Merge branch 'main' into 29614-ipv6Nlb

.github/workflows/github-merit-badger.yml

@@ -17,4 +17,4 @@ jobs:
           badges: '[beginning-contributor,repeat-contributor,valued-contributor,admired-contributor,star-contributor,distinguished-contributor]'
           thresholds: '[0,3,6,13,25,50]'
           badge-type: 'achievement'
-          ignore-usernames: '[rix0rrr,iliapolo,otaviomacedo,kaizencc,comcalvi,TheRealAmazonKendra,vinayak-kukreja,mrgrain,pahud,cgarvis,kellertk,HBobertz,sumupitchayan,SankyRed,udaypant,colifran,khushail,scanlonp,mikewrighton,moelasmar,paulhcsun,awsmjs,evgenyka,GavinZZ,aaythapa,xazhao,ConnorRobertson,ssenchenko,gracelu0,jfuss,SimonCMoore,shikha372,kirtishrinkhala,godwingrs22,bergjaak,aws-cdk-automation,dependabot[bot],mergify[bot]]'
+          ignore-usernames: '[rix0rrr,iliapolo,otaviomacedo,kaizencc,comcalvi,TheRealAmazonKendra,vinayak-kukreja,mrgrain,pahud,cgarvis,kellertk,HBobertz,sumupitchayan,SankyRed,udaypant,colifran,khushail,scanlonp,mikewrighton,moelasmar,paulhcsun,awsmjs,evgenyka,GavinZZ,aaythapa,xazhao,ConnorRobertson,ssenchenko,gracelu0,jfuss,SimonCMoore,shikha372,kirtishrinkhala,godwingrs22,bergjaak,Leo10Gama,aws-cdk-automation,dependabot[bot],mergify[bot]]'

.mergify.yml

@@ -11,7 +11,7 @@ pull_request_rules:
       label:
         add: [ contribution/core ]
     conditions:
-      - author~=^(rix0rrr|iliapolo|otaviomacedo|kaizencc|comcalvi|TheRealAmazonKendra|vinayak-kukreja|mrgrain|pahud|cgarvis|kellertk|HBobertz|sumupitchayan|SankyRed|udaypant|colifran|scanlonp|mikewrighton|moelasmar|paulhcsun|awsmjs|evgenyka|GavinZZ|aaythapa|xazhao|ConnorRobertson|ssenchenko|gracelu0|jfuss|SimonCMoore|shikha372|kirtishrinkhala|godwingrs22|bergjaak)$
+      - author~=^(rix0rrr|iliapolo|otaviomacedo|kaizencc|comcalvi|TheRealAmazonKendra|vinayak-kukreja|mrgrain|pahud|cgarvis|kellertk|HBobertz|sumupitchayan|SankyRed|udaypant|colifran|scanlonp|mikewrighton|moelasmar|paulhcsun|awsmjs|evgenyka|GavinZZ|aaythapa|xazhao|ConnorRobertson|ssenchenko|gracelu0|jfuss|SimonCMoore|shikha372|kirtishrinkhala|godwingrs22|bergjaak|Leo10Gama)$
       - -label~="contribution/core"
   - name: automatic merge
     actions:

CHANGELOG.v2.alpha.md

@@ -2,6 +2,8 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.141.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.140.0-alpha.0...v2.141.0-alpha.0) (2024-05-08)
+
 ## [2.140.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.139.1-alpha.0...v2.140.0-alpha.0) (2024-05-02)
 
 ## [2.139.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.139.0-alpha.0...v2.139.1-alpha.0) (2024-04-29)

CHANGELOG.v2.md

@@ -2,6 +2,21 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.141.0](https://github.com/aws/aws-cdk/compare/v2.140.0...v2.141.0) (2024-05-08)
+
+
+### Features
+
+* **rds:** implement setting parameter group name ([#29965](https://github.com/aws/aws-cdk/issues/29965)) ([50331a1](https://github.com/aws/aws-cdk/commit/50331a19cfbe30e3d46f8eed15d74d5975fb1527))
+* support for IAM Identity Center in security diff ([#30009](https://github.com/aws/aws-cdk/issues/30009)) ([0a3cb94](https://github.com/aws/aws-cdk/commit/0a3cb94b9c3c945fa52d36f402b628a330066e5b)), closes [#29835](https://github.com/aws/aws-cdk/issues/29835)
+* update L1 CloudFormation resource definitions ([#30074](https://github.com/aws/aws-cdk/issues/30074)) ([8e98078](https://github.com/aws/aws-cdk/commit/8e98078a54896b7a9531ba4b11bb0c6221383e34))
+
+
+### Bug Fixes
+
+* **ecr:** incorrect format for rule pattern ([#29243](https://github.com/aws/aws-cdk/issues/29243)) ([fff9cf6](https://github.com/aws/aws-cdk/commit/fff9cf694b14811682c8671a1e55afa53151df8b)), closes [#29225](https://github.com/aws/aws-cdk/issues/29225)
+* **pipelines:** pipeline asset role trust policy has account root principal ([#30084](https://github.com/aws/aws-cdk/issues/30084)) ([3928eae](https://github.com/aws/aws-cdk/commit/3928eae1ee92a03ba9959288f05f59d6bd5edcba))
+
 ## [2.140.0](https://github.com/aws/aws-cdk/compare/v2.139.1...v2.140.0) (2024-05-02)
 
 

packages/@aws-cdk-testing/cli-integ/lib/aws.ts

@@ -20,6 +20,7 @@ export class AwsClients {
   public readonly ecr: AwsCaller<AWS.ECR>;
   public readonly ecs: AwsCaller<AWS.ECS>;
   public readonly sso: AwsCaller<AWS.SSO>;
+  public readonly ssm: AwsCaller<AWS.SSM>;
   public readonly sns: AwsCaller<AWS.SNS>;
   public readonly iam: AwsCaller<AWS.IAM>;
   public readonly lambda: AwsCaller<AWS.Lambda>;
@@ -39,6 +40,7 @@ export class AwsClients {
     this.ecs = makeAwsCaller(AWS.ECS, this.config);
     this.sso = makeAwsCaller(AWS.SSO, this.config);
     this.sns = makeAwsCaller(AWS.SNS, this.config);
+    this.ssm = makeAwsCaller(AWS.SSM, this.config);
     this.iam = makeAwsCaller(AWS.IAM, this.config);
     this.lambda = makeAwsCaller(AWS.Lambda, this.config);
     this.sts = makeAwsCaller(AWS.STS, this.config);

packages/@aws-cdk-testing/cli-integ/package.json

@@ -30,12 +30,12 @@
   "license": "Apache-2.0",
   "devDependencies": {
     "@aws-cdk/cdk-build-tools": "0.0.0",
-    "@types/semver": "^7.5.8",
-    "@types/yargs": "^15.0.19",
+    "@aws-cdk/pkglint": "0.0.0",
     "@types/fs-extra": "^9.0.13",
     "@types/glob": "^7.2.0",
     "@types/npm": "^7.19.3",
-    "@aws-cdk/pkglint": "0.0.0"
+    "@types/semver": "^7.5.8",
+    "@types/yargs": "^15.0.19"
   },
   "dependencies": {
     "@octokit/rest": "^18.12.0",

packages/@aws-cdk-testing/cli-integ/resources/cdk-apps/app/app.js

@@ -126,6 +126,22 @@ class SsoInstanceAccessControlConfig extends Stack {
   }
 }
 
+class DiffFromChangeSetStack extends Stack {
+  constructor(scope, id) {
+    super(scope, id);
+
+    const queueNameFromParameter = ssm.StringParameter.valueForStringParameter(this, 'for-queue-name-defined-by-ssm-param');
+    new sqs.Queue(this, "DiffFromChangeSetQueue", {
+      queueName: queueNameFromParameter,
+    })
+
+    new ssm.StringParameter(this, 'DiffFromChangeSetSSMParam', {
+      parameterName: 'DiffFromChangeSetSSMParamName',
+      stringValue: queueNameFromParameter,
+    });
+  }
+}
+
 class ListMultipleDependentStack extends Stack {
   constructor(scope, id) {
     super(scope, id);
@@ -232,10 +248,37 @@ class MigrateStack extends cdk.Stack {
   }
 }
 
-class ImportableStack extends MigrateStack {
+class ImportableStack extends cdk.Stack {
   constructor(parent, id, props) {
     super(parent, id, props);
     new cdk.CfnWaitConditionHandle(this, 'Handle');
+
+    if (process.env.INCLUDE_SINGLE_QUEUE === '1') {
+      const queue = new sqs.Queue(this, 'Queue', {
+        removalPolicy: (process.env.RETAIN_SINGLE_QUEUE === '1') ? cdk.RemovalPolicy.RETAIN : cdk.RemovalPolicy.DESTROY,
+      });
+
+      new cdk.CfnOutput(this, 'QueueName', {
+        value: queue.queueName,
+      });
+
+      new cdk.CfnOutput(this, 'QueueUrl', {
+        value: queue.queueUrl,
+      });
+
+      new cdk.CfnOutput(this, 'QueueLogicalId', {
+        value: queue.node.defaultChild.logicalId,
+      });
+    }
+
+    if (process.env.LARGE_TEMPLATE === '1') {
+      for (let i = 1; i <= 70; i++) {
+        new sqs.Queue(this, `cdk-import-queue-test${i}`, {
+          enforceSSL: true,
+          removalPolicy: cdk.RemovalPolicy.DESTROY,
+        });
+      }
+    }
   }
 }
 
@@ -658,6 +701,8 @@ switch (stackSet) {
 
     const failed = new FailedStack(app, `${stackPrefix}-failed`)
 
+    new DiffFromChangeSetStack(app, `${stackPrefix}-queue-name-defined-by-ssm-param`)
+
     // A stack that depends on the failed stack -- used to test that '-e' does not deploy the failing stack
     const dependsOnFailed = new OutputsStack(app, `${stackPrefix}-depends-on-failed`);
     dependsOnFailed.addDependency(failed);

packages/@aws-cdk-testing/cli-integ/tests/cli-integ-tests/cli.integtest.ts

@@ -1,7 +1,7 @@
 import { promises as fs, existsSync } from 'fs';
 import * as os from 'os';
 import * as path from 'path';
-import { integTest, cloneDirectory, shell, withDefaultFixture, retry, sleep, randomInteger, withSamIntegrationFixture, RESOURCES_DIR, withCDKMigrateFixture, withExtendedTimeoutFixture } from '../../lib';
+import { integTest, cloneDirectory, shell, withDefaultFixture, retry, sleep, randomInteger, withSamIntegrationFixture, RESOURCES_DIR, withCDKMigrateFixture, withExtendedTimeoutFixture, randomString } from '../../lib';
 
 jest.setTimeout(2 * 60 * 60_000); // Includes the time to acquire locks, worst-case single-threaded runtime
 
@@ -944,6 +944,50 @@ integTest('cdk diff --quiet does not print \'There were no differences\' message
   expect(diff).not.toContain('There were no differences');
 }));
 
+integTest('cdk diff picks up changes that are only present in changeset', withDefaultFixture(async (fixture) => {
+  // GIVEN
+  await fixture.aws.ssm('putParameter', {
+    Name: 'for-queue-name-defined-by-ssm-param',
+    Value: randomString(),
+    Type: 'String',
+    Overwrite: true,
+  });
+
+  try {
+    await fixture.cdkDeploy('queue-name-defined-by-ssm-param');
+
+    // WHEN
+    // We want to change the ssm value. Then the CFN changeset will detect that the queue will be changed upon deploy.
+    await fixture.aws.ssm('putParameter', {
+      Name: 'for-queue-name-defined-by-ssm-param',
+      Value: randomString(),
+      Type: 'String',
+      Overwrite: true,
+    });
+
+    const diff = await fixture.cdk(['diff', fixture.fullStackName('queue-name-defined-by-ssm-param')]);
+
+    // THEN
+    const normalizedPlainTextOutput = diff.replace(/\x1B\[[0-?]*[ -/]*[@-~]/g, '') // remove all color and formatting (bolding, italic, etc)
+      .replace(/ /g, '') // remove all spaces
+      .replace(/\n/g, '') // remove all new lines
+      .replace(/\d+/g, ''); // remove all digits
+
+    const normalizedExpectedOutput = `
+      Resources
+      [~] AWS::SQS::Queue DiffFromChangeSetQueue DiffFromChangeSetQueue06622C07 replace
+       └─ [~] QueueName (requires replacement)
+      [~] AWS::SSM::Parameter DiffFromChangeSetSSMParam DiffFromChangeSetSSMParam92A9A723
+       └─ [~] Value`
+      .replace(/ /g, '')
+      .replace(/\n/g, '')
+      .replace(/\d+/g, '');
+    expect(normalizedPlainTextOutput).toContain(normalizedExpectedOutput);
+  } finally {
+    await fixture.cdkDestroy('queue-name-defined-by-ssm-param');
+  }
+}));
+
 integTest('deploy stack with docker asset', withDefaultFixture(async (fixture) => {
   await fixture.cdkDeploy('docker');
 }));
@@ -1575,37 +1619,60 @@ integTest('skips notice refresh', withDefaultFixture(async (fixture) => {
 }));
 
 /**
- * Create a queue with a fresh name, redeploy orphaning the queue, then import it again
+ * Create a queue, orphan that queue, then import the queue.
+ *
+ * We want to test with a large template to make sure large templates can work with import.
  */
 integTest('test resource import', withDefaultFixture(async (fixture) => {
-  const outputsFile = path.join(fixture.integTestDir, 'outputs', 'outputs.json');
+  // GIVEN
+  const randomPrefix = randomString();
+  const uniqueOutputsFileName = `${randomPrefix}Outputs.json`; // other tests use the outputs file. Make sure we don't collide.
+  const outputsFile = path.join(fixture.integTestDir, 'outputs', uniqueOutputsFileName);
   await fs.mkdir(path.dirname(outputsFile), { recursive: true });
 
-  // Initial deploy
+  // First, create a stack that includes many queues, and one queue that will be removed from the stack but NOT deleted from AWS.
   await fixture.cdkDeploy('importable-stack', {
-    modEnv: { ORPHAN_TOPIC: '1' },
+    modEnv: { LARGE_TEMPLATE: '1', INCLUDE_SINGLE_QUEUE: '1', RETAIN_SINGLE_QUEUE: '1' },
     options: ['--outputs-file', outputsFile],
   });
 
-  const outputs = JSON.parse((await fs.readFile(outputsFile, { encoding: 'utf-8' })).toString());
-  const queueName = outputs.QueueName;
-  const queueLogicalId = outputs.QueueLogicalId;
-  fixture.log(`Setup complete, created queue ${queueName}`);
   try {
-    // Deploy again, orphaning the queue
+
+    // Second, now the queue we will remove is in the stack and has a logicalId. We can now make the resource mapping file.
+    // This resource mapping file will be used to tell the import operation what queue to bring into the stack.
+    const fullStackName = fixture.fullStackName('importable-stack');
+    const outputs = JSON.parse((await fs.readFile(outputsFile, { encoding: 'utf-8' })).toString());
+    const queueLogicalId = outputs[fullStackName].QueueLogicalId;
+    const queueResourceMap = {
+      [queueLogicalId]: { QueueUrl: outputs[fullStackName].QueueUrl },
+    };
+    const mappingFile = path.join(fixture.integTestDir, 'outputs', `${randomPrefix}Mapping.json`);
+    await fs.writeFile(
+      mappingFile,
+      JSON.stringify(queueResourceMap),
+      { encoding: 'utf-8' },
+    );
+
+    // Third, remove the queue from the stack, but don't delete the queue from AWS.
     await fixture.cdkDeploy('importable-stack', {
-      modEnv: { OMIT_TOPIC: '1' },
+      modEnv: { LARGE_TEMPLATE: '1', INCLUDE_SINGLE_QUEUE: '0', RETAIN_SINGLE_QUEUE: '0' },
     });
+    const cfnTemplateBeforeImport = await fixture.aws.cloudFormation('getTemplate', { StackName: fullStackName });
+    expect(cfnTemplateBeforeImport.TemplateBody).not.toContain(queueLogicalId);
 
-    // Write a resource mapping file based on the ID from step one, then run an import
-    const mappingFile = path.join(fixture.integTestDir, 'outputs', 'mapping.json');
-    await fs.writeFile(mappingFile, JSON.stringify({ [queueLogicalId]: { QueueName: queueName } }), { encoding: 'utf-8' });
+    // WHEN
+    await fixture.cdk(
+      ['import', '--resource-mapping', mappingFile, fixture.fullStackName('importable-stack')],
+      { modEnv: { LARGE_TEMPLATE: '1', INCLUDE_SINGLE_QUEUE: '1', RETAIN_SINGLE_QUEUE: '0' } },
+    );
 
-    await fixture.cdk(['import',
-      '--resource-mapping', mappingFile,
-      fixture.fullStackName('importable-stack')]);
+    // THEN
+    const describeStacksResponse = await fixture.aws.cloudFormation('describeStacks', { StackName: fullStackName });
+    const cfnTemplateAfterImport = await fixture.aws.cloudFormation('getTemplate', { StackName: fullStackName });
+    expect(describeStacksResponse.Stacks![0].StackStatus).toEqual('IMPORT_COMPLETE');
+    expect(cfnTemplateAfterImport.TemplateBody).toContain(queueLogicalId);
   } finally {
-    // Cleanup
+    // Clean up
     await fixture.cdkDestroy('importable-stack');
   }
 }));

packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/assets/index.py

@@ -0,0 +1,8 @@
+import json
+
+def handler(event, context):
+    print("Event: ", event)
+    return {
+        'statusCode': 200,
+        'body': json.dumps({'message': 'Hello from Lambda l2!'})
+    }