Merge #51
Merged
Merge #51
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…en recreated (#15405) If bootstrap stack roles have been deleted and recreated, it results in cryptic errors in the pipeline (AccessDeniedException). An elegant and robust fix to this is involved and not likely to be implemented in the near-term. In the meantime, what we can do is document ways to work around this issue, and heavily advise people not to get themselves into this scenario in the first place. This README update intends to accomplish the former, if not the latter. Tested and verified the proposed "automated" solution (re-creating bootstrap stacks). related #11934 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
#### Collaborator Shout out to @dfezzie #### REV - Adding new `meshOwner` attribute to `IMesh` - Adding `meshOwner` property for Cfn resources #### Design Note - Allowing to provide Mesh ARN from different AWS IAM account ID for IMesh.fromMeshArn() to enable working with shared mesh. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
) This change maintains the existing logic which parses statistic strings provided by the user for Simple statistics or Percentile statistics, but it also allows for any string to be passed. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…15409) A recent change to pkglint (#15064) to always include .lit.ts files in .npmignore was not also applied to the .npmignore generator in cfnspec which is created whenever a new CFN module is added. This will lead to a failed build whenever the CFN spec is next updated and forces a new module to be created. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…15401) The VPC Policy for the asset publishing roles is created as a separate policy, which is guaranteed to be created after the role, but not necessarily before it's needed. CodeBuild -- at CloudFormation deploy time -- actually verifies the roles have appropriate permissions, leading to a potential race condition and failure if VPC permissions are not present when the CodeBuild jobs are created. Add an explicit dependency on the separate policy to guarantee creation order during deployment. fixes #14343 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…port all progress steps (#15207) ### Summary This PR changes the CLI output to: - Prevent output of "Failed resources:" message when all resources were deployed successfully. - Fixes an issue where some steps were not being reported. See related issue: #15196 Before: ```shell CDK_NEW_BOOTSTRAP set, using new-style bootstrapping ⏳ Bootstrapping environment aws://##########/eu-west-1... Trusted accounts for deployment: (none) Trusted accounts for lookup: (none) Using default execution policy of 'arn:aws:iam::aws:policy/AdministratorAccess'. Pass '--cloudformation-execution-policies' to customize. AN_AWS_STACK: creating CloudFormation changeset... 0/4 |15:20:04 | UPDATE_IN_PROGRESS | AWS::CloudFormation::Stack | AN_AWS_STACK User Initiated 0/4 |15:20:11 | UPDATE_IN_PROGRESS | AWS::IAM::Role | DeploymentActionRole 0/4 |15:20:11 | UPDATE_IN_PROGRESS | AWS::IAM::Role | FilePublishingRole 0/4 |15:20:11 | UPDATE_IN_PROGRESS | AWS::IAM::Role | ImagePublishingRole 3/4 |15:20:28 | UPDATE_COMPLETE | AWS::IAM::Role | FilePublishingRole 3/4 |15:20:28 | UPDATE_COMPLETE | AWS::IAM::Role | FilePublishingRole 3/4 |15:20:28 | UPDATE_COMPLETE_CLEA | AWS::IAM::Role | ImagePublishingRole Failed resources: ✅ Environment aws://##########/eu-west-1 bootstrapped. ``` After: ```shell CDK_NEW_BOOTSTRAP set, using new-style bootstrapping ⏳ Bootstrapping environment aws://##########/eu-west-1... Trusted accounts for deployment: (none) Trusted accounts for lookup: (none) Using default execution policy of 'arn:aws:iam::aws:policy/AdministratorAccess'. Pass '--cloudformation-execution-policies' to customize. AN_AWS_STACK: creating CloudFormation changeset... 0/4 |15:20:04 | UPDATE_IN_PROGRESS | AWS::CloudFormation::Stack | AN_AWS_STACK User Initiated 0/4 |15:20:11 | UPDATE_IN_PROGRESS | AWS::IAM::Role | DeploymentActionRole 0/4 |15:20:11 | UPDATE_IN_PROGRESS | AWS::IAM::Role | FilePublishingRole 0/4 |15:20:11 | UPDATE_IN_PROGRESS | AWS::IAM::Role | ImagePublishingRole 1/4 |15:20:28 | UPDATE_COMPLETE | AWS::IAM::Role | FilePublishingRole 2/4 |15:20:28 | UPDATE_COMPLETE | AWS::IAM::Role | FilePublishingRole 3/4 |15:20:28 | UPDATE_COMPLETE_CLEA | AWS::IAM::Role | ImagePublishingRole 4/4 |15:20:28 | UPDATE_COMPLETE | AWS::IAM::Role | DeploymentActionRole ✅ Environment aws://##########/eu-west-1 bootstrapped. ``` ### TODO - [x] Prevent output of "Failed resources:" if there are no failures present. - [x] Report all steps before exiting. - [x] Add tests for changes. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ions installed (#15201) I was using yarn build and it gave an error on my local computer because I have multiple dotnet versions installed ( and the most recent one is 5.x ). With this pull request multiple dotnet versions are supported, as long as 3.1.x is installed. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Allow users to add [Docker security option](https://docs.docker.com/engine/reference/run/#security-configuration) when setting their [BundlingOptions](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_core.BundlingOptions.html). Improvement on PR [14682](#14682), related to issue #14681 Last PR [14682](#14682) only addressed [DockerRunOptions](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_core.DockerRunOptions.html) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Fixes #15239 (ec2): Add rds-data VPC interface endpoints ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Adds a convenient method to obtain the `DaysToExpiry` metric for an AWS Certificates Manager Certificate, without having to craft it yourself. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…15435) The cdk-package build tool skips packaging in private packages by looking at the value of the "private" entry in package.json. Currently, this entry must be missing for cdk-package to treat the package as public, but we should also allow an explicit `false` value. fixes #15203 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ery (#15388) #### REV: - Adding new property `responseType` to DNS `ServiceDiscovery` - Changing `.cloudMap()` factory method to accept positional argument - Adding a runtime-error to check if the service discovery is defined when listener is specified BREAKING CHANGE: `ServiceDiscovery.cloudMap()` method has been changed to accept positional arguments ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Introduce a new repo-private tool called `cdk-release` that replaces `standard-version` in our 'bump' process. It's responsible for updating the version file with the new version, generating the Changelog based on on the commit history, and performing the commit that includes the two above files. It allows us to correctly handle edge cases that we had to work around previously with `standard-version`: * For patch releases, `standard-version` always generated the main header as H3, while we want H2. We always had to correct that manually, and we sometimes forgot. This tool does the correct thing for patch releases too. * We had to hack around when we wanted to change the heading 'BREAKING CHANGES' to 'BREAKING CHANGES TO EXPERIMENTAL FEATURES'. This tool now does it natively, no hacks needed. * In V2, `standard-version` couldn't figure out the tag to compare to, because we have tags for 2 major versions present in the repo. This tool handles this without the hacks of locally removing and then re-fetching the tags. * Also in V2, we want to strip the changes to experimental packages (as those are not included in `aws-cdk-lib`). With `standard-version`, we had to grep in the resulting Changelog, which was very fragile (for example, in `2.0.0-rc.7`, our Changelog includes breaking changes to `appmesh`, which is an experimental module). This tool handles this case natively, by filtering out commits, without the need for fragile Changelog grepping. To make sure we don't break our release process, allow passing the environment variable `LEGACY_BUMP` as truthy to fall back on `standard-version`. Once we make at least one successful release, in both major versions, using this new tool, I'll remove the old `standard-version` based code in a separate PR. In a subsequent PR, the tool will be enhanced with the capability to generate separate version bumps and Changelogs for experimental packages in V2. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Correct a small typo: `initTemplateLanuages` -> `initTemplateLanguages`. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Property 'addToPrincipalPolicy' does not exist on type 'SlackChannelConfiguration'. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
The Effect enum values were changed to be upper case in #2918 (b735d1c) but this usage in the docs was missed ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Link for cdk-ecr-deployment was https://github.com/wchaws/cdk-ecr-deployment, but is now https://github.com/cdklabs/cdk-ecr-deployment. Just updated this links. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
The CodeBuild runtime allows fields that are defined as string[] to be strings and interprets them as singleton lists. When merging we need to normalize this to have the correct concat semantics ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Co-authored-by: AWS CDK Team <aws-cdk@amazon.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
…plication load balancers (#15259) This PR adds the ability to get access to the list of Listeners that have been added to an Application Load Balancer. This is necessary because when an L3 pattern creates a listener on a load balancer the caller may need to get access to the listener to customize it. I couldn't figure out a great way to make this work for Looked Up or Imported Load Balancers so I decided to throw an error. If there is a better way, let me know and I can change the PR. closes #11841 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Fixes the local bundling command when using the pnpm package manager. The args separator is now before the command as described in https://github.com/pnpm/pnpm/blob/76136751958ceac0ee77e9a0466b96d4a093a094/packages/plugin-commands-script-runners/src/exec.ts#L73. fixes #15164 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…onditions (#15430) As per to `IPrincipal` documentation `principalAccount` should be: ``` The AWS account ID of this principal. Can be undefined when the account is not known (for example, for service principals). Can be a Token - in that case, it's assumed to be AWS::AccountId. ``` This PR ensures that `AccountPrincipal` sets the principal account ID as expected. Also ensures that the same id is available after adding conditions to the account principal. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
#15376) The EventBridge Archive supports an `eventPattern` (same as EventBridge Rules). However, it does not translate `detailType` into `detail-type`. This change uses the same `renderEventPattern` utility for both rules and archives in order to fix this. Fixes #14905 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…oes not start at 0 (#15345) Before this fix, the first scaling step would be ignored whenever its lower bound was greater than zero (see linked issue). Now, instead of *replacing* the first interval with a "dummy" one, we *prepend* the list of intervals. This behavior complements what was already implemented in case the last interval's upper bound was not Infinity: a dummy one was appended. This fixes #10141 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Add DLQ and Retry policy Configuration to BatchJob targets. Using a DLQ on a rule prevents the application to loose events after all retry attempts are exhausted. Update README.md and code examples to support Rosetta translation and compiling. Resolves #15238 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This PR removes the incorrect normalization of principal like below:
`"Principal": {"AWS": "*"}` → `"Principal": "*"`
I thought this normalization was made in accordance with this doc.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-anonymous
As discussed in #14274, this normalization sometimes cause error like `Error occurred while parsing policy: no statement block with AWS provider found.`
I also fixed all of the related tests.
Closes #14274
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Add the option to easily add notifications to only TERMINATION_EVENTS ( ScalingEvent.INSTANCE_TERMINATE, ScalingEvent.INSTANCE_TERMINATE_ERROR ) for ASGs ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…Bucket with the S3SourceAction (#15310) If you import an S3 bucket encrypted with a custom key, it's impossible to give the source action role permission to use that key for decryption as far as I could see. I.e. I was not able to access this source action role. By adding `encryptionKey` you can specify it at in the S3 source props, and permissions can then be granted inside this private heavy object. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Reverts #14916 This is causing issues in the v2 forward merge. ``` import * as cdk from '@aws-cdk/core'; ``` Is being rewritten as `import * as constructs from 'constructs'`, regardless of what from `cdk` we use. In the case of https://github.com/aws/aws-cdk/blob/master/packages/@aws-cdk/assert-internal/lib/synth-utils.ts for example, we only use `cdk.Stack`, but the imports turn into: ``` import * as fs from 'fs'; import * as path from 'path'; import * as core from 'aws-cdk-lib'; import * as constructs from 'constructs'; import * as cxapi from 'aws-cdk-lib/cx-api'; ``` And then TSC complains: ``` @aws-cdk/assert: lib/synth-utils.ts(4,1): error TS6133: 'constructs' is declared but its value is never read. @aws-cdk/assert: lib/expect.ts(2,1): error TS6133: 'constructs' is declared but its value is never read. @aws-cdk/assert: jest.ts(2,1): error TS6133: 'constructs' is declared but its value is never read. @aws-cdk/assert: test/assertions.test.ts(2,13): error TS2300: Duplicate identifier 'constructs'. @aws-cdk/assert: test/assertions.test.ts(4,13): error TS2300: Duplicate identifier 'constructs'. ``` (Also note `Duplicate identifier` errors)
We do validation-as-part-of-synth for legacy pipelines; also need to do the same for modern pipelines otherwise failing context lookups are too hard to diagnose. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…eline (#15669) There was confusion on Slack on why the `ShellStep` of this example did not appear in the pipeline. Make the example code more complete. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Add stack event notification constraint. Allows users to subscribe AWS `SNS` topics to stack updates on their products. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* Co-authored-by: Dillon Ponzo <dponzo18@gmail.com>
fo -> of ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Customer reports that it's not clear here what the units of the default "60" are, and furthermore that this appears as "1" (again without units) in the console. Clarify by writing this as `Duration.minutes(1)` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This change corrects the episode link, both within a browser and with the youtube-dl tool it shows as a non-existent video with the current link. youtube-dl output ```bash youtube-dl https://www.twitch.tv/aws/video/977551207 [twitch:vod] 977551207: Downloading stream metadata GraphQL ERROR: Video 977551207 does not exist ``` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Requested by AppSec to double-stress that access to the deploy role (implied by `--trust`) is dangerous and should be explicitly called out in the documentation. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
Version 12.6 of the Aurora PostgreSQL cluster engine has been released as per https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Updates.20180305.html <img width="1238" alt="Screen Shot 2021-07-21 at 6 39 16 pm" src="https://user-images.githubusercontent.com/712360/126459465-4c47f792-64ed-4963-aace-c21b72de61cd.png"> Can also be seen via aws CLI:  ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Did a quick review of this README and made some generally minor suggestions. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Switch the CDK Pipelines API to stable and GA. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Add a migration guide for original to modern API. [Rendered version](https://github.com/aws/aws-cdk/blob/huijbers/pipelines-migration-guide/packages/@aws-cdk/pipelines/ORIGINAL_API.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Co-authored-by: AWS CDK Team <aws-cdk@amazon.com>
…oudwatch alarms (#15720) This change adds support for alarming on custom statistics and extends the testing done for metrics to ensure if a custom statistic is passed it preserves the case ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…StackSets (#15678) Adds 2 constraints, launch role and stackset. Users can specify a specific role users must assume when launching product. StackSets deployments allows you to deploy products using Cloudformation StackSets. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…#15617) This feature adds new static methods to the CfnMapping construct that allow the creation of "lazy" mappings. A lazy mapping will only create a Mappings section in the synthesized CFN template if some "find" operation on the mapping was not able to return a value since one or more of the lookup keys were unresolved. Usage: ```ts // Register the mapping as a lazy mapping. CfnMapping.registerLazyMap('UNIQUEMAPPINGID', { TopLevelKey: { SecondLevelKey: 'value', }, }); // Later, find a value from the mapping. Since the keys are both // resolved, this returns a resolved value and does not create a // CfnMapping. CfnMapping.findInLazyMap(scope, 'UNIQUEMAPPINGID', 'TopLevelKey', 'SecondLevelKey'); // > 'value' // If we try to find a value from the mapping using unresolved keys, a // CfnMapping is created and a Fn::FindInMap is returned. CfnMapping.findInLazyMap(scope, 'UNIQUEMAPPINGID', 'TopLevelKey', Aws.REGION); // > { Fn::FindInMap: [ 'UNIQUEMAPPINGID', 'TopLevelKey', { Ref: 'AWS::Region' } ] } ``` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…versions lower than 5.1 (#15714) Fixes #15532 As discussed in #15532, this error should not have applied to slow logs in the first place, as they're supported by all Elasticsearch versions. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
#15544) This PR implements the minimum DeliveryStream API and S3 destination. More features for DeliveryStream and the S3 destination will follow in future PRs. This work is being tracked in https://github.com/aws/aws-cdk/milestone/16 For more context, see: #15505 and the RFC: aws/aws-cdk-rfcs#342 closes #10810, #15499 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Closes gh-15728. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ctly treated as objects (#14631) This doesn't actually fix the issue #12935 as currently the Json paths won't be resolved for Lambda steps where the `Resource` is the Lambda ARN and not `arn:aws:states:::lambda:invoke`, but it at least fixes the issue for Text inputs when `payloadResponseOnly: true` and will avoid the same error from happening again if the `recurseObject` is called with a value that's not an object. Ideally the `TaskInput.value` field should be changed to `{ [key: string]: any } | string` here to ensure the type check when sending the value to methods like `FieldUtils.renderObject`: https://github.com/aws/aws-cdk/blob/master/packages/@aws-cdk/aws-stepfunctions/lib/input.ts#L65 Or even better the `TaskInput` should be made generic like: ``` export class TaskInput<T extends InputType> { ... private constructor(public readonly type: T, public readonly value: ValueType[T]) {} } type ValueType = { [InputType.OBJECT]: { [key: string]: any }, [InputType.TEXT]: string } ``` However, any of the changes above wouldn't be backwards compatible and could break not only internal references in the `aws-cdk` but also on any customer packages using the CDK. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ts (#15718) We used to use an immutable singleton role with `*` permissions for the assets projects, because if there were many different destinations in a pipeline, and each asset build had to publish to each destination, the policy could grow too long and exceed the maximum policy size. However, this also disabled the automatic policy wrangling that CodeBuild would do for us, like automatically adding permissions to bind to a VPC, and adding permissions to read Secrets Manager secrets. This especially becoming relevant since that now in the modern API, it's possible to modify build the environment in a way that normally automatically adds SecretsManager permission, but now won't (and it's not possible to fix either). Replace the immutable singleton role with a mutable singleton role, but in such a way that it won't add permissions statements for which it already has a `*` statement (to cut down on duplication), and have the CB project do the automatic VPC bind permissions again. Fixes #15628. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
GitHub's MarkDown rendering doesn't recognize the `+` in a table column separator. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Property `advancedOptions` in ElasticSearch domain did have no effect because the assignment was missing. * add assignment for advancedOptions to fix issue * test cases * describe function in readme Fixes #14067 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Provide API `findResources()` that retrieves the matching resources from the template given its type and optional predicate. For complex assertions that cannot be modeled using the primitives provided by this module, this API allows an 'escape hatch' so that assertions can be written directly into the test case. This is being used in the `aws-cloudwatch` module, specifically to assert widgets in a CloudWatch Dashboard that are modeled as serialized JSON within a property in the resource. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license