diff --git a/.github/workflows/request-cli-integ-test.yml b/.github/workflows/request-cli-integ-test.yml
index 1b37dede1a153..e32c61ffb4988 100644
--- a/.github/workflows/request-cli-integ-test.yml
+++ b/.github/workflows/request-cli-integ-test.yml
@@ -27,6 +27,15 @@ jobs:
 - packages/aws-cdk/bin/**
 - packages/aws-cdk/lib/**
 - packages/aws-cdk/test/**
+ - packages/cdk-assets/bin/**
+ - packages/cdk-assets/lib/**
+ - packages/cdk-assets/test/**
+ - packages/aws-cdk-lib/cloud-assembly-schema/lib/**
+ - packages/aws-cdk-lib/cloud-assembly-schema/schema/**
+ - packages/aws-cdk-lib/cloud-assembly-schema/scripts/**
+ - packages/aws-cdk-lib/cloud-assembly-schema/test/**
+ - packages/@aws-cdk/cloudformation-diff/lib/**
+ - packages/@aws-cdk/cloudformation-diff/test/**
 submit-to-test-pipeline:
 environment: test-pipeline
 needs: cli-changes
diff --git a/CHANGELOG.v2.alpha.md b/CHANGELOG.v2.alpha.md
index fb7bf38ee141a..735b0f999e0c4 100644
--- a/CHANGELOG.v2.alpha.md
+++ b/CHANGELOG.v2.alpha.md
@@ -2,6 +2,13 @@
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
+## [2.137.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.136.1-alpha.0...v2.137.0-alpha.0) (2024-04-10)
+
+
+### Bug Fixes
+
+* **integ-tests:** `httpApiCall.expect` with resolved URL ([#29705](https://github.com/aws/aws-cdk/issues/29705)) ([49b4aa1](https://github.com/aws/aws-cdk/commit/49b4aa1e22062a3183dce7092e740af49fa951bf)), closes [#29700](https://github.com/aws/aws-cdk/issues/29700) [#29701](https://github.com/aws/aws-cdk/issues/29701)
+
 ## [2.136.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.136.0-alpha.0...v2.136.1-alpha.0) (2024-04-09)
 ## [2.136.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.135.0-alpha.0...v2.136.0-alpha.0) (2024-04-06)
diff --git a/CHANGELOG.v2.md b/CHANGELOG.v2.md
index 22ac37b76807f..2492d8dc5d974 100644
--- a/CHANGELOG.v2.md
+++ b/CHANGELOG.v2.md
@@ -2,6 +2,24 @@
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
+## [2.137.0](https://github.com/aws/aws-cdk/compare/v2.136.1...v2.137.0) (2024-04-10)
+
+
+### Features
+
+* **assertions:** add stack tagging assertions ([#29247](https://github.com/aws/aws-cdk/issues/29247)) ([72f189d](https://github.com/aws/aws-cdk/commit/72f189d3287313a03b1a73a03cb098340f7b2530)), closes [#27620](https://github.com/aws/aws-cdk/issues/27620)
+* **cloudfront:** adding support for inline KeyValueStore sources ([#29419](https://github.com/aws/aws-cdk/issues/29419)) ([5675010](https://github.com/aws/aws-cdk/commit/56750107ab1946d3ff0842b3615c5f37c4bc719f)), closes [#29204](https://github.com/aws/aws-cdk/issues/29204)
+* **ec2:** `NatInstanceProviderV2` improvements ([#29729](https://github.com/aws/aws-cdk/issues/29729)) ([4eb02a4](https://github.com/aws/aws-cdk/commit/4eb02a4692f87cd9c2cea9aec6d67a25d23ba9f7)), closes [#29720](https://github.com/aws/aws-cdk/issues/29720)
+* **elasticloadbalancingv2:** application load balancer attributes ([#29586](https://github.com/aws/aws-cdk/issues/29586)) ([067c4a5](https://github.com/aws/aws-cdk/commit/067c4a5740dfdcc6c383b85bbbe65798e02b2431)), closes [#29585](https://github.com/aws/aws-cdk/issues/29585)
+
+
+### Bug Fixes
+
+* **appsync:** source api association does not depend on schema ([#29455](https://github.com/aws/aws-cdk/issues/29455)) ([92a160b](https://github.com/aws/aws-cdk/commit/92a160bb0a2c6ca528fc3f4e3ca036d0c70e6ca5)), closes [#29044](https://github.com/aws/aws-cdk/issues/29044)
+* **s3-deployment:** `BucketDeployment` fails when bootstrap stack's `StagingBucket` is encrypted with customer managed KMS key ([#29540](https://github.com/aws/aws-cdk/issues/29540)) ([0b429fb](https://github.com/aws/aws-cdk/commit/0b429fb80e7820afb606d5424476444940166ade)), closes 
[#25100](https://github.com/aws/aws-cdk/issues/25100) [#25100](https://github.com/aws/aws-cdk/issues/25100) [#25100](https://github.com/aws/aws-cdk/issues/25100)
+* **sns:** contentBasedDeduplication is always false for imported topic ([#29542](https://github.com/aws/aws-cdk/issues/29542)) ([4a9e683](https://github.com/aws/aws-cdk/commit/4a9e68311018a42bc5961646dda4be6861f916a5)), closes [#29532](https://github.com/aws/aws-cdk/issues/29532)
+
+
 ## [2.136.1](https://github.com/aws/aws-cdk/compare/v2.136.0...v2.136.1) (2024-04-09)
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/asset.30d328e47ab6c6a4d0d137aac9e53e30955ac7469bcb2be4a49f9baf5cfc2f9c.bundle/index.js b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/asset.980ab41b674bbe2a714081b8b83c3b7bc45c4f8bb52a347bc93fc308857eadec.bundle/index.js
similarity index 99%
rename from packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/asset.30d328e47ab6c6a4d0d137aac9e53e30955ac7469bcb2be4a49f9baf5cfc2f9c.bundle/index.js
rename to packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/asset.980ab41b674bbe2a714081b8b83c3b7bc45c4f8bb52a347bc93fc308857eadec.bundle/index.js
index 1e875e7c41543..4f4e11774c3cd 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/asset.30d328e47ab6c6a4d0d137aac9e53e30955ac7469bcb2be4a49f9baf5cfc2f9c.bundle/index.js
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/asset.980ab41b674bbe2a714081b8b83c3b7bc45c4f8bb52a347bc93fc308857eadec.bundle/index.js
@@ -1,3 +1,4 @@
+"use strict";
 var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
@@ -32410,6 +32411,7 @@ var CustomResourceHandler = class {
 constructor(event, context) {
 this.event = event;
 this.context = context;
+ this.timedOut = false;
 this.timeout = setTimeout(async () => {
 await this.respond({
 status: "FAILED",
@@ -32421,9 +32423,6 @@ var CustomResourceHandler = class {
 this.event = event;
 this.physicalResourceId = extractPhysicalResourceId(event);
 }
- physicalResourceId;
- timeout;
- timedOut = false;
 /**
 * Handles executing the custom resource event. If `stateMachineArn` is present
 * in the props then trigger the waiter statemachine
@@ -32557,7 +32556,6 @@ var AssertionHandler = class extends CustomResourceHandler {
 }
 };
 var MatchCreator = class {
- parsedObj;
 constructor(obj) {
 this.parsedObj = {
 matcher: obj
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/aws-cdk-vpc-nat-instance-v2-custom.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/aws-cdk-vpc-nat-instance-v2-custom.assets.json
index 361185f0cc5eb..ab1f44a945a44 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/aws-cdk-vpc-nat-instance-v2-custom.assets.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/aws-cdk-vpc-nat-instance-v2-custom.assets.json
@@ -14,7 +14,7 @@
 }
 }
 },
- "507d58d75d14568b58322e0f4a8794e043b357384bf381e8a0ec11115ffcea18": {
+ "88889d54b71a3d53a33cda01fae683ece81a3b92b13206de07579e5dcb02d45e": {
 "source": {
 "path": "aws-cdk-vpc-nat-instance-v2-custom.template.json",
 "packaging": "file"
@@ -22,7 +22,7 @@
 "destinations": {
 "current_account-current_region": {
 "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
- "objectKey": "507d58d75d14568b58322e0f4a8794e043b357384bf381e8a0ec11115ffcea18.json",
+ "objectKey": "88889d54b71a3d53a33cda01fae683ece81a3b92b13206de07579e5dcb02d45e.json",
 "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
 }
 }
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/aws-cdk-vpc-nat-instance-v2-custom.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/aws-cdk-vpc-nat-instance-v2-custom.template.json
index d7b519b7e0449..d798760c99e2b 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/aws-cdk-vpc-nat-instance-v2-custom.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/aws-cdk-vpc-nat-instance-v2-custom.template.json
@@ -350,6 +350,12 @@
 "MyVpcNatSecurityGroupAA76397E",
 "GroupId"
 ]
+ },
+ {
+ "Fn::GetAtt": [
+ "SecurityGroupDD263621",
+ "GroupId"
+ ]
 }
 ],
 "SourceDestCheck": false,
@@ -566,6 +572,12 @@
 "MyVpcNatSecurityGroupAA76397E",
 "GroupId"
 ]
+ },
+ {
+ "Fn::GetAtt": [
+ "SecurityGroupDD263621",
+ "GroupId"
+ ]
 }
 ],
 "SourceDestCheck": false,
@@ -763,9 +775,11 @@
 "GroupDescription": "Security Group for NAT instances",
 "SecurityGroupEgress": [
 {
- "CidrIp": "0.0.0.0/0",
- "Description": "Allow all outbound traffic by default",
- "IpProtocol": "-1"
+ "CidrIp": "255.255.255.255/32",
+ "Description": "Disallow all traffic",
+ "FromPort": 252,
+ "IpProtocol": "icmp",
+ "ToPort": 86
 }
 ],
 "Tags": [
@@ -779,6 +793,24 @@
 }
 }
 },
+ "SecurityGroupDD263621": {
+ "Type": "AWS::EC2::SecurityGroup",
+ "Properties": {
+ "GroupDescription": "aws-cdk-vpc-nat-instance-v2-custom/SecurityGroup",
+ "SecurityGroupEgress": [
+ {
+ "CidrIp": "0.0.0.0/0",
+ "Description": "Allow egress to S3",
+ "FromPort": 443,
+ "IpProtocol": "tcp",
+ "ToPort": 443
+ }
+ ],
+ "VpcId": {
+ "Ref": "MyVpcF9F0CA6F"
+ }
+ }
+ },
 "ALBAEE750D2": {
 "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
 "Properties": {
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/manifest.json
index 8c22b72e08ce7..0f297c556df29 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/manifest.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/manifest.json
@@ -18,7 +18,7 @@
 "validateOnSynth": false,
 "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
 "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
- "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/507d58d75d14568b58322e0f4a8794e043b357384bf381e8a0ec11115ffcea18.json",
+ "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/88889d54b71a3d53a33cda01fae683ece81a3b92b13206de07579e5dcb02d45e.json",
 "requiresBootstrapStackVersion": 6,
 "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
 "additionalDependencies": [
@@ -121,10 +121,7 @@
 "/aws-cdk-vpc-nat-instance-v2-custom/MyVpc/PublicSubnet1/NatInstance/Resource": [
 {
 "type": "aws:cdk:logicalId",
- "data": "MyVpcPublicSubnet1NatInstance8E94E5F7",
- "trace": [
- "!!DESTRUCTIVE_CHANGES: WILL_REPLACE"
- ]
+ "data": "MyVpcPublicSubnet1NatInstance8E94E5F7"
 }
 ],
 "/aws-cdk-vpc-nat-instance-v2-custom/MyVpc/PublicSubnet2/Subnet": [
@@ -172,10 +169,7 @@
 "/aws-cdk-vpc-nat-instance-v2-custom/MyVpc/PublicSubnet2/NatInstance/Resource": [
 {
 "type": "aws:cdk:logicalId",
- "data": "MyVpcPublicSubnet2NatInstance04BCE4E3",
- "trace": [
- "!!DESTRUCTIVE_CHANGES: WILL_REPLACE"
- ]
+ "data": "MyVpcPublicSubnet2NatInstance04BCE4E3"
 }
 ],
 "/aws-cdk-vpc-nat-instance-v2-custom/MyVpc/PrivateSubnet1/Subnet": [
@@ -250,6 +244,12 @@
 "data": "SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter"
 }
 ],
+ "/aws-cdk-vpc-nat-instance-v2-custom/SecurityGroup/Resource": [
+ {
+ "type": "aws:cdk:logicalId",
+ "data": "SecurityGroupDD263621"
+ }
+ ],
 "/aws-cdk-vpc-nat-instance-v2-custom/ALB/Resource": [
 {
 "type": "aws:cdk:logicalId",
@@ -339,15 +339,6 @@
 "type": "aws:cdk:logicalId",
 "data": "CheckBootstrapVersion"
 }
- ],
- "SecurityGroupDD263621": [
- {
- "type": "aws:cdk:logicalId",
- "data": "SecurityGroupDD263621",
- "trace": [
- "!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
- ]
- }
 ]
 },
 "displayName": "aws-cdk-vpc-nat-instance-v2-custom"
@@ -369,7 +360,7 @@
 "validateOnSynth": false,
 "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
 "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
- "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/5cd83a484875f9d6233167e37f30b900302111df0c13da4284a653312d75d2f0.json",
+ "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/27e505f777e93eb29657c433163eea53b041327f682383a9fcd815c1527ee71f.json",
 "requiresBootstrapStackVersion": 6,
 "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
 "additionalDependencies": [
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/natinstancev2customintegtestDefaultTestDeployAssertEFDD468A.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/natinstancev2customintegtestDefaultTestDeployAssertEFDD468A.assets.json
index ed4b8aece8af6..7a39028441a19 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/natinstancev2customintegtestDefaultTestDeployAssertEFDD468A.assets.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/natinstancev2customintegtestDefaultTestDeployAssertEFDD468A.assets.json
@@ -1,20 +1,20 @@
 {
 "version": "36.0.0",
 "files": {
- "30d328e47ab6c6a4d0d137aac9e53e30955ac7469bcb2be4a49f9baf5cfc2f9c": {
+ "980ab41b674bbe2a714081b8b83c3b7bc45c4f8bb52a347bc93fc308857eadec": {
 "source": {
- "path": "asset.30d328e47ab6c6a4d0d137aac9e53e30955ac7469bcb2be4a49f9baf5cfc2f9c.bundle",
+ "path": "asset.980ab41b674bbe2a714081b8b83c3b7bc45c4f8bb52a347bc93fc308857eadec.bundle",
 "packaging": "zip"
 },
 "destinations": {
 "current_account-current_region": {
 "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
- "objectKey": "30d328e47ab6c6a4d0d137aac9e53e30955ac7469bcb2be4a49f9baf5cfc2f9c.zip",
+ "objectKey": "980ab41b674bbe2a714081b8b83c3b7bc45c4f8bb52a347bc93fc308857eadec.zip",
 "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
 }
 }
 },
- "5cd83a484875f9d6233167e37f30b900302111df0c13da4284a653312d75d2f0": {
+ "27e505f777e93eb29657c433163eea53b041327f682383a9fcd815c1527ee71f": {
 "source": {
 "path": "natinstancev2customintegtestDefaultTestDeployAssertEFDD468A.template.json",
 "packaging": "file"
@@ -22,7 +22,7 @@
 "destinations": {
 "current_account-current_region": {
 "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
- "objectKey": "5cd83a484875f9d6233167e37f30b900302111df0c13da4284a653312d75d2f0.json",
+ "objectKey": "27e505f777e93eb29657c433163eea53b041327f682383a9fcd815c1527ee71f.json",
 "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
 }
 }
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/natinstancev2customintegtestDefaultTestDeployAssertEFDD468A.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/natinstancev2customintegtestDefaultTestDeployAssertEFDD468A.template.json
index 0a19b5e70bef0..ccce466e50fd0 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/natinstancev2customintegtestDefaultTestDeployAssertEFDD468A.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/natinstancev2customintegtestDefaultTestDeployAssertEFDD468A.template.json
@@ -33,7 +33,7 @@
 "fetchOptions": {}
 },
 "expected": "{\"$ObjectLike\":{\"status\":200}}",
- "salt": "1712258454703"
+ "salt": "1712646801664"
 },
 "UpdateReplacePolicy": "Delete",
 "DeletionPolicy": "Delete"
@@ -97,7 +97,7 @@
 "S3Bucket": {
 "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
 },
- "S3Key": "30d328e47ab6c6a4d0d137aac9e53e30955ac7469bcb2be4a49f9baf5cfc2f9c.zip"
+ "S3Key": "980ab41b674bbe2a714081b8b83c3b7bc45c4f8bb52a347bc93fc308857eadec.zip"
 },
 "Timeout": 120,
 "Handler": "index.handler",
@@ -136,7 +136,7 @@
 "Key": "\"hello.txt\""
 },
 "flattenResponse": "false",
- "salt": "1712258454704"
+ "salt": "1712646801666"
 },
 "UpdateReplacePolicy": "Delete",
 "DeletionPolicy": "Delete"
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/tree.json
index 3615c055695b5..b3c44bcd12863 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/tree.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/tree.json
@@ -497,6 +497,12 @@
 "MyVpcNatSecurityGroupAA76397E",
 "GroupId"
 ]
+ },
+ {
+ "Fn::GetAtt": [
+ "SecurityGroupDD263621",
+ "GroupId"
+ ]
 }
 ],
 "sourceDestCheck": false,
@@ -826,6 +832,12 @@
 "MyVpcNatSecurityGroupAA76397E",
 "GroupId"
 ]
+ },
+ {
+ "Fn::GetAtt": [
+ "SecurityGroupDD263621",
+ "GroupId"
+ ]
 }
 ],
 "sourceDestCheck": false,
@@ -1159,9 +1171,11 @@
 "groupDescription": "Security Group for NAT instances",
 "securityGroupEgress": [
 {
- "cidrIp": "0.0.0.0/0",
- "description": "Allow all outbound traffic by default",
- "ipProtocol": "-1"
+ "cidrIp": "255.255.255.255/32",
+ "description": "Disallow all traffic",
+ "ipProtocol": "icmp",
+ "fromPort": 252,
+ "toPort": 86
 }
 ],
 "tags": [
@@ -1208,6 +1222,42 @@
 "version": "0.0.0"
 }
 },
+ "SecurityGroup": {
+ "id": "SecurityGroup",
+ "path": "aws-cdk-vpc-nat-instance-v2-custom/SecurityGroup",
+ "children": {
+ "Resource": {
+ "id": "Resource",
+ "path": "aws-cdk-vpc-nat-instance-v2-custom/SecurityGroup/Resource",
+ "attributes": {
+ "aws:cdk:cloudformation:type": "AWS::EC2::SecurityGroup",
+ "aws:cdk:cloudformation:props": {
+ "groupDescription": "aws-cdk-vpc-nat-instance-v2-custom/SecurityGroup",
+ "securityGroupEgress": [
+ {
+ "cidrIp": "0.0.0.0/0",
+ "ipProtocol": "tcp",
+ "fromPort": 443,
+ "toPort": 443,
+ "description": "Allow egress to S3"
+ }
+ ],
+ "vpcId": {
+ "Ref": "MyVpcF9F0CA6F"
+ }
+ }
+ },
+ "constructInfo": {
+ "fqn": "aws-cdk-lib.aws_ec2.CfnSecurityGroup",
+ "version": "0.0.0"
+ }
+ }
+ },
+ "constructInfo": {
+ "fqn": "aws-cdk-lib.aws_ec2.SecurityGroup",
+ "version": "0.0.0"
+ }
+ },
 "ALB": {
 "id": "ALB",
 "path": "aws-cdk-vpc-nat-instance-v2-custom/ALB",
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.ts
index 6a4aeb07cd315..1ae702884cd31 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.ts
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.ts
@@ -32,18 +32,21 @@ class NatInstanceStack extends cdk.Stack {
 const natGatewayProvider = ec2.NatProvider.instanceV2({
 instanceType: new ec2.InstanceType('t3.small'),
 creditSpecification: ec2.CpuCredits.UNLIMITED,
- defaultAllowedTraffic: ec2.NatTrafficDirection.OUTBOUND_ONLY,
+ defaultAllowedTraffic: ec2.NatTrafficDirection.NONE,
 keyPair,
 userData,
 });
- const vpc = new ec2.Vpc(this, 'MyVpc', {
- natGatewayProvider,
- natGateways: 2,
- });
+ const vpc = new ec2.Vpc(this, 'MyVpc', { natGatewayProvider });
+ const securityGroup = new ec2.SecurityGroup(this, 'SecurityGroup', {
+ vpc,
+ allowAllOutbound: false,
+ });
+ securityGroup.addEgressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(443), 'Allow egress to S3');
 for (const gateway of natGatewayProvider.gatewayInstances) {
 bucket.grantWrite(gateway);
+ gateway.addSecurityGroup(securityGroup);
 }
 Array.isArray(vpc);
@@ -70,7 +73,6 @@ const stack = new NatInstanceStack(app, 'aws-cdk-vpc-nat-instance-v2-custom');
 const integ = new IntegTest(app, 'nat-instance-v2-custom-integ-test', {
 testCases: [stack],
-
 });
 integ.assertions.httpApiCall(stack.apiUrl, {})
diff --git a/packages/aws-cdk-lib/aws-ec2/README.md b/packages/aws-cdk-lib/aws-ec2/README.md
index e99fd6b019cae..511d194a8bf69 100644
--- a/packages/aws-cdk-lib/aws-ec2/README.md
+++ b/packages/aws-cdk-lib/aws-ec2/README.md
@@ -218,7 +218,8 @@ new ec2.Vpc(this, 'TheVPC', {
 provider.connections.allowFrom(ec2.Peer.ipv4('1.2.3.4/8'), ec2.Port.tcp(80));
 ```
-You can also customize the characteristics of your NAT instances, as well as their initialization scripts:
+You can also customize the characteristics of your NAT instances, including their security group,
+as well as their initialization scripts:
 ```ts
 declare const bucket: s3.Bucket;
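Review bot: Every rule the new `securityGroup` carries is egress, and nothing in this hunk adds an inbound rule from the VPC, so the NAT instances in PublicSubnet1/2 accept no traffic from the private subnets (that was already the case with `OUTBOUND_ONLY`, and presumably remains so with `NONE`, whose provider group the snapshot now renders as a "Disallow all traffic" placeholder); the 443 egress rule therefore only governs the instances' own traffic, such as the `bucket.grantWrite` upload. If the test is meant to show a least-privilege NAT that still forwards HTTPS for the private subnets, add the inbound side next to the egress rule, e.g. `securityGroup.addIngressRule(ec2.Peer.ipv4(vpc.vpcCidrBlock), ec2.Port.tcp(443), 'Allow HTTPS from the VPC');`. If the forwarding path is deliberately not exercised by the `httpApiCall` assertion below, a one-line comment on the `addEgressRule` call saying so would keep the next reader from treating the missing ingress as a regression. NatInstanceStack's constructor begins before this hunk, so the source of `bucket`, `keyPair` and `userData` is not visible here.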
@@ -233,15 +234,19 @@ userData.addCommands(
 const provider = ec2.NatProvider.instanceV2({
 instanceType: new ec2.InstanceType('t3.small'),
 creditSpecification: ec2.CpuCredits.UNLIMITED,
+ defaultAllowedTraffic: ec2.NatTrafficDirection.NONE,
 });
-new ec2.Vpc(this, 'TheVPC', {
+const vpc = new ec2.Vpc(this, 'TheVPC', {
 natGatewayProvider: provider,
 natGateways: 2,
 });
+const securityGroup = new ec2.SecurityGroup(this, 'SecurityGroup', { vpc });
+ securityGroup.addEgressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(443));
 for (const gateway of provider.gatewayInstances) {
 bucket.grantWrite(gateway);
+ gateway.addSecurityGroup(securityGroup);
 }
 ```
diff --git a/packages/aws-cdk-lib/aws-ec2/lib/nat.ts b/packages/aws-cdk-lib/aws-ec2/lib/nat.ts
index 2a6983f671c58..a2e56b2bd15bf 100644
--- a/packages/aws-cdk-lib/aws-ec2/lib/nat.ts
+++ b/packages/aws-cdk-lib/aws-ec2/lib/nat.ts
@@ -207,6 +207,27 @@ export interface NatInstanceProps {
 * Security Group for NAT instances
 *
 * @default - A new security group will be created
+ * @deprecated - Cannot create a new security group before the VPC is created,
+ * and cannot create the VPC without the NAT provider.
+ * Set {@link defaultAllowedTraffic} to {@link NatTrafficDirection.NONE}
+ * and use {@link NatInstanceProviderV2.gatewayInstances} to retrieve
+ * the instances on the fly and add security groups
+ *
+ * @example
+ * const natGatewayProvider = ec2.NatProvider.instanceV2({
+ * instanceType: new ec2.InstanceType('t3.small'),
+ * defaultAllowedTraffic: ec2.NatTrafficDirection.NONE,
+ * });
+ * const vpc = new ec2.Vpc(this, 'Vpc', { natGatewayProvider });
+ *
+ * const securityGroup = new ec2.SecurityGroup(this, 'SecurityGroup', {
+ * vpc,
+ * allowAllOutbound: false,
+ * });
+ * securityGroup.addEgressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(443));
+ * for (const gatewayInstance of natGatewayProvider.gatewayInstances) {
+ * gatewayInstance.addSecurityGroup(securityGroup);
+ * }
 */
 readonly securityGroup?: ISecurityGroup;
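Review bot: The new `@deprecated` text explains how to avoid `securityGroup` but not what happens when it is still supplied, while the `@default` line directly above still promises a fresh group, so a reader cannot tell whether a passed group keeps working, is ignored, or conflicts with `defaultAllowedTraffic`; one sentence along the lines of `A group passed here is still applied unchanged; the example below is the recommended least-privilege replacement` (worded to match the real behaviour in `configureNat`, which is outside this hunk) would close that gap. The example shows only an egress rule, and since `NatTrafficDirection.NONE` presumably also drops the provider's own inbound rule, it should either add an ingress rule from the VPC CIDR or state that inbound access must be opened separately before private subnets can use the NAT. The README example in this same commit builds the group without `allowAllOutbound: false`, which leaves the default allow-all egress in place and makes its `addEgressRule(..., ec2.Port.tcp(443))` call a no-op; aligning it with this example would avoid documenting a group that looks restricted but is not.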
diff --git a/version.v2.json b/version.v2.json
index 34cc5b570a819..c0e2e15211bf5 100644
--- a/version.v2.json
+++ b/version.v2.json
@@ -1,4 +1,4 @@
 {
- "version": "2.136.1",
- "alphaVersion": "2.136.1-alpha.0"
+ "version": "2.137.0",
+ "alphaVersion": "2.137.0-alpha.0"
 }
\ No newline at end of file