chore(release): 1.61.0 #10000
Merged
Added dependency between the CfnApiKey and CfnSchema. The dependency here is to prevent a `ConcurrencyModificationError` as seen in #8168. We allow this dependency to exist because from referencing the [docs](https://docs.aws.amazon.com/appsync/latest/APIReference/API_CreateApiKey.html#API_CreateApiKey_Errors) there shouldn't be any issue between creating an api key before or after schema creation. Also make ApiKeyConfig correctly configure the ApiKey when used in `additionalAuthorizationModes`. Fixes #9736 Fixes #8168 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ons (#9569) CDK metadata is not supported in either region. ELV logging accounts were already present. ALIAS records to S3 Websites are not supported in eu-south-1. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Configure `keyword-spacing`, `brace-style` and `space-before-blocks` to uniformize spacing.

Valid `if`:

```ts
if (condition) {
  // code
} else {
  // code
}
```

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
) CloudFormation allows treating numbers and strings interchangeably. We previously allowed passing strings as numbers, but this change allows the conversion in the second direction: passing numbers as strings. Fixes #9784 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
better advertise this change.
There was a branch that obviously contained a bug, and yet all tests worked fine. It's because this code didn't do what I thought it did. The `~/.aws/credentials` file is something we read *explicitly*, but the `~/.aws/config` file is read *implicitly* by the `SharedIniFileCredentials` if the right environment variable is set, so we don't have to do that one explicitly. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Introduce `Annotations.addDeprecation()` which will attach a warning to the construct indicating that a deprecated API is used. At the moment, we only use this to warn when `.node` is used instead of `.construct`, but we will gradually use this to report the usage of all deprecated APIs as a preparation for v2.0. If the environment variable `CDK_BLOCK_DEPRECATIONS` is set (and it is set in `cdk-test`), it will cause usage of deprecated APIs to throw an error instead. Related: aws/aws-cdk-rfcs#192 ---- #### Build will be failing until #9584 is merged ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…9831)

We always intended the FileAsset KMS Key to be transparently usable by any IAM identity allowed to read from and write to the FileAsset Bucket. We incorrectly implemented this, however.

We used to use the following key policy:

```
- Action: [...]
  Principal: { AWS: "123456789012" }
  Condition:
    StringEquals:
      kms:ViaService:
        Fn::Sub: s3.${AWS::Region}.amazonaws.com
```

And this was intended to mean "any identity from the given account". That is *not* how KMS interprets it, though. `Principal: { AWS: "123456789012" }` is equivalent to `Principal: { AWS: "arn:aws:iam::123456789012:root" }`, and `arn:aws:iam::123456789012:root` is a principal which is treated in a special way by KMS, and it means "use the caller's IAM Identity Policy instead".

So while I was under the impression that it was strictly necessary for KMS usage permissions to exist both on the key and on the identity, this is only true if you use the `arn:aws:iam::123456789012:root` principal.

The correct way to express the condition we had intended to express was instead to use a condition called `kms:CallerAccount` in combination with the principal `*`:

```
- Action: [...]
  Principal: { AWS: "*" }
  Condition:
    StringEquals:
      kms:CallerAccount: "123456789012"
      kms:ViaService:
        Fn::Sub: s3.${AWS::Region}.amazonaws.com
```

This PR changes the key policy in the bootstrap resources to use the policy that we always had intended. This now gets rid of the requirement for IAM identities to list `kms:Decrypt` in their role policy, and so gets rid of the requirement for them to know the KMS key ARN.

This makes the stack synthesized by the legacy stack synthesizer work with the new bootstrap stack, and also removes the need for the new synthesizer to import the KMS key ARN using `Fn::ImportValue`.
---

However, the new stack synthesizer *does* now require that you have the newest bootstrap stack installed, and since templates are likely deployed using a pipeline, the CLI is not involved to do the `MINIMUM_BOOTSTRAP_STACK` version check.

Originally I had intended to use the version `Export` to add version checking to the template, but that doesn't actually work for 2 reasons:

- `Fn::ImportValue` can only occur in a limited set of positions in the CloudFormation template.
- If an `Export` is used by a Stack, it cannot be changed anymore. That means that even if we had done the check using `Fn::ImportValue`, users wouldn't have been allowed to update the bootstrap stack anymore.

What we should have done from the start, and what this PR introduces, is storing the bootstrap stack version in an SSM Parameter Store Parameter. This value can be inspected in a CloudFormation **Rules** section, which will produce a readable error message about why the template cannot be deployed.

Any assertion failure reasons will be reported on a `ROLLBACK_IN_PROGRESS` event, so classify those appropriately in the stack monitor so the error message gets displayed.

Fixes #9607.

BREAKING CHANGE: (cdk-pipelines) users of CDK Pipelines (and other users of the new stack synthesizer) will need to update their bootstrap stack by running `cdk bootstrap` with the new CLI. Until they do, deployments will fail with the error: `Unable to fetch parameters [/aws-cdk-bootstrap/hnb659fds/version]`

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
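The difference between the two key policies in the commit message above, as an added example that is not part of the PR or the CDK code base: a simplified TypeScript check that classifies key-policy statements by how their principal is scoped. The type and function names (`KeyPolicyStatement`, `classify`, `reviewAllows`) and the third sample statement are assumptions made for illustration.

```typescript
// Added example: classify KMS key-policy statements by how the principal is scoped.
// Simplified model of the behaviour described in the commit message; names are hypothetical.

type Verdict =
  | "DELEGATES_TO_IAM"    // account id or :root principal: the caller's identity policy must also allow KMS
  | "ACCOUNT_SCOPED"      // "*" principal narrowed by kms:CallerAccount (the corrected form)
  | "UNSCOPED_WILDCARD"   // "*" principal with no kms:CallerAccount condition
  | "SPECIFIC_PRINCIPAL"; // a named role or user ARN

type ConditionBlock = { [operator: string]: { [key: string]: unknown } };

interface KeyPolicyStatement {
  Effect: "Allow" | "Deny";
  Principal: "*" | { AWS: string | string[] };
  Condition?: ConditionBlock;
}

const ACCOUNT_ID = /^\d{12}$/;
const ROOT_ARN = /^arn:aws[a-z-]*:iam::\d{12}:root$/;

function principalList(s: KeyPolicyStatement): string[] {
  if (s.Principal === "*") return ["*"];
  const aws = s.Principal.AWS;
  return Array.isArray(aws) ? aws : [aws];
}

// Condition key names are case-insensitive; only the plain StringEquals operator is modelled.
function hasCallerAccount(s: KeyPolicyStatement): boolean {
  const cond: ConditionBlock = s.Condition || {};
  const equals = cond["StringEquals"] || {};
  return Object.keys(equals).some((k) => k.toLowerCase() === "kms:calleraccount");
}

function classify(s: KeyPolicyStatement): Verdict {
  const ps = principalList(s);
  if (ps.some((p) => p === "*")) {
    return hasCallerAccount(s) ? "ACCOUNT_SCOPED" : "UNSCOPED_WILDCARD";
  }
  if (ps.some((p) => ACCOUNT_ID.test(p) || ROOT_ARN.test(p))) return "DELEGATES_TO_IAM";
  return "SPECIFIC_PRINCIPAL";
}

// Verdicts for the Allow statements of a policy, in order.
function reviewAllows(statements: KeyPolicyStatement[]): Verdict[] {
  return statements.filter((s) => s.Effect === "Allow").map(classify);
}

const viaS3 = { "Fn::Sub": "s3.${AWS::Region}.amazonaws.com" };

// Constructed sample: the two statements from the commit message,
// plus a wildcard statement that has no account condition.
const SAMPLE: KeyPolicyStatement[] = [
  { Effect: "Allow", Principal: { AWS: "123456789012" },
    Condition: { StringEquals: { "kms:ViaService": viaS3 } } },
  { Effect: "Allow", Principal: { AWS: "*" },
    Condition: { StringEquals: { "kms:CallerAccount": "123456789012", "kms:ViaService": viaS3 } } },
  { Effect: "Allow", Principal: { AWS: "*" },
    Condition: { StringEquals: { "kms:ViaService": viaS3 } } },
];

const SAMPLE_VERDICTS = reviewAllows(SAMPLE);
// ["DELEGATES_TO_IAM", "ACCOUNT_SCOPED", "UNSCOPED_WILDCARD"]
```

A `DELEGATES_TO_IAM` verdict is the situation the commit message describes, where callers also need `kms:Decrypt` in their own role policy; `UNSCOPED_WILDCARD` is the form to reject in review because nothing ties the statement to the owning account.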
Add an alias (effectively, a display name) for the file asset bucket encryption key, so it is easier to recognize in the console. This change is otherwise not functional, the alias is not used to refer to the key. Fixes #6719. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
chore: update ownership in auto label/assign action
Change the "BREAKING CHANGES" header in the CHANGELOG to "BREAKING CHANGES TO EXPERIMENTAL FEATURES" to make sure that stable features are not being broken. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Add YAML support for the short form of Condition: `!Condition`. fixes #9785 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…9757) **Implementation** Update package `@aws-cdk/aws-stepfunctions-tasks` to include support for CodeBuild **StartBuild** API as per documentation here: https://docs.aws.amazon.com/step-functions/latest/dg/connect-codebuild.html Includes support for the following Amazon SageMaker API calls: * `StartBuild` Closes #8043 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ns (#9893) The existing `CloudFrontWebDistribution` construct needs to be configured quite differently depending on whether the backing bucket is configured for website hosting or not; this can lead to confusion and incorrect results if the wrong origin type is used. This doc update explicitly calls out the different options, including the newer experimental construct that hides this complexity entirely. fixes #7434 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
feat(eks): envelope encryption for secrets

This PR adds envelope encryption support for Amazon EKS.

Added a new key `secretsEncryptionKey` in `ClusterProps` for users to specify their own KMS CMK upon cluster creation:

```ts
new eks.Cluster(this, 'Cluster', {
  version: eks.KubernetesVersion.V1_16,
  secretsEncryptionKey,
});
```

Closes: #9140

----

## Considerations

1. Confirmed `Secrets Encryption` is enabled in the provisioned Amazon EKS (both standard resource `AWS::EKS::Cluster` and custom resource `Custom::AWSCDK-EKS-Cluster`) after running an integration test from scratch.
2. By inspecting the CloudTrail logs after the integration test, confirmed the exact KMS IAM permission required for the cluster creation role as `['kms:Encrypt', 'kms:Decrypt', 'kms:DescribeKey', 'kms:CreateGrant']`.

Note: The encryption provider is using its own way to generate data encryption key, not using KMS GenerateDataKey, and hence IAM permission `kms:GenerateDataKey*` is not required.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Added unit tests for default and additional auth config and cleaning up the code. Fixes: #9846 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
In some odd cases, a scope will not declare any properties, and will not have an empty object there either. Gracefully handle this situation.
It used to be `aws-cdk-bootstrap` but we're not allowed to start strings with the letters `aws`, those names are reserved. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
#8280 enabled imported resources to be account & region aware. However, while this set the region on the object itself, it didn't adjust the various region-aware properties of imported buckets (e.g., regional domain names). This change makes the regional properties of the imported bucket use the correct region. fixes #9556 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
#9933) The `aws-auto-scaling-group` and `aws-elasticloadbalancingv2` modules both contain a `HealthCheck` class, meaning those copy/pasting from the Javadocs will get an error on the HealthCheck usage in the Lambda example. Update the import for ASGs to be qualified to remove the conflict. fixes #9895 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
As a follow-on to enabling IAM database auth, this change makes it easier to grant a user/role access to the database via policy. fixes #1558 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Enable setting deletionProtection for a DatabaseCluster. Note - Marking as 'exempt-readme' as I don't think this is big enough to merit a README change. Feel free to disagree. fixes #6944 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Implemented interfaces and resolvable fields for code-first schema.

`Field` extends `GraphqlType` and will allow you to define arguments.

<details>
<summary> Field Example </summary>

```gql
type Node {
  test(argument: String): String
}
```

The CDK code required would be:

```ts
const field = new appsync.Field(appsync.GraphqlType.string(), {
  args: {
    argument: appsync.GraphqlType.string(),
  },
});
const type = new appsync.ObjectType('Node', {
  definition: { test: field },
});
```

</details>

`ResolvableField` extends `Field` and will allow you to define arguments and its resolvers.

[**Object Types**](#Object-Types) can have fields that resolve and perform operations on your backend.

<details>
<summary> Resolvable Field Example </summary>

For example, if we want to create the following type:

```gql
type Query {
  get(argument: String): String
}
```

The CDK code required would be:

```ts
const field = new appsync.Field(appsync.GraphqlType.string(), {
  args: {
    argument: appsync.GraphqlType.string(),
  },
  dataSource: api.addNoneDataSource('none'),
  requestMappingTemplate: dummyRequest,
  responseMappingTemplate: dummyResponse,
});
const type = new appsync.ObjectType('Query', {
  definition: { get: field },
});
```

</details>

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
The `vpnGatewayId` property is already declared as a dynamic property (a getter) in `VpcBase`, and it is being overridden by a "plain" property declaration. This pattern is disallowed in TypeScript 4 due to the risk of runtime errors when this is done incorrectly (see more details in microsoft/TypeScript#37894). In any case, the override was likely a mistake, as no value was ever set to the overridden property (values were correctly set on `this._vpnGatewayId`, which backs the dynamic getter on `VpcBase`). ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Enables EC2 instances to automatically determine their current region by querying the Instance Metadata Service (IMDS). Both IMDSv1 and v2 are supported. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Add the `functionName` prop to customize the name of the Lambda function implementing the custom resource. Closes #9771 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
We used to render all periods as `PT...`, but the correct formatting is `P(days)T(hms)`. Fixes #9906. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
When building MonoCDK, `jsii` generates project references for all the discovered dependencies, which will then make the TypeScript compiler re-validate them before building. This effort is however unnecessary since those dependencies are actually not used during compilation! This adds a new `pkglint` rule to require explicit configuration of the `jsii.projectReferences` parameter in `package.json`, instead of always enabling it in `cdk-build`. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
I myself keep on forgetting whether it's spelled 'BREAKING CHANGE:' or 'BREAKING CHANGES:', and maybe whether or not to put a `(topic)` there, that I prefer a machine checks this for me.
Make sure all dependencies are on the latest, in particular ensure all instances of `dot-prop` are versions that are patched against CVE-2020-8116 (i.e. >= 5.2.0 or >= 4.2.1).
…9808)

move LogRetention construct definition from lambda to logs while refactoring it so it does not depend on lambda constructs

this required reimplementing the functionality provided by lambda.SingletonFunction using CfnResource

keep declared classes/interfaces in lambda for compatibility while marking them as deprecated

they should be removed in an upcoming breaking change for their current customers in lambda and rds

Fixes #9671
Part of my continuing campaign to update everything to Jest. There were a small enough number of tests to opt for full rewrites, rather than using the `nodeunitshim` helper. One little hack for the diff's sake. I added a dummy `describe('tests')` group to the top of each test to keep the indentation the same as with nodeunit. This fixed git's delta detection algorithm to only show actual changes, rather than showing the old and new files as completely unrelated.
Following up on #9928 which changed the name of the job from `mandatory-changes` to `validate-pr`.
…utions (#9966) The error produced is around construct collision, i.e., "There is already a Construct with name '$LATEST'". The fix is to cache the latest version on the instance. fixes #4459 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Add `currentVersion` for singleton functions. This makes it possible to use them for Lambda@Edge. To achieve this, make `ensureLambda()` return a `Function` and not an `IFunction` (which now allows to remove the default implementation of `_checkEdgeCompatibilty()` in `FunctionBase`). Also remove deprecated calls to `addVersion()` introduced in #9562. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…9870) Execute local bundling from the directory containing the entry file. Without this change, in a monorepo with multiple `package.json` files or when consuming a module exposing a construct, Parcel doesn't look for the right `package.json`. Also fix a regression introduced in #9632 for the working directory in the container. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…(revisited) (#9576)

This PR changes `AssetStaging` so that the bundler will re-use pre-existing output. Before, the bundler would re-run Docker without considering pre-existing assets, which was slow. Now, when handling a `SOURCE` hash type, the bundler detects and returns pre-existing asset output without re-running Docker. For all other hash types, the bundler outputs to an intermediate directory before calculating asset hashes, then renames the intermediate directory into its final location.

This PR revisits #8916 which originally closed #8882. Here are some details from the previous PR which have been addressed in this PR:

- The bundler now outputs directly into the assembly directory
- The bundler's assets can be reused between multiple syntheses
- The bundler keeps output from failed bundling attempts for diagnosability purposes (renamed with an `-error` suffix)
- Bundler options are hashed together with custom and source hashes
- Removed the check for a docker run from `throws with assetHash and not CUSTOM hash type` as docker is no longer run before the AssetStaging props are validated.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Updated the `aws-sdk` dependency to prevent build error from aws-logs. [Changes](https://github.com/aws/aws-sdk-js/blob/master/CHANGELOG.md) to the `aws-sdk` have moved `RetryDelayOptions` [out](https://github.com/aws/aws-sdk-js/blob/9bd7fdbda9929d4f259996d468de80e210a4ce78/lib/config-base.d.ts) of `Config`. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Separating GraphQL Schema from GraphQL Api to simplify GraphQL Api Props.

`GraphQL Schema` is now its own class and employs static functions to construct GraphQL API.

By default, GraphQL Api will be configured to a code-first approach. To override this, use the `schema` property to specify a method of schema declaration.

For example,

```ts
const api = new appsync.GraphQLApi(stack, 'api', {
  name: 'myApi',
  schema: appsync.Schema.fromAsset(join(__dirname, 'schema.graphl')),
});
```

**BREAKING CHANGES**: AppSync GraphQL Schema declared through static functions as opposed to two separate properties

- **appsync**: props `SchemaDefinition` and `SchemaDefinitionFile` have been condensed down to a singular property `schema`
- **appsync**: no longer directly exposes `CfnGraphQLSchema` from `GraphQLApi.schema`

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
If `grantInvoke()` is called twice for the same principal, the second call fails due to attempting to create two `CfnPermission` nodes with the same id. This (simple) fix skips the second creation if the node already exists. A more robust check would be to check the existing `CfnPermission`, comparing every field, skipping creation if the two are identical and throwing an error otherwise, as well as handling that in the upstream `grantInvoke` call. I opted for the simpler solution for now, but willing to take arguments for something more complex. I also nested the existing grantInvoke tests for future readability. The tests weren't changed, just the last one added. fixes #8553 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws-cdk-automation added the `pr/no-squash` label (This PR should be merged instead of squash-merging it) on Aug 27, 2020

eladb approved these changes on Aug 27, 2020
Thank you for contributing! Your pull request will be updated from master and then merged automatically without squashing (do not update manually, and be sure to allow changes to be pushed to your fork).

AWS CodeBuild CI Report

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository
See CHANGELOG