Merge branch 'master' into feature/add-removal-policy-for-secretsmanager

.github/ISSUE_TEMPLATE.md

@@ -25,6 +25,7 @@ falling prey to the [X/Y problem][2]!
 
   - **CDK CLI Version:** <!-- Output of `cdk version` -->
   - **Module Version:** <!-- Version of the module in question -->
+  - **Node.js Version:** <!-- Version of Node.js (run the command `node -v`) -->
   - **OS:** <!-- [all | Windows 10 | OSX Mojave | Ubuntu | etc... ] -->
   - **Language:** <!-- [all | TypeScript | Java | Python ] etc... ] -->
 

CHANGELOG.md

@@ -2,6 +2,24 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [1.41.0](https://github.com/aws/aws-cdk/compare/v1.40.0...v1.41.0) (2020-05-21)
+
+
+### Features
+
+* **cloudtrail:** create cloudwatch event without needing to create a Trail ([#8076](https://github.com/aws/aws-cdk/issues/8076)) ([0567a23](https://github.com/aws/aws-cdk/commit/0567a2360ac713e3171c9a82767611174dadb6c6)), closes [#6716](https://github.com/aws/aws-cdk/issues/6716)
+* **cognito:** user pool - case sensitivity for sign in ([460394f](https://github.com/aws/aws-cdk/commit/460394f3dc4737cee80504d6c8ef106ecc3b67d5)), closes [#7988](https://github.com/aws/aws-cdk/issues/7988) [#7235](https://github.com/aws/aws-cdk/issues/7235)
+* **core:** CfnJson enables intrinsics in hash keys ([#8099](https://github.com/aws/aws-cdk/issues/8099)) ([195cd40](https://github.com/aws/aws-cdk/commit/195cd405d9f0869875de2ec78661aee3af2c7c7d)), closes [#8084](https://github.com/aws/aws-cdk/issues/8084)
+* **secretsmanager:** adds grantWrite to Secret ([#7858](https://github.com/aws/aws-cdk/issues/7858)) ([3fed84b](https://github.com/aws/aws-cdk/commit/3fed84ba9eec3f53c662966e366aa629209b7bf5))
+* **sns:** add support for subscription DLQ in SNS ([383cdb8](https://github.com/aws/aws-cdk/commit/383cdb86effeafdf5d0767ed379b16b3d78a933b))
+* **stepfunctions:** new service integration classes for Lambda, SNS, and SQS ([#7946](https://github.com/aws/aws-cdk/issues/7946)) ([c038848](https://github.com/aws/aws-cdk/commit/c0388483524832ca7863de4ee9c472b8ab39de8e)), closes [#6715](https://github.com/aws/aws-cdk/issues/6715) [#6489](https://github.com/aws/aws-cdk/issues/6489)
+
+
+### Bug Fixes
+
+* **apigateway:** contextAccountId in AccessLogField incorrectly resolves to requestId ([7b89e80](https://github.com/aws/aws-cdk/commit/7b89e805c716fa73d41cc97fcb728634e7a59136)), closes [#7952](https://github.com/aws/aws-cdk/issues/7952) [#7951](https://github.com/aws/aws-cdk/issues/7951)
+* **autoscaling:** add noDevice as a volume type ([#7253](https://github.com/aws/aws-cdk/issues/7253)) ([751958b](https://github.com/aws/aws-cdk/commit/751958b69225fdfc52622781c618f5a77f881fb6)), closes [#7242](https://github.com/aws/aws-cdk/issues/7242)
+
 ## [1.40.0](https://github.com/aws/aws-cdk/compare/v1.39.0...v1.40.0) (2020-05-20)
 
 

allowed-breaking-changes.txt

@@ -1,58 +1 @@
-incompatible-argument:@aws-cdk/aws-ecs.Ec2TaskDefinition.<initializer>
-incompatible-argument:@aws-cdk/aws-ecs.Ec2TaskDefinition.addVolume
-incompatible-argument:@aws-cdk/aws-ecs.FargateTaskDefinition.<initializer>
-incompatible-argument:@aws-cdk/aws-ecs.FargateTaskDefinition.addVolume
-incompatible-argument:@aws-cdk/aws-ecs.TaskDefinition.<initializer>
-incompatible-argument:@aws-cdk/aws-ecs.TaskDefinition.addVolume
-change-return-type:@aws-cdk/core.Fn.getAtt
-new-argument:@aws-cdk/aws-iam.ManagedPolicy.<initializer>
-new-argument:@aws-cdk/aws-iam.ManagedPolicy.<initializer>
-removed:@aws-cdk/aws-apigateway.AwsIntegration.props
-removed:@aws-cdk/aws-apigateway.HttpIntegration.props
-removed:@aws-cdk/aws-apigateway.Integration.props
-removed:@aws-cdk/aws-apigateway.LambdaIntegration.props
-removed:@aws-cdk/aws-apigateway.MockIntegration.props
-removed:@aws-cdk/aws-ecs-patterns.ScheduledEc2TaskDefinitionOptions.schedule
-removed:@aws-cdk/aws-ecs-patterns.ScheduledEc2TaskDefinitionOptions.cluster
-removed:@aws-cdk/aws-ecs-patterns.ScheduledEc2TaskDefinitionOptions.desiredTaskCount
-removed:@aws-cdk/aws-ecs-patterns.ScheduledEc2TaskDefinitionOptions.vpc
-removed:@aws-cdk/aws-ecs-patterns.ScheduledFargateTaskDefinitionOptions.schedule
-removed:@aws-cdk/aws-ecs-patterns.ScheduledFargateTaskDefinitionOptions.cluster
-removed:@aws-cdk/aws-ecs-patterns.ScheduledFargateTaskDefinitionOptions.desiredTaskCount
-removed:@aws-cdk/aws-ecs-patterns.ScheduledFargateTaskDefinitionOptions.vpc
-incompatible-argument:@aws-cdk/aws-lambda.Function.<initializer>
-incompatible-argument:@aws-cdk/aws-lambda.SingletonFunction.<initializer>
-incompatible-argument:@aws-cdk/aws-lambda.Function.addEnvironment
-changed-type:@aws-cdk/aws-dynamodb.Table.tableStreamArn
-incompatible-argument:@aws-cdk/aws-apigateway.LambdaRestApi.addModel
-incompatible-argument:@aws-cdk/aws-apigateway.Model.<initializer>
-incompatible-argument:@aws-cdk/aws-apigateway.RestApi.addModel
-incompatible-argument:@aws-cdk/aws-apigateway.ProxyResource.addProxy
-incompatible-argument:@aws-cdk/aws-apigateway.Resource.addProxy
-incompatible-argument:@aws-cdk/aws-apigateway.ResourceBase.addProxy
-incompatible-argument:@aws-cdk/aws-apigateway.IResource.addProxy
-incompatible-argument:@aws-cdk/aws-apigateway.RequestAuthorizer.<initializer>
-incompatible-argument:@aws-cdk/aws-servicediscovery.Service.fromServiceAttributes
-removed:@aws-cdk/core.ConstructNode.addReference
-removed:@aws-cdk/core.ConstructNode.references
-removed:@aws-cdk/core.OutgoingReference
-change-return-type:@aws-cdk/aws-lambda-destinations.EventBridgeDestination.bind
-change-return-type:@aws-cdk/aws-lambda-destinations.LambdaDestination.bind
-change-return-type:@aws-cdk/aws-lambda-destinations.SnsDestination.bind
-change-return-type:@aws-cdk/aws-lambda-destinations.SqsDestination.bind
-removed:@aws-cdk/cdk-assets-schema.DockerImageDestination.imageUri
-incompatible-argument:@aws-cdk/aws-iam.FederatedPrincipal.<initializer>
-incompatible-argument:@aws-cdk/aws-iam.PolicyStatement.addCondition
-incompatible-argument:@aws-cdk/aws-iam.PolicyStatement.addConditions
-incompatible-argument:@aws-cdk/aws-iam.PolicyStatement.addFederatedPrincipal
-incompatible-argument:@aws-cdk/aws-iam.PrincipalPolicyFragment.<initializer>
-changed-type:@aws-cdk/aws-iam.FederatedPrincipal.conditions
-changed-type:@aws-cdk/aws-iam.PrincipalPolicyFragment.conditions
-changed-type:@aws-cdk/aws-iam.PrincipalWithConditions.conditions
-removed:@aws-cdk/cdk-assets-schema.Placeholders
-# Following two are because we're turning: properties: {string=>any} into a union of typed interfaces
-# Needs to be removed after next release.
-incompatible-argument:@aws-cdk/cloud-assembly-schema.Manifest.save
-change-return-type:@aws-cdk/cloud-assembly-schema.Manifest.load
-removed:@aws-cdk/core.DefaultStackSynthesizer.DEFAULT_DEPLOY_ACTION_ROLE_ARN
-removed:@aws-cdk/core.DefaultStackSynthesizerProps.deployActionRoleArn
+

lerna.json

@@ -10,5 +10,5 @@
     "tools/*"
   ],
   "rejectCycles": "true",
-  "version": "1.40.0"
+  "version": "1.41.0"
 }

packages/@aws-cdk/aws-cloudtrail/README.md

@@ -51,7 +51,9 @@ const trail = new cloudtrail.Trail(this, 'CloudTrail', {
 ```
 
 This creates the same setup as above - but also logs events to a created CloudWatch Log stream.
-By default, the created log group has a retention period of 365 Days, but this is also configurable.
+By default, the created log group has a retention period of 365 Days, but this is also configurable
+via the `cloudWatchLogsRetention` property. If you would like to specify the log group explicitly,
+use the `cloudwatchLogGroup` property.
 
 For using CloudTrail event selector to log specific S3 events,
 you can use the `CloudTrailProps` configuration object.

packages/@aws-cdk/aws-cloudtrail/lib/cloudtrail.ts

@@ -63,12 +63,19 @@ export interface TrailProps {
   readonly sendToCloudWatchLogs?: boolean;
 
   /**
-   * How long to retain logs in CloudWatchLogs. Ignored if sendToCloudWatchLogs is false
+   * How long to retain logs in CloudWatchLogs.
+   * Ignored if sendToCloudWatchLogs is false or if cloudWatchLogGroup is set.
    *
-   *  @default logs.RetentionDays.OneYear
+   *  @default logs.RetentionDays.ONE_YEAR
    */
   readonly cloudWatchLogsRetention?: logs.RetentionDays;
 
+  /**
+   * Log Group to which CloudTrail to push logs to. Ignored if sendToCloudWatchLogs is set to false.
+   * @default - a new log group is created and used.
+   */
+  readonly cloudWatchLogGroup?: logs.ILogGroup;
+
   /** The AWS Key Management Service (AWS KMS) key ID that you want to use to encrypt CloudTrail logs.
    *
    * @default - No encryption.
@@ -171,6 +178,12 @@ export class Trail extends Resource {
    */
   public readonly trailSnsTopicArn: string;
 
+  /**
+   * The CloudWatch log group to which CloudTrail events are sent.
+   * `undefined` if `sendToCloudWatchLogs` property is false.
+   */
+  public readonly logGroup?: logs.ILogGroup;
+
   private s3bucket: s3.IBucket;
   private eventSelectors: EventSelector[] = [];
 
@@ -200,19 +213,22 @@ export class Trail extends Resource {
       },
     }));
 
-    let logGroup: logs.CfnLogGroup | undefined;
     let logsRole: iam.IRole | undefined;
 
     if (props.sendToCloudWatchLogs) {
-      logGroup = new logs.CfnLogGroup(this, 'LogGroup', {
-        retentionInDays: props.cloudWatchLogsRetention || logs.RetentionDays.ONE_YEAR,
-      });
+      if (props.cloudWatchLogGroup) {
+        this.logGroup = props.cloudWatchLogGroup;
+      } else {
+        this.logGroup = new logs.LogGroup(this, 'LogGroup', {
+          retention: props.cloudWatchLogsRetention ?? logs.RetentionDays.ONE_YEAR,
+        });
+      }
 
       logsRole = new iam.Role(this, 'LogsRole', { assumedBy: cloudTrailPrincipal });
 
       logsRole.addToPolicy(new iam.PolicyStatement({
         actions: ['logs:PutLogEvents', 'logs:CreateLogStream'],
-        resources: [logGroup.attrArn],
+        resources: [this.logGroup.logGroupArn],
       }));
     }
 
@@ -234,8 +250,8 @@ export class Trail extends Resource {
       kmsKeyId: props.kmsKey && props.kmsKey.keyArn,
       s3BucketName: this.s3bucket.bucketName,
       s3KeyPrefix: props.s3KeyPrefix,
-      cloudWatchLogsLogGroupArn: logGroup && logGroup.attrArn,
-      cloudWatchLogsRoleArn: logsRole && logsRole.roleArn,
+      cloudWatchLogsLogGroupArn: this.logGroup?.logGroupArn,
+      cloudWatchLogsRoleArn: logsRole?.roleArn,
       snsTopicName: props.snsTopic,
       eventSelectors: this.eventSelectors,
     });

packages/@aws-cdk/aws-cloudtrail/test/cloudtrail.test.ts

@@ -2,7 +2,7 @@ import { SynthUtils } from '@aws-cdk/assert';
 import '@aws-cdk/assert/jest';
 import * as iam from '@aws-cdk/aws-iam';
 import * as lambda from '@aws-cdk/aws-lambda';
-import { RetentionDays } from '@aws-cdk/aws-logs';
+import { LogGroup, RetentionDays } from '@aws-cdk/aws-logs';
 import * as s3 from '@aws-cdk/aws-s3';
 import { Stack } from '@aws-cdk/core';
 import { ReadWriteType, Trail } from '../lib';
@@ -176,7 +176,7 @@ describe('cloudtrail', () => {
               Effect: 'Allow',
               Action: ['logs:PutLogEvents', 'logs:CreateLogStream'],
               Resource: {
-                'Fn::GetAtt': ['MyAmazingCloudTrailLogGroupAAD65144', 'Arn'],
+                'Fn::GetAtt': ['MyAmazingCloudTrailLogGroup2BE67F87', 'Arn'],
               },
             }],
           },
@@ -205,6 +205,44 @@ describe('cloudtrail', () => {
         const trail: any = SynthUtils.synthesize(stack).template.Resources.MyAmazingCloudTrail54516E8D;
         expect(trail.DependsOn).toEqual([logsRolePolicyName, logsRoleName, 'MyAmazingCloudTrailS3Policy39C120B0']);
       });
+
+      test('enabled and with custom log group', () => {
+        const stack = getTestStack();
+        const cloudWatchLogGroup = new LogGroup(stack, 'MyLogGroup', {
+          retention: RetentionDays.FIVE_DAYS,
+        });
+        new Trail(stack, 'MyAmazingCloudTrail', {
+          sendToCloudWatchLogs: true,
+          cloudWatchLogsRetention: RetentionDays.ONE_WEEK,
+          cloudWatchLogGroup,
+        });
+
+        expect(stack).toHaveResource('AWS::Logs::LogGroup', {
+          RetentionInDays: 5,
+        });
+
+        expect(stack).toHaveResource('AWS::CloudTrail::Trail', {
+          CloudWatchLogsLogGroupArn: stack.resolve(cloudWatchLogGroup.logGroupArn),
+        });
+
+        expect(stack).toHaveResourceLike('AWS::IAM::Policy', {
+          PolicyDocument: {
+            Statement: [{
+              Resource: stack.resolve(cloudWatchLogGroup.logGroupArn),
+            }],
+          },
+        });
+      });
+
+      test('disabled', () => {
+        const stack = getTestStack();
+        const t = new Trail(stack, 'MyAmazingCloudTrail', {
+          sendToCloudWatchLogs: false,
+          cloudWatchLogsRetention: RetentionDays.ONE_WEEK,
+        });
+        expect(t.logGroup).toBeUndefined();
+        expect(stack).not.toHaveResource('AWS::Logs::LogGroup');
+      });
     });
 
     describe('with event selectors', () => {

packages/@aws-cdk/aws-cloudwatch-actions/lib/appscaling.ts

@@ -9,6 +9,10 @@ export class ApplicationScalingAction implements cloudwatch.IAlarmAction {
   constructor(private readonly stepScalingAction: appscaling.StepScalingAction) {
   }
 
+  /**
+   * Returns an alarm action configuration to use an ApplicationScaling StepScalingAction
+   * as an alarm action
+   */
   public bind(_scope: cdk.Construct, _alarm: cloudwatch.IAlarm): cloudwatch.AlarmActionConfig {
     return { alarmActionArn: this.stepScalingAction.scalingPolicyArn };
   }

packages/@aws-cdk/aws-cloudwatch-actions/lib/autoscaling.ts

@@ -9,6 +9,10 @@ export class AutoScalingAction implements cloudwatch.IAlarmAction {
   constructor(private readonly stepScalingAction: autoscaling.StepScalingAction) {
   }
 
+  /**
+   * Returns an alarm action configuration to use an AutoScaling StepScalingAction
+   * as an alarm action
+   */
   public bind(_scope: cdk.Construct, _alarm: cloudwatch.IAlarm): cloudwatch.AlarmActionConfig {
     return { alarmActionArn: this.stepScalingAction.scalingPolicyArn };
   }

packages/@aws-cdk/aws-cloudwatch-actions/lib/sns.ts

@@ -9,6 +9,9 @@ export class SnsAction implements cloudwatch.IAlarmAction {
   constructor(private readonly topic: sns.ITopic) {
   }
 
+  /**
+   * Returns an alarm action configuration to use an SNS topic as an alarm action
+   */
   public bind(_scope: Construct, _alarm: cloudwatch.IAlarm): cloudwatch.AlarmActionConfig {
     return { alarmActionArn: this.topic.topicArn };
   }

packages/@aws-cdk/aws-cloudwatch-actions/package.json

@@ -90,13 +90,6 @@
     "node": ">= 10.13.0 <13 || >=13.7.0"
   },
   "stability": "stable",
-  "awslint": {
-    "exclude": [
-      "docs-public-apis:@aws-cdk/aws-cloudwatch-actions.ApplicationScalingAction.bind",
-      "docs-public-apis:@aws-cdk/aws-cloudwatch-actions.AutoScalingAction.bind",
-      "docs-public-apis:@aws-cdk/aws-cloudwatch-actions.SnsAction.bind"
-    ]
-  },
   "awscdkio": {
     "announce": false
   },

packages/@aws-cdk/aws-codepipeline/lib/cross-region-support-stack.ts

@@ -71,6 +71,8 @@ export interface CrossRegionSupportStackProps {
    * @example '012345678901'
    */
   readonly account: string;
+
+  readonly synthesizer: cdk.IStackSynthesizer | undefined;
 }
 
 /**
@@ -90,6 +92,7 @@ export class CrossRegionSupportStack extends cdk.Stack {
         region: props.region,
         account: props.account,
       },
+      synthesizer: props.synthesizer,
     });
 
     const crossRegionSupportConstruct = new CrossRegionSupportConstruct(this, 'Default');

packages/@aws-cdk/aws-codepipeline/lib/pipeline.ts

@@ -2,7 +2,10 @@ import * as events from '@aws-cdk/aws-events';
 import * as iam from '@aws-cdk/aws-iam';
 import * as kms from '@aws-cdk/aws-kms';
 import * as s3 from '@aws-cdk/aws-s3';
-import { App, Construct, Lazy, PhysicalName, RemovalPolicy, Resource, Stack, Token } from '@aws-cdk/core';
+import {
+  App, BootstraplessSynthesizer, Construct, DefaultStackSynthesizer,
+  IStackSynthesizer, Lazy, PhysicalName, RemovalPolicy, Resource, Stack, Token,
+} from '@aws-cdk/core';
 import { ActionCategory, IAction, IPipeline, IStage } from './action';
 import { CfnPipeline } from './codepipeline.generated';
 import { CrossRegionSupportConstruct, CrossRegionSupportStack } from './cross-region-support-stack';
@@ -483,6 +486,7 @@ export class Pipeline extends PipelineBase {
         pipelineStackName: pipelineStack.stackName,
         region: actionRegion,
         account: pipelineAccount,
+        synthesizer: this.getCrossRegionSupportSynthesizer(),
       });
     }
 
@@ -492,6 +496,23 @@ export class Pipeline extends PipelineBase {
     };
   }
 
+  private getCrossRegionSupportSynthesizer(): IStackSynthesizer | undefined {
+    if (this.stack.synthesizer instanceof DefaultStackSynthesizer) {
+      // if we have the new synthesizer,
+      // we need a bootstrapless copy of it,
+      // because we don't want to require bootstrapping the environment
+      // of the pipeline account in this replication region
+      return new BootstraplessSynthesizer({
+        deployRoleArn: this.stack.synthesizer.deployRoleArn,
+        cloudFormationExecutionRoleArn: this.stack.synthesizer.cloudFormationExecutionRoleArn,
+      });
+    } else {
+      // any other synthesizer: just return undefined
+      // (ie., use the default based on the context settings)
+      return undefined;
+    }
+  }
+
   private generateNameForDefaultBucketKeyAlias(): string {
     const prefix = 'alias/codepipeline-';
     const maxAliasLength = 256;

packages/@aws-cdk/aws-codepipeline/package.json

@@ -68,6 +68,7 @@
   "license": "Apache-2.0",
   "devDependencies": {
     "@aws-cdk/assert": "0.0.0",
+    "@aws-cdk/cx-api": "0.0.0",
     "@types/nodeunit": "^0.0.31",
     "cdk-build-tools": "0.0.0",
     "cdk-integ-tools": "0.0.0",