
Sync with master #1

Merged
merged 80 commits into from
Jan 7, 2020

flemjame-at-amazon
Owner


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

flyingImer and others added 30 commits December 18, 2019 19:11
Automatically allow ingress to VPC endpoints by default, from traffic originating in the VPC.

This fixes the 99% case where interface endpoints are used to allow ISOLATED instances to access AWS services, out of the box.

People that need more control over the security policy rules can specify `open: false` to disable this behavior and use the `.connections` object for fine-grained access control.

Fixes #4937
If multiple similar pipelines (patch pipelines, test pipelines) are
running the same CodeBuild test, they interfere with each other.

In particular, the 'test' pipeline (which tests modifications to the
pipeline before they are applied to the real pipeline) is triggered
off of the same branch and takes about as long as the real pipeline,
so tests are likely to execute at the same time and touch the same
stacks, thereby causing one of the tests to fail (and our release
pipeline to be flaky).

The two pipelines will have different CodeBuild projects though,
so name the stacks that are being touched after the CodeBuild project,
thereby ensuring isolation.
* partial import with failures to address

* Rewrite incomplete types to "Json"

Incomplete type definitions are unusable, so we translate them
into "Json" to be able to do something semi-useful.

Fix some broken terminology in the specs and code generator.

* replace incomplete types as empty object

* clean up CHANGELOG

* remove conditional flow check for complex types without properties

* update tests

* fix codebuild tests

* feat(lambda): configuration options for async invocations

Add support for destinations, maximum event age and maximum retry attempts for
asynchronous invocations.

See https://docs.aws.amazon.com/lambda/latest/dg/invocation-async.html

* add test for default event bus

* add scope

* PR feedback

* update package.json

* update README

* maxEventAge and retryAttempts

* integ test coverage

* rename to XxxDestination

* invoke config on version

* setAsyncInvokeConfig

* README

* unnecessary default on qualifier

* JSDoc

* CF dependency for alias + integ test

* addVersion

* configureAsyncInvoke + imported alias/version

* better error message for configureAsyncInvoke

* 1.19.0 in aws-lambda-destinations

* addVersion signature

* remove apigateway file

* remove committed merge conflict

* eslint in lambda-destinations

* Update documentation for addVersion()

* Add node's path to the error message

* Change qualifier to protected access

* Missed changing access in a few more places

* missed one more place where qualifier needs to be protected
`condition` is available under `cfnOptions` in `CfnResource`.
Some large orgs enforce HTTPS proxies to communicate with services, which means they often have internal certificate authorities that generate leaf certificates on the fly. This commit adds basic support for specifying a root CA certificate for trust.

Fixes #5294
Add support for Redshift clusters, DocumentDB databases and the multi user rotation scheme.

Move `SecretRotation` from `aws-rds` to `aws-secretsmanager`.

Add resource policy for secrets and use it to prevent deletion of secrets for which rotation is
enabled.

Update instance class to `t3` in `aws-rds` integration tests (`t2` is being deprecated and Oracle
`t2` instances cannot be created anymore).

Closes #5194

BREAKING CHANGE: `addRotationSingleUser(id: string, options: SecretRotationOptions)` is now `addRotationSingleUser(automaticallyAfter?: Duration)`
* Add comment about requiring region to use logging

* Update application-load-balancer.ts

Co-authored-by: Rico Huijbers <rix0rrr@gmail.com>
Survive occasional latency spikes that exceed 1 minute.
Plugins are installed centrally under cdk-build-tools and therefore resolution should happen against that module instead of the current module. Otherwise, we get an error `ESLint couldn't find the plugin "eslint-plugin-node".`

Furthermore, we also ignore any local .eslintrc files
Since lambda destinations was a new module, it was published to npm before the actual release of the aws-lambda module. This causes the breaking change checker to fail because it could not find the required type in lambda.
Bumps [eslint](https://github.com/eslint/eslint) from 6.7.2 to 6.8.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/master/CHANGELOG.md)
- [Commits](eslint/eslint@v6.7.2...v6.8.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Bumps [aws-sdk](https://github.com/aws/aws-sdk-js) from 2.590.0 to 2.595.0.
- [Release notes](https://github.com/aws/aws-sdk-js/releases)
- [Changelog](https://github.com/aws/aws-sdk-js/blob/master/CHANGELOG.md)
- [Commits](aws/aws-sdk-js@v2.590.0...v2.595.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
* fix(autoscaling): every deployment resets capacity

If `DesiredCapacity` is specified in the CloudFormation template, on every
deployment the capacity of the AutoScalingGroup is reset to that number,
even if the group had been scaled out at that point. The solution is to
leave DesiredCapacity empty, in which case it will remain untouched
during a deployment.

Previously, CDK would use some logic to always calculate a
DesiredCapacity for you, even if you left the `desiredCapacity` property
unset, leading to the undesirable behavior--which frankly represents
an availability risk.

Now, if you don't specify `desiredCapacity`, we won't set
`DesiredCapacity` either, avoiding the availability risk that we
introduced beforehand. In fact, if you *do* set `desiredCapacity`, we
will warn you, using a construct warning, that you probably shouldn't.

Fixes #5215, closes #5208.

BREAKING CHANGE: AutoScalingGroups without `desiredCapacity` are now
initially scaled to their minimum capacity (instead of their maximum
capacity).

* Add links

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
* Added HelmRelease construct

* feat(eks): Add HelmRelease construct

* Fix some linting problems

* Remove trailing whitespace

* Add the possibility to specify the chart version

* Changes after code review

* Add shell=True to command execution

* Execute helm command in /tmp

* Write a correct values.yaml

* Add resources to integration tests

* Change require to import

* Lazy add HelmChartHandler

* Add integration tests for Helm

* Added convenience addChart to Cluster

* Fix integration test.

* Change addChart method to use options pattern

* Added @default and truncate default chart name

* Added the Helm entry to the README.md

Co-authored-by: Elad Ben-Israel <benisrae@amazon.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
* feat(custom-resources): ignore DELETE after failed CREATE

When a CREATE operation fails, CloudFormation will automatically issue a DELETE operation with the `PhysicalResourceId` submitted by the FAILED response. The provider framework currently does not support customizing the PhysicalResourceId of a failed response (as described in #5524), and therefore it makes more sense to have the framework simply ignore this DELETE operation. Otherwise, the user handler will need to special case this somehow, without proper signal.

The solution is to use a special marker for the physical resource ID when a CREATE fails, and recognize this marker in the subsequent DELETE.

* chore(build): resolve eslint plugins relative to cdk-build-tools

Plugins are installed centrally under cdk-build-tools and therefore resolution should happen against that module instead of the current module. Otherwise, we get an error `ESLint couldn't find the plugin "eslint-plugin-node".`

* moved MISSING_MARKER to the last minute

* update expectations
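The CREATE-failure marker described in the commit above, modelled as an added example that is not the aws-cdk provider framework's own code. The marker string, the `frameworkHandler` name and the simplified event/response shapes are assumptions made here; the point shown is that a DELETE carrying the marker is answered with SUCCESS without ever reaching the user handler, so the handler never has to special-case a delete for a resource that was never created.

```typescript
// Added example: how a provider framework can ignore the DELETE that
// CloudFormation sends after a failed CREATE. Not aws-cdk code.

// Placeholder marker (the real framework's constant is not reproduced here).
const CREATE_FAILED_MARKER = "PLACEHOLDER::CREATE_FAILED";

type RequestType = "Create" | "Update" | "Delete";

interface CfnEvent {
  RequestType: RequestType;
  PhysicalResourceId?: string;           // absent on Create
  ResourceProperties?: Record<string, unknown>;
}

interface CfnResponse {
  Status: "SUCCESS" | "FAILED";
  PhysicalResourceId: string;
  Reason?: string;
}

// The user's handler may return a physical id; it may also throw.
type UserHandler = (event: CfnEvent) => { PhysicalResourceId?: string };

interface FrameworkResult {
  response: CfnResponse;
  userInvoked: boolean;                  // lets callers see whether the user handler ran
}

function frameworkHandler(event: CfnEvent, user: UserHandler): FrameworkResult {
  // Rule from the commit: a DELETE whose physical id is the marker is the
  // automatic clean-up of a CREATE that already failed. Nothing exists, so
  // report success and skip the user handler entirely.
  if (event.RequestType === "Delete" && event.PhysicalResourceId === CREATE_FAILED_MARKER) {
    return {
      response: { Status: "SUCCESS", PhysicalResourceId: CREATE_FAILED_MARKER },
      userInvoked: false,
    };
  }

  try {
    const result = user(event);
    const physicalId = result.PhysicalResourceId ?? event.PhysicalResourceId ?? "constructed-default-id";
    return { response: { Status: "SUCCESS", PhysicalResourceId: physicalId }, userInvoked: true };
  } catch (err) {
    // On a failed CREATE there is no real physical id yet, so hand CloudFormation
    // the marker; it will echo it back in the follow-up DELETE.
    // For Update/Delete failures keep the id CloudFormation already knows.
    const physicalId = event.RequestType === "Create"
      ? CREATE_FAILED_MARKER
      : (event.PhysicalResourceId ?? "unknown");
    return {
      response: { Status: "FAILED", PhysicalResourceId: physicalId, Reason: String(err) },
      userInvoked: true,
    };
  }
}

// Constructed user handler: fails on Create, otherwise echoes the id.
const failingOnCreate: UserHandler = (event) => {
  if (event.RequestType === "Create") {
    throw new Error("constructed failure: downstream API rejected the request");
  }
  return { PhysicalResourceId: event.PhysicalResourceId };
};

// Walk the sequence CloudFormation produces: CREATE fails, then DELETE arrives
// with the marker the FAILED response carried.
function runFailedCreateThenDelete(): FrameworkResult[] {
  const create = frameworkHandler({ RequestType: "Create" }, failingOnCreate);
  const del = frameworkHandler(
    { RequestType: "Delete", PhysicalResourceId: create.response.PhysicalResourceId },
    failingOnCreate,
  );
  return [create, del];
}
```

A DELETE for a resource that really was created (any physical id other than the marker) still reaches the user handler, so normal clean-up is unaffected.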
…on (#5466)

Lambda State Machines now depend on their policies.

Fixes #5336
Bumps [sinon](https://github.com/sinonjs/sinon) from 7.5.0 to 8.0.1.
- [Release notes](https://github.com/sinonjs/sinon/releases)
- [Changelog](https://github.com/sinonjs/sinon/blob/master/CHANGELOG.md)
- [Commits](sinonjs/sinon@v7.5.0...v8.0.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: Elad Ben-Israel <benisrae@amazon.com>
These get auto-merged by dependabot itself, and attempts to update them to `HEAD` will cause dependabot to stop resolving merge conflicts automatically.
)

* fix(rds): do not allow aurora engines when using DatabaseInstance

Aurora instances can only be created inside a cluster and should use the
`DatabaseCluster` construct.

Closes #5345

* compile-time error with isDatabaseInstanceEngine

* remove test on engine name

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Closes #3895.

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
dependabot-preview bot and others added 27 commits January 2, 2020 17:00
* fix(core): Support tags for Cognito User Pools

 * moved all knowledge about tag names into the schema package and
 included UserPoolTags as taggable name
 * refactored codegen to use new schema package to identify tag
 properties

BREAKING CHANGE:
 * TagManager constructor now takes a property object instead of
 individual arguments: new TagManager(props: TagManagerProps) instead of new cdk.TagManager(cdk.TagType.STANDARD, resourceType, initialTags);

Fixes #3882

* moving back to non-breaking change and simplifying the interface/type checking

* fixing logic gap in tag type lookup

* Update tag-manager.ts

* Update tag-manager.ts

* cleaning up final comments

* refactor(core): create asCfnProperty on TagManager to support tag property names besides tags

* Update packages/@aws-cdk/core/lib/tag-manager.ts

Co-Authored-By: Elad Ben-Israel <benisrae@amazon.com>

* Update packages/@aws-cdk/core/lib/tag-manager.ts

Co-Authored-By: Elad Ben-Israel <benisrae@amazon.com>

* refactor(core): remove asCfnProperty from tag-manager and put the logic in cfn-resource

* Update cfn-resource.ts

* refactor(core): clean up cfnProperties to ensure undefined returns {}

Co-authored-by: Elad Ben-Israel <benisrae@amazon.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
The README incorrectly used `lambda.TokenAuthorizer` in the Lambda-based
token authorizer example

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
* chore(eks): kubectl resource provider

Merge the `Helm` and `KubernetesResource` providers into a single "KubectlProvider" which uses the resource type to decide which actual provider will be used. This is in order to reduce the footprint of this module and since we will need to introduce an additional provider in order to support Fargate Profiles.

* update unit test expectations

* update test expectations
Add support for `MathExpression`, which is a new class that can be used
in place of `Metric` objects in graphs and alarms.

Also in this commit, make it very clear what the purpose of the `unit`
property is, and deprecate `toGraphConfig()` and `toAlarmConfig()`.

Fixes #1077, fixes #5449, fixes #5261, fixes #4716.
fixes #5592

Co-authored-by: Elad Ben-Israel <benisrae@amazon.com>
Report missing context when context is not available.
Prior to this change, the synthesize method returned before reporting missing context when invoked on a nested stack.
fixes #5594
Add support for `--up` in `foreach.sh` which will execute the command for the current module and all its dependencies (instead of the entire repo).

Use this new feature in `buildup` so from now, `buildup` is resumable. Restart can be done through `./buildup --restart`.

Update CONTRIBUTING guide.
* support custom docker files

* revert tsconfig changes

* doc strings modification according to conventions
Using the new "rosetta" sample compiler from aws/jsii#925, introduce
fixtures and fix up sample code to make all examples in the `aws-ec2`
package compile.

This serves as a demonstration of how to set up fixtures and how
to write the examples.

Need to reverse the order between `@example` and `@attribute`; because
of a bug in the TypeScript compiler, it will think a new tag starts if
a `@` comes up in the example. This means that we cannot type
`import s3 = require('@aws-cdk/aws-s3');` in examples (it would parse `@aws = -cdk/aws-s3');`.

To fix that, we absorb non-recognized tags that follow an `@example`
back into the example body, but since `@attribute` is non-recognized,
we'd absorb that as well. The solution is to have `@example` as the last tag.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Add `blockDevice` property to EC2 `Instance`, based on `aws-autoscaling`s previous implementation.

We can't unify the two implementations, as that will break API compatibility. Hence, the two libraries have different types for specifying block devices.

Continuation of old PR by @nmussy  for which the source branch has disappeared.

Fixes #4773, closes #4781.
There is some interesting magic happening around the runtime-info
module: `jest` replaces the standard `require` function so it can honor
module mocking requirements, however this does (intentionally) not
implement `require.cache`, which is used to determine which CDK
libraries are loaded during a particular execution (in order to populate
the `AWS::CDK::Metadata` resource as needed).

In order to work around this, the `require.cache` reading was indirected
through a proxy module, so it can be stubbed, too, with a pretend cache
content, in order to make the test still workable.
* fix(eks): aws-auth username not set by default

When mapping roles and users through the aws-auth config map, if a username is not specified, we need to default to the user/role ARN. Not specifying a default username will cause things like metrics server to fail.

Fixes #5263

* chore(build): foreach.sh --up

Add support for `--up` in `foreach.sh` which will execute the command for the current module and all its dependencies (instead of the entire repo).
Use this new feature in `buildup` so from now, `buildup` is resumable. Restart can be done through `./buildup --restart`.

Update CONTRIBUTING guide.

* update expectations
…urce (#5658)

60 seconds turns out to be a bit on the short side when installing the latest SDK.

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
…ern (#5651)

* fix(eks): default capacity uses desiredCapacity which is an anti-pattern

As described in #5215, `desiredCapacity` is not the recommended way to configure an auto scaling group since it will cause the ASG to reset the number of nodes in every CloudFormation deployment. Since EKS's default capacity uses `desiredCapacity` instead of `minCapacity`, as of #5507 this would emit a warning: "desiredCapacity has been configured. Be aware this will reset the size of your AutoScalingGroup on every deployment".

This change modifies the behavior of the default capacity such that it will configure the ASG using `minCapacity` instead of `desiredCapacity` as recommended by ASG.

Fixes #5650

* Update integ.eks-cluster.defaults.expected.json

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
`Metric` objects always could have `region` and `account` fields, but it
was the user's responsibility to set them. They can now automatically
copy the `region` and `account` fields from a Construct anywhere in the
Construct tree (under a `Stack`) by calling the `attachTo()` method.

Predefined `Metric` objects returned by `.metricsXxx()` functions of the
AWS Construct Library will automatically have the scope of the
originating construct attached.

In this way, cross-environment dashboards can automatically be created.
Immutably imported `Role`s could not be used for CodeBuild
`Project`s, because they would create a policy but be unable
to attach it to the Role. That leaves an unattached Policy,
which is invalid.

Fix this by making `Policy` objects only render to an `AWS::IAM::Policy`
resource if they actually have any effect. It is perfectly allowed to
create new unattached Policy objects, or have empty Policy objects.
Only if and when they actually need to mutate the policy of an IAM
identity will they render themselves to the CloudFormation template.
Being able to abstract away these kinds of concerns is exactly the value
of a higher-level programming model.

To allow for the rare cases where an empty Policy object would be
considered a programming error, we still have the flag `mustCreate`
which triggers the legacy behavior of always creating the
`AWS::IAM::Policy` resource which must have a statement and be
attached to an identity.

Fixes #1408.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Fn.join has an optimization to flatten nested joins with the same delimiter:

    Fn.join(",", [ Fn.join(",", [ "a", "b" ]), "c" ]) == Fn.join(",", [ "a", "b", "c" ])

The logic in `isSplicableFnJoinIntrinsic` checks if the object is an Fn::Join which uses the same delimiter, and then splices (`...`) the inner value onto the outer Fn::Join instead of nesting the inner Fn::Join. This can only work if the inner value is a real array (otherwise, we get `Found non-callable @@iterator`).

The fix is to add an additional check to `isSplicableFnJoinIntrinsic` which verifies that the inner value is indeed an array.

Fixes #5655
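The flattening rule and the array guard described in the commit above, as an added example that is not aws-cdk's own implementation. The function names mirror the commit message, but the intrinsic representation (`{ "Fn::Join": [delimiter, list] }` as a plain object) and the `fnJoin` helper are assumptions made here. The example goes slightly beyond the commit's single case: it also shows a nested join with a different delimiter and a nested join whose list is itself an intrinsic, both of which must stay nested.

```typescript
// Added example, not aws-cdk code: Fn::Join flattening with the
// Array.isArray guard that prevents spreading a non-iterable inner value.

interface FnJoinIntrinsic {
  "Fn::Join": [string, unknown];       // [delimiter, list]; list may itself be an intrinsic
}

function isFnJoinIntrinsic(x: unknown): x is FnJoinIntrinsic {
  return typeof x === "object" && x !== null && Array.isArray((x as any)["Fn::Join"]);
}

// A nested join may be spliced into its parent only when
//  (a) it uses the same delimiter, and
//  (b) its list is a real JavaScript array (the fix from the commit).
// Without (b), a list such as { "Fn::Split": [...] } or { Ref: "X" } would be
// spread with `...` and the runtime would fail on a non-iterable value.
function isSplicableFnJoinIntrinsic(obj: unknown, delimiter: string): obj is FnJoinIntrinsic {
  if (!isFnJoinIntrinsic(obj)) return false;
  const [innerDelimiter, innerList] = obj["Fn::Join"];
  return innerDelimiter === delimiter && Array.isArray(innerList);
}

function fnJoin(delimiter: string, values: unknown[]): FnJoinIntrinsic {
  const flattened: unknown[] = [];
  for (const value of values) {
    if (isSplicableFnJoinIntrinsic(value, delimiter)) {
      // Safe: the guard above proved the inner list is an array.
      flattened.push(...(value["Fn::Join"][1] as unknown[]));
    } else {
      flattened.push(value);           // keep nested (or plain) value as-is
    }
  }
  return { "Fn::Join": [delimiter, flattened] };
}

// Constructed inputs covering the three cases.
function sameDelimiterCase(): FnJoinIntrinsic {
  // Fn.join(",", [ Fn.join(",", [ "a", "b" ]), "c" ])  ->  Fn.join(",", [ "a", "b", "c" ])
  return fnJoin(",", [fnJoin(",", ["a", "b"]), "c"]);
}

function differentDelimiterCase(): FnJoinIntrinsic {
  // Inner join uses ";" so it must stay nested.
  return fnJoin(",", [fnJoin(";", ["a", "b"]), "c"]);
}

function intrinsicListCase(): FnJoinIntrinsic {
  // Inner list is an Fn::Split intrinsic, not an array: same delimiter, but
  // splicing is impossible, so it stays nested instead of crashing.
  const inner: FnJoinIntrinsic = { "Fn::Join": [",", { "Fn::Split": [";", "x;y"] }] };
  return fnJoin(",", [inner, "c"]);
}
```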
Add an experimental `VpcEndpointService` construct, to allow exposing Network Load Balancers as endpoints in a VPC.
For people already familiar with the inner workings of Security Groups,
our `.connections` pattern is a little confusing.

Add some more verbiage to the documentation which points people in
the right direction with respect to security group manipulation.

Closes #5519.

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Co-authored-by: Elad Ben-Israel <benisrae@amazon.com>
@flemjame-at-amazon flemjame-at-amazon self-assigned this Jan 7, 2020
@flemjame-at-amazon flemjame-at-amazon merged commit 86e7ed5 into flemjame-at-amazon:master Jan 7, 2020