Merge branch 'master' into njlynch/cloudfront-dev-preview

aws · Oct 13, 2020 · 7d30c10 · 7d30c10
2 parents d3e03ec + 2cb8e22
commit 7d30c10
Show file tree

Hide file tree

Showing 52 changed files with 2,402 additions and 186 deletions.
diff --git a/packages/@aws-cdk/aws-apigateway/README.md b/packages/@aws-cdk/aws-apigateway/README.md
@@ -484,7 +484,7 @@ iamUser.attachInlinePolicy(new iam.Policy(this, 'AllowBooks', {
     new iam.PolicyStatement({
       actions: [ 'execute-api:Invoke' ],
       effect: iam.Effect.Allow,
-      resources: [ getBooks.methodArn() ]
+      resources: [ getBooks.methodArn ]
     })
   ]
 }))

diff --git a/packages/@aws-cdk/aws-cognito/README.md b/packages/@aws-cdk/aws-cognito/README.md
@@ -14,6 +14,7 @@
 
 ---
 <!--END STABILITY BANNER-->
+
 [Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html) provides
 authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a
 user name and password, or through a third party such as Facebook, Amazon, Google or Apple.
@@ -319,6 +320,8 @@ Lambda triggers can either be specified as part of the `UserPool` initialization
 on the construct, as so -
 
 ```ts
+import * as lambda from '@aws-cdk/aws-lambda';
+
 const authChallengeFn = new lambda.Function(this, 'authChallengeFn', {
   // ...
 });
@@ -566,7 +569,7 @@ const signInUrl = domain.signInUrl(client, {
 })
 ```
 
-Exisiting domains can be imported into CDK apps using `UserPoolDomain.fromDomainName()` API
+Existing domains can be imported into CDK apps using `UserPoolDomain.fromDomainName()` API
 
 ```ts
 const stack = new Stack(app, 'my-stack');

diff --git a/packages/@aws-cdk/aws-config/README.md b/packages/@aws-cdk/aws-config/README.md
@@ -64,28 +64,30 @@ new CustomRule(this, 'CustomRule', {
 
 By default rules are triggered by changes to all [resources](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources).
 
-Use the `scopeToResource()`, `scopeToResources()` or `scopeToTag()` APIs to restrict
+Use the `Scope` APIs (`fromResource()`, `fromResources()` or `fromTag()`) to restrict
 the scope of both managed and custom rules:
 
 ```ts
-const sshRule = new ManagedRule(this, 'SSH', {
-  identifier: 'INCOMING_SSH_DISABLED'
-});
+import * as config from '@aws-cdk/aws-config';
 
-// Restrict to a specific security group
-rule.scopeToResource('AWS::EC2::SecurityGroup', 'sg-1234567890abcdefgh');
+const sshRule = new config.ManagedRule(this, 'SSH', {
+  identifier: 'INCOMING_SSH_DISABLED',
+  scope: config.Scope.fromResource(config.ResourceType.EC2_SECURITY_GROUP, 'sg-1234567890abcdefgh'), // restrict to specific security group
+});
 
-const customRule = new CustomRule(this, 'CustomRule', {
+const customRule = new config.CustomRule(this, 'CustomRule', {
   lambdaFunction: myFn,
   configurationChanges: true
+  scope: config.Scope.fromResources([config.ResourceType.CLOUDFORMATION_STACK, config.Resource.S3_BUCKET]), // restrict to all CloudFormation stacks and S3 buckets
 });
 
-// Restrict to a specific tag
-customRule.scopeToTag('Cost Center', 'MyApp');
+const customRule = new config.CustomRule(this, 'CustomRule', {
+  lambdaFunction: myFn,
+  configurationChanges: true
+  scope: config.Scope.fromTag('Cost Center', 'MyApp'), // restrict to a specific tag
+});
 ```
 
-Only one type of scope restriction can be added to a rule (the last call to `scopeToXxx()` sets the scope).
-
 #### Events
 
 To define Amazon CloudWatch event rules, use the `onComplianceChange()` or `onReEvaluationStatus()` methods:
@@ -116,10 +118,9 @@ const fn = new lambda.Function(this, 'CustomFunction', {
 const customRule = new config.CustomRule(this, 'Custom', {
   configurationChanges: true,
   lambdaFunction: fn,
+  scope: config.Scope.fromResource([config.Scope.EC2_INSTANCE]),
 });
 
-customRule.scopeToResource('AWS::EC2::Instance');
-
 // A rule to detect stack drifts
 const driftRule = new config.CloudFormationStackDriftDetectionCheck(this, 'Drift');
 

diff --git a/packages/@aws-cdk/aws-config/lib/managed-rules.ts b/packages/@aws-cdk/aws-config/lib/managed-rules.ts
@@ -2,7 +2,7 @@ import * as iam from '@aws-cdk/aws-iam';
 import * as sns from '@aws-cdk/aws-sns';
 import { Duration, Lazy, Stack } from '@aws-cdk/core';
 import { Construct } from 'constructs';
-import { ManagedRule, RuleProps } from './rule';
+import { ManagedRule, ResourceType, RuleProps, Scope } from './rule';
 
 /**
  * Construction properties for a AccessKeysRotated
@@ -82,7 +82,7 @@ export class CloudFormationStackDriftDetectionCheck extends ManagedRule {
       },
     });
 
-    this.scopeToResource('AWS::CloudFormation::Stack', props.ownStackOnly ? Stack.of(this).stackId : undefined);
+    this.scope = Scope.fromResource( ResourceType.CLOUDFORMATION_STACK, props.ownStackOnly ? Stack.of(this).stackId : undefined );
 
     this.role = props.role || new iam.Role(this, 'Role', {
       assumedBy: new iam.ServicePrincipal('config.amazonaws.com'),
@@ -126,8 +126,7 @@ export class CloudFormationStackNotificationCheck extends ManagedRule {
         (params, topic, idx) => ({ ...params, [`snsTopic${idx + 1}`]: topic.topicArn }),
         {},
       ),
+      scope: Scope.fromResources([ResourceType.CLOUDFORMATION_STACK]),
     });
-
-    this.scopeToResource('AWS::CloudFormation::Stack');
   }
 }