirstRule0A27C8CC" } ], "/aws-cdk-ses-receipt/RuleSet/SecondRule/Resource": [ { "type": "aws:cdk:logicalId", - "data": "RuleSetSecondRule03178AD4", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_REPLACE" - ] + "data": "RuleSetSecondRule03178AD4" } ], "/aws-cdk-ses-receipt/SingletonLambda224e77f9a32e4b4dac32983477abba16/ServiceRole/Resource": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/tree.json index 4976261e07769..9ff4582ab6924 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/tree.json 
@@ -180,35 +180,8 @@ "Action": "s3:PutObject", "Condition": { "StringEquals": { - "aws:SourceAccount": { + "aws:Referer": { "Ref": "AWS::AccountId" - }, - "aws:SourceArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":ses:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":receipt-rule-set/", - { - "Ref": "RuleSetE30C6C48" - }, - ":receipt-rule/", - { - "Ref": "RuleSetFirstRule0A27C8CC" - } - ] - ] } } }, diff --git a/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md b/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md index 3678e750e3617..590205503da37 100644 --- a/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md +++ b/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md 
@@ -68,7 +68,9 @@ Flags come in three types:
 | [@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2](#aws-cdkaws-codepipelinedefaultpipelinetypetov2) | Enables Pipeline to set the default pipeline type to V2. | 2.133.0 | (default) |
 | [@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope](#aws-cdkaws-kmsreducecrossaccountregionpolicyscope) | When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only. | 2.134.0 | (fix) |
 | [@aws-cdk/aws-eks:nodegroupNameAttribute](#aws-cdkaws-eksnodegroupnameattribute) | When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix. | 2.139.0 | (fix) |
-| [@aws-cdk/aws-ec2:ebsDefaultGp3Volume](#aws-cdkaws-ec2ebsdefaultgp3volume) | When enabled, the default volume type of the EBS volume will be GP3 | V2NEXT | (default) |
+| [@aws-cdk/aws-ec2:ebsDefaultGp3Volume](#aws-cdkaws-ec2ebsdefaultgp3volume) | When enabled, the default volume type of the EBS volume will be GP3 | 2.140.0 | (default) |
+| [@aws-cdk/pipelines:reduceAssetRoleTrustScope](#aws-cdkpipelinesreduceassetroletrustscope) | Remove the root account principal from PipelineAssetsFileRole trust policy | 2.141.0 | (default) |
+| [@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm](#aws-cdkaws-ecsremovedefaultdeploymentalarm) | When enabled, remove default deployment alarm settings | 2.143.0 | (default) |
@@ -128,7 +130,8 @@ The following json shows the current recommended set of flags, as `cdk init` wou
 "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true,
 "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
 "@aws-cdk/aws-eks:nodegroupNameAttribute": true,
- "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true
+ "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true,
+ "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true
 }
 }
 ```
@@ -171,6 +174,7 @@ are migrating a v1 CDK project to v2, explicitly set any of these flags which do
 | [@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId](#aws-cdkaws-apigatewayusageplankeyorderinsensitiveid) | Allow adding/removing multiple UsagePlanKeys independently | (fix) | 1.98.0 | `false` | `true` |
 | [@aws-cdk/aws-lambda:recognizeVersionProps](#aws-cdkaws-lambdarecognizeversionprops) | Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`. | (fix) | 1.106.0 | `false` | `true` |
 | [@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2\_2021](#aws-cdkaws-cloudfrontdefaultsecuritypolicytlsv12_2021) | Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default. | (fix) | 1.117.0 | `false` | `true` |
+| [@aws-cdk/pipelines:reduceAssetRoleTrustScope](#aws-cdkpipelinesreduceassetroletrustscope) | Remove the root account principal from PipelineAssetsFileRole trust policy | (default) | | `false` | `true` |
@@ -185,7 +189,8 @@ Here is an example of a `cdk.json` file that restores v1 behavior for these flag
 "@aws-cdk/aws-rds:lowercaseDbIdentifier": false,
 "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": false,
 "@aws-cdk/aws-lambda:recognizeVersionProps": false,
- "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": false
+ "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": false,
+ "@aws-cdk/pipelines:reduceAssetRoleTrustScope": false
 }
 }
 ```
@@ -1293,9 +1298,40 @@ When this featuer flag is enabled, the default volume type of the EBS volume wil
 | Since | Default | Recommended |
 | ----- | ----- | ----- |
 | (not in v1) | | |
-| V2NEXT | `false` | `true` |
+| 2.140.0 | `false` | `true` |
 **Compatibility with old behavior:** Pass `volumeType: EbsDeviceVolumeType.GENERAL_PURPOSE_SSD` to `Volume` construct to restore the previous behavior.
+### @aws-cdk/pipelines:reduceAssetRoleTrustScope
+
+*Remove the root account principal from PipelineAssetsFileRole trust policy* (default)
+
+When this feature flag is enabled, the root account principal will not be added to the trust policy of asset role.
+When this feature flag is disabled, it will keep the root account principal in the trust policy.
+
+
+| Since | Default | Recommended |
+| ----- | ----- | ----- |
+| (not in v1) | | |
+| 2.141.0 | `true` | `true` |
+
+**Compatibility with old behavior:** Disable the feature flag to add the root account principal back
+
+
+### @aws-cdk/aws-ecs:removeDefaultDeploymentAlarm
+
+*When enabled, remove default deployment alarm settings* (default)
+
+When this featuer flag is enabled, remove the default deployment alarm settings when creating a AWS ECS service.
+
+
+| Since | Default | Recommended |
+| ----- | ----- | ----- |
+| (not in v1) | | |
+| 2.143.0 | `false` | `true` |
+
+**Compatibility with old behavior:** Set AWS::ECS::Service 'DeploymentAlarms' manually to restore the previous behavior.
+
+
diff --git a/packages/aws-cdk-lib/aws-ses-actions/lib/s3.ts b/packages/aws-cdk-lib/aws-ses-actions/lib/s3.ts
index 156a50813f298..bc19658117120 100644
--- a/packages/aws-cdk-lib/aws-ses-actions/lib/s3.ts
+++ b/packages/aws-cdk-lib/aws-ses-actions/lib/s3.ts
@@ -42,12 +42,32 @@ export interface S3Props {
 * a notification to Amazon SNS.
 */
 export class S3 implements ses.IReceiptRuleAction {
- private rule?: ses.IReceiptRule;
+ constructor(private readonly props: S3Props) { }
 public bind(rule: ses.IReceiptRule): ses.ReceiptRuleActionConfig {
- this.rule = rule;
+ // Allow SES to write to S3 bucket
+ // See https://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-permissions.html#receiving-email-permissions-s3
+ const keyPattern = this.props.objectKeyPrefix || '';
+ const s3Statement = new iam.PolicyStatement({
+ actions: ['s3:PutObject'],
+ principals: [new iam.ServicePrincipal('ses.amazonaws.com')],
+ resources: [this.props.bucket.arnForObjects(`${keyPattern}*`)],
+ conditions: {
+ StringEquals: {
+ 'aws:Referer': cdk.Aws.ACCOUNT_ID,
+ },
+ },
+ });
+ this.props.bucket.addToResourcePolicy(s3Statement);
+
+ const policy = this.props.bucket.node.tryFindChild('Policy') as s3.BucketPolicy;
+ if (policy) { // The bucket could be imported
+ rule.node.addDependency(policy);
+ } else {
+ cdk.Annotations.of(rule).addWarningV2('@aws-cdk/s3:AddBucketPermissions', 'This rule is using a S3 action with an imported bucket. Ensure permission is given to SES to write to that bucket.');
+ }
 // Allow SES to use KMS master key
 // See https://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-permissions.html#receiving-email-permissions-kms
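Review bot: The new bucket-policy statement in `bind` grants SES `s3:PutObject` on the condition `'aws:Referer': cdk.Aws.ACCOUNT_ID` alone, which is the older form of the SES permission and a weaker confused-deputy guard than the `aws:SourceAccount`/`aws:SourceArn` pair the commit removes, since `aws:Referer` is derived from a request header rather than from the calling service. Only the `aws:SourceArn` value referenced the rule's own name (presumably the source of the dependency cycle this fix addresses, given the explicit `rule.node.addDependency(policy)` now added), so `'aws:SourceAccount': cdk.Aws.ACCOUNT_ID,` could be kept alongside `aws:Referer` without reintroducing that reference, assuming SES still populates it for this call as the removed code relied on. Separately, `addToResourcePolicy` returns an `AddToResourcePolicyResult` whose `statementAdded` and `policyDependable` fields say whether a policy was actually attached, which would replace the `tryFindChild('Policy') as s3.BucketPolicy` cast and make the imported-bucket warning follow the real outcome instead of a child-name lookup. The body of `bind` continues past the end of this hunk.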
@@ -79,41 +99,4 @@ export class S3 implements ses.IReceiptRuleAction {
 },
 };
 }
-
- /**
- * Generate and apply the receipt rule action statement
- *
- * @param ruleSet The rule set the rule is being added to
- * @internal
- */
- public _applyPolicyStatement(receiptRuleSet: ses.IReceiptRuleSet): void {
- if (!this.rule) {
- throw new Error('Cannot apply policy statement before binding the action to a receipt rule');
- }
-
- // Allow SES to write to S3 bucket
- // See https://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-permissions.html#receiving-email-permissions-s3
- const keyPattern = this.props.objectKeyPrefix || '';
- const s3Statement = new iam.PolicyStatement({
- actions: ['s3:PutObject'],
- principals: [new iam.ServicePrincipal('ses.amazonaws.com')],
- resources: [this.props.bucket.arnForObjects(`${keyPattern}*`)],
- conditions: {
- StringEquals: {
- 'aws:SourceAccount': cdk.Aws.ACCOUNT_ID,
- 'aws:SourceArn': cdk.Arn.format({
- partition: cdk.Aws.PARTITION,
- service: 'ses',
- region: cdk.Aws.REGION,
- account: cdk.Aws.ACCOUNT_ID,
- resource: [
- `receipt-rule-set/${receiptRuleSet.receiptRuleSetName}`,
- `receipt-rule/${this.rule.receiptRuleName}`,
- ].join(':'),
- }),
- },
- },
- });
- this.props.bucket.addToResourcePolicy(s3Statement);
- }
 }
diff --git a/packages/aws-cdk-lib/aws-ses-actions/test/actions.test.ts b/packages/aws-cdk-lib/aws-ses-actions/test/actions.test.ts
index dc2fa57d124f3..9769df6bcb4ab 100644
--- a/packages/aws-cdk-lib/aws-ses-actions/test/actions.test.ts
+++ b/packages/aws-cdk-lib/aws-ses-actions/test/actions.test.ts
@@ -190,26 +190,9 @@ test('add s3 action', () => {
 Action: 's3:PutObject',
 Condition: {
 StringEquals: {
- 'aws:SourceAccount': {
+ 'aws:Referer': {
 Ref: 'AWS::AccountId',
 },
- 'aws:SourceArn': {
- 'Fn::Join': [
- '',
- [
- 'arn:',
- { Ref: 'AWS::Partition' },
- ':ses:',
- { Ref: 'AWS::Region' },
- ':',
- { Ref: 'AWS::AccountId' },
- ':receipt-rule-set/',
- { Ref: 'RuleSetE30C6C48' },
- ':receipt-rule/',
- { Ref: 'RuleSetRule0B1D6BCA' },
- ],
- ],
- },
 },
 },
 Effect: 'Allow',
diff --git a/packages/aws-cdk-lib/aws-ses/lib/receipt-rule-action.ts b/packages/aws-cdk-lib/aws-ses/lib/receipt-rule-action.ts
index 8e95fb714c19c..c63fd2f4eef85 100644
--- a/packages/aws-cdk-lib/aws-ses/lib/receipt-rule-action.ts
+++ b/packages/aws-cdk-lib/aws-ses/lib/receipt-rule-action.ts
@@ -1,5 +1,4 @@
 import { IReceiptRule } from './receipt-rule';
-import { IReceiptRuleSet } from './receipt-rule-set';
 /**
 * An abstract action for a receipt rule.
@@ -10,13 +9,6 @@ export interface IReceiptRuleAction {
 */
 bind(receiptRule: IReceiptRule): ReceiptRuleActionConfig;
- /**
- * Generate and apply the receipt rule action statement
- *
- * @param ruleSet The rule set the rule is being added to
- * @internal
- */
- _applyPolicyStatement?(ruleSet: IReceiptRuleSet): void;
 }
 /**
diff --git a/packages/aws-cdk-lib/aws-ses/lib/receipt-rule.ts b/packages/aws-cdk-lib/aws-ses/lib/receipt-rule.ts
index 5b9dbe89f8c4a..ae662eb3f18d4 100644
--- a/packages/aws-cdk-lib/aws-ses/lib/receipt-rule.ts
+++ b/packages/aws-cdk-lib/aws-ses/lib/receipt-rule.ts
@@ -112,10 +112,7 @@ export class ReceiptRule extends Resource implements IReceiptRule {
 }
 public readonly receiptRuleName: string;
-
- private readonly ruleSet: IReceiptRuleSet;
- private readonly actions: IReceiptRuleAction[] = [];
- private readonly actionProperties: CfnReceiptRule.ActionProperty[] = [];
+ private readonly actions = new Array();
 constructor(scope: Construct, id: string, props: ReceiptRuleProps) {
 super(scope, id, {
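Review bot: `private readonly actions = new Array();` in the ReceiptRule field hunk declares an untyped array (`any[]`), dropping the `CfnReceiptRule.ActionProperty` element type that the removed `actionProperties` field carried, so `addAction` can push anything and `renderActions` returns `any[]`. Keeping the annotation, `private readonly actions: CfnReceiptRule.ActionProperty[] = [];`, preserves the compile-time check that what is pushed is exactly what `bind` returns. The same array is read by the `addAction` and `renderActions` hunks that follow for this file. The constructor this hunk ends in continues outside the hunk.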
@@ -136,7 +133,6 @@ export class ReceiptRule extends Resource implements IReceiptRule {
 });
 this.receiptRuleName = resource.ref;
- this.ruleSet = props.ruleSet;
 for (const action of props.actions || []) {
 this.addAction(action);
@@ -147,20 +143,15 @@ export class ReceiptRule extends Resource implements IReceiptRule {
 * Adds an action to this receipt rule.
 */
 public addAction(action: IReceiptRuleAction) {
- this.actions.push(action);
- this.actionProperties.push(action.bind(this));
+ this.actions.push(action.bind(this));
 }
 private renderActions() {
- if (this.actionProperties.length === 0) {
+ if (this.actions.length === 0) {
 return undefined;
 }
- for (const action of this.actions) {
- action._applyPolicyStatement?.(this.ruleSet);
- }
-
- return this.actionProperties;
+ return this.actions;
 }
 }
From 1d64fa4293564f02cc86d578ebb05ac1a3d114a6 Mon Sep 17 00:00:00 2001
From: shikha372
Date: Wed, 29 May 2024 15:53:56 -0700
Subject: [PATCH 2/3] fix(ses-actions): S3 ReceiptRule cannot be created
---
 packages/@aws-cdk/cx-api/FEATURE_FLAGS.md | 41 ++---------------------
 1 file changed, 3 insertions(+), 38 deletions(-)
diff --git a/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md b/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md
index 590205503da37..5a39a22347fae 100644
--- a/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md
+++ b/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md
@@ -68,9 +68,7 @@ Flags come in three types:
 | [@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2](#aws-cdkaws-codepipelinedefaultpipelinetypetov2) | Enables Pipeline to set the default pipeline type to V2. | 2.133.0 | (default) |
 | [@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope](#aws-cdkaws-kmsreducecrossaccountregionpolicyscope) | When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only. | 2.134.0 | (fix) |
 | [@aws-cdk/aws-eks:nodegroupNameAttribute](#aws-cdkaws-eksnodegroupnameattribute) | When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix. | 2.139.0 | (fix) |
-| [@aws-cdk/aws-ec2:ebsDefaultGp3Volume](#aws-cdkaws-ec2ebsdefaultgp3volume) | When enabled, the default volume type of the EBS volume will be GP3 | 2.140.0 | (default) |
-| [@aws-cdk/pipelines:reduceAssetRoleTrustScope](#aws-cdkpipelinesreduceassetroletrustscope) | Remove the root account principal from PipelineAssetsFileRole trust policy | 2.141.0 | (default) |
-| [@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm](#aws-cdkaws-ecsremovedefaultdeploymentalarm) | When enabled, remove default deployment alarm settings | 2.143.0 | (default) |
+| [@aws-cdk/aws-ec2:ebsDefaultGp3Volume](#aws-cdkaws-ec2ebsdefaultgp3volume) | When enabled, the default volume type of the EBS volume will be GP3 | V2NEXT | (default) |
@@ -131,7 +129,6 @@ The following json shows the current recommended set of flags, as `cdk init` wou
 "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
 "@aws-cdk/aws-eks:nodegroupNameAttribute": true,
 "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true,
- "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true
 }
 }
 ```
@@ -174,7 +171,7 @@ are migrating a v1 CDK project to v2, explicitly set any of these flags which do
 | [@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId](#aws-cdkaws-apigatewayusageplankeyorderinsensitiveid) | Allow adding/removing multiple UsagePlanKeys independently | (fix) | 1.98.0 | `false` | `true` |
 | [@aws-cdk/aws-lambda:recognizeVersionProps](#aws-cdkaws-lambdarecognizeversionprops) | Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`. | (fix) | 1.106.0 | `false` | `true` |
 | [@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2\_2021](#aws-cdkaws-cloudfrontdefaultsecuritypolicytlsv12_2021) | Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default. | (fix) | 1.117.0 | `false` | `true` |
-| [@aws-cdk/pipelines:reduceAssetRoleTrustScope](#aws-cdkpipelinesreduceassetroletrustscope) | Remove the root account principal from PipelineAssetsFileRole trust policy | (default) | | `false` | `true` |
+
@@ -190,7 +187,6 @@ Here is an example of a `cdk.json` file that restores v1 behavior for these flag
 "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": false,
 "@aws-cdk/aws-lambda:recognizeVersionProps": false,
 "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": false,
- "@aws-cdk/pipelines:reduceAssetRoleTrustScope": false
 }
 }
 ```
@@ -1298,40 +1294,9 @@ When this featuer flag is enabled, the default volume type of the EBS volume wil
 | Since | Default | Recommended |
 | ----- | ----- | ----- |
 | (not in v1) | | |
-| 2.140.0 | `false` | `true` |
+| V2NEXT | `false` | `true` |
 **Compatibility with old behavior:** Pass `volumeType: EbsDeviceVolumeType.GENERAL_PURPOSE_SSD` to `Volume` construct to restore the previous behavior.
-### @aws-cdk/pipelines:reduceAssetRoleTrustScope
-
-*Remove the root account principal from PipelineAssetsFileRole trust policy* (default)
-
-When this feature flag is enabled, the root account principal will not be added to the trust policy of asset role.
-When this feature flag is disabled, it will keep the root account principal in the trust policy.
-
-
-| Since | Default | Recommended |
-| ----- | ----- | ----- |
-| (not in v1) | | |
-| 2.141.0 | `true` | `true` |
-
-**Compatibility with old behavior:** Disable the feature flag to add the root account principal back
-
-
-### @aws-cdk/aws-ecs:removeDefaultDeploymentAlarm
-
-*When enabled, remove default deployment alarm settings* (default)
-
-When this featuer flag is enabled, remove the default deployment alarm settings when creating a AWS ECS service.
-
-
-| Since | Default | Recommended |
-| ----- | ----- | ----- |
-| (not in v1) | | |
-| 2.143.0 | `false` | `true` |
-
-**Compatibility with old behavior:** Set AWS::ECS::Service 'DeploymentAlarms' manually to restore the previous behavior.
-
-
From f9e5069f25a07be265d6962e5073cb64e2c114cb Mon Sep 17 00:00:00 2001
From: shikha372
Date: Wed, 29 May 2024 15:55:08 -0700
Subject: [PATCH 3/3] fix(ses-actions): S3 ReceiptRule cannot be created
---
 packages/@aws-cdk/cx-api/FEATURE_FLAGS.md | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md b/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md
index 5a39a22347fae..3678e750e3617 100644
--- a/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md
+++ b/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md
@@ -128,7 +128,7 @@ The following json shows the current recommended set of flags, as `cdk init` wou
 "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true,
 "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
 "@aws-cdk/aws-eks:nodegroupNameAttribute": true,
- "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true,
+ "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true
 }
 }
 ```
@@ -172,7 +172,6 @@ are migrating a v1 CDK project to v2, explicitly set any of these flags which do
 | [@aws-cdk/aws-lambda:recognizeVersionProps](#aws-cdkaws-lambdarecognizeversionprops) | Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`. | (fix) | 1.106.0 | `false` | `true` |
 | [@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2\_2021](#aws-cdkaws-cloudfrontdefaultsecuritypolicytlsv12_2021) | Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default. | (fix) | 1.117.0 | `false` | `true` |
-
 Here is an example of a `cdk.json` file that restores v1 behavior for these flags:
@@ -186,7 +185,7 @@ Here is an example of a `cdk.json` file that restores v1 behavior for these flag
 "@aws-cdk/aws-rds:lowercaseDbIdentifier": false,
 "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": false,
 "@aws-cdk/aws-lambda:recognizeVersionProps": false,
- "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": false,
+ "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": false
 }
 }
 ```