Merge branch 'main' into otaviom/bump-cfnspec-awslint-save

.github/PULL_REQUEST_TEMPLATE.md

@@ -5,9 +5,9 @@
 
 * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)
 
-### Adding new Unconventional Dependencies:
+### Adding new Construct Runtime Dependencies:
 
-* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)
+* [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies)
 
 ### New Features
 

.github/workflows/close-stale-issues.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     name: Stale issue job
     steps:
-    - uses: aws-actions/stale-issue-cleanup@v6
+    - uses: aws-actions/stale-issue-cleanup@v5
       with:
         # Setting messages to an empty string will cause the automation to skip
         # that category

.github/workflows/yarn-upgrade.yml

@@ -24,7 +24,7 @@ jobs:
 
       - name: Locate Yarn cache
         id: yarn-cache
-        run: echo "::set-output name=dir::$(yarn cache dir)"
+        run: echo "dir=$(yarn cache dir)" >> $GITHUB_OUTPUT
 
       - name: Restore Yarn cache
         uses: actions/cache@v3
@@ -45,7 +45,7 @@ jobs:
         # These need to be ignored from the `ncu` runs!
         run: |-
           echo -n "::set-output name=list::"
-          node -p "$(lerna ls --all --json 2>/dev/null).map(item => item.name).join(',')"
+          echo "list=$(lerna ls --all --json 2>/dev/null | jq -r 'map(.name) | join(",")')" >> $GITHUB_OUTPUT 
       - name: Run "ncu -u"
         # We special-case @types/node because we want to stay on the current major (minimum supported node release)
         # We special-case @types/fs-extra because the current major (9.x) is broken with @types/node >= 10
@@ -65,10 +65,10 @@ jobs:
           lerna exec --parallel ncu -- --upgrade --reject='@types/node,@types/prettier,@types/fs-extra,constructs,typescript,aws-sdk,aws-sdk-mock,${{ steps.list-packages.outputs.list }}'  --target=minor
           # Upgrade package.jsons in init templates
           for pj in $(find packages/aws-cdk/lib/init-templates -name package.json); do
-            (cd $(dirname $pj) && ncu --upgrade --reject='@types/babel__traverse,@types/jest,@types/node,@types/prettier,@types/fs-extra,constructs,typescript,aws-sdk,aws-sdk-mock,ts-jest,jest,${{ steps.list-packages.outputs.list }}')
+            (cd $(dirname $pj) && ncu --upgrade --reject='constructs,${{ steps.list-packages.outputs.list }}')
           done
           # Upgrade dependencies at an aws-eks integ test docker image
-          cd packages/@aws-cdk/aws-eks/test/sdk-call-integ-test-docker-app/app/ && ncu --upgrade --reject='@types/jest,@types/node,@types/prettier,@types/fs-extra,constructs,typescript,aws-sdk,aws-sdk-mock,ts-jest,jest,${{ steps.list-packages.outputs.list }}'
+          cd packages/@aws-cdk/aws-eks/test/sdk-call-integ-test-docker-app/app/ && ncu --upgrade --reject='aws-sdk,${{ steps.list-packages.outputs.list }}'
 
       # This will ensure the current lockfile is up-to-date with the dependency specifications (necessary for "yarn update" to run)
       - name: Run "yarn install"

CONTRIBUTING.md

@@ -360,7 +360,7 @@ $ yarn watch & # runs in the background
 
 * Shout out to collaborators.
 
-* Call out any new [unconventional dependencies](#adding-new-unconventional-dependencies) that are created as part of your PR.
+* Call out any new [runtime dependencies](#adding-construct-runtime-dependencies) that are created as part of your PR.
 
 * If not obvious (i.e. from unit tests), describe how you verified that your change works.
 
@@ -389,27 +389,48 @@ $ yarn watch & # runs in the background
 * Make sure to update the PR title/description if things change. The PR title/description are going to be used as the
   commit title/message and will appear in the CHANGELOG, so maintain them all the way throughout the process.
 
+#### Adding construct runtime dependencies
+
+Any tool that is not part of the CDK, and needs to be used by a construct during
+deployment or runtime, can be included in the CDK Framework Library in one of two
+ways.
+
+1. Add a direct dependency on an npm package containing the tool. For example,
+   `@aws-cdk/asset-awscli-v1`.
+2. Expose a property on the construct you are creating that allows users to
+   supply their own version of the tool. For example, the `eks.Cluster`
+   construct has a construct prop called `kubectlLayer` where you must provide a
+   version of `kubectl` from one of the `@aws-cdk/asset-kubectl-vXY` packages.
+   The version of `kubectl` must be compatible with the Kubernetes version of
+   the cluster.
+
+Both options involve creating separate repositories (like this
+[one](https://github.com/cdklabs/awscdk-asset-kubectl) for kubectl). If you
+would like to introduce additional runtime dependencies, it likely involves
+discussing with a CDK maintainer and opening a new repository in cdklabs that
+vends the dependency as a lambda layer. Generally, each branch on the repository
+will focus on a specific version of the dependency. For example, in
+`awscdk-asset-kubectl`, branch `kubectl-v20/main` vends kubectl v1.20, branch
+`kubectl-v21/main` vends kubectl v1.21, and so on.
+
+**If your PR introduces runtime dependencies in lambda layers, make sure to call
+it out in the description so that we can discuss the best way to manage that
+dependency.**
+
 #### Adding new unconventional dependencies
 
+> :warning: Do not add these. If there is a tool that you want to use in your
+CDK constructs, see [Adding construct runtime
+dependencies](#Adding-construct-runtime-dependencies).
+
 **For the aws-cdk an unconventional dependency is defined as any dependency that is not managed via the module's
 `package.json` file.**
 
-Sometimes constructs introduce new unconventional dependencies.  Any new unconventional dependency that is introduced needs to have
-an auto upgrade process in place. The recommended way to update dependencies is through [dependabot](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates).
+Sometimes, constructs introduce new unconventional dependencies. Any new unconventional dependency that is introduced needs to have
+an auto upgrade process in place. The recommended way to update dependencies is through
+[dependabot](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates).
 You can find the dependabot config file [here](./.github/dependabot.yml).
 
-An example of this is the [@aws-cdk/lambda-layer-awscli](packages/@aws-cdk/lambda-layer-awscli) module.
-This module creates a lambda layer that bundles the AWS CLI. This is considered an unconventional
-dependency because the AWS CLI is bundled into the CDK as part of the build, and the version
-of the AWS CLI that is bundled is not managed by the `package.json` file.
-
-In order to automatically update the version of the AWS CLI, a custom build process was
-created that takes upgrades into consideration. You can take a look at the files in
-[packages/@aws-cdk/lambda-layer-awscli/layer](packages/@aws-cdk/lambda-layer-awscli/layer)
-to see how the build works, but at a high level a [requirements.txt](packages/@aws-cdk/lambda-layer-awscli/layer/requirements.txt)
-file was created to manage the version. This file was then added to [dependabot.yml](https://github.com/aws/aws-cdk/blob/ab57eb6d1ed69b40ed6ec774853c275785acace8/.github/dependabot.yml#L14-L20)
-so that dependabot will automatically upgrade the version as new versions are released.
-
 **If you think your PR introduces a new unconventional dependency, make sure to call it
 out in the description so that we can discuss the best way to manage that dependency.**
 

buildspec-pr.yaml

@@ -16,8 +16,8 @@ phases:
       # Install yarn if it wasn't already present in the image
       - yarn --version || npm -g install yarn
 
-      # Packing the mono-libraries (monocdk & aws-cdk-lib) can cause
-      # memory errors. Increasing this value allows our build to more consistently succeed
+      # Packing aws-cdk-lib can cause memory errors. Increasing this value
+      # allows our build to more consistently succeed
       - (command -v sysctl || yum install -y procps-ng) && /sbin/sysctl -w vm.max_map_count=2251954
   pre_build:
     commands:

buildspec.yaml

@@ -16,8 +16,8 @@ phases:
       # Install yarn if it wasn't already present in the image
       - yarn --version || npm -g install yarn
 
-      # Packing the mono-libraries (monocdk & aws-cdk-lib) can cause
-      # memory errors. Increasing this value allows our build to more consistently succeed
+      # Packing aws-cdk-lib can cause memory errors. Increasing this value
+      # allows our build to more consistently succeed
       - /sbin/sysctl -w vm.max_map_count=2251954
   pre_build:
     commands:

lerna.json

@@ -6,7 +6,6 @@
     "packages/*",
     "packages/@aws-cdk/*",
     "packages/@aws-cdk-containers/*",
-    "packages/@monocdk-experiment/*",
     "packages/@aws-cdk/*/lambda-packages/*",
     "tools/*",
     "tools/@aws-cdk/*",

package.json

@@ -67,7 +67,6 @@
       "packages/*",
       "packages/@aws-cdk/*",
       "packages/@aws-cdk-containers/*",
-      "packages/@monocdk-experiment/*",
       "packages/@aws-cdk/*/lambda-packages/*",
       "tools/*",
       "tools/@aws-cdk/*",
@@ -148,35 +147,7 @@
       "aws-cdk-lib/table",
       "aws-cdk-lib/table/**",
       "aws-cdk-lib/yaml",
-      "aws-cdk-lib/yaml/**",
-      "monocdk/@balena/dockerignore",
-      "monocdk/@balena/dockerignore/**",
-      "monocdk/case",
-      "monocdk/case/**",
-      "monocdk/chalk",
-      "monocdk/chalk/**",
-      "monocdk/diff",
-      "monocdk/diff/**",
-      "monocdk/fast-deep-equal",
-      "monocdk/fast-deep-equal/**",
-      "monocdk/fs-extra",
-      "monocdk/fs-extra/**",
-      "monocdk/ignore",
-      "monocdk/ignore/**",
-      "monocdk/jsonschema",
-      "monocdk/jsonschema/**",
-      "monocdk/minimatch",
-      "monocdk/minimatch/**",
-      "monocdk/punycode",
-      "monocdk/punycode/**",
-      "monocdk/semver",
-      "monocdk/semver/**",
-      "monocdk/string-width",
-      "monocdk/string-width/**",
-      "monocdk/table",
-      "monocdk/table/**",
-      "monocdk/yaml",
-      "monocdk/yaml/**"
+      "aws-cdk-lib/yaml/**"
     ]
   },
   "dependencies": {

packages/@aws-cdk/aws-appsync/test/appsync-auth.test.ts

@@ -90,7 +90,8 @@ describe('AppSync API Key Authorization', () => {
   });
 
   test('apiKeyConfig creates default with valid expiration date', () => {
-    const expirationDate: number = cdk.Expiration.after(cdk.Duration.days(10)).toEpoch();
+    const expires = cdk.Expiration.after(cdk.Duration.days(10));
+    const expirationDate: number = expires.toEpoch();
 
     // WHEN
     new appsync.GraphqlApi(stack, 'API', {
@@ -100,7 +101,7 @@ describe('AppSync API Key Authorization', () => {
         defaultAuthorization: {
           authorizationType: appsync.AuthorizationType.API_KEY,
           apiKeyConfig: {
-            expires: cdk.Expiration.after(cdk.Duration.days(10)),
+            expires,
           },
         },
       },

packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts

@@ -408,6 +408,13 @@ export enum SpotAllocationStrategy {
    * honors the instance type priorities on a best-effort basis but optimizes for capacity first.
    */
   CAPACITY_OPTIMIZED_PRIORITIZED = 'capacity-optimized-prioritized',
+
+  /**
+   * The price and capacity optimized allocation strategy looks at both price and
+   * capacity to select the Spot Instance pools that are the least likely to be
+   * interrupted and have the lowest possible price.
+   */
+  PRICE_CAPACITY_OPTIMIZED = 'price-capacity-optimized',
 }
 
 /**

packages/@aws-cdk/aws-autoscaling/test/auto-scaling-group.test.ts

@@ -1915,6 +1915,47 @@ test('can use Vpc imported from unparseable list tokens', () => {
   });
 });
 
+test('add price-capacity-optimized', () => {
+  // GIVEN
+  const stack = new cdk.Stack();
+
+  // WHEN
+  const lt = LaunchTemplate.fromLaunchTemplateAttributes(stack, 'imported-lt', {
+    launchTemplateId: 'test-lt-id',
+    versionNumber: '0',
+  });
+
+  new autoscaling.AutoScalingGroup(stack, 'mip-asg', {
+    mixedInstancesPolicy: {
+      launchTemplate: lt,
+      launchTemplateOverrides: [{
+        instanceType: new InstanceType('t4g.micro'),
+        launchTemplate: lt,
+        weightedCapacity: 9,
+      }],
+      instancesDistribution: {
+        onDemandAllocationStrategy: OnDemandAllocationStrategy.PRIORITIZED,
+        onDemandBaseCapacity: 1,
+        onDemandPercentageAboveBaseCapacity: 2,
+        spotAllocationStrategy: SpotAllocationStrategy.PRICE_CAPACITY_OPTIMIZED,
+        spotInstancePools: 3,
+        spotMaxPrice: '4',
+      },
+    },
+    vpc: mockVpc(stack),
+  });
+
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('AWS::AutoScaling::AutoScalingGroup', {
+    MixedInstancesPolicy: {
+      InstancesDistribution: {
+        SpotAllocationStrategy: 'price-capacity-optimized',
+      },
+    },
+  });
+});
+
+
 function mockSecurityGroup(stack: cdk.Stack) {
   return ec2.SecurityGroup.fromSecurityGroupId(stack, 'MySG', 'most-secure');
 }

packages/@aws-cdk/aws-certificatemanager/lib/certificate-base.ts

@@ -1,5 +1,5 @@
 import * as cloudwatch from '@aws-cdk/aws-cloudwatch';
-import { Statistic } from '@aws-cdk/aws-cloudwatch';
+import { Stats } from '@aws-cdk/aws-cloudwatch';
 import { Duration, Resource } from '@aws-cdk/core';
 import { ICertificate } from './certificate';
 
@@ -26,7 +26,7 @@ export abstract class CertificateBase extends Resource implements ICertificate {
       metricName: 'DaysToExpiry',
       namespace: 'AWS/CertificateManager',
       region: this.region,
-      statistic: Statistic.MINIMUM,
+      statistic: Stats.MINIMUM,
     });
   }
 }

packages/@aws-cdk/aws-cloudfront/README.md

@@ -590,6 +590,18 @@ const distribution = cloudfront.Distribution.fromDistributionAttributes(this, 'I
 });
 ```
 
+### Permissions
+
+Use the `grant()` method to allow actions on the distribution.
+`grantCreateInvalidation()` is a shorthand to allow `CreateInvalidation`.
+
+```ts
+declare const distribution: cloudfront.Distribution;
+declare const lambdaFn: lambda.Function;
+distribution.grant(lambdaFn, 'cloudfront:ListInvalidations', 'cloudfront:GetInvalidation');
+distribution.grantCreateInvalidation(lambdaFn);
+```
+
 ## Migrating from the original CloudFrontWebDistribution to the newer Distribution construct
 
 It's possible to migrate a distribution from the original to the modern API.

packages/@aws-cdk/aws-cloudfront/lib/distribution.ts

@@ -1,4 +1,5 @@
 import * as acm from '@aws-cdk/aws-certificatemanager';
+import * as iam from '@aws-cdk/aws-iam';
 import * as lambda from '@aws-cdk/aws-lambda';
 import * as s3 from '@aws-cdk/aws-s3';
 import { ArnFormat, IResource, Lazy, Resource, Stack, Token, Duration, Names, FeatureFlags } from '@aws-cdk/core';
@@ -12,6 +13,7 @@ import { IKeyGroup } from './key-group';
 import { IOrigin, OriginBindConfig, OriginBindOptions } from './origin';
 import { IOriginRequestPolicy } from './origin-request-policy';
 import { CacheBehavior } from './private/cache-behavior';
+import { formatDistributionArn } from './private/utils';
 import { IResponseHeadersPolicy } from './response-headers-policy';
 
 /**
@@ -39,6 +41,22 @@ export interface IDistribution extends IResource {
    * @attribute
    */
   readonly distributionId: string;
+
+  /**
+   * Adds an IAM policy statement associated with this distribution to an IAM
+   * principal's policy.
+   *
+   * @param identity The principal
+   * @param actions The set of actions to allow (i.e. "cloudfront:ListInvalidations")
+   */
+  grant(identity: iam.IGrantable, ...actions: string[]): iam.Grant;
+
+  /**
+   * Grant to create invalidations for this bucket to an IAM principal (Role/Group/User).
+   *
+   * @param identity The principal
+   */
+  grantCreateInvalidation(identity: iam.IGrantable): iam.Grant;
 }
 
 /**
@@ -257,6 +275,13 @@ export class Distribution extends Resource implements IDistribution {
         this.distributionDomainName = attrs.domainName;
         this.distributionId = attrs.distributionId;
       }
+
+      public grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant {
+        return iam.Grant.addToPrincipal({ grantee, actions, resourceArns: [formatDistributionArn(this)] });
+      }
+      public grantCreateInvalidation(grantee: iam.IGrantable): iam.Grant {
+        return this.grant(grantee, 'cloudfront:CreateInvalidation');
+      }
     }();
   }
 
@@ -345,6 +370,26 @@ export class Distribution extends Resource implements IDistribution {
     this.additionalBehaviors.push(new CacheBehavior(originId, { pathPattern, ...behaviorOptions }));
   }
 
+  /**
+   * Adds an IAM policy statement associated with this distribution to an IAM
+   * principal's policy.
+   *
+   * @param identity The principal
+   * @param actions The set of actions to allow (i.e. "cloudfront:ListInvalidations")
+   */
+  public grant(identity: iam.IGrantable, ...actions: string[]): iam.Grant {
+    return iam.Grant.addToPrincipal({ grantee: identity, actions, resourceArns: [formatDistributionArn(this)] });
+  }
+
+  /**
+   * Grant to create invalidations for this bucket to an IAM principal (Role/Group/User).
+   *
+   * @param identity The principal
+   */
+  public grantCreateInvalidation(identity: iam.IGrantable): iam.Grant {
+    return this.grant(identity, 'cloudfront:CreateInvalidation');
+  }
+
   private addOrigin(origin: IOrigin, isFailoverOrigin: boolean = false): string {
     const ORIGIN_ID_MAX_LENGTH = 128;