Merge branch 'master' into fix-docs-rds-admin-username

allowed-breaking-changes.txt

@@ -1,58 +1 @@
-incompatible-argument:@aws-cdk/aws-ecs.Ec2TaskDefinition.<initializer>
-incompatible-argument:@aws-cdk/aws-ecs.Ec2TaskDefinition.addVolume
-incompatible-argument:@aws-cdk/aws-ecs.FargateTaskDefinition.<initializer>
-incompatible-argument:@aws-cdk/aws-ecs.FargateTaskDefinition.addVolume
-incompatible-argument:@aws-cdk/aws-ecs.TaskDefinition.<initializer>
-incompatible-argument:@aws-cdk/aws-ecs.TaskDefinition.addVolume
-change-return-type:@aws-cdk/core.Fn.getAtt
-new-argument:@aws-cdk/aws-iam.ManagedPolicy.<initializer>
-new-argument:@aws-cdk/aws-iam.ManagedPolicy.<initializer>
-removed:@aws-cdk/aws-apigateway.AwsIntegration.props
-removed:@aws-cdk/aws-apigateway.HttpIntegration.props
-removed:@aws-cdk/aws-apigateway.Integration.props
-removed:@aws-cdk/aws-apigateway.LambdaIntegration.props
-removed:@aws-cdk/aws-apigateway.MockIntegration.props
-removed:@aws-cdk/aws-ecs-patterns.ScheduledEc2TaskDefinitionOptions.schedule
-removed:@aws-cdk/aws-ecs-patterns.ScheduledEc2TaskDefinitionOptions.cluster
-removed:@aws-cdk/aws-ecs-patterns.ScheduledEc2TaskDefinitionOptions.desiredTaskCount
-removed:@aws-cdk/aws-ecs-patterns.ScheduledEc2TaskDefinitionOptions.vpc
-removed:@aws-cdk/aws-ecs-patterns.ScheduledFargateTaskDefinitionOptions.schedule
-removed:@aws-cdk/aws-ecs-patterns.ScheduledFargateTaskDefinitionOptions.cluster
-removed:@aws-cdk/aws-ecs-patterns.ScheduledFargateTaskDefinitionOptions.desiredTaskCount
-removed:@aws-cdk/aws-ecs-patterns.ScheduledFargateTaskDefinitionOptions.vpc
-incompatible-argument:@aws-cdk/aws-lambda.Function.<initializer>
-incompatible-argument:@aws-cdk/aws-lambda.SingletonFunction.<initializer>
-incompatible-argument:@aws-cdk/aws-lambda.Function.addEnvironment
-changed-type:@aws-cdk/aws-dynamodb.Table.tableStreamArn
-incompatible-argument:@aws-cdk/aws-apigateway.LambdaRestApi.addModel
-incompatible-argument:@aws-cdk/aws-apigateway.Model.<initializer>
-incompatible-argument:@aws-cdk/aws-apigateway.RestApi.addModel
-incompatible-argument:@aws-cdk/aws-apigateway.ProxyResource.addProxy
-incompatible-argument:@aws-cdk/aws-apigateway.Resource.addProxy
-incompatible-argument:@aws-cdk/aws-apigateway.ResourceBase.addProxy
-incompatible-argument:@aws-cdk/aws-apigateway.IResource.addProxy
-incompatible-argument:@aws-cdk/aws-apigateway.RequestAuthorizer.<initializer>
-incompatible-argument:@aws-cdk/aws-servicediscovery.Service.fromServiceAttributes
-removed:@aws-cdk/core.ConstructNode.addReference
-removed:@aws-cdk/core.ConstructNode.references
-removed:@aws-cdk/core.OutgoingReference
-change-return-type:@aws-cdk/aws-lambda-destinations.EventBridgeDestination.bind
-change-return-type:@aws-cdk/aws-lambda-destinations.LambdaDestination.bind
-change-return-type:@aws-cdk/aws-lambda-destinations.SnsDestination.bind
-change-return-type:@aws-cdk/aws-lambda-destinations.SqsDestination.bind
-removed:@aws-cdk/cdk-assets-schema.DockerImageDestination.imageUri
-incompatible-argument:@aws-cdk/aws-iam.FederatedPrincipal.<initializer>
-incompatible-argument:@aws-cdk/aws-iam.PolicyStatement.addCondition
-incompatible-argument:@aws-cdk/aws-iam.PolicyStatement.addConditions
-incompatible-argument:@aws-cdk/aws-iam.PolicyStatement.addFederatedPrincipal
-incompatible-argument:@aws-cdk/aws-iam.PrincipalPolicyFragment.<initializer>
-changed-type:@aws-cdk/aws-iam.FederatedPrincipal.conditions
-changed-type:@aws-cdk/aws-iam.PrincipalPolicyFragment.conditions
-changed-type:@aws-cdk/aws-iam.PrincipalWithConditions.conditions
-removed:@aws-cdk/cdk-assets-schema.Placeholders
-# Following two are because we're turning: properties: {string=>any} into a union of typed interfaces
-# Needs to be removed after next release.
-incompatible-argument:@aws-cdk/cloud-assembly-schema.Manifest.save
-change-return-type:@aws-cdk/cloud-assembly-schema.Manifest.load
-removed:@aws-cdk/core.DefaultStackSynthesizer.DEFAULT_DEPLOY_ACTION_ROLE_ARN
-removed:@aws-cdk/core.DefaultStackSynthesizerProps.deployActionRoleArn
+

packages/@aws-cdk/aws-backup/lib/resource.ts

@@ -64,14 +64,14 @@ export class BackupResource {
   /**
    * A DynamoDB table
    */
-  public static fromDynamoDbTable(table: dynamodb.Table) {
+  public static fromDynamoDbTable(table: dynamodb.ITable) {
     return BackupResource.fromArn(table.tableArn);
   }
 
   /**
    * An EC2 instance
    */
-  public static fromEc2Instance(instance: ec2.Instance) {
+  public static fromEc2Instance(instance: ec2.IInstance) {
     return BackupResource.fromArn(Stack.of(instance).formatArn({
       service: 'ec2',
       resource: 'instance',
@@ -82,7 +82,7 @@ export class BackupResource {
   /**
    * An EFS file system
    */
-  public static fromEfsFileSystem(fileSystem: efs.FileSystem) {
+  public static fromEfsFileSystem(fileSystem: efs.IFileSystem) {
     return BackupResource.fromArn(Stack.of(fileSystem).formatArn({
       service: 'elasticfilesystem',
       resource: 'file-system',
@@ -93,7 +93,7 @@ export class BackupResource {
   /**
    * A RDS database instance
    */
-  public static fromRdsDatabaseInstance(instance: rds.DatabaseInstance) {
+  public static fromRdsDatabaseInstance(instance: rds.IDatabaseInstance) {
     return BackupResource.fromArn(instance.instanceArn);
   }
 

packages/@aws-cdk/aws-backup/test/selection.test.ts

@@ -290,3 +290,44 @@ test('fromEc2Instance', () => {
     },
   });
 });
+
+test('fromDynamoDbTable', () => {
+  // GIVEN
+  const newTable = new dynamodb.Table(stack, 'New', {
+    partitionKey: {
+      name: 'id',
+      type: dynamodb.AttributeType.STRING,
+    },
+  });
+  const existingTable = dynamodb.Table.fromTableArn(stack, 'Existing', 'arn:aws:dynamodb:eu-west-1:123456789012:table/existing');
+
+  // WHEN
+  plan.addSelection('Selection', {
+    resources: [
+      BackupResource.fromDynamoDbTable(newTable),
+      BackupResource.fromDynamoDbTable(existingTable),
+    ],
+  });
+
+  // THEN
+  expect(stack).toHaveResource('AWS::Backup::BackupSelection', {
+    BackupSelection: {
+      IamRoleArn: {
+        'Fn::GetAtt': [
+          'PlanSelectionRole6D10F4B7',
+          'Arn',
+        ],
+      },
+      Resources: [
+        {
+          'Fn::GetAtt': [
+            'New8A81B073',
+            'Arn',
+          ],
+        },
+        'arn:aws:dynamodb:eu-west-1:123456789012:table/existing',
+      ],
+      SelectionName: 'Selection',
+    },
+  });
+});

packages/@aws-cdk/aws-codeguruprofiler/README.md

@@ -9,8 +9,26 @@
 ---
 <!--END STABILITY BANNER-->
 
-This module is part of the [AWS Cloud Development Kit](https://github.com/aws/aws-cdk) project.
+Amazon CodeGuru Profiler collects runtime performance data from your live applications, and provides recommendations that can help you fine-tune your application performance.
+
+### Installation
+
+Import to your project:
 
 ```ts
 import * as codeguruprofiler from '@aws-cdk/aws-codeguruprofiler';
 ```
+
+### Basic usage
+
+Here's how to setup a profiling group and give your compute role permissions to publish to the profiling group to the profiling agent can publish profiling information:
+
+```ts
+// The execution role of your application that publishes to the ProfilingGroup via CodeGuru Profiler Profiling Agent. (the following is merely an example)
+const publishAppRole = new Role(stack, 'PublishAppRole', {
+  assumedBy: new AccountRootPrincipal(),
+});
+
+const profilingGroup = new ProfilingGroup(stack, 'MyProfilingGroup');
+profilingGroup.grantPublish(publishAppRole);
+```

packages/@aws-cdk/aws-codeguruprofiler/lib/index.ts

@@ -1,2 +1,3 @@
 // AWS::CodeGuruProfiler CloudFormation Resources:
 export * from './codeguruprofiler.generated';
+export * from './profiling-group';

packages/@aws-cdk/aws-codeguruprofiler/lib/profiling-group.ts

@@ -0,0 +1,180 @@
+import { Grant, IGrantable } from '@aws-cdk/aws-iam';
+import { Construct, IResource, Lazy, Resource, Stack } from '@aws-cdk/core';
+import { CfnProfilingGroup } from './codeguruprofiler.generated';
+
+/**
+ * IResource represents a Profiling Group.
+ */
+export interface IProfilingGroup extends IResource {
+
+  /**
+   * A name for the profiling group.
+   *
+   * @attribute
+   */
+  readonly profilingGroupName: string;
+
+  /**
+   * Grant access to publish profiling information to the Profiling Group to the given identity.
+   *
+   * This will grant the following permissions:
+   *
+   *  - codeguru-profiler:ConfigureAgent
+   *  - codeguru-profiler:PostAgentProfile
+   *
+   * @param grantee Principal to grant publish rights to
+   */
+  grantPublish(grantee: IGrantable): Grant;
+
+  /**
+   * Grant access to read profiling information from the Profiling Group to the given identity.
+   *
+   * This will grant the following permissions:
+   *
+   *  - codeguru-profiler:GetProfile
+   *  - codeguru-profiler:DescribeProfilingGroup
+   *
+   * @param grantee Principal to grant read rights to
+   */
+  grantRead(grantee: IGrantable): Grant;
+
+}
+
+abstract class ProfilingGroupBase extends Resource implements IProfilingGroup {
+
+  public abstract readonly profilingGroupName: string;
+
+  public abstract readonly profilingGroupArn: string;
+
+  /**
+   * Grant access to publish profiling information to the Profiling Group to the given identity.
+   *
+   * This will grant the following permissions:
+   *
+   *  - codeguru-profiler:ConfigureAgent
+   *  - codeguru-profiler:PostAgentProfile
+   *
+   * @param grantee Principal to grant publish rights to
+   */
+  public grantPublish(grantee: IGrantable) {
+    // https://docs.aws.amazon.com/codeguru/latest/profiler-ug/security-iam.html#security-iam-access-control
+    return Grant.addToPrincipal({
+      grantee,
+      actions: ['codeguru-profiler:ConfigureAgent', 'codeguru-profiler:PostAgentProfile'],
+      resourceArns: [this.profilingGroupArn],
+    });
+  }
+
+  /**
+   * Grant access to read profiling information from the Profiling Group to the given identity.
+   *
+   * This will grant the following permissions:
+   *
+   *  - codeguru-profiler:GetProfile
+   *  - codeguru-profiler:DescribeProfilingGroup
+   *
+   * @param grantee Principal to grant read rights to
+   */
+  public grantRead(grantee: IGrantable) {
+    // https://docs.aws.amazon.com/codeguru/latest/profiler-ug/security-iam.html#security-iam-access-control
+    return Grant.addToPrincipal({
+      grantee,
+      actions: ['codeguru-profiler:GetProfile', 'codeguru-profiler:DescribeProfilingGroup'],
+      resourceArns: [this.profilingGroupArn],
+    });
+  }
+
+}
+
+/**
+ * Properties for creating a new Profiling Group.
+ */
+export interface ProfilingGroupProps {
+
+  /**
+   * A name for the profiling group.
+   * @default - automatically generated name.
+   */
+  readonly profilingGroupName?: string;
+
+}
+
+/**
+ * A new Profiling Group.
+ */
+export class ProfilingGroup extends ProfilingGroupBase {
+
+  /**
+   * Import an existing Profiling Group provided a Profiling Group Name.
+   *
+   * @param scope The parent creating construct
+   * @param id The construct's name
+   * @param profilingGroupName Profiling Group Name
+   */
+  public static fromProfilingGroupName(scope: Construct, id: string, profilingGroupName: string): IProfilingGroup {
+    const stack = Stack.of(scope);
+
+    return this.fromProfilingGroupArn(scope, id, stack.formatArn({
+      service: 'codeguru-profiler',
+      resource: 'profilingGroup',
+      resourceName: profilingGroupName,
+    }));
+  }
+
+  /**
+   * Import an existing Profiling Group provided an ARN.
+   *
+   * @param scope The parent creating construct
+   * @param id The construct's name
+   * @param profilingGroupArn Profiling Group ARN
+   */
+  public static fromProfilingGroupArn(scope: Construct, id: string, profilingGroupArn: string): IProfilingGroup {
+    class Import extends ProfilingGroupBase {
+      public readonly profilingGroupName = Stack.of(scope).parseArn(profilingGroupArn).resource;
+      public readonly profilingGroupArn = profilingGroupArn;
+    }
+
+    return new Import(scope, id);
+  }
+
+  /**
+   * The name of the Profiling Group.
+   *
+   * @attribute
+   */
+  public readonly profilingGroupName: string;
+
+  /**
+   * The ARN of the Profiling Group.
+   *
+   * @attribute
+   */
+  public readonly profilingGroupArn: string;
+
+  constructor(scope: Construct, id: string, props: ProfilingGroupProps = {}) {
+    super(scope, id, {
+      physicalName: props.profilingGroupName ?? Lazy.stringValue({ produce: () => this.generateUniqueId() }),
+    });
+
+    const profilingGroup = new CfnProfilingGroup(this, 'ProfilingGroup', {
+      profilingGroupName: this.physicalName,
+    });
+
+    this.profilingGroupName = this.getResourceNameAttribute(profilingGroup.ref);
+
+    this.profilingGroupArn = this.getResourceArnAttribute(profilingGroup.attrArn, {
+      service: 'codeguru-profiler',
+      resource: 'profilingGroup',
+      resourceName: this.physicalName,
+    });
+  }
+
+  private generateUniqueId(): string {
+    const name = this.node.uniqueId;
+    if (name.length > 240) {
+      return name.substring(0, 120) + name.substring(name.length - 120);
+    }
+    return name;
+  }
+
+}

packages/@aws-cdk/aws-codeguruprofiler/package.json

@@ -67,14 +67,18 @@
   "devDependencies": {
     "@aws-cdk/assert": "0.0.0",
     "cdk-build-tools": "0.0.0",
+    "cdk-integ-tools": "0.0.0",
     "cfn2ts": "0.0.0",
     "pkglint": "0.0.0"
   },
   "dependencies": {
+    "@aws-cdk/aws-iam": "0.0.0",
     "@aws-cdk/core": "0.0.0"
   },
   "peerDependencies": {
-    "@aws-cdk/core": "0.0.0"
+    "@aws-cdk/core": "0.0.0",
+    "@aws-cdk/aws-iam": "0.0.0",
+    "constructs": "^3.0.2"
   },
   "engines": {
     "node": ">= 10.13.0 <13 || >=13.7.0"