chore(release): 2.160.0 #31540

aws-cdk-automation · 2024-09-24T09:18:09Z

### Issue # (if applicable) N/A ### Reason for this change Support new runtime. Ref: https://aws.amazon.com/about-aws/whats-new/2024/09/amazon-managed-service-apache-flink-1-20/ ### Description of changes * Add Flink 1.20 to enum * Improve unit tests and integ test to test all runtime versions ### Description of how you validated changes Ran improved unit tests and integ tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable) None ### Reason for this change The wrong URLs were set for several Interface Endpoints, so I corrected them. For example, when retrieving the freetier endpoint via CLI, it shows as `aws.api.{region}.freetier`, but in CDK, it was set to `com.amazonaws.{region}.freetire`. I believe this correction might be a breaking change, but since the previous URLs likely wouldn't have allowed access anyway, I'm unsure how to proceed. Which of the following approaches would be best? - Directly fix the incorrect URLs (the current implementation) - Implement a feature flag - Deprecate the existing method and implement a new one ### Description of changes Update URL from `com.amazonaws.{region}.{service}` to `aws.api.{region}.{service}` - freetier - bcm-data-exports ### Description of how you validated changes I've executed `described-vpc-endpoint-services` CLI. ```sh ❯ aws ec2 describe-vpc-endpoint-services --filters Name=service-type,Values=Interface Name=owner,Values=amazon --region us-east-1 --query ServiceNames | grep aws.api "aws.api.us-east-1.bcm-data-exports", "aws.api.us-east-1.freetier", "aws.api.us-east-1.kendra-ranking", "aws.api.us-east-1.qbusiness", ``` ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…mported userPool and client (#30421) ### Issue # (if applicable) Closes #30304 ### Reason for this change Currently, we cannot use imported user pools and clients for role mapping in an identity pool. This is because the `IdentityPoolProviderUrl.userPool` method takes an L2 construct as its argument type instead of Interface (`IUserPool`, `IUserPoolClient`). ```ts const userPool = cognito.UserPool.fromUserPoolArn(this, 'CognitoUserPool', 'arn'); const userPoolClient = cognito.UserPoolClient.fromUserPoolClientId(this, 'UserPoolClientId', 'client-id'); const identityPool = new cognitoidp.IdentityPool(this, 'IdentityPool', { // ~ roleMappings: [ { mappingKey: 'cognito', providerUrl: cognitoidp.IdentityPoolProviderUrl.userPool(userPool, userPoolClient), // ! type error here ! useToken: true } ], allowUnauthenticatedIdentities: false }); ``` ### Description of changes The argument types of the `IdentityPoolProviderUrl.userPool` method are changed to `IUserPool` and `IUserPoolClient`. This method requires the `userPoolProviderName` of the userPool, but since it does not exist for `IUserPool`, a property was added. Since this property is required in the `UserPool` construct, it is also required in `IUserPool`. https://github.com/aws/aws-cdk/blob/c3003ab41f0efc763f39eb2cab490c8a005e146b/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts#L902 I add a required attribute to the Interface of the aws-cognito module(stable), but I do not think this to be a breaking change. Please let me know if it is not. ### Description of how you validated changes Unit tests and integ tests are added to verify that the imported userPool and clinet can be used. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable) None ### Reason for this change GuardDuty supports private link access but AWS CDK does not support creating an interface VPC endpoint for GuardDuty. ### Description of changes Add Interface VPC Endpoint for AWS GuardDuty. ### Description of how you validated changes I executed the AWS CLI command as shown below. ```sh ❯ aws ec2 describe-vpc-endpoint-services --filters Name=service-type,Values=Interface Name=owner,Values=amazon --region us-east-1 --query ServiceNames | grep guardduty "com.amazonaws.us-east-1.guardduty", // added "com.amazonaws.us-east-1.guardduty-data", // added "com.amazonaws.us-east-1.guardduty-data-fips", "com.amazonaws.us-east-1.guardduty-fips", ``` ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.159.0/CHANGELOG.md)

…31496) Reverts #31434 to resolve #31492

improve the doc about the code signing ### Issue # (if applicable) Closes #29474 ### Reason for this change Singing is still required by user before the deployment. This PR clarifies this in the doc. ### Description of changes ### Description of how you validated changes ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…int (#31495) ### Issue # (if applicable) None ### Reason for this change Serverless Application Repository supports private link access but AWS CDK does not support creating an interface VPC endpoint. ### Description of changes Add Interface VPC Endpoint for Serverless Application Repository . ### Description of how you validated changes I executed the AWS CLI command as shown below. ❯ aws ec2 describe-vpc-endpoint-services --filters Name=service-type,Values=Interface Name=owner,Values=amazon --region us-east-1 --query ServiceNames | grep serverlessrepo "com.amazonaws.us-east-1.serverlessrepo", ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.159.1/CHANGELOG.md)

### Issue # (if applicable) Closes #<issue number here>. ### Reason for this change This PR supports engine versions for RDS for SQL Server. - SQL Server 2016 - 13.00.6445.1 - SQL Server 2017 - 14.00.3475.1 - SQL Server 2019 - 15.00.4390.2 - SQL Server 2022 - 16.00.4140.3 https://aws.amazon.com/about-aws/whats-new/2024/09/amazon-rds-sql-server-minor-versions-september-2024/ ``` ❯ aws rds describe-db-engine-versions --engine sqlserver-ee --query "DBEngineVersions[?EngineVersion=='13.00.6445.1.v1'||EngineVersion=='14.00.3475.1.v1'||EngineVersion=='15.00.4390.2.v1'||EngineVersion=='16.00.4140.3.v1'].[DBEngineVersionDescription,EngineVersion,DBParameterGroupFamily,MajorEngineVersion,Status]" [ [ "SQL Server 2016 13.00.6445.1.v1", "13.00.6445.1.v1", "sqlserver-ee-13.0", "13.00", "available" ], [ "SQL Server 2017 14.00.3475.1.v1", "14.00.3475.1.v1", "sqlserver-ee-14.0", "14.00", "available" ], [ "SQL Server 2019 15.00.4390.2.v1", "15.00.4390.2.v1", "sqlserver-ee-15.0", "15.00", "available" ], [ "SQL Server 2022 16.00.4140.3.v1", "16.00.4140.3.v1", "sqlserver-ee-16.0", "16.00", "available" ] ] ``` ### Description of changes ### Description of how you validated changes ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable) None ### Reason for this change Compute Optimizer supports private link access but AWS CDK does not support creating an interface VPC endpoint. ### Description of changes Add Interface VPC Endpoint for Compute Optimizer. ### Description of how you validated changes I executed the AWS CLI command as shown below. ```sh $ aws ec2 describe-vpc-endpoint-services --filters Name=service-type,Values=Interface Name=owner,Values=amazon --region us-east-1 --query ServiceNames | grep compute-optimizer "com.amazonaws.us-east-1.compute-optimizer", ``` ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Reason for this change Allow customers to specify a customer managed KMS key and data key reuse period to encrypt state machine definition and execution history and activity inputs. The underlying `AWS::StepFunctions::StateMachine` and `AWS::StepFunctions::Activity` resources currently expose this through an optional `EncryptionConfiguration` property. ### Description of changes Activity and StateMachine accept a new field called encryptionConfiguration of type `EncryptionConfiguration` in their respective props. We have two separate classes which inherit the base class: 1. `CustomerManagedEncryptionConfiguration` 2. `AwsOwnedEncryptionConfiguration` `CustomerManagedEncryptionConfiguration`: `kmsKey` - Type: `IKey` - Description: Symmetric customer managed KMS key for server-side encryption of the state machine definition and execution history (when provided in StateMachine Props), and Activity Inputs (when provided in Activity Props) - Default: `undefined` `kmsDataKeyReusePeriodSeconds`: - Type: `Duration` - Description: Maximum duration that Step Functions will reuse customer managed data keys. When the period expires, Step Functions will call `GenerateDataKey`. Must be a value between 60 and 900 seconds. - Default: 300 sec `AwsOwnedEncryptionConfiguration` - Doesn't accept any fields ### Permission Changes #### Activity: - When the customer provides `kmsKey?` the key policy will be updated with the following policy statement: ``` { "Effect": "Allow", "Principal": { "Service": "states.amazonaws.com" }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "StringEquals": { "kms:EncryptionContext:aws:states:activityArn": "arn:aws:states:<region><account_id>:activity:<activity_name>" } } } ``` #### StateMachine: - When the customer provides `kmsKey?` the key policy will be updated with the following policy statement: ``` { "Effect": "Allow", "Principal": { "Service": "states.amazonaws.com" }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "StringEquals": { "kms:EncryptionContext:aws:states:stateMachineArn": "arn:aws:states:<region><account_id>:stateMachine:<statemachine_name>" } } } ``` - If the state machine contains an activity which uses KMS encryption, the state machine execution role will be updated with the following permissions ``` { "Effect": "Allow", "Principal": { "Service": "states.amazonaws.com" }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "<activity_kmskey_arn>", } ``` - Customers have the option to encrypt data sent to CloudWatch Logs. To support this, if the customer provides both the `kmsKey?` and `logs?` prop, the following key policy statement will be added to the key used by the StateMachine: ``` { "Effect": "Allow", "Principal": { "Service": "delivery.logs.amazonaws.com" }, "Action": [ "kms:Decrypt", ] } ``` In addition the execution role will be updated to include a separate policy that includes kms actions and encryption context for logging (otherwise customer will not see logs) ``` { "Effect": "Allow", "Action": [ "kms:GenerateDataKey" ], "Resource": "<state_machine_kms_key_arn>", "Condition": { "StringEquals": { "kms:EncryptionContext:SourceArn": "arn:aws:logs:<region><account_id>:*" } } } ``` ### Description of how you validated changes ### Unit Test (scenarios): - Activity - Creating an Activity with a KMS Key and without specifying `kmsDataKeyReusePeriodSeconds` defaults to 300 secs - Creating an Activity with a KMS Key results in the correct KMS key policy being generated which allows only the Activity to perform `'kms:Decrypt'`, `'kms:GenerateDataKey'` actions on the associated KMS key. - Creating an Activity with invalid `kmsDataKeyReusePeriodSeconds` throws an error - Creating an Activity with `AwsOwnedEncryptionConfiguration` uses `AWS_OWNED_KEY` encryption type. - StateMachine - Creating a State Machine with a KMS Key allows only StateMachine execution role to perform `'kms:Decrypt'`, `'kms:GenerateDataKey'` actions on the key. - Creating a State Machine with `logs?` and `kmsKey?`: - Separate IAM policy statement (using encryption context for logging) being generated for the State Machine execution role - KMS key policy statement which enables log service delivery for integrations - Creating a State Machine which invokes an Activity using KMS encryption results in a IAM policy generated which allows the execution role to perform `'kms:Decrypt'`, `'kms:GenerateDataKey'` actions on the Activity KMS key - Creating a StateMachine with a KMS Key and without specifying `kmsDataKeyReusePeriodSeconds` defaults to 300 secs - Creating a State Machine with a KMS key and *invalid* `kmsDataKeyReusePeriodSeconds` throws a validation error - Creating a StateMachine with `AwsOwnedEncryptionConfiguration` uses `AWS_OWNED_KEY` encryption type. ### Integration tests - Create a State Machine and Activity which both have encryption enabled and assert the activity input is correct when calling `getActivityTask` API - Create a State Machine with encryption and logging enabled. Ensure _decrypted_ logs are being pushed to the log group. ### Code samples - #### Creating an Activity with Encryption using a Customer Managed Key ```typescript const kmsKey = new kms.Key(this, 'Key'); const activity = new sfn.Activity(this, 'ActivityWithCMKEncryptionConfiguration', { activityName: 'ActivityWithCMKEncryptionConfiguration', encryptionConfiguration: new sfn.CustomerManagedEncryptionConfiguration(kmsKey, cdk.Duration.seconds(75)) }); ``` - #### Creating a StateMachine with Encryption using a Customer Managed Key ```typescript const kmsKey = new kms.Key(this, 'Key'); const stateMachine = new sfn.StateMachine(this, 'StateMachineWithCMKEncryptionConfiguration', { stateMachineName: 'StateMachineWithCMKEncryptionConfiguration', definitionBody: sfn.DefinitionBody.fromChainable(sfn.Chain.start(new sfn.Pass(this, 'Pass'))), stateMachineType: sfn.StateMachineType.STANDARD, encryptionConfiguration: new sfn.CustomerManagedEncryptionConfiguration(kmsKey, cdk.Duration.seconds(60)), }); ``` - #### Creating a StateMachine with CWL Encryption using a Customer Managed Key ``` typescript const stateMachineKmsKey = new kms.Key(this, 'StateMachine Key'); const logGroupKey = new kms.Key(this, 'LogGroup Key'); // Required KMS key policy to enrypt the CloudWatch log group logGroupKey.addToResourcePolicy(new cdk.aws_iam.PolicyStatement({ resources: ['*'], actions: ['kms:Encrypt*', 'kms:Decrypt*', 'kms:ReEncrypt*', 'kms:GenerateDataKey*', 'kms:Describe*'], principals: [new cdk.aws_iam.ServicePrincipal(`logs.${cdk.Stack.of(this).region}.amazonaws.com`)], conditions: { ArnEquals: { 'kms:EncryptionContext:aws:logs:arn': cdk.Stack.of(this).formatArn({ service: 'logs', resource: 'log-group', sep: ':', resourceName: '/aws/vendedlogs/states/MyLogGroup', }), }, }, })); const logGroup = new logs.LogGroup(this, 'MyLogGroup', { logGroupName: '/aws/vendedlogs/states/MyLogGroup', encryptionKey: logGroupKey, }); const stateMachine = new sfn.StateMachine(this, 'StateMachineWithCMKWithCWLEncryption', { stateMachineName: 'StateMachineWithCMKWithCWLEncryption', definitionBody: sfn.DefinitionBody.fromChainable(sfn.Chain.start(new sfn.Pass(this, 'PassState', { result: sfn.Result.fromString('Hello World'), }))), stateMachineType: sfn.StateMachineType.STANDARD, encryptionConfiguration: new sfn.CustomerManagedEncryptionConfiguration(stateMachineKmsKey) logs: { destination: logGroup, level: sfn.LogLevel.ALL, includeExecutionData: true, }, }); ``` ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…uct (#31107) ### Issue # (if applicable) #8581. ### Reason for this change It is easier and clearer to specify the SNS Topic ARNs on the stack construct itself instead of passing it as a command line argument. ### Description of changes Added a new optional stack prop, `notificationArns`, that is written to the CloudAssembly and concatenated with the CLI option `--notification-arns`. Don't forget to select stacks by hierarchical ID (currently display name, in our tests) when writing certain test code. Otherwise, the tests may not select the stack you expect. Depends on: cdklabs/cdk-assets#87 and cdklabs/cloud-assembly-schema#58. ### Description of how you validated changes Unit tests + CLI integ test. Framework integ tests not included because they would require an externally-created SNS Topic, which is not what we want in integ tests; besides, the case is covered by the CLI integ test. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…dk/aws-lambda-python-alpha/test/lambda-handler-project/lambda (#31527) Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.26.18 to 1.26.19. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>1.26.19</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support for 2023. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Changes</h2> <ul> <li>Added the <code>Proxy-Authorization</code> header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via <code>Retry.remove_headers_on_redirect</code>.</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/urllib3/urllib3/compare/1.26.18...1.26.19">https://github.com/urllib3/urllib3/compare/1.26.18...1.26.19</a></p> <p>Note that due to an issue with our release automation, no <code> multiple.intoto.jsonl</code> file is available for this release.</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>1.26.19 (2024-06-17)</h1> <ul> <li>Added the <code>Proxy-Authorization</code> header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via <code>Retry.remove_headers_on_redirect</code>.</li> <li>Fixed handling of OpenSSL 3.2.0 new error message for misconfiguring an HTTP proxy as HTTPS. (<code>[#3405](urllib3/urllib3#3405) <https://github.com/urllib3/urllib3/issues/3405></code>__)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/urllib3/urllib3/commit/d9d85c88aa644af56d5e129634e750ce76e1a765"><code>d9d85c8</code></a> Release 1.26.19</li> <li><a href="https://github.com/urllib3/urllib3/commit/8528b63b6fe5cfd7b21942cf988670de68fcd8c0"><code>8528b63</code></a> [1.26] Fix downstream tests (<a href="https://redirect.github.com/urllib3/urllib3/issues/3409">#3409</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468"><code>40b6d16</code></a> Merge pull request from GHSA-34jh-p97f-mpxf</li> <li><a href="https://github.com/urllib3/urllib3/commit/29cfd02f66376c61bd20f1725477925106321f68"><code>29cfd02</code></a> Fix handling of OpenSSL 3.2.0 new error message "record layer failure" (<a href="https://redirect.github.com/urllib3/urllib3/issues/3405">#3405</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/b60064388302f54a3455259ddab121618650a154"><code>b600643</code></a> [1.26] Bump RECENT_DATE (<a href="https://redirect.github.com/urllib3/urllib3/issues/3404">#3404</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/7e2d3890926d4788e219f63e2e36fbeb8714827f"><code>7e2d389</code></a> [1.26] Fix running CPython 2.7 tests in CI (<a href="https://redirect.github.com/urllib3/urllib3/issues/3137">#3137</a>)</li> <li>See full diff in <a href="https://github.com/urllib3/urllib3/compare/1.26.18...1.26.19">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=urllib3&package-manager=pip&previous-version=1.26.18&new-version=1.26.19)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk/network/alerts). </details>

Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`

Need this to run CodeQL on runners with more disk space. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Allow passing [all STS options](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html#API_AssumeRole_RequestParameters) to assume role configuration for various CDK roles. > The following PR description focuses on Session Tags because it was originally the only option we wanted to add support to. After some thought, we decided to allow all available STS options via a transparent pass-through. ### Prerequisites - cdklabs/cloud-assembly-schema#33 - cdklabs/cdk-assets#40 ### Issue # (if applicable) Closes #26157 Fixes #22535 ### Reason for this change Enabling [ABAC](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) via STS session tags. From the [AWS docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html): > _“Session Tags are key-value pair attributes that you pass when you assume an IAM role or federate a user in AWS STS. You do this by making an AWS CLI or AWS API request through AWS STS or through your identity provider (IdP). When you use AWS STS to request temporary security credentials, you generate a session. Sessions expire and have [credentials](https://docs.aws.amazon.com/STS/latest/APIReference/API_Credentials.html), such as an access key pair and a session token. When you use the session credentials to make a subsequent request, the [request context](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html#AccessPolicyLanguage_RequestContext) includes the [aws:PrincipalTag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principaltag) context key. You can use the aws:PrincipalTag key in the Condition element of your policies to allow or deny access based on those tags”_ ### Description of changes The CDK creates [4 IAM roles](https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping-env.html#bootstrapping-env-roles) during bootstrap. It then assumes these roles at various phases of the deployment. - [DeploymentActionRole](https://github.com/aws/aws-cdk/blob/v2.154.1/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml#L429): Assumed when invoking CloudFormation operations such as _Deploy_ and _DescribeStackEvents_. - [FilePublishingRole](https://github.com/aws/aws-cdk/blob/v2.154.1/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml#L275): Assumed when file assets are uploaded to the bootstrap bucket. - [ImagePublishingRole](https://github.com/aws/aws-cdk/blob/v2.154.1/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml#L298): Assumed when docker images are published to the bootstrap ECR registry. - [LookupRole](https://github.com/aws/aws-cdk/blob/v2.154.1/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml#L321): Assumed while performing context lookups. Each of these roles should be assumable with their own specific session tags, as they server different purposes. > Note: The [CloudFormationExecutionRole](https://github.com/aws/aws-cdk/blob/v2.154.1/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml#L536) is also created during bootstrap, but the CLI never assumes it, therefore it doesn't need session tags support. Session tags for each role will be configurable via synthesizer properties (similarly to how `externalId` is [exposed](#15604)) both for the `DefaultStackSynthesizer`, and for a custom synthesizer extending the `StackSynthesizer` class. The new properties will propagate down and will eventually be written to the cloud assembly. #### `+ manifest.json` ```json { "version": "36.0.0", "artifacts": { "MyStack.assets": { "type": "cdk:asset-manifest", "properties": { "file": "SeshTagsManifestStack.assets.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" } }, "MyStack": { "type": "aws:cloudformation:stack", "environment": "aws://unknown-account/unknown-region", "properties": { "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "assumeRoleAdditionalOptions": { "Tags": < deployRoleSessionTags > } "lookupRole": { "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", "requiresBootstrapStackVersion": 8, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" "assumeRoleAdditionalOptions": { "Tags": < lookupRoleSessionTags > } } }, ``` #### `+ assets.json` ```json { "version": "36.0.0", "files": { "9ebfd704f02f99b2711998e6435822b0dbed6e80dcac7e75f339fe894861ac20": { "source": { "path": "mystack.template.json", "packaging": "file" }, "destinations": { "current_account-current_region": { "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" "assumeRoleAdditionalOptions": { "Tags": < fileAssetPublishingRoleSessionTags > } } } } }, "dockerImages": { "dockerHash": { "source": { "directory": "." }, "destinations": { "current_account-current_region": { "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-image-publishing-role-${AWS::AccountId}-${AWS::Region}" "assumeRoleAdditionalOptions": { "Tags": < imageAssetPublishingRoleSessionTags > } } } } } } ``` ### Description of how you validated changes - CLI integration tests. - CLI and framework unit tests. ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ut (#31446) ### Issue # (if applicable) Closes #30052 ### Reason for this change When specifiying both `resourceSignalTimeout` and `initOptions.timeout` in the options for creating an EC2 Instance, only the value from `resourceSignalTimeout` is used. ### Description of changes - If both `initOptions.timeout` and `resourceSignalTimeout` are set, timeout consisting of the sum of the values and a warning suggesting that only one field should be specified - Else, timeout is set to field specified, else defaults to 5 min ### Description of how you validated changes - Update integration test for `instance-init.js` with both fields and verify that warning is logged - Add unit tests: - `initOptions.timeout` and `resourceSignalTimeout` are both not set, timeout is set to default of 5 min - `initOptions.timeout` set and `resourceSignalTimeout` not set, timeout is set to initOptions.timeout - `initOptions.timeout` not set and `resourceSignalTimeout` is set, timeout is set to `resourceSignalTimeout` - `initOptions.timeout` and `resourceSignalTimeout` are both set, timeout is set to sum of timeouts and warning is logged ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

- Removed revert that was cherry-picked into main after 2.159.1 patch release. - Fix corrupt issue closure links

aws-cdk-automation · 2024-09-24T09:58:58Z

AWS CodeBuild CI Report

CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
Commit ID: 8ae448a
Result: SUCCEEDED
Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

mergify · 2024-09-24T09:59:28Z

Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork).

github-actions · 2024-09-24T09:59:48Z

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

mazyu36 and others added 23 commits September 18, 2024 21:12

Merge branch 'main' into merge-back/2.159.0

82d3e65

chore(merge-back): 2.159.0 (#31489)

152f32d

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.159.0/CHANGELOG.md)

revert: fix(ec2): fixing vpc endpoint pattern for ecr and ecr docker (#…

17be13f

…31496) Reverts #31434 to resolve #31492

Merge branch 'main' into merge-back/2.159.1

ba8e659

chore(merge-back): 2.159.1 (#31503)

bc2f579

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.159.1/CHANGELOG.md)

docs(hotswap): remove un-needed newline in comment (#31473)

4a7f423

feat: update L1 CloudFormation resource definitions (#31534)

cd17fed

Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`

chore: advanced CodeQL configuration (#31506)

9952c92

Need this to run CodeQL on runners with more disk space. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

chore(release): 2.160.0

9d45831

aws-cdk-automation added auto-approve pr/no-squash This PR should be merged instead of squash-merging it labels Sep 24, 2024

aws-cdk-automation requested a review from a team September 24, 2024 09:18

github-actions bot added the p2 label Sep 24, 2024

github-actions bot approved these changes Sep 24, 2024

View reviewed changes

aws-cdk-automation had a problem deploying to test-pipeline September 24, 2024 09:19 — with GitHub Actions Failure

iliapolo added the pr/do-not-merge This PR should not be merged at this time. label Sep 24, 2024

chore: Update CHANGELOG.v2.md

8ae448a

- Removed revert that was cherry-picked into main after 2.159.1 patch release. - Fix corrupt issue closure links

iliapolo removed the pr/do-not-merge This PR should not be merged at this time. label Sep 24, 2024

iliapolo had a problem deploying to test-pipeline September 24, 2024 09:30 — with GitHub Actions Failure

mergify bot merged commit 7a8ae02 into v2-release Sep 24, 2024
15 of 16 checks passed

mergify bot deleted the bump/2.160.0 branch September 24, 2024 09:59

github-actions bot locked as resolved and limited conversation to collaborators Sep 24, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(release): 2.160.0 #31540

chore(release): 2.160.0 #31540

aws-cdk-automation commented Sep 24, 2024 •

edited by iliapolo

Loading

aws-cdk-automation commented Sep 24, 2024

mergify bot commented Sep 24, 2024

github-actions bot commented Sep 24, 2024

chore(release): 2.160.0 #31540

chore(release): 2.160.0 #31540

Conversation

aws-cdk-automation commented Sep 24, 2024 • edited by iliapolo Loading

aws-cdk-automation commented Sep 24, 2024

AWS CodeBuild CI Report

mergify bot commented Sep 24, 2024

github-actions bot commented Sep 24, 2024

aws-cdk-automation commented Sep 24, 2024 •

edited by iliapolo

Loading