Merge branch 'master' into patch-1

.github/workflows/yarn-upgrade.yml

@@ -18,7 +18,7 @@ jobs:
         uses: actions/checkout@v2
 
       - name: Set up Node
-        uses: actions/setup-node@v2.5.1
+        uses: actions/setup-node@v3
         with:
           node-version: 12
 

CHANGELOG.md

@@ -2,6 +2,35 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [1.147.0](https://github.com/aws/aws-cdk/compare/v1.146.0...v1.147.0) (2022-03-01)
+
+
+### Features
+
+* **cfnspec:** cloudformation spec v58.0.0 ([#19153](https://github.com/aws/aws-cdk/issues/19153)) ([a6b0a10](https://github.com/aws/aws-cdk/commit/a6b0a1018694a0696ed27635d4def5d1630b8f9a))
+* **cli:** hotswap support for resources in nested stacks ([#18950](https://github.com/aws/aws-cdk/issues/18950)) ([2ea9da1](https://github.com/aws/aws-cdk/commit/2ea9da118794809265d215e3d2f554bbcb91b271))
+* **ec2:** add c6a instances ([#19113](https://github.com/aws/aws-cdk/issues/19113)) ([427cdfd](https://github.com/aws/aws-cdk/commit/427cdfde5e8c48ed7c1f86b275ccb2516a901239))
+
+
+### Bug Fixes
+
+* **apigateway:** fix strange vtl template for cors preflight request ([#19104](https://github.com/aws/aws-cdk/issues/19104)) ([59ef06a](https://github.com/aws/aws-cdk/commit/59ef06ae2a70fcb1800fcc1f40eec671c77440f0)), closes [/datatracker.ietf.org/doc/html/rfc6454#section-7](https://github.com/aws//datatracker.ietf.org/doc/html/rfc6454/issues/section-7)
+* **aws-apigateway:** api gateway usage plan ([#19023](https://github.com/aws/aws-cdk/issues/19023)) ([5b764cc](https://github.com/aws/aws-cdk/commit/5b764cc397de4f4b203f5c69fa0128c6dced49f9)), closes [#18994](https://github.com/aws/aws-cdk/issues/18994)
+* **aws-lambda-python:** skip default docker build when image passed ([#19143](https://github.com/aws/aws-cdk/issues/19143)) ([7300f2e](https://github.com/aws/aws-cdk/commit/7300f2eee9e1593eef271d7a953edf80a8962e08)), closes [#18082](https://github.com/aws/aws-cdk/issues/18082)
+* **cli:** cdk version displays notices ([#19181](https://github.com/aws/aws-cdk/issues/19181)) ([fa16f7a](https://github.com/aws/aws-cdk/commit/fa16f7a9c11981da75e44ffc83adcdc6edad94fc))
+* **cli:** long connection timeout slows the CLI down ([#19187](https://github.com/aws/aws-cdk/issues/19187)) ([6595d04](https://github.com/aws/aws-cdk/commit/6595d044e29fb262fb62430783ad08359e16bc30))
+* **custom-resources:** physical resource id must be determined before isComplete ([#18630](https://github.com/aws/aws-cdk/issues/18630)) ([c190367](https://github.com/aws/aws-cdk/commit/c1903678aba31ca5b23a3bebb84249921e15dd5c))
+* **dynamodb:** `grant*Data()` methods are missing the `dynamodb:DescribeTable` permission ([#19129](https://github.com/aws/aws-cdk/issues/19129)) ([4a44a65](https://github.com/aws/aws-cdk/commit/4a44a65bb4634081e04811966d5f4e2fd49bc7c6)), closes [#18773](https://github.com/aws/aws-cdk/issues/18773)
+* **dynamodb:** `Table.grantWriteData()` doesn't include enough KMS permissions ([#19102](https://github.com/aws/aws-cdk/issues/19102)) ([77f1e0b](https://github.com/aws/aws-cdk/commit/77f1e0b57bd4508ade86be7733e71e94a47d7f4c)), closes [#10010](https://github.com/aws/aws-cdk/issues/10010)
+* **ec2:** invalid volume type check for iops ([#19073](https://github.com/aws/aws-cdk/issues/19073)) ([3f49f02](https://github.com/aws/aws-cdk/commit/3f49f020090142c77feb892894c54e62dc4de7ae))
+* **eks:** Helm charts fail to install when provided as an asset ([#19180](https://github.com/aws/aws-cdk/issues/19180)) ([9961257](https://github.com/aws/aws-cdk/commit/99612574bbaf97379482e9e424e1d1115809d74b))
+* **lambda-nodejs:** `logLevel` property of `BundlingOptions` is ignored when `nodeModules` are defined ([#18456](https://github.com/aws/aws-cdk/issues/18456)) ([5c40b90](https://github.com/aws/aws-cdk/commit/5c40b90707b869f62e59613d50d5deaafbaa52f1)), closes [#18383](https://github.com/aws/aws-cdk/issues/18383)
+* **stepfunctions-tasks:** RUN_JOB integration pattern not supported for CallAwsService ([#19186](https://github.com/aws/aws-cdk/issues/19186)) ([4b134b7](https://github.com/aws/aws-cdk/commit/4b134b785115f026a0eaa37b699cd32c85ff8e73)), closes [#19174](https://github.com/aws/aws-cdk/issues/19174)
+* apply tags to nested stack ([#19128](https://github.com/aws/aws-cdk/issues/19128)) ([3af329b](https://github.com/aws/aws-cdk/commit/3af329bcb66b9dffce0c03f0816b33e91e901808)), closes [#17463](https://github.com/aws/aws-cdk/issues/17463)
+* **triggers:** not published as part of v2 ([#19168](https://github.com/aws/aws-cdk/issues/19168)) ([8f727d1](https://github.com/aws/aws-cdk/commit/8f727d15f8f87d4ca323fee449826908db7971a4)), closes [#19164](https://github.com/aws/aws-cdk/issues/19164)
+* construct paths are not printed for nested stacks in CLI output ([#18725](https://github.com/aws/aws-cdk/issues/18725)) ([b0e0155](https://github.com/aws/aws-cdk/commit/b0e0155f87a65c34a75e11776f98d55b83d2b220))
+* **rds:** MySQL Cluster version 8.0 uses wrong Parameter for S3 import ([#19145](https://github.com/aws/aws-cdk/issues/19145)) ([96b2034](https://github.com/aws/aws-cdk/commit/96b2034c44b441a96cfe19855d343b0f983c8772)), closes [#19126](https://github.com/aws/aws-cdk/issues/19126)
+
 ## [1.146.0](https://github.com/aws/aws-cdk/compare/v1.145.0...v1.146.0) (2022-02-24)
 
 

packages/@aws-cdk/aws-cloudformation/test/nested-stack.test.ts

@@ -4,7 +4,7 @@ import { Template } from '@aws-cdk/assertions';
 import * as s3_assets from '@aws-cdk/aws-s3-assets';
 import * as sns from '@aws-cdk/aws-sns';
 import { describeDeprecated } from '@aws-cdk/cdk-build-tools';
-import { App, CfnParameter, CfnResource, ContextProvider, LegacyStackSynthesizer, Names, Stack } from '@aws-cdk/core';
+import { App, CfnParameter, CfnResource, ContextProvider, LegacyStackSynthesizer, Names, Stack, Tags } from '@aws-cdk/core';
 import { NestedStack } from '../lib/nested-stack';
 
 // keep this import separate from other imports to reduce chance for merge conflicts with v2-main
@@ -1085,4 +1085,49 @@ describeDeprecated('NestedStack', () => {
     });
   });
 
+  test('nested stack should get the tags added in root stack', () =>{
+    const app = new App();
+    const parentStack = new Stack(app, 'parent-stack');
+    const nestedStack = new NestedStack(parentStack, 'MyNestedStack');
+
+    // add tags
+    Tags.of(nestedStack).add('tag-1', '22');
+    Tags.of(nestedStack).add('tag-2', '33');
+
+    new sns.Topic(nestedStack, 'MyTopic');
+
+    // THEN
+    Template.fromStack(parentStack).hasResourceProperties(
+      'AWS::CloudFormation::Stack',
+      {
+        Tags: [
+          {
+            Key: 'tag-1',
+            Value: '22',
+          },
+          {
+            Key: 'tag-2',
+            Value: '33',
+          },
+        ],
+      },
+    );
+
+    Template.fromStack(nestedStack).hasResourceProperties(
+      'AWS::SNS::Topic',
+      {
+        Tags: [
+          {
+            Key: 'tag-1',
+            Value: '22',
+          },
+          {
+            Key: 'tag-2',
+            Value: '33',
+          },
+        ],
+      },
+    );
+  });
+
 });

packages/@aws-cdk/aws-ec2/README.md

@@ -663,7 +663,7 @@ vpc.addVpnConnection('Dynamic', {
 ```
 
 By default, routes will be propagated on the route tables associated with the private subnets. If no
-private subnets exists, isolated subnets are used. If no isolated subnets exists, public subnets are
+private subnets exist, isolated subnets are used. If no isolated subnets exist, public subnets are
 used. Use the `Vpc` property `vpnRoutePropagation` to customize this behavior.
 
 VPN connections expose [metrics (cloudwatch.Metric)](https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/aws-cloudwatch/README.md) across all tunnels in the account/region and per connection:
@@ -810,7 +810,7 @@ The endpoint must use at least one [authentication method](https://docs.aws.amaz
 If user-based authentication is used, the [self-service portal URL](https://docs.aws.amazon.com/vpn/latest/clientvpn-user/self-service-portal.html)
 is made available via a CloudFormation output.
 
-By default, a new security group is created and logging is enabled. Moreover, a rule to
+By default, a new security group is created, and logging is enabled. Moreover, a rule to
 authorize all users to the VPC CIDR is created.
 
 To customize authorization rules, set the `authorizeAllUsersToVpcCidr` prop to `false`
@@ -898,7 +898,7 @@ new ec2.Instance(this, 'Instance4', {
 
 CloudFormation Init allows you to configure your instances by writing files to them, installing software
 packages, starting services and running arbitrary commands. By default, if any of the instance setup
-commands throw an error, the deployment will fail and roll back to the previously known good state.
+commands throw an error; the deployment will fail and roll back to the previously known good state.
 The following documentation also applies to `AutoScalingGroup`s.
 
 For the full set of capabilities of this system, see the documentation for
@@ -1201,7 +1201,7 @@ Aspects.of(this).add(aspect);
 
 VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs and Amazon S3. After you've created a flow log, you can retrieve and view its data in the chosen destination. (<https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html>).
 
-By default a flow log will be created with CloudWatch Logs as the destination.
+By default, a flow log will be created with CloudWatch Logs as the destination.
 
 You can create a flow log like this:
 
@@ -1235,7 +1235,7 @@ vpc.addFlowLog('FlowLogCloudWatch', {
 });
 ```
 
-By default the CDK will create the necessary resources for the destination. For the CloudWatch Logs destination
+By default, the CDK will create the necessary resources for the destination. For the CloudWatch Logs destination
 it will create a CloudWatch Logs Log Group as well as the IAM role with the necessary permissions to publish to
 the log group. In the case of an S3 destination, it will create the S3 bucket.
 
@@ -1311,9 +1311,9 @@ from separate parts forming archive. The most common parts are scripts executed
 kinds, too.
 
 The advantage of multipart archive is in flexibility when it's needed to add additional parts or to use specialized parts to
-fine tune instance startup. Some services (like AWS Batch) supports only `MultipartUserData`.
+fine tune instance startup. Some services (like AWS Batch) support only `MultipartUserData`.
 
-The parts can be executed at different moment of instance start-up and can serve a different purposes. This is controlled by `contentType` property.
+The parts can be executed at different moment of instance start-up and can serve a different purpose. This is controlled by `contentType` property.
 For common scripts, `text/x-shellscript; charset="utf-8"` can be used as content type.
 
 In order to create archive the `MultipartUserData` has to be instantiated. Than, user can add parts to multipart archive using `addPart`. The `MultipartBody` contains methods supporting creation of body parts.

packages/@aws-cdk/aws-ec2/lib/instance-types.ts

@@ -298,16 +298,6 @@ export enum InstanceClass {
    */
   C5 = 'c5',
 
-  /**
-   * Compute optimized instances, 6th generation
-   */
-  COMPUTE6_INTEL = 'c6i',
-
-  /**
-   * Compute optimized instances, 6th generation
-   */
-  C6I = 'c6i',
-
   /**
    * Compute optimized instances with local NVME drive, 5th generation
    */
@@ -319,7 +309,7 @@ export enum InstanceClass {
   C5D = 'c5d',
 
   /**
-   * Compute optimized instances based on AMD EPYC, 5th generation.
+   * Compute optimized instances based on AMD EPYC, 5th generation
    */
   COMPUTE5_AMD = 'c5a',
 
@@ -329,12 +319,12 @@ export enum InstanceClass {
   C5A = 'c5a',
 
   /**
-   * Compute optimized instances with local NVME drive based on AMD EPYC, 5th generation.
+   * Compute optimized instances with local NVME drive based on AMD EPYC, 5th generation
    */
   COMPUTE5_AMD_NVME_DRIVE = 'c5ad',
 
   /**
-   * Compute optimized instances with local NVME drive based on AMD EPYC, 5th generation.
+   * Compute optimized instances with local NVME drive based on AMD EPYC, 5th generation
    */
   C5AD = 'c5ad',
 
@@ -348,6 +338,26 @@ export enum InstanceClass {
    */
   C5N = 'c5n',
 
+  /**
+   * Compute optimized instances, 6th generation
+   */
+  COMPUTE6_INTEL = 'c6i',
+
+  /**
+  * Compute optimized instances, 6th generation
+  */
+  C6I = 'c6i',
+
+  /**
+  * Compute optimized instances based on AMD EPYC (codename Milan), 6th generation
+  */
+  COMPUTE6_AMD = 'c6a',
+
+  /**
+  * Compute optimized instances based on AMD EPYC (codename Milan), 6th generation
+  */
+  C6A = 'c6a',
+
   /**
    * Compute optimized instances for high performance computing, 6th generation with Graviton2 processors
    */

packages/@aws-cdk/aws-ec2/lib/private/ebs-util.ts

@@ -31,11 +31,11 @@ function synthesizeBlockDeviceMappings<RT, NDT>(construct: Construct, blockDevic
       const { iops, volumeType, kmsKey, ...rest } = ebs;
 
       if (!iops) {
-        if (volumeType === EbsDeviceVolumeType.IO1) {
-          throw new Error('iops property is required with volumeType: EbsDeviceVolumeType.IO1');
+        if (volumeType === EbsDeviceVolumeType.IO1 || volumeType === EbsDeviceVolumeType.IO2) {
+          throw new Error('iops property is required with volumeType: EbsDeviceVolumeType.IO1 and EbsDeviceVolumeType.IO2');
         }
-      } else if (volumeType !== EbsDeviceVolumeType.IO1) {
-        Annotations.of(construct).addWarning('iops will be ignored without volumeType: EbsDeviceVolumeType.IO1');
+      } else if (volumeType !== EbsDeviceVolumeType.IO1 && volumeType !== EbsDeviceVolumeType.IO2 && volumeType !== EbsDeviceVolumeType.GP3) {
+        Annotations.of(construct).addWarning('iops will be ignored without volumeType: IO1, IO2, or GP3');
       }
 
       /**

packages/@aws-cdk/aws-ec2/test/instance.test.ts

@@ -199,6 +199,15 @@ describe('instance', () => {
             volumeType: EbsDeviceVolumeType.IO1,
             iops: 5000,
           }),
+        }, {
+          deviceName: 'ebs-gp3',
+          mappingEnabled: true,
+          volume: BlockDeviceVolume.ebs(15, {
+            deleteOnTermination: true,
+            encrypted: true,
+            volumeType: EbsDeviceVolumeType.GP3,
+            iops: 5000,
+          }),
         }, {
           deviceName: 'ebs-cmk',
           mappingEnabled: true,
@@ -236,6 +245,16 @@ describe('instance', () => {
               VolumeType: 'io1',
             },
           },
+          {
+            DeviceName: 'ebs-gp3',
+            Ebs: {
+              DeleteOnTermination: true,
+              Encrypted: true,
+              Iops: 5000,
+              VolumeSize: 15,
+              VolumeType: 'gp3',
+            },
+          },
           {
             DeviceName: 'ebs-cmk',
             Ebs: {
@@ -306,8 +325,25 @@ describe('instance', () => {
           }],
         });
       }).toThrow(/ops property is required with volumeType: EbsDeviceVolumeType.IO1/);
+    });
 
-
+    test('throws if volumeType === IO2 without iops', () => {
+      // THEN
+      expect(() => {
+        new Instance(stack, 'Instance', {
+          vpc,
+          machineImage: new AmazonLinuxImage(),
+          instanceType: InstanceType.of(InstanceClass.T3, InstanceSize.LARGE),
+          blockDevices: [{
+            deviceName: 'ebs',
+            volume: BlockDeviceVolume.ebs(15, {
+              deleteOnTermination: true,
+              encrypted: true,
+              volumeType: EbsDeviceVolumeType.IO2,
+            }),
+          }],
+        });
+      }).toThrow(/ops property is required with volumeType: EbsDeviceVolumeType.IO1 and EbsDeviceVolumeType.IO2/);
     });
 
     test('warning if iops without volumeType', () => {
@@ -327,12 +363,10 @@ describe('instance', () => {
 
       // THEN
       expect(instance.node.metadataEntry[0].type).toEqual(cxschema.ArtifactMetadataEntryType.WARN);
-      expect(instance.node.metadataEntry[0].data).toEqual('iops will be ignored without volumeType: EbsDeviceVolumeType.IO1');
-
-
+      expect(instance.node.metadataEntry[0].data).toEqual('iops will be ignored without volumeType: IO1, IO2, or GP3');
     });
 
-    test('warning if iops and volumeType !== IO1', () => {
+    test('warning if iops and invalid volumeType', () => {
       const instance = new Instance(stack, 'Instance', {
         vpc,
         machineImage: new AmazonLinuxImage(),
@@ -350,9 +384,7 @@ describe('instance', () => {
 
       // THEN
       expect(instance.node.metadataEntry[0].type).toEqual(cxschema.ArtifactMetadataEntryType.WARN);
-      expect(instance.node.metadataEntry[0].data).toEqual('iops will be ignored without volumeType: EbsDeviceVolumeType.IO1');
-
-
+      expect(instance.node.metadataEntry[0].data).toEqual('iops will be ignored without volumeType: IO1, IO2, or GP3');
     });
   });
 

packages/@aws-cdk/aws-efs/lib/efs-file-system.ts

@@ -341,15 +341,21 @@ export class FileSystem extends FileSystemBase {
     const encrypted = props.encrypted ?? (FeatureFlags.of(this).isEnabled(
       cxapi.EFS_DEFAULT_ENCRYPTION_AT_REST) ? true : undefined);
 
+    // LifecyclePolicies is an array of lists containing a single policy
+    let lifecyclePolicies = [];
+
+    if (props.lifecyclePolicy) {
+      lifecyclePolicies.push({ transitionToIa: props.lifecyclePolicy });
+    }
+
+    if (props.outOfInfrequentAccessPolicy) {
+      lifecyclePolicies.push({ transitionToPrimaryStorageClass: props.outOfInfrequentAccessPolicy });
+    }
+
     const filesystem = new CfnFileSystem(this, 'Resource', {
       encrypted: encrypted,
       kmsKeyId: props.kmsKey?.keyArn,
-      lifecyclePolicies: (
-        (props.lifecyclePolicy || props.outOfInfrequentAccessPolicy) ?
-          [{
-            transitionToIa: props.lifecyclePolicy,
-            transitionToPrimaryStorageClass: props.outOfInfrequentAccessPolicy,
-          }] : undefined),
+      lifecyclePolicies: lifecyclePolicies.length > 0 ? lifecyclePolicies : undefined,
       performanceMode: props.performanceMode,
       throughputMode: props.throughputMode,
       provisionedThroughputInMibps: props.provisionedThroughputPerSecond?.toMebibytes(),

packages/@aws-cdk/aws-efs/test/efs-file-system.test.ts

@@ -137,10 +137,14 @@ test('file system is created correctly with a life cycle property and out of inf
   });
   // THEN
   Template.fromStack(stack).hasResourceProperties('AWS::EFS::FileSystem', {
-    LifecyclePolicies: [{
-      TransitionToIA: 'AFTER_7_DAYS',
-      TransitionToPrimaryStorageClass: 'AFTER_1_ACCESS',
-    }],
+    LifecyclePolicies: [
+      {
+        TransitionToIA: 'AFTER_7_DAYS',
+      },
+      {
+        TransitionToPrimaryStorageClass: 'AFTER_1_ACCESS',
+      },
+    ],
   });
 });
 

packages/@aws-cdk/aws-eks/lib/kubectl-handler/helm/__init__.py

@@ -80,8 +80,7 @@ def helm_handler(event, context):
             # future work: support versions from s3 assets
             chart = get_chart_asset_from_url(chart_asset_url)
 
-        if repository.startswith('oci://'):
-            assert(repository is not None)
+        if repository is not None and repository.startswith('oci://'):
             tmpdir = tempfile.TemporaryDirectory()
             chart_dir = get_chart_from_oci(tmpdir.name, release, repository, version)
             chart = chart_dir