Skip to content

Commit

Permalink
Merge branch 'main' into warn-for-resource-in-ecr-policy
Browse files Browse the repository at this point in the history
  • Loading branch information
ahammond authored Mar 5, 2023
2 parents 597c190 + 29bdd6c commit f8d2d27
Show file tree
Hide file tree
Showing 133 changed files with 7,620 additions and 1,175 deletions.
12 changes: 12 additions & 0 deletions CHANGELOG.v2.alpha.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,18 @@

All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.

## [2.67.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.66.1-alpha.0...v2.67.0-alpha.0) (2023-03-02)


### Features

* **msk:** add Kafka versions 3.1.1, 3.2.0, and and 3.3.1 ([#23918](https://github.com/aws/aws-cdk/issues/23918)) ([53a1d5f](https://github.com/aws/aws-cdk/commit/53a1d5fd81eabf5e9d846411754a554549f9f62c)), closes [#23899](https://github.com/aws/aws-cdk/issues/23899)


### Bug Fixes

* **servicecatalogappregistry:** applicationName can not be changed after deployment ([#24409](https://github.com/aws/aws-cdk/issues/24409)) ([6aa763f](https://github.com/aws/aws-cdk/commit/6aa763f100e5561f4554627116a458abba930480))

## [2.66.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.66.0-alpha.0...v2.66.1-alpha.0) (2023-02-23)

## [2.66.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.65.0-alpha.0...v2.66.0-alpha.0) (2023-02-21)
Expand Down
30 changes: 30 additions & 0 deletions CHANGELOG.v2.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,36 @@

All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.

## [2.67.0](https://github.com/aws/aws-cdk/compare/v2.66.1...v2.67.0) (2023-03-02)


### Features

* **apigateway:** minCompressionSize on SpecRestApi ([#24067](https://github.com/aws/aws-cdk/issues/24067)) ([2a81f0f](https://github.com/aws/aws-cdk/commit/2a81f0f7d9eb73cd0e807904357a5daf7d6e5017)), closes [#22926](https://github.com/aws/aws-cdk/issues/22926)
* **bootstrap:** prevent accidental bootstrap overwrites ([#24302](https://github.com/aws/aws-cdk/issues/24302)) ([3b251a5](https://github.com/aws/aws-cdk/commit/3b251a5e8e74332076c9e5dc810a80775fa77d61))
* **cli:** update csharp & fsharp template to net6.0 ([#23926](https://github.com/aws/aws-cdk/issues/23926)) ([3bd611d](https://github.com/aws/aws-cdk/commit/3bd611dcbdf802dbc918d0ecedaf3ac3d9d73503)), closes [#23921](https://github.com/aws/aws-cdk/issues/23921)
* **codebuild:** adds file asset support to build-spec ([#24289](https://github.com/aws/aws-cdk/issues/24289)) ([7cda567](https://github.com/aws/aws-cdk/commit/7cda5673fd3f6c5cd56ea59d71b14115f2a388f2)), closes [#1138](https://github.com/aws/aws-cdk/issues/1138)
* **ecs:** enable default capacity provider strategy ([#23955](https://github.com/aws/aws-cdk/issues/23955)) ([5a30ea6](https://github.com/aws/aws-cdk/commit/5a30ea6536df0fda0e0e7bb89d45666f57fb8890))
* **eks:** add helm flag --skip-crds ([#24213](https://github.com/aws/aws-cdk/issues/24213)) ([f68dbc2](https://github.com/aws/aws-cdk/commit/f68dbc2ce76a2df51081e959aa70e373a9bf5ac6)), closes [#24296](https://github.com/aws/aws-cdk/issues/24296)
* **sns:** Add FilterPolicyScope support ([#23108](https://github.com/aws/aws-cdk/issues/23108)) ([d986e14](https://github.com/aws/aws-cdk/commit/d986e143df3cf9b42031eba0f5a2d9a71d6d9208))
* **stepfunctions-tasks:** add revision number ([#24226](https://github.com/aws/aws-cdk/issues/24226)) ([643042b](https://github.com/aws/aws-cdk/commit/643042b8a15779b8a535567085b31424f4373515)), closes [#23491](https://github.com/aws/aws-cdk/issues/23491)


### Bug Fixes

* **cdk-assets:** Error when building Docker Image Assets with Podman ([#24003](https://github.com/aws/aws-cdk/issues/24003)) ([4b08e20](https://github.com/aws/aws-cdk/commit/4b08e20be3b829c752e425883da09188b2dcff72)), closes [/github.com/aws/aws-cdk/issues/16209#issue-978267269](https://github.com/aws//github.com/aws/aws-cdk/issues/16209/issues/issue-978267269) [#16209](https://github.com/aws/aws-cdk/issues/16209)
* **cloudwatch:** math expressions incorrectly warn about search and metrics ([#24313](https://github.com/aws/aws-cdk/issues/24313)) ([f3596eb](https://github.com/aws/aws-cdk/commit/f3596eb26f1e4ab360875bf5f79a7de991d2a9ec)), closes [#20136](https://github.com/aws/aws-cdk/issues/20136)
* **ec2:** userData in launchTemplate is created automatically when machineImege is provided ([#23593](https://github.com/aws/aws-cdk/issues/23593)) ([bb4311b](https://github.com/aws/aws-cdk/commit/bb4311bf05b64cc95a89a319743e3883fd3c5b15)), closes [#23592](https://github.com/aws/aws-cdk/issues/23592) [/github.com/aws/aws-cdk/pull/12385#discussion_r564614928](https://github.com/aws//github.com/aws/aws-cdk/pull/12385/issues/discussion_r564614928)
* **ecr-assets:** fix repeated deploys of stacks with tar assets ([#23497](https://github.com/aws/aws-cdk/issues/23497)) ([c2296a8](https://github.com/aws/aws-cdk/commit/c2296a87116c7bbaf6103a03364326c760a8f952)), closes [#18823](https://github.com/aws/aws-cdk/issues/18823) [#18822](https://github.com/aws/aws-cdk/issues/18822)
* **efs:** support tagging for access point ([#24336](https://github.com/aws/aws-cdk/issues/24336)) ([f9af47f](https://github.com/aws/aws-cdk/commit/f9af47f1fe48e66412d95f3eeef931c9322ba5b7)), closes [#20743](https://github.com/aws/aws-cdk/issues/20743)
* **eks:** changing the subnets or securityGroupIds order causes an error ([#24163](https://github.com/aws/aws-cdk/issues/24163)) ([09c2c19](https://github.com/aws/aws-cdk/commit/09c2c19f22979482020652d902a73dfcc4e593bd)), closes [#24162](https://github.com/aws/aws-cdk/issues/24162)
* **eks:** fix helm deploy login for public ECR repositories ([#24104](https://github.com/aws/aws-cdk/issues/24104)) ([71ec6b6](https://github.com/aws/aws-cdk/commit/71ec6b660cf5062c12c5205dadfc28f893251e4f)), closes [#23977](https://github.com/aws/aws-cdk/issues/23977)
* **eks:** integ tests errors ([#24276](https://github.com/aws/aws-cdk/issues/24276)) ([07f2d7b](https://github.com/aws/aws-cdk/commit/07f2d7b0b947cec31ed3132b95372b9975efa01e))
* **secretsmanager:** secret resource policy already exists in stack (under feature flag) ([#24365](https://github.com/aws/aws-cdk/issues/24365)) ([7dd8b7e](https://github.com/aws/aws-cdk/commit/7dd8b7e1ce88a13e597e52ff95353d74ab4807f1)), closes [#24383](https://github.com/aws/aws-cdk/issues/24383)
* **servicecatalog:** wrong asset path is generated in case outdir is absolute ([#24393](https://github.com/aws/aws-cdk/issues/24393)) ([0ebbf58](https://github.com/aws/aws-cdk/commit/0ebbf58bdd3307f536334beb5d1153e3ef660f18)), closes [#24392](https://github.com/aws/aws-cdk/issues/24392)
* **sns:** sns subscription filter policy condition limit should be 150 ([#24269](https://github.com/aws/aws-cdk/issues/24269)) ([1e1131c](https://github.com/aws/aws-cdk/commit/1e1131c207de2df7d5881a57cc28daa59bad975a))
* Correct SamlConsolePrincipal for non-China ([#24277](https://github.com/aws/aws-cdk/issues/24277)) ([e47646c](https://github.com/aws/aws-cdk/commit/e47646c0ff317a421b2f042158fcc0c7ae1aa2cf)), closes [#24243](https://github.com/aws/aws-cdk/issues/24243)

## [2.66.1](https://github.com/aws/aws-cdk/compare/v2.66.0...v2.66.1) (2023-02-23)


Expand Down
41 changes: 28 additions & 13 deletions packages/@aws-cdk/aws-apigateway/lib/authorizers/lambda.ts
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ import { CfnAuthorizer, CfnAuthorizerProps } from '../apigateway.generated';
import { Authorizer, IAuthorizer } from '../authorizer';
import { IRestApi } from '../restapi';


/**
* Base properties for all lambda authorizers
*/
Expand Down Expand Up @@ -122,22 +123,36 @@ abstract class LambdaAuthorizer extends Authorizer implements IAuthorizer {
*/
protected setupPermissions() {
if (!this.role) {
this.handler.addPermission(`${Names.uniqueId(this)}:Permissions`, {
principal: new iam.ServicePrincipal('apigateway.amazonaws.com'),
sourceArn: this.authorizerArn,
});
} else if (this.role instanceof iam.Role) { // i.e. not imported
this.role.attachInlinePolicy(new iam.Policy(this, 'authorizerInvokePolicy', {
statements: [
new iam.PolicyStatement({
resources: this.handler.resourceArnsForGrantInvoke,
actions: ['lambda:InvokeFunction'],
}),
],
}));
this.addDefaultPermisionRole();
} else if (iam.Role.isRole(this.role)) {
this.addLambdaInvokePermission(this.role);
}
}

/**
* Add Default Permission Role for handler
*/
private addDefaultPermisionRole() :void {
this.handler.addPermission(`${Names.uniqueId(this)}:Permissions`, {
principal: new iam.ServicePrincipal('apigateway.amazonaws.com'),
sourceArn: this.authorizerArn,
});
}

/**
* Add Lambda Invoke Permission for LambdaAurhorizer's role
*/
private addLambdaInvokePermission(role: iam.Role) :void {
role.attachInlinePolicy(new iam.Policy(this, 'authorizerInvokePolicy', {
statements: [
new iam.PolicyStatement({
resources: this.handler.resourceArnsForGrantInvoke,
actions: ['lambda:InvokeFunction'],
}),
],
}));
}

/**
* Returns a token that resolves to the Rest Api Id at the time of synthesis.
* Throws an error, during token resolution, if no RestApi is attached to this authorizer.
Expand Down
Original file line number Diff line number Diff line change
@@ -1,9 +1,7 @@
import * as path from 'path';
import * as lambda from '@aws-cdk/aws-lambda';
import { App, Stack } from '@aws-cdk/core';
import { MockIntegration, PassthroughBehavior, RestApi } from '../../lib';
import { RequestAuthorizer } from '../../lib/authorizers';
import { IdentitySource } from '../../lib/authorizers/identity-source';
import { MockIntegration, PassthroughBehavior, RestApi, RequestAuthorizer, IdentitySource } from '../../lib';

// Against the RestApi endpoint from the stack output, run
// `curl -s -o /dev/null -w "%{http_code}" <url>` should return 401
Expand Down
62 changes: 25 additions & 37 deletions packages/@aws-cdk/aws-apprunner/lib/service.ts
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import * as iam from '@aws-cdk/aws-iam';
import * as secretsmanager from '@aws-cdk/aws-secretsmanager';
import * as ssm from '@aws-cdk/aws-ssm';
import * as cdk from '@aws-cdk/core';
import { Lazy } from '@aws-cdk/core';
import { Construct } from 'constructs';
import { CfnService } from './apprunner.generated';
import { IVpcConnector } from './vpc-connector';
Expand Down Expand Up @@ -924,16 +925,6 @@ export class Service extends cdk.Resource {
*/
readonly environment: { [key: string]: string } = {};

/**
* Environment variables for this service.
*/
private environmentVariables: { [key: string]: string } = {};

/**
* Environment secrets for this service.
*/
private environmentSecrets: { [key: string]: Secret; } = {};

/**
* Environment secrets for this service.
*/
Expand Down Expand Up @@ -981,17 +972,22 @@ export class Service extends cdk.Resource {
this.source = source;
this.props = props;

this.environmentVariables = this.getEnvironmentVariables();
this.environmentSecrets = this.getEnvironmentSecrets();
this.instanceRole = this.props.instanceRole;

const environmentVariables = this.getEnvironmentVariables();
const environmentSecrets = this.getEnvironmentSecrets();

for (const [key, value] of Object.entries(environmentVariables)) {
this.addEnvironmentVariable(key, value);
}
for (const [key, value] of Object.entries(environmentSecrets)) {
this.addSecret(key, value);
}

// generate an IAM role only when ImageRepositoryType is ECR and props.accessRole is undefined
this.accessRole = (this.source.imageRepository?.imageRepositoryType == ImageRepositoryType.ECR) ?
this.props.accessRole ?? this.generateDefaultRole() : undefined;

// generalte an IAM role only when environmentSecrets has values and props.instanceRole is undefined
this.instanceRole = (Object.keys(this.environmentSecrets).length > 0 && !this.props.instanceRole) ?
this.createInstanceRole() : this.props.instanceRole;

if (this.source.codeRepository?.codeConfiguration.configurationSource == ConfigurationSourceType.REPOSITORY &&
this.source.codeRepository?.codeConfiguration.configurationValues) {
throw new Error('configurationValues cannot be provided if the ConfigurationSource is Repository');
Expand All @@ -1001,7 +997,7 @@ export class Service extends cdk.Resource {
instanceConfiguration: {
cpu: this.props.cpu?.unit,
memory: this.props.memory?.unit,
instanceRoleArn: this.instanceRole?.roleArn,
instanceRoleArn: Lazy.string({ produce: () => this.instanceRole?.roleArn }),
},
sourceConfiguration: {
authenticationConfiguration: this.renderAuthenticationConfiguration(),
Expand Down Expand Up @@ -1036,13 +1032,19 @@ export class Service extends cdk.Resource {
* This method adds an environment variable to the App Runner service.
*/
public addEnvironmentVariable(name: string, value: string) {
if (name.startsWith('AWSAPPRUNNER')) {
throw new Error(`Environment variable key ${name} with a prefix of AWSAPPRUNNER is not allowed`);
}
this.variables.push({ name: name, value: value });
}

/**
* This method adds a secret as environment variable to the App Runner service.
*/
public addSecret(name: string, secret: Secret) {
if (name.startsWith('AWSAPPRUNNER')) {
throw new Error(`Environment secret key ${name} with a prefix of AWSAPPRUNNER is not allowed`);
}
if (!this.instanceRole) {
this.instanceRole = this.createInstanceRole();
}
Expand Down Expand Up @@ -1130,36 +1132,22 @@ export class Service extends cdk.Resource {
port: props.port,
buildCommand: props.buildCommand,
runtime: props.runtime.name,
runtimeEnvironmentVariables: this.renderEnvironmentVariables(),
runtimeEnvironmentSecrets: this.renderEnvironmentSecrets(),
runtimeEnvironmentVariables: Lazy.any({ produce: () => this.renderEnvironmentVariables() }),
runtimeEnvironmentSecrets: Lazy.any({ produce: () => this.renderEnvironmentSecrets() }),
startCommand: props.startCommand,
};
}

private renderEnvironmentVariables(): EnvironmentVariable[] | undefined {
if (Object.keys(this.environmentVariables).length > 0) {
for (const [key, value] of Object.entries(this.environmentVariables)) {
if (key.startsWith('AWSAPPRUNNER')) {
throw new Error(`Environment variable key ${key} with a prefix of AWSAPPRUNNER is not allowed`);
}
this.variables.push({ name: key, value: value });
}
if (this.variables.length > 0) {
return this.variables;
} else {
return undefined;
}
}

private renderEnvironmentSecrets(): EnvironmentSecret[] | undefined {
if (Object.keys(this.environmentSecrets).length > 0 && this.instanceRole) {
for (const [key, value] of Object.entries(this.environmentSecrets)) {
if (key.startsWith('AWSAPPRUNNER')) {
throw new Error(`Environment secret key ${key} with a prefix of AWSAPPRUNNER is not allowed`);
}

value.grantRead(this.instanceRole);
this.secrets.push({ name: key, value: value.arn });
}
if (this.secrets.length > 0 && this.instanceRole) {
return this.secrets;
} else {
return undefined;
Expand All @@ -1171,8 +1159,8 @@ export class Service extends cdk.Resource {
imageConfiguration: {
port: repo.imageConfiguration?.port?.toString(),
startCommand: repo.imageConfiguration?.startCommand,
runtimeEnvironmentVariables: this.renderEnvironmentVariables(),
runtimeEnvironmentSecrets: this.renderEnvironmentSecrets(),
runtimeEnvironmentVariables: Lazy.any({ produce: () => this.renderEnvironmentVariables() }),
runtimeEnvironmentSecrets: Lazy.any({ produce: () => this.renderEnvironmentSecrets() }),
},
});
}
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
{
"version": "30.1.0",
"files": {
"21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
"source": {
"path": "AppRunnerLaterSecretsEnvVarsDefaultTestDeployAssert07867A67.template.json",
"packaging": "file"
},
"destinations": {
"current_account-current_region": {
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
"objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
}
}
}
},
"dockerImages": {}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
{
"Parameters": {
"BootstrapVersion": {
"Type": "AWS::SSM::Parameter::Value<String>",
"Default": "/cdk-bootstrap/hnb659fds/version",
"Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
}
},
"Rules": {
"CheckBootstrapVersion": {
"Assertions": [
{
"Assert": {
"Fn::Not": [
{
"Fn::Contains": [
[
"1",
"2",
"3",
"4",
"5"
],
{
"Ref": "BootstrapVersion"
}
]
}
]
},
"AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
}
]
}
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
{"version":"30.1.0"}
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
{
"version": "30.1.0",
"files": {
"7cbdc4561bb7693ec11f95d96ee8a14d99732d386c66f27cb36e08a108d4ef30": {
"source": {
"path": "integ-apprunner-later-secrets-env-vars.template.json",
"packaging": "file"
},
"destinations": {
"current_account-current_region": {
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
"objectKey": "7cbdc4561bb7693ec11f95d96ee8a14d99732d386c66f27cb36e08a108d4ef30.json",
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
}
}
}
},
"dockerImages": {}
}
Loading

0 comments on commit f8d2d27

Please sign in to comment.