Merge branch 'main' into events-new-filtering

CHANGELOG.v2.alpha.md

@@ -2,14 +2,35 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.51.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.51.0-alpha.0...v2.51.1-alpha.0) (2022-11-18)
+
+## [2.51.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.50.0-alpha.0...v2.51.0-alpha.0) (2022-11-18)
+
+
+### Features
+
+* **gamelift:** add BuildFleet L2 Construct for GameLift ([#22835](https://github.com/aws/aws-cdk/issues/22835)) ([834fab4](https://github.com/aws/aws-cdk/commit/834fab4983526eced3ddbdd58c5bfefbe757715d))
+* **gamelift:** add GameServerGroup L2 Construct for GameLift ([#22762](https://github.com/aws/aws-cdk/issues/22762)) ([ef74116](https://github.com/aws/aws-cdk/commit/ef74116aad56abbcea788ef3662a6ae6e74c4145))
+* **integ-runner:** support config file ([#22937](https://github.com/aws/aws-cdk/issues/22937)) ([4f49efe](https://github.com/aws/aws-cdk/commit/4f49efe35eaffd662c22e0d80e9b7fadeb25ab37))
+* **integ-runner:** support custom `--app` commands ([#22761](https://github.com/aws/aws-cdk/issues/22761)) ([a7bb6e1](https://github.com/aws/aws-cdk/commit/a7bb6e1a8a9a9f3fe534069ec77b4f6b10307c9f)), closes [#22521](https://github.com/aws/aws-cdk/issues/22521)
+* **integ-runner:** support custom `--test-regex` to match integ test files ([#22786](https://github.com/aws/aws-cdk/issues/22786)) ([fa1a439](https://github.com/aws/aws-cdk/commit/fa1a4395230790c89d5c468306759f4a6c5f7e0c)), closes [#22761](https://github.com/aws/aws-cdk/issues/22761) [#22521](https://github.com/aws/aws-cdk/issues/22521)
+* **integ-runner:** support snapshot diff on nested stacks ([#22881](https://github.com/aws/aws-cdk/issues/22881)) ([5b3d06d](https://github.com/aws/aws-cdk/commit/5b3d06d808d1eb110943b2c68de75ae6d5b5e624))
+* **sagemaker:** add EndpointConfig L2 construct ([#22865](https://github.com/aws/aws-cdk/issues/22865)) ([0e97c15](https://github.com/aws/aws-cdk/commit/0e97c15b49d02b44ea4916a3f29a156ca69a5a23)), closes [#2809](https://github.com/aws/aws-cdk/issues/2809)
+* **sagemaker:** add Model L2 construct ([#22549](https://github.com/aws/aws-cdk/issues/22549)) ([93915f1](https://github.com/aws/aws-cdk/commit/93915f113e656de8374c99e42135f698f0877685)), closes [#2809](https://github.com/aws/aws-cdk/issues/2809)
+
+
+### Bug Fixes
+
+* **gamelift:** restrict policy to access Script / Build content in S3 ([#22767](https://github.com/aws/aws-cdk/issues/22767)) ([c936002](https://github.com/aws/aws-cdk/commit/c93600260c86dfbc6a8f8f2399a6ac9d0f4b4d35))
+
 ## [2.50.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.49.1-alpha.0...v2.50.0-alpha.0) (2022-11-01)
 
 
 ### Features
 
 * **synthetics:** aws synthetics runtime version syn-nodejs-puppeteer-3.8 ([#22707](https://github.com/aws/aws-cdk/issues/22707)) ([228c865](https://github.com/aws/aws-cdk/commit/228c86532118b143e365b2268d06ee3a36fcf3a7))
 
-## [2.49.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.49.0-alpha.0...v2.49.1-alpha.0) (2022-10-31) 
+## [2.49.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.49.0-alpha.0...v2.49.1-alpha.0) (2022-10-31)
 
 ## [2.49.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.48.0-alpha.0...v2.49.0-alpha.0) (2022-10-27)
 

CHANGELOG.v2.md

@@ -2,6 +2,54 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.51.1](https://github.com/aws/aws-cdk/compare/v2.51.0...v2.51.1) (2022-11-18)
+
+
+### Bug Fixes
+
+* ECS service replacement regression ([#22978](https://github.com/aws/aws-cdk/issues/22978)) ([680e048](https://github.com/aws/aws-cdk/commit/680e048abc0c1e778b64c4e29fefcff0704f4d30)), closes [#22467](https://github.com/aws/aws-cdk/issues/22467)
+
+## [2.51.0](https://github.com/aws/aws-cdk/compare/v2.50.0...v2.51.0) (2022-11-18)
+
+
+### Features
+
+* **assertions:** allResources and allResourcesProperties methods ([#22007](https://github.com/aws/aws-cdk/issues/22007)) ([2430537](https://github.com/aws/aws-cdk/commit/24305376260407ea4101ffc6637470c1ecd97ec5)), closes [#21269](https://github.com/aws/aws-cdk/issues/21269)
+* **cfnspec:** cloudformation spec v96.0.0 ([#22775](https://github.com/aws/aws-cdk/issues/22775)) ([aa19ec0](https://github.com/aws/aws-cdk/commit/aa19ec05835a7c71e1aa01dcd649a4d933ef1fd8))
+* **cfnspec:** cloudformation spec v97.0.0 ([#22876](https://github.com/aws/aws-cdk/issues/22876)) ([e29df69](https://github.com/aws/aws-cdk/commit/e29df698fbd1f5365edf4f71a91417d47806fc1c))
+* **codebuild:** interactive breakpoints using SSM ([#22728](https://github.com/aws/aws-cdk/issues/22728)) ([bf165a1](https://github.com/aws/aws-cdk/commit/bf165a1f76f44114f0c37b0c1dace6f2ac0e828f))
+* **cognito:** deletion protection for user pools ([#22765](https://github.com/aws/aws-cdk/issues/22765)) ([9bde9f3](https://github.com/aws/aws-cdk/commit/9bde9f3149cbfa6e7b97204f54e7cef5c9127971))
+* **ec2:** change log format in Vpc flow logs ([#22430](https://github.com/aws/aws-cdk/issues/22430)) ([26779f8](https://github.com/aws/aws-cdk/commit/26779f8b233a1ff6ba35fe2b364df4971bfcce9f)), closes [#16279](https://github.com/aws/aws-cdk/issues/16279) [/github.com/aws/aws-cdk/pull/16279#discussion_r808075037](https://github.com/aws//github.com/aws/aws-cdk/pull/16279/issues/discussion_r808075037) [#19316](https://github.com/aws/aws-cdk/issues/19316)
+* **iam:** customize IAM role creation behavior ([#22856](https://github.com/aws/aws-cdk/issues/22856)) ([b25e526](https://github.com/aws/aws-cdk/commit/b25e52616717b55a309c5d6d0998f2fd4cc6fe39)), closes [#22749](https://github.com/aws/aws-cdk/issues/22749) [#22862](https://github.com/aws/aws-cdk/issues/22862)
+* **lambda:** add nodejs18.x runtime ([#22964](https://github.com/aws/aws-cdk/issues/22964)) ([176feef](https://github.com/aws/aws-cdk/commit/176feefd7ceb4e8dc622283e2b40cab306705580))
+* lambda-layer-awscli): depend on @awscdk/asset-awscli-v1 and reduce aws-cdk-lib size ([#22823](https://github.com/aws/aws-cdk/issues/22823)) ([4bdb18e](https://github.com/aws/aws-cdk/commit/4bdb18e6a43c41ad403c16ab836fe7b991f9531c))
+* **lambda-layer-kubectl:** depend on @awscdk/asset-kubectl-v20 and reduce aws-cdk-lib size ([#22677](https://github.com/aws/aws-cdk/issues/22677)) ([6c606d0](https://github.com/aws/aws-cdk/commit/6c606d0f103681db2632d614843233632327693e))
+* **lambda-layer-node-proxy-agent:** depend on @awscdk/asset-node-proxy-agent-v5 and reduce aws-cdk-lib size ([#22769](https://github.com/aws/aws-cdk/issues/22769)) ([4d4e8cc](https://github.com/aws/aws-cdk/commit/4d4e8cc455a2828d76374a3174a1ce8bb600aac5))
+
+
+### Bug Fixes
+
+* **cli:** asset prebuild breaks some custom bootstrap scenarios ([#22930](https://github.com/aws/aws-cdk/issues/22930)) ([fc4668d](https://github.com/aws/aws-cdk/commit/fc4668d6ef23702547890549568a9205c79149f8)), closes [#21965](https://github.com/aws/aws-cdk/issues/21965)
+* **cli:** assetParallelism option in cdk.json is not recognized ([#22781](https://github.com/aws/aws-cdk/issues/22781)) ([e2a9c77](https://github.com/aws/aws-cdk/commit/e2a9c778f48c098990d2492bf7e269651056d667))
+* **cli:** synthesis stops on expired AWS credentials ([#22861](https://github.com/aws/aws-cdk/issues/22861)) ([0a55e91](https://github.com/aws/aws-cdk/commit/0a55e91950c00daa4fc1a29ca8bad268620a64f3))
+* **cloudfront:** custom originId not used for multiple behaviors with same origin ([#22830](https://github.com/aws/aws-cdk/issues/22830)) ([2f1e2e9](https://github.com/aws/aws-cdk/commit/2f1e2e9a3c87ecf7b76b253c6445c5099e15218a)), closes [#22758](https://github.com/aws/aws-cdk/issues/22758)
+* **cloudfront:** OriginShield not easily disabled once enabled on an origin ([#22791](https://github.com/aws/aws-cdk/issues/22791)) ([6be4cf6](https://github.com/aws/aws-cdk/commit/6be4cf63470239db7ea402a20fdd6099e53a185a))
+* **ecs:** adding a circuit breaker causes Service replacement (under feature flag) ([#22467](https://github.com/aws/aws-cdk/issues/22467)) ([9437d4f](https://github.com/aws/aws-cdk/commit/9437d4fd5957419145b70209e9ab06a8d415efa1)), closes [#16126](https://github.com/aws/aws-cdk/issues/16126) [#16919](https://github.com/aws/aws-cdk/issues/16919) [#22328](https://github.com/aws/aws-cdk/issues/22328)
+* **events-targets:** encrypted queues get too wide permissions (under feature flag) ([#22740](https://github.com/aws/aws-cdk/issues/22740)) ([a36f2f0](https://github.com/aws/aws-cdk/commit/a36f2f0d3e71e0b2467812a9d93d4b0b26629a60))
+* **iam:** oidc provider fetches leaf certificate thumbprint instead of root ([#22802](https://github.com/aws/aws-cdk/issues/22802)) ([280b876](https://github.com/aws/aws-cdk/commit/280b876d426522fd043f13ff0b188e29acaa0fbf)), closes [40aws-cdk/aws-iam/lib/oidc-provider/external.ts#L40](https://github.com/40aws-cdk/aws-iam/lib/oidc-provider/external.ts/issues/L40) [40aws-cdk/aws-iam/lib/oidc-provider/external.ts#L46](https://github.com/40aws-cdk/aws-iam/lib/oidc-provider/external.ts/issues/L46) [40aws-cdk/aws-eks/lib/oidc-provider.ts#L49](https://github.com/40aws-cdk/aws-eks/lib/oidc-provider.ts/issues/L49)
+* **s3-deployment:** `responseURL` is in CloudWatch Logs ([#22952](https://github.com/aws/aws-cdk/issues/22952)) ([863548d](https://github.com/aws/aws-cdk/commit/863548d9e5d643c18e939556661cc8a05b6f7742))
+* CDK does not work in FIPS-restricted environments ([#22878](https://github.com/aws/aws-cdk/issues/22878)) ([76a56ad](https://github.com/aws/aws-cdk/commit/76a56adf72bde721bd2da22fc25d1730ab751e3a))
+* **events-targets:** policy restricts access to the same account as the Queue, not the Rule ([#22766](https://github.com/aws/aws-cdk/issues/22766)) ([0083256](https://github.com/aws/aws-cdk/commit/0083256d2329e6195c96a45589079f678b67a184))
+* **iam:** service principals use unnecessary exceptions (under feature flag) ([#22819](https://github.com/aws/aws-cdk/issues/22819)) ([65d8e3d](https://github.com/aws/aws-cdk/commit/65d8e3d7814ac69d6cfa2bfd0d4219817028a14b))
+* **region-info:** EC2 service principal is incorrect in GovCloud regions ([#22589](https://github.com/aws/aws-cdk/issues/22589)) ([1c707eb](https://github.com/aws/aws-cdk/commit/1c707eb9456bbe9226471c0930713d3bfde42130))
+* **s3:** remove restriction of creating lifecycle rule for noncurrent objects when bucket versionining is not set up ([#22803](https://github.com/aws/aws-cdk/issues/22803)) ([b20a6b4](https://github.com/aws/aws-cdk/commit/b20a6b4964bdb6939c35db20362aaf681192cc95)), closes [#22392](https://github.com/aws/aws-cdk/issues/22392)
+* **stepfunctions-tasks:** custom resource uses subprocess with Shell=true ([#22752](https://github.com/aws/aws-cdk/issues/22752)) ([bd056d1](https://github.com/aws/aws-cdk/commit/bd056d1d38a2d3f43efe4f857c4d38b30fb9b681))
+
+
+### Reverts
+
+* "chore: add AWSLINT_SAVE to the PR buildspec ([#22743](https://github.com/aws/aws-cdk/issues/22743))" ([#22782](https://github.com/aws/aws-cdk/issues/22782)) ([df5830c](https://github.com/aws/aws-cdk/commit/df5830cc20ea3e7010ffba3aee9f29c31a4533e1))
+
 ## [2.50.0](https://github.com/aws/aws-cdk/compare/v2.49.1...v2.50.0) (2022-11-01)
 
 

docs/NEW_CONSTRUCTS_GUIDE.md

@@ -0,0 +1,62 @@
+# New Constructs Creation Guide
+
+By design and convention, `aws-cdk-lib` contains [different "levels" of constructs](https://github.com/aws/aws-cdk/blob/e4fdb0217edd7ecccdd4cbc20de958e3ba1a2349/docs/DESIGN_GUIDELINES.md?plain=1#L123-L188). Since L1 constructs are auto-generated from the [AWS CloudFormation resource specification](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-resource-specification.html), new resources are automatically released when a new version of the specification is consumed. However, higher level constructs, such as L2 and L3 constructs, are written by hand and therefore do not currently cover 100% of the resources available in cloudformation.
+
+Depending on demand from the community, developers at aws from the aws-cdk team or any other team may contribute L2 constructs that were previously not defined. Additionally, a lot of times users of the aws-cdk from outside of AWS are using a service that currently has no L2 constructs and may wish to create these constructs for themselves and others to use.
+
+If you wish to create new L2 (or potentially L3) constructs, this guide can help you get started.
+
+## Do My Constructs Belong in aws-cdk-lib?
+
+Users of the aws-cdk can use constructs from a number of packages within their application. `aws-cdk-lib` and/or any of the other constructs vended from npm, maven, pypi, nuget, or GitHub (for go) that are publicly available are indexed and searchable on [Construct Hub](constructs.dev). Anyone can create and publish new constructs that will be indexed on Construct Hub using repositories and packages that they own. However, if you believe your constructs should be part of the core aws construct library, here are some guidelines that they must adhere to.
+
+1. They meet the definition of [L2 constructs](https://github.com/aws/aws-cdk/blob/e4fdb0217edd7ecccdd4cbc20de958e3ba1a2349/docs/DESIGN_GUIDELINES.md?plain=1#L139-L147)
+2. They follow the relevant [design guidelines](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
+3. They can follow the aws-cdk's versioning and release strategy, ie: if they are to be vended in aws-cdk-lib they must be stable or instead be vended in an `-alpha` package.
+
+If your constructs do not meet these guidelines, see the [publishing your own package](#publishing-your-own-package) section of this guide, otherwise, you may choose to [publish your own package](#publishing-your-own-package) or [open a PR to aws-cdk-lib](#open-a-pr-to-aws-cdk-lib).
+
+## Publishing Your Own Package
+
+Whether you want to pursue inclusion of your new constructs in aws-cdk-lib or not, the easiest way to get started is to create your own package. This will allow you to create, publish, test, and gather feedback on your new constructs as fast as possible without waiting for the aws cdk team to review the design and implementation of them. This also will allow you to deviate from the design and conventions of `aws-cdk-lib` if you wish to explore a more experimental or alternative api design. This also will enable you to gather feedback from users, make additions and changes, including breaking changes, without worrying about the versioning and support lifecycle of `aws-cdk-lib`.
+
+To get started creating your own construct package, we recommend using [`projen`](https://github.com/projen/projen). Additionally you can follow [this guide](https://dev.to/aws-builders/a-beginner-s-guide-to-create-aws-cdk-construct-library-with-projen-5eh4) which will help you setup your repository, packages and tooling step by step.
+
+Once your constructs have been published for some time and you feel that the apis are stable and bugs have been identified, you can continue to distribute it as a separate package and/or attempt to add them to `aws-cdk-lib` via a PR
+
+## Open a PR to `aws-cdk-lib`
+
+You can [create a PR](https://github.com/aws/aws-cdk/compare) in the `aws/aws-cdk` repository with your constructs at any time if you believe they are ready for inclusion. Here are some cases where opening a PR directly without publishing your own package first is ideal.
+
+1. It is a small addition to a service that has had stable L2 constructs for some time
+2. The service usage is well known and the API is unlikely to change.
+3. The defaults provided by the L2 are well known best practice
+
+If any of the above are true and your constructs adhere to [the relevant guidelines](#do-my-constructs-belong-in-aws-cdk-lib), we encourage you to follow the [contributing guide](../CONTRIBUTING.md) and create a new pull request. Since the bandwidth of the aws-cdk team is limited, reviews and iteration may take some time. Additionally pull requests for new constructs are more likely to be accepted if they have any of the following:
+
+1. An [RFC](https://github.com/aws/aws-cdk-rfcs) with detailed design that has been reviewed by a member of AWS
+2. An existing package with users who have used and tested the Constructs and provided feedback
+3. Strong documentation
+4. Good unit and integration test coverage
+
+## New Construct Development lifecycle
+
+Whether publishing your own package or making a PR against aws-cdk-lib immediately, the following is the recommended lifecycle for new construct development.
+
+![construct development lifecycle diagram](l2-workflow.jpg)
+
+### Self Publishing
+1. Publish: design, write, and publish your new constructs
+2. Iterate: respond to issues from users, fix bugs, optimize usage patterns and gain consensus
+3. Stabilize: settle on the api
+
+*Optionally*
+4. Upstream: open a PR to aws-cdk-lib to include if still relevant
+
+### Alpha CDK Package
+1. Design: create an [rfc](http://github.com/aws/aws-cdk-rfcs), socialize, and gain consensus
+2. Implement: write the construct as designed and create a new pull requests
+3. Iterate: respond to feedback from pull request reviewers on the aws-cdk team
+4. Publish: publish your new constructs as an alpha module
+5. Iterate: respond to issues from users, fix bugs and optimize usage patterns
+6. Stabilize: settle on the api and create a new PR migrating all constructs stability to "stable"

package.json

@@ -18,7 +18,7 @@
   "devDependencies": {
     "@types/prettier": "2.6.0",
     "@yarnpkg/lockfile": "^1.1.0",
-    "cdk-generate-synthetic-examples": "^0.1.57",
+    "cdk-generate-synthetic-examples": "^0.1.64",
     "conventional-changelog-cli": "^2.2.2",
     "fs-extra": "^9.1.0",
     "graceful-fs": "^4.2.10",

packages/@aws-cdk/assert-internal/lib/assertions/have-resource-matchers.ts

@@ -422,7 +422,7 @@ export function matcherFrom(matcher: any): PropertyMatcher {
  * would show (in traditional JS fashion) something like '[function Function]', or more
  * accurately nothing at all since functions cannot be JSONified.
  *
- * We override to JSON() in order to produce a readadable version of the matcher.
+ * We override to JSON() in order to produce a readable version of the matcher.
  */
 export function annotateMatcher<A extends object>(how: A, matcher: PropertyMatcher): PropertyMatcher {
   (matcher as any).toJSON = () => how;

packages/@aws-cdk/assertions/README.md

@@ -594,7 +594,7 @@ Here are the available APIs for `Annotations`:
 The corresponding `findXxx()` API is complementary to the `hasXxx()` API, except instead
 of asserting its presence, it returns the set of matching messages.
 
-In addition, this suite of APIs is compatable with `Matchers` for more fine-grained control.
+In addition, this suite of APIs is compatible with `Matchers` for more fine-grained control.
 For example, the following assertion works as well:
 
 ```ts

packages/@aws-cdk/aws-apigateway/README.md

@@ -313,7 +313,7 @@ A usage plan specifies who can access one or more deployed API stages and method
 accessed. The plan uses API keys to identify API clients and meters access to the associated API stages for each key.
 Usage plans also allow configuring throttling limits and quota limits that are enforced on individual client API keys.
 
-The following example shows how to create and asscociate a usage plan and an API key:
+The following example shows how to create and associate a usage plan and an API key:
 
 ```ts
 declare const integration: apigateway.LambdaIntegration;
@@ -1378,8 +1378,9 @@ api.addGatewayResponse('test-response', {
   type: apigateway.ResponseType.ACCESS_DENIED,
   statusCode: '500',
   responseHeaders: {
-    'Access-Control-Allow-Origin': 'test.com',
-    'test-key': 'test-value',
+    // Note that values must be enclosed within a pair of single quotes
+    'Access-Control-Allow-Origin': "'test.com'",
+    'test-key': "'test-value'",
   },
   templates: {
     'application/json': '{ "message": $context.error.messageString, "statusCode": "488", "type": "$context.error.responseType" }'