aws
diff --git a/‎.github/workflows/issue-label-assign.yml
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/issue-label-assign.yml
Lines changed: 3 additions & 3 deletions
diff --git a/‎packages/@aws-cdk/app-delivery/test/integ.cicd.expected.json
Lines changed: 4 additions & 0 deletions b/‎packages/@aws-cdk/app-delivery/test/integ.cicd.expected.json
Lines changed: 4 additions & 0 deletions
diff --git a/‎packages/@aws-cdk/assert-internal/README.md
Lines changed: 6 additions & 7 deletions b/‎packages/@aws-cdk/assert-internal/README.md
Lines changed: 6 additions & 7 deletions
diff --git a/‎packages/@aws-cdk/assert-internal/package.json
Lines changed: 2 additions & 2 deletions b/‎packages/@aws-cdk/assert-internal/package.json
Lines changed: 2 additions & 2 deletions
diff --git a/‎packages/@aws-cdk/assert/package.json
Lines changed: 2 additions & 2 deletions b/‎packages/@aws-cdk/assert/package.json
Lines changed: 2 additions & 2 deletions
diff --git a/‎packages/@aws-cdk/aws-apprunner/package.json
Lines changed: 0 additions & 1 deletion b/‎packages/@aws-cdk/aws-apprunner/package.json
Lines changed: 0 additions & 1 deletion
diff --git a/‎packages/@aws-cdk/aws-certificatemanager/lambda-packages/dns_validated_certificate_handler/lib/index.js
Lines changed: 96 additions & 52 deletions b/‎packages/@aws-cdk/aws-certificatemanager/lambda-packages/dns_validated_certificate_handler/lib/index.js
Lines changed: 96 additions & 52 deletions
@@ -26,7 +26,7 @@ jobs:
            {"area":"@aws-cdk/app-delivery","keywords":["app-delivery","PipelineDeployStackAction"],"labels":["@aws-cdk/app-delivery"],"assignees":["skinny85"]},
            {"area":"@aws-cdk/assert","keywords":["assert"],"labels":["@aws-cdk/assert"],"assignees":["kaizen3031593"]},
            {"area":"@aws-cdk/assertions","keywords":["assertions"],"labels":["@aws-cdk/assertions"],"assignees":["kaizen3031593"]},
-           {"area":"@aws-cdk/assets","keywords":["assets","staging"],"labels":["@aws-cdk/assets"],"assignees":["eladb"]},
+           {"area":"@aws-cdk/assets","keywords":["assets","staging"],"labels":["@aws-cdk/assets"],"assignees":["otaviomacedo"]},
            {"area":"@aws-cdk/aws-accessanalyzer","keywords":["aws-accessanalyzer","accessanalyzer","cfnanalyzer"],"labels":["@aws-cdk/aws-accessanalyzer"],"assignees":["skinny85"]},
            {"area":"@aws-cdk/aws-acmpca","keywords":["aws-acmpca","acmpca","certificateauthority"],"labels":["@aws-cdk/aws-acmpca"],"assignees":["skinny85"]},
            {"area":"@aws-cdk/aws-amazonmq","keywords":["aws-amazonmq","amazonmq","cfnbroker"],"labels":["@aws-cdk/aws-amazonmq"],"assignees":["otaviomacedo"]},
@@ -92,7 +92,7 @@ jobs:
            {"area":"@aws-cdk/aws-dynamodb-global","keywords":["aws-dynamodb-global","dynamodb global"],"labels":["@aws-cdk/aws-dynamodb-global"],"assignees":["skinny85"]},
            {"area":"@aws-cdk/aws-ec2","keywords":["aws-ec2","ec2","vpc","privatesubnet","publicsubnet","vpngateway","vpnconnection","networkacl"],"labels":["@aws-cdk/aws-ec2"],"assignees":["njlynch"]},
            {"area":"@aws-cdk/aws-ecr","keywords":["aws-ecr","ecr"],"labels":["@aws-cdk/aws-ecr"],"assignees":["madeline-k"]},
-           {"area":"@aws-cdk/aws-ecr-assets","keywords":["aws-ecr-assets","ecrassets"],"labels":["@aws-cdk/aws-ecr-assets"],"assignees":["eladb"]},
+           {"area":"@aws-cdk/aws-ecr-assets","keywords":["aws-ecr-assets","ecrassets"],"labels":["@aws-cdk/aws-ecr-assets"],"assignees":["madeline-k"]},
            {"area":"@aws-cdk/aws-ecs","keywords":["(aws-ecs)","(ecs)"],"labels":["@aws-cdk/aws-ecs"],"assignees":["madeline-k"]},
            {"area":"@aws-cdk/aws-ecs-patterns","keywords":["(aws-ecs-patterns)","(ecs-patterns)"],"labels":["@aws-cdk/aws-ecs-patterns"],"assignees":["madeline-k"]},
            {"area":"@aws-cdk/aws-efs","keywords":["aws-efs","efs","accesspoint"],"labels":["@aws-cdk/aws-efs"],"assignees":["corymhall"]},
@@ -224,7 +224,7 @@ jobs:
            {"area":"@aws-cdk/custom-resources","keywords":["custom-resource","provider"],"labels":["@aws-cdk/custom-resources"],"assignees":["rix0rrr"]},
            {"area":"@aws-cdk/cx-api","keywords":["cx-api","cloudartifact","cloudassembly"],"labels":["@aws-cdk/cx-api"],"assignees":["rix0rrr"]},
            {"area":"@aws-cdk/aws-lambda-layer-awscli","keywords":["(aws-lambda-layer-awscli)","(lambda-layer-awscli)"],"labels":["@aws-cdk/aws-lambda-layer-awscli"],"assignees":["rix0rrr"]},
-           {"area":"@aws-cdk/aws-lambda-layer-kubectl","keywords":["(aws-lambda-layer-kubectl)","(lambda-layer-kubectl)"],"labels":["@aws-cdk/aws-lambda-layer-kubectl"],"assignees":["eladb"]},
+           {"area":"@aws-cdk/aws-lambda-layer-kubectl","keywords":["(aws-lambda-layer-kubectl)","(lambda-layer-kubectl)"],"labels":["@aws-cdk/aws-lambda-layer-kubectl"],"assignees":["otaviomacedo"]},
            {"area":"@aws-cdk/pipelines","keywords":["pipelines","cdk-pipelines","sourceaction","synthaction"],"labels":["@aws-cdk/pipelines"],"assignees":["rix0rrr"]},
            {"area":"@aws-cdk/region-info","keywords":["region-info","fact"],"labels":["@aws-cdk/region-info"],"assignees":["skinny85"]},
            {"area":"aws-cdk-lib","keywords":["aws-cdk-lib","cdk-v2","v2","ubergen"],"labels":["aws-cdk-lib"],"assignees":["njlynch"]},
 
@@ -34,6 +34,10 @@
                 "s3:List*",
                 "s3:DeleteObject*",
                 "s3:PutObject",
+                "s3:PutObjectLegalHold",
+                "s3:PutObjectRetention",
+                "s3:PutObjectTagging",
+                "s3:PutObjectVersionTagging",
                 "s3:Abort*"
               ],
               "Effect": "Allow",
 
@@ -3,15 +3,14 @@
 
 ---
 
-![cdk-constructs: Experimental](https://img.shields.io/badge/cdk--constructs-experimental-important.svg?style=for-the-badge)
+![Deprecated](https://img.shields.io/badge/deprecated-critical.svg?style=for-the-badge)
 
-> The APIs of higher level constructs in this module are experimental and under active development.
-> They are subject to non-backward compatible changes or removal in any future version. These are
-> not subject to the [Semantic Versioning](https://semver.org/) model and breaking changes will be
-> announced in the release notes. This means that while you may use them, you may need to update
-> your source code when upgrading to a newer version of this package.
+ > This API may emit warnings. Backward compatibility is not guaranteed.
 
-If using monocdk, use [@monocdk-experiment/assert](https://www.npmjs.com/package/@monocdk-experiment/assert) instead.
+## Replacement recommended
+
+This library has been deprecated. We recommend you use the
+[@aws-cdk/assertions](https://docs.aws.amazon.com/cdk/api/v1/docs/assertions-readme.html) module instead.
 
 ---
 
 
@@ -55,8 +55,8 @@
   "engines": {
     "node": ">= 10.13.0 <13 || >=13.7.0"
   },
-  "stability": "experimental",
-  "maturity": "experimental",
+  "stability": "deprecated",
+  "maturity": "deprecated",
   "publishConfig": {
     "tag": "latest"
   },
 
@@ -71,8 +71,8 @@
     "exclude": true
   },
   "nozem": false,
-  "stability": "experimental",
-  "maturity": "developer-preview",
+  "stability": "deprecated",
+  "maturity": "deprecated",
   "publishConfig": {
     "tag": "latest-1"
   }
 
@@ -83,7 +83,6 @@
   },
   "license": "Apache-2.0",
   "devDependencies": {
-    "@aws-cdk/assert-internal": "0.0.0",
     "@aws-cdk/assertions": "0.0.0",
     "@aws-cdk/cdk-build-tools": "0.0.0",
     "@aws-cdk/cdk-integ-tools": "0.0.0",
 
@@ -110,69 +110,28 @@ const requestCertificate = async function (requestId, domainName, subjectAlterna
 
   console.log('Waiting for ACM to provide DNS records for validation...');
 
-  let records;
-  for (let attempt = 0; attempt < maxAttempts && !records; attempt++) {
+  let records = [];
+  for (let attempt = 0; attempt < maxAttempts && !records.length; attempt++) {
     const { Certificate } = await acm.describeCertificate({
       CertificateArn: reqCertResponse.CertificateArn
     }).promise();
-    const options = Certificate.DomainValidationOptions || [];
-    // Ensure all records are ready; there is (at least a theory there's) a chance of a partial response here in rare cases.
-    if (options.length > 0 && options.every(opt => opt && !!opt.ResourceRecord)) {
-      // some alternative names will produce the same validation record
-      // as the main domain (eg. example.com + *.example.com)
-      // filtering duplicates to avoid errors with adding the same record
-      // to the route53 zone twice
-      const unique = options
-        .map((val) => val.ResourceRecord)
-        .reduce((acc, cur) => {
-          acc[cur.Name] = cur;
-          return acc;
-        }, {});
-      records = Object.keys(unique).sort().map(key => unique[key]);
-    } else {
+
+    records = getDomainValidationRecords(Certificate);
+    if (!records.length) {
       // Exponential backoff with jitter based on 200ms base
       // component of backoff fixed to ensure minimum total wait time on
       // slow targets.
       const base = Math.pow(2, attempt);
       await sleep(random() * base * 50 + base * 150);
     }
   }
-  if (!records) {
+  if (!records.length) {
     throw new Error(`Response from describeCertificate did not contain DomainValidationOptions after ${maxAttempts} attempts.`)
   }
 
-
   console.log(`Upserting ${records.length} DNS records into zone ${hostedZoneId}:`);
 
-  const changeBatch = await route53.changeResourceRecordSets({
-    ChangeBatch: {
-      Changes: records.map((record) => {
-        console.log(`${record.Name} ${record.Type} ${record.Value}`)
-        return {
-          Action: 'UPSERT',
-          ResourceRecordSet: {
-            Name: record.Name,
-            Type: record.Type,
-            TTL: 60,
-            ResourceRecords: [{
-              Value: record.Value
-            }]
-          }
-        };
-      }),
-    },
-    HostedZoneId: hostedZoneId
-  }).promise();
-
-  console.log('Waiting for DNS records to commit...');
-  await route53.waitFor('resourceRecordSetsChanged', {
-    // Wait up to 5 minutes
-    $waiter: {
-      delay: 30,
-      maxAttempts: 10
-    },
-    Id: changeBatch.ChangeInfo.Id
-  }).promise();
+  await commitRoute53Records(route53, records, hostedZoneId);
 
   console.log('Waiting for validation...');
   await acm.waitFor('certificateValidated', {
@@ -193,47 +152,126 @@ const requestCertificate = async function (requestId, domainName, subjectAlterna
  *
  * @param {string} arn The certificate ARN
  */
-const deleteCertificate = async function (arn, region) {
+const deleteCertificate = async function (arn, region, hostedZoneId, route53Endpoint, cleanupRecords) {
   const acm = new aws.ACM({ region });
+  const route53 = route53Endpoint ? new aws.Route53({ endpoint: route53Endpoint }) : new aws.Route53();
+  if (waiter) {
+    // Used by the test suite, since waiters aren't mockable yet
+    route53.waitFor = acm.waitFor = waiter;
+  }
 
   try {
     console.log(`Waiting for certificate ${arn} to become unused`);
 
     let inUseByResources;
+    let records = [];
     for (let attempt = 0; attempt < maxAttempts; attempt++) {
       const { Certificate } = await acm.describeCertificate({
         CertificateArn: arn
       }).promise();
 
+      if (cleanupRecords) {
+        records = getDomainValidationRecords(Certificate);
+      }
       inUseByResources = Certificate.InUseBy || [];
 
-      if (inUseByResources.length) {
+      if (inUseByResources.length || !records.length) {
         // Exponential backoff with jitter based on 200ms base
         // component of backoff fixed to ensure minimum total wait time on
         // slow targets.
         const base = Math.pow(2, attempt);
         await sleep(random() * base * 50 + base * 150);
       } else {
-        break
+        break;
       }
     }
 
     if (inUseByResources.length) {
       throw new Error(`Response from describeCertificate did not contain an empty InUseBy list after ${maxAttempts} attempts.`)
     }
+    if (cleanupRecords && !records.length) {
+      throw new Error(`Response from describeCertificate did not contain DomainValidationOptions after ${maxAttempts} attempts.`)
+    }
 
     console.log(`Deleting certificate ${arn}`);
 
     await acm.deleteCertificate({
       CertificateArn: arn
     }).promise();
+
+    if (cleanupRecords) {
+      console.log(`Deleting ${records.length} DNS records from zone ${hostedZoneId}:`);
+
+      await commitRoute53Records(route53, records, hostedZoneId, 'DELETE');
+    }
+
   } catch (err) {
     if (err.name !== 'ResourceNotFoundException') {
       throw err;
     }
   }
 };
 
+/**
+ * Retrieve the unique domain validation options as records to be upserted (or deleted) from Route53.
+ *
+ * Returns an empty array ([]) if the domain validation options is empty or the records are not yet ready.
+ */
+function getDomainValidationRecords(certificate) {
+  const options = certificate.DomainValidationOptions || [];
+  // Ensure all records are ready; there is (at least a theory there's) a chance of a partial response here in rare cases.
+  if (options.length > 0 && options.every(opt => opt && !!opt.ResourceRecord)) {
+    // some alternative names will produce the same validation record
+    // as the main domain (eg. example.com + *.example.com)
+    // filtering duplicates to avoid errors with adding the same record
+    // to the route53 zone twice
+    const unique = options
+      .map((val) => val.ResourceRecord)
+      .reduce((acc, cur) => {
+        acc[cur.Name] = cur;
+        return acc;
+      }, {});
+    return Object.keys(unique).sort().map(key => unique[key]);
+  }
+  return [];
+}
+
+/**
+ * Execute Route53 ChangeResourceRecordSets for a set of records within a Hosted Zone,
+ * and wait for the records to commit. Defaults to an 'UPSERT' action.
+ */
+async function commitRoute53Records(route53, records, hostedZoneId, action = 'UPSERT') {
+  const changeBatch = await route53.changeResourceRecordSets({
+    ChangeBatch: {
+      Changes: records.map((record) => {
+        console.log(`${record.Name} ${record.Type} ${record.Value}`);
+        return {
+          Action: action,
+          ResourceRecordSet: {
+            Name: record.Name,
+            Type: record.Type,
+            TTL: 60,
+            ResourceRecords: [{
+              Value: record.Value
+            }]
+          }
+        };
+      }),
+    },
+    HostedZoneId: hostedZoneId
+  }).promise();
+
+  console.log('Waiting for DNS records to commit...');
+  await route53.waitFor('resourceRecordSetsChanged', {
+    // Wait up to 5 minutes
+    $waiter: {
+      delay: 30,
+      maxAttempts: 10
+    },
+    Id: changeBatch.ChangeInfo.Id
+  }).promise();
+}
+
 /**
  * Main handler, invoked by Lambda
  */
@@ -262,7 +300,13 @@ exports.certificateRequestHandler = async function (event, context) {
         // If the resource didn't create correctly, the physical resource ID won't be the
         // certificate ARN, so don't try to delete it in that case.
         if (physicalResourceId.startsWith('arn:')) {
-          await deleteCertificate(physicalResourceId, event.ResourceProperties.Region);
+          await deleteCertificate(
+            physicalResourceId,
+            event.ResourceProperties.Region,
+            event.ResourceProperties.HostedZoneId,
+            event.ResourceProperties.Route53Endpoint,
+            event.ResourceProperties.CleanupRecords === "true",
+          );
         }
         break;
       default: