Merge branch 'main' into cognito-update-error

aws · Feb 16, 2023 · 2a98289 · 2a98289
2 parents d5ff298 + ce18037
commit 2a98289
Show file tree

Hide file tree

Showing 45 changed files with 1,341 additions and 231 deletions.
diff --git a/CHANGELOG.v2.alpha.md b/CHANGELOG.v2.alpha.md
@@ -2,6 +2,15 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.65.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.64.0-alpha.0...v2.65.0-alpha.0) (2023-02-15)
+
+
+### Features
+
+* **glue:** support Ray jobs ([#23822](https://github.com/aws/aws-cdk/issues/23822)) ([8de50d6](https://github.com/aws/aws-cdk/commit/8de50d624c8703a12713dcffbc764688868f22b0))
+* **redshift:** IAM roles can be attached to a cluster, post creation ([#23791](https://github.com/aws/aws-cdk/issues/23791)) ([1a46808](https://github.com/aws/aws-cdk/commit/1a46808b03e8f6d09846f999ae3dc65b190f5f26)), closes [#22632](https://github.com/aws/aws-cdk/issues/22632)
+* **synthetics:** support runtime 3.9 ([#24101](https://github.com/aws/aws-cdk/issues/24101)) ([9d23cad](https://github.com/aws/aws-cdk/commit/9d23caded8aca42d3b78de1bc7e89c38a4d6805e))
+
 ## [2.64.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.63.2-alpha.0...v2.64.0-alpha.0) (2023-02-09)
 
 

diff --git a/CHANGELOG.v2.md b/CHANGELOG.v2.md
@@ -2,6 +2,32 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.65.0](https://github.com/aws/aws-cdk/compare/v2.64.0...v2.65.0) (2023-02-15)
+
+
+### Features
+
+* **autoscaling:** L2 construct for enabling capacity rebalance of autoscaling ([#24025](https://github.com/aws/aws-cdk/issues/24025)) ([d2c63f5](https://github.com/aws/aws-cdk/commit/d2c63f55f8657315ad4e4dd463cfcae07cb66e53)), closes [#22625](https://github.com/aws/aws-cdk/issues/22625)
+* **chatbot:** support guardrail policies ([#24114](https://github.com/aws/aws-cdk/issues/24114)) ([4c72a7d](https://github.com/aws/aws-cdk/commit/4c72a7dc3994ba190f1e1aa467d3087228bcb881)), closes [#20788](https://github.com/aws/aws-cdk/issues/20788)
+* **core:** Allow passing Docker build secrets ([#23778](https://github.com/aws/aws-cdk/issues/23778)) ([74512fa](https://github.com/aws/aws-cdk/commit/74512fa339e0a2937213f519c109ef1207e9d0c6)), closes [#14910](https://github.com/aws/aws-cdk/issues/14910) [#14395](https://github.com/aws/aws-cdk/issues/14395)
+* **elbv2:** add metrics to INetworkTargetGroup and IApplicationTargetGroup ([#23993](https://github.com/aws/aws-cdk/issues/23993)) ([6a9e43f](https://github.com/aws/aws-cdk/commit/6a9e43f0c6f966df4671267eeda21638611dfb1c)), closes [#23853](https://github.com/aws/aws-cdk/issues/23853) [#10850](https://github.com/aws/aws-cdk/issues/10850)
+* **lambda:** add insights version 1.0.178.0 ([#23836](https://github.com/aws/aws-cdk/issues/23836)) ([5272908](https://github.com/aws/aws-cdk/commit/527290854d0fa31e7f41497ede0c1b8b0e1b9ad4))
+
+
+### Bug Fixes
+
+* **bootstrap:** remove Security Hub finding S3.10 ([#24175](https://github.com/aws/aws-cdk/issues/24175)) ([a1da757](https://github.com/aws/aws-cdk/commit/a1da757ce348b4bd66a6d0e7776f2ff8e9f531b6)), closes [/docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-10](https://github.com/aws//docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html/issues/fsbp-s3-10)
+* **codedeploy:** unable to remove alarms from deployment group ([#23308](https://github.com/aws/aws-cdk/issues/23308)) ([eee005f](https://github.com/aws/aws-cdk/commit/eee005f4949d7438467c7448ba8326efa4b79221))
+* **codepipeline:** x-env ECS deployment lacking support stack-dependency ([#24053](https://github.com/aws/aws-cdk/issues/24053)) ([adfe4fa](https://github.com/aws/aws-cdk/commit/adfe4fa137bb748961b4a767d538335490e13ed1)), closes [#24050](https://github.com/aws/aws-cdk/issues/24050) [#24051](https://github.com/aws/aws-cdk/issues/24051)
+* **core:** messages are displayed multiple times per construct ([#24019](https://github.com/aws/aws-cdk/issues/24019)) ([57770bb](https://github.com/aws/aws-cdk/commit/57770bb12ea6d77373f1e9e8e04f6757b440f277)), closes [#9565](https://github.com/aws/aws-cdk/issues/9565)
+* **ec2:** enable set throughput param to CfnVolume ([#24118](https://github.com/aws/aws-cdk/issues/24118)) ([32781f8](https://github.com/aws/aws-cdk/commit/32781f825352f9cb43d8fed5c122b454275b3076)), closes [#24107](https://github.com/aws/aws-cdk/issues/24107) [#24107](https://github.com/aws/aws-cdk/issues/24107)
+* **elbv2:** healthcheck interval is overly restrictive ([#24157](https://github.com/aws/aws-cdk/issues/24157)) ([4f83e02](https://github.com/aws/aws-cdk/commit/4f83e02b85229ebdff3f32ba6fd662ffd707d8db)), closes [#24156](https://github.com/aws/aws-cdk/issues/24156)
+* **iam:** PrincipalWithConditions.addCondition fails with a new key ([#23782](https://github.com/aws/aws-cdk/issues/23782)) ([8951d01](https://github.com/aws/aws-cdk/commit/8951d013bea5dad54b94a6a683f56275ff4e6dba)), closes [#23781](https://github.com/aws/aws-cdk/issues/23781)
+* **iam:** SamlConsolePrincipal does not work in China [#22091](https://github.com/aws/aws-cdk/issues/22091) ([#24034](https://github.com/aws/aws-cdk/issues/24034)) ([2902043](https://github.com/aws/aws-cdk/commit/29020435aeb1a9fb6401572520d0adca8155dc60))
+* **pipelines:** SelfMutation CodeBuild project not accessible ([#24073](https://github.com/aws/aws-cdk/issues/24073)) ([5942978](https://github.com/aws/aws-cdk/commit/594297862f2626b64b174d6998886a40f1b316be))
+* **rds:** database proxies use ids as their resource names directly (under feature flag) ([#23703](https://github.com/aws/aws-cdk/issues/23703)) ([03a0f79](https://github.com/aws/aws-cdk/commit/03a0f79b40e3be95de5421370703eb54c06b7dd7)), closes [#18578](https://github.com/aws/aws-cdk/issues/18578)
+* **s3:** logging bucket blocks KMS_MANAGED encryption ([#23514](https://github.com/aws/aws-cdk/issues/23514)) ([1e8926f](https://github.com/aws/aws-cdk/commit/1e8926fa9bcf561135beaa31379ec1f1e6f79901))
+
 ## [2.64.0](https://github.com/aws/aws-cdk/compare/v2.63.2...v2.64.0) (2023-02-09)
 
 

diff --git a/packages/@aws-cdk/aws-apigateway/README.md b/packages/@aws-cdk/aws-apigateway/README.md
@@ -945,6 +945,18 @@ to allow users revert the stage to an old deployment manually.
 [Deployment]: https://docs.aws.amazon.com/apigateway/api-reference/resource/deployment/
 [Stage]: https://docs.aws.amazon.com/apigateway/api-reference/resource/stage/
 
+In order to also create a new deployment when changes are made to any authorizer attached to the API,
+the `@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId` [feature flag](https://docs.aws.amazon.com/cdk/v2/guide/featureflags.html) can be enabled. This can be set
+in the `cdk.json` file.
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true
+  }
+}
+```
+
 ## Custom Domains
 
 To associate an API with a custom domain, use the `domainName` configuration when

diff --git a/packages/@aws-cdk/aws-apigateway/lib/authorizers/cognito.ts b/packages/@aws-cdk/aws-apigateway/lib/authorizers/cognito.ts
@@ -1,7 +1,8 @@
 import * as cognito from '@aws-cdk/aws-cognito';
-import { Duration, Lazy, Names, Stack } from '@aws-cdk/core';
+import { Duration, FeatureFlags, Lazy, Names, Stack } from '@aws-cdk/core';
+import { APIGATEWAY_AUTHORIZER_CHANGE_DEPLOYMENT_LOGICAL_ID } from '@aws-cdk/cx-api';
 import { Construct } from 'constructs';
-import { CfnAuthorizer } from '../apigateway.generated';
+import { CfnAuthorizer, CfnAuthorizerProps } from '../apigateway.generated';
 import { Authorizer, IAuthorizer } from '../authorizer';
 import { AuthorizationType } from '../method';
 import { IRestApi } from '../restapi';
@@ -64,18 +65,25 @@ export class CognitoUserPoolsAuthorizer extends Authorizer implements IAuthorize
 
   private restApiId?: string;
 
+  private readonly authorizerProps: CfnAuthorizerProps;
+
   constructor(scope: Construct, id: string, props: CognitoUserPoolsAuthorizerProps) {
     super(scope, id);
 
     const restApiId = this.lazyRestApiId();
-    const resource = new CfnAuthorizer(this, 'Resource', {
+
+    const authorizerProps = {
       name: props.authorizerName ?? Names.uniqueId(this),
       restApiId,
       type: 'COGNITO_USER_POOLS',
       providerArns: props.cognitoUserPools.map(userPool => userPool.userPoolArn),
       authorizerResultTtlInSeconds: props.resultsCacheTtl?.toSeconds(),
       identitySource: props.identitySource || 'method.request.header.Authorization',
-    });
+    };
+
+    this.authorizerProps = authorizerProps;
+
+    const resource = new CfnAuthorizer(this, 'Resource', authorizerProps);
 
     this.authorizerId = resource.ref;
     this.authorizerArn = Stack.of(this).formatArn({
@@ -96,6 +104,16 @@ export class CognitoUserPoolsAuthorizer extends Authorizer implements IAuthorize
     }
 
     this.restApiId = restApi.restApiId;
+
+    const addToLogicalId = FeatureFlags.of(this).isEnabled(APIGATEWAY_AUTHORIZER_CHANGE_DEPLOYMENT_LOGICAL_ID);
+
+    const deployment = restApi.latestDeployment;
+    if (deployment && addToLogicalId) {
+      deployment.node.addDependency(this);
+      deployment.addToLogicalId({
+        authorizer: this.authorizerProps,
+      });
+    }
   }
 
   /**

diff --git a/packages/@aws-cdk/aws-apigateway/lib/authorizers/lambda.ts b/packages/@aws-cdk/aws-apigateway/lib/authorizers/lambda.ts
@@ -1,8 +1,9 @@
 import * as iam from '@aws-cdk/aws-iam';
 import * as lambda from '@aws-cdk/aws-lambda';
-import { Arn, ArnFormat, Duration, Lazy, Names, Stack } from '@aws-cdk/core';
+import { Arn, ArnFormat, Duration, FeatureFlags, Lazy, Names, Stack } from '@aws-cdk/core';
+import { APIGATEWAY_AUTHORIZER_CHANGE_DEPLOYMENT_LOGICAL_ID } from '@aws-cdk/cx-api';
 import { Construct } from 'constructs';
-import { CfnAuthorizer } from '../apigateway.generated';
+import { CfnAuthorizer, CfnAuthorizerProps } from '../apigateway.generated';
 import { Authorizer, IAuthorizer } from '../authorizer';
 import { IRestApi } from '../restapi';
 
@@ -69,6 +70,8 @@ abstract class LambdaAuthorizer extends Authorizer implements IAuthorizer {
 
   protected restApiId?: string;
 
+  protected abstract readonly authorizerProps: CfnAuthorizerProps;
+
   protected constructor(scope: Construct, id: string, props: LambdaAuthorizerProps) {
     super(scope, id);
 
@@ -90,6 +93,28 @@ abstract class LambdaAuthorizer extends Authorizer implements IAuthorizer {
     }
 
     this.restApiId = restApi.restApiId;
+
+    const deployment = restApi.latestDeployment;
+    const addToLogicalId = FeatureFlags.of(this).isEnabled(APIGATEWAY_AUTHORIZER_CHANGE_DEPLOYMENT_LOGICAL_ID);
+
+    if (deployment && addToLogicalId) {
+      let functionName;
+
+      if (this.handler instanceof lambda.Function) {
+        // if not imported, attempt to get the function name, which
+        // may be a token
+        functionName = (this.handler.node.defaultChild as lambda.CfnFunction).functionName;
+      } else {
+        // if imported, the function name will be a token
+        functionName = this.handler.functionName;
+      }
+
+      deployment.node.addDependency(this);
+      deployment.addToLogicalId({
+        authorizer: this.authorizerProps,
+        authorizerToken: functionName,
+      });
+    }
   }
 
   /**
@@ -163,11 +188,14 @@ export class TokenAuthorizer extends LambdaAuthorizer {
 
   public readonly authorizerArn: string;
 
+  protected readonly authorizerProps: CfnAuthorizerProps;
+
   constructor(scope: Construct, id: string, props: TokenAuthorizerProps) {
     super(scope, id, props);
 
     const restApiId = this.lazyRestApiId();
-    const resource = new CfnAuthorizer(this, 'Resource', {
+
+    const authorizerProps: CfnAuthorizerProps = {
       name: props.authorizerName ?? Names.uniqueId(this),
       restApiId,
       type: 'TOKEN',
@@ -176,7 +204,11 @@ export class TokenAuthorizer extends LambdaAuthorizer {
       authorizerResultTtlInSeconds: props.resultsCacheTtl?.toSeconds(),
       identitySource: props.identitySource || 'method.request.header.Authorization',
       identityValidationExpression: props.validationRegex,
-    });
+    };
+
+    this.authorizerProps = authorizerProps;
+
+    const resource = new CfnAuthorizer(this, 'Resource', authorizerProps);
 
     this.authorizerId = resource.ref;
     this.authorizerArn = Stack.of(this).formatArn({
@@ -221,6 +253,8 @@ export class RequestAuthorizer extends LambdaAuthorizer {
 
   public readonly authorizerArn: string;
 
+  protected readonly authorizerProps: CfnAuthorizerProps;
+
   constructor(scope: Construct, id: string, props: RequestAuthorizerProps) {
     super(scope, id, props);
 
@@ -229,15 +263,20 @@ export class RequestAuthorizer extends LambdaAuthorizer {
     }
 
     const restApiId = this.lazyRestApiId();
-    const resource = new CfnAuthorizer(this, 'Resource', {
+
+    const authorizerProps: CfnAuthorizerProps = {
       name: props.authorizerName ?? Names.uniqueId(this),
       restApiId,
       type: 'REQUEST',
       authorizerUri: lambdaAuthorizerArn(props.handler),
       authorizerCredentials: props.assumeRole?.roleArn,
       authorizerResultTtlInSeconds: props.resultsCacheTtl?.toSeconds(),
       identitySource: props.identitySources.map(is => is.toString()).join(','),
-    });
+    };
+
+    this.authorizerProps = authorizerProps;
+
+    const resource = new CfnAuthorizer(this, 'Resource', authorizerProps);
 
     this.authorizerId = resource.ref;
     this.authorizerArn = Stack.of(this).formatArn({

diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/cognito.test.ts b/packages/@aws-cdk/aws-apigateway/test/authorizers/cognito.test.ts
@@ -63,4 +63,58 @@ describe('Cognito Authorizer', () => {
 
     expect(authorizer.authorizerArn.endsWith(`/authorizers/${authorizer.authorizerId}`)).toBeTruthy();
   });
+
+  test('rest api depends on the authorizer when @aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId is enabled', () => {
+    const stack = new Stack();
+    stack.node.setContext('@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId', true);
+    const userPool1 = new cognito.UserPool(stack, 'UserPool');
+
+    const authorizer = new CognitoUserPoolsAuthorizer(stack, 'Authorizer', {
+      cognitoUserPools: [userPool1],
+    });
+
+    const restApi = new RestApi(stack, 'Api');
+
+    restApi.root.addMethod('ANY', undefined, {
+      authorizer,
+      authorizationType: AuthorizationType.COGNITO,
+    });
+
+    const template = Template.fromStack(stack);
+
+    const authorizerId = Object.keys(template.findResources('AWS::ApiGateway::Authorizer'))[0];
+    const deployment = Object.values(template.findResources('AWS::ApiGateway::Deployment'))[0];
+
+    expect(deployment.DependsOn).toEqual(expect.arrayContaining([authorizerId]));
+  });
+
+  test('a new deployment is created when a cognito user pool is re-created and @aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId is enabled', () => {
+    const createApiTemplate = (userPoolId: string) => {
+      const stack = new Stack();
+      stack.node.setContext('@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId', true);
+
+      const userPool = new cognito.UserPool(stack, userPoolId);
+
+      const auth = new CognitoUserPoolsAuthorizer(stack, 'myauthorizer', {
+        resultsCacheTtl: Duration.seconds(0),
+        cognitoUserPools: [userPool],
+      });
+
+      const restApi = new RestApi(stack, 'myrestapi');
+      restApi.root.addMethod('ANY', undefined, {
+        authorizer: auth,
+        authorizationType: AuthorizationType.COGNITO,
+      });
+
+      return Template.fromStack(stack);
+    };
+
+    const oldTemplate = createApiTemplate('foo');
+    const newTemplate = createApiTemplate('bar');
+
+    const oldDeploymentId = Object.keys(oldTemplate.findResources('AWS::ApiGateway::Deployment'))[0];
+    const newDeploymentId = Object.keys(newTemplate.findResources('AWS::ApiGateway::Deployment'))[0];
+
+    expect(oldDeploymentId).not.toEqual(newDeploymentId);
+  });
 });
diff --git a/...horizers/integ.cognito-authorizer.js.snapshot/CognitoUserPoolsAuthorizerInteg.assets.json b/...horizers/integ.cognito-authorizer.js.snapshot/CognitoUserPoolsAuthorizerInteg.assets.json
@@ -1,15 +1,15 @@
 {
-  "version": "20.0.0",
+  "version": "22.0.0",
   "files": {
-    "551baa1ebfdea9d8d905ffd1e2e8ac09982d0a49e669c97ad0d8f8c092cb96df": {
+    "81ccfaff55790eb0a0ba90c4ede5ca2168072939afb21004c5dcb5ca74295b40": {
       "source": {
         "path": "CognitoUserPoolsAuthorizerInteg.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "551baa1ebfdea9d8d905ffd1e2e8ac09982d0a49e669c97ad0d8f8c092cb96df.json",
+          "objectKey": "81ccfaff55790eb0a0ba90c4ede5ca2168072939afb21004c5dcb5ca74295b40.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

diff --git a/...rizers/integ.cognito-authorizer.js.snapshot/CognitoUserPoolsAuthorizerInteg.template.json b/...rizers/integ.cognito-authorizer.js.snapshot/CognitoUserPoolsAuthorizerInteg.template.json
@@ -105,7 +105,7 @@
    "UpdateReplacePolicy": "Retain",
    "DeletionPolicy": "Retain"
   },
-  "myrestapiDeployment419B1464b903292b53d7532ca4296973bcb95b1a": {
+  "myrestapiDeployment419B1464d5146a3a0aa3a9f79024a52930571dc6": {
    "Type": "AWS::ApiGateway::Deployment",
    "Properties": {
     "RestApiId": {
@@ -114,6 +114,7 @@
     "Description": "Automatically created by the RestApi construct"
    },
    "DependsOn": [
+    "myauthorizer23CB99DD",
     "myrestapiANY94B0497F"
    ]
   },
@@ -124,7 +125,7 @@
      "Ref": "myrestapi551C8392"
     },
     "DeploymentId": {
-     "Ref": "myrestapiDeployment419B1464b903292b53d7532ca4296973bcb95b1a"
+     "Ref": "myrestapiDeployment419B1464d5146a3a0aa3a9f79024a52930571dc6"
     },
     "StageName": "prod"
    },

diff --git a/...ges/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/cdk.out b/...ges/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/cdk.out
@@ -1 +1 @@
-{"version":"20.0.0"}
+{"version":"22.0.0"}
diff --git a/...gnito-authorizer.js.snapshot/cognitoauthorizerDefaultTestDeployAssert4551574C.assets.json b/...gnito-authorizer.js.snapshot/cognitoauthorizerDefaultTestDeployAssert4551574C.assets.json
@@ -1,5 +1,5 @@
 {
-  "version": "20.0.0",
+  "version": "22.0.0",
   "files": {
     "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
       "source": {

diff --git a/.../@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/integ.json b/.../@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/integ.json
@@ -1,11 +1,12 @@
 {
-  "version": "20.0.0",
+  "version": "22.0.0",
   "testCases": {
     "cognito-authorizer/DefaultTest": {
       "stacks": [
         "CognitoUserPoolsAuthorizerInteg"
       ],
-      "assertionStack": "cognito-authorizer/DefaultTest/DeployAssert"
+      "assertionStack": "cognito-authorizer/DefaultTest/DeployAssert",
+      "assertionStackName": "cognitoauthorizerDefaultTestDeployAssert4551574C"
     }
   }
 }