@aws-cdk-automation aws-cdk-automation commented Mar 22, 2023

See CHANGELOG

mergify bot and others added 30 commits March 14, 2023 17:20
**NOTE:** This PR bumps the version of the bootstrap stack to `16`, but there is no need to update your bootstrap stacks, unless it is to get rid of the Security Hub finding; this change has no effect on the functionality of any CDK app deployed to the environment.

[Security Hub finding KMS.2](https://docs.aws.amazon.com/securityhub/latest/userguide/kms-controls.html#kms-2) says:

> The control fails if the policy is open enough to allow kms:Decrypt or kms:ReEncryptFrom actions on any arbitrary KMS key.
>
> [...]
>
> The control only checks KMS keys in the Resource element and doesn't take into account any conditionals in the Condition element of a policy.

This control is a "defense in depth" control. It does not mitigate any attack by itself, and there is no actual security impact from the current configuration of our policies. However, customers are anxious about the Security Hub findings reported on resources we create for them.

Therefore, we turn the `Resources: *` into a list of wildcard ARNs, one for each trusted account. This should satisfy Security Hub without breaking the functionality of the bootstrap resources (as this statement is only used for cross-account CodePipeline deployments using CDK Pipelines).

The CloudFormation expression we use to turn a list of account IDs into a list of ARNs is quite crazy. To turn `['1111', '2222', '3333']` into `['arn:aws:kms:*:1111:*', 'arn:aws:kms:*:2222:*', 'arn:aws:kms:*:3333:*']` we do the following:

* Skip the entire statement if the list is empty
* Use the following equivalence if the list has at least one element (E1 cannot be expressed in CloudFormation but E2 can):

```
(E1)  xs.map(x => PREFIX + x + SUFFIX).join(SEP)

         <==> { assuming xs.length >= 1 }

(E2)  PREFIX + xs.join(SUFFIX + SEP + PREFIX) + SUFFIX
```

* Finally split the string on the separator to come up with an array of elements.

I would have used `${AWS::Region}` instead of allowing all regions, but `{ Fn::Join }` doesn't allow using intrinsics in its separator.

I tested the new template using a CDK Pipeline that deploys in-region, cross-region, cross-account and cross-account-cross-region.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
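The E1/E2 rewrite from the commit message above, worked through as an added example (not code from the aws-cdk bootstrap template): it builds the `Fn::Join`/`Fn::Split` expression and checks with a tiny evaluator that E2 yields the same ARN list as E1. The `PREFIX`/`SUFFIX`/`SEP` constants and the `TrustedAccounts` parameter name are assumptions.

```typescript
// Added example, not the aws-cdk bootstrap template: builds the Fn::Join /
// Fn::Split expression sketched above and checks with a tiny evaluator that
// E2 yields the same ARN list as E1. PREFIX, SUFFIX, SEP and the parameter name are assumptions.
type Node =
  | string
  | { Ref: string }
  | { 'Fn::Join': [string, Node[] | { Ref: string }] }
  | { 'Fn::Split': [string, Node] };

const PREFIX = 'arn:aws:kms:*:'; // region wildcard: intrinsics are not allowed in a separator
const SUFFIX = ':*';             // any key in that account
const SEP = '|';                 // assumed separator; must never occur in an account ID

// E1: what we want, as ordinary code.
function e1(xs: string[]): string[] {
  return xs.map(x => PREFIX + x + SUFFIX);
}

// E2: the rewrite CloudFormation can express. Equivalent to E1 only for
// xs.length >= 1; for an empty list the whole statement is skipped instead.
function e2(xs: string[]): string[] {
  if (xs.length === 0) throw new Error('E2 only matches E1 for a non-empty list');
  return (PREFIX + xs.join(SUFFIX + SEP + PREFIX) + SUFFIX).split(SEP);
}

// E2 as CloudFormation intrinsics over a CommaDelimitedList parameter.
function kmsResourceArns(listParam: string): Node {
  const inner: Node = { 'Fn::Join': [SUFFIX + SEP + PREFIX, { Ref: listParam }] };
  const full: Node = { 'Fn::Join': ['', [PREFIX, inner, SUFFIX]] };
  return { 'Fn::Split': [SEP, full] };
}

// Minimal evaluator for the three intrinsics used above (not CloudFormation's own).
function evaluate(node: Node, params: Record<string, string[]>): string | string[] {
  if (typeof node === 'string') return node;
  if ('Ref' in node) {
    const value = params[node.Ref];
    if (value === undefined) throw new Error(`unknown parameter ${node.Ref}`);
    return value;
  }
  if ('Fn::Join' in node) {
    const [delim, list] = node['Fn::Join'];
    const parts = Array.isArray(list) ? list.map(n => evaluate(n, params)) : [evaluate(list, params)];
    const flat: string[] = [];
    for (const p of parts) {
      if (Array.isArray(p)) flat.push(...p); else flat.push(p);
    }
    return flat.join(delim);
  }
  const [delim, source] = node['Fn::Split'];
  const joined = evaluate(source, params);
  if (typeof joined !== 'string') throw new Error('Fn::Split expects a string source');
  return joined.split(delim);
}

// What the statement's Resource list resolves to for the given trusted accounts.
// An empty list returns [] because the template omits the statement entirely:
// without that guard E2 would resolve to the bogus single ARN 'arn:aws:kms:*::*'.
function resolveTrustedAccountArns(accounts: string[]): string[] {
  if (accounts.length === 0) return [];
  const out = evaluate(kmsResourceArns('TrustedAccounts'), { TrustedAccounts: accounts });
  return Array.isArray(out) ? out : [out];
}
```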
…ication sharing and association behavior for cross-account stacks (#24408)

Problem:
* Currently, the ApplicationAssociator construct automatically shares the target Application with any accounts of cross-account stacks. [[code reference](https://github.com/aws/aws-cdk/blob/main/packages/@aws-cdk/aws-servicecatalogappregistry/lib/aspects/stack-associator.ts#L91-L95)]
* If the owner of a cross-account stack is not part of the same AWS Organization as the owner of the ApplicationAssociator stack, or otherwise have not enabled cross-account sharing, during deployment the ApplicationAssociator will fail when attempting to share the application with the stack owner, with a message like below:

```
Principal 123456789012 is not in your AWS organization. You do not have permission to add external
AWS accounts to a resource share. 
(Service: AWSRAM; Status Code: 400; Error Code: OperationNotPermittedException;
Request ID: aaa; Proxy: null)
```

Feature:
* We want to introduce a mechanism (`associateCrossAccountStacks` field in TargetApplicationOptions) where the user can specify if they want to allow sharing their application to any accounts of cross-account stacks in order to then subsequently associate the stack with the application.
* This flag will be `false` by default. This allows customers to have their stack deployments proceed without being blocked on application sharing or cross-account associations.
    * If set to `false`, ApplicationAssociator will skip the application sharing and association for cross-account stacks. During synthesis, a warning will be displayed to notify that cross-account stacks were detected but sharing and association will be skipped.
    * If set to `true`, the application will be shared and then associated for cross-account stacks. This relies on the user properly setting up cross-account sharing beforehand.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Add troubleshooting instructions to resolve a weird error produced by Finch.

Fixes #24458.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This change removes the following patch from `cfnspec`, which was blocking the build after `VpcEndpoint` was removed from `AWS::Redshift::EndpointAccess`:

```json
"AWS::Redshift::EndpointAccess": {
  "patch": {
  "description": "This patch fixes all types that were previously typed as Json, and CfnSpec v101.0.0 added types to them, which is a breaking change.",
  "operations": [
    {
      "op": "remove",
      "path": "/Properties/VpcEndpoint/Type"
    },
    {
      "op": "add",
      "path": "/Properties/VpcEndpoint/PrimitiveType",
      "value": "Json"
    }
  ]
}
```
The latest spec adds three new modules: `aws-internetmonitor`, `aws-ivschat` and `aws-systemsmanagersap`. All three failed to build because a dependency on `[email protected]` was missing. Dependency added.

Also, the property `aws-events/CfnArchive.attrArchiveName` was removed, breaking the `aws-events/Archive` L2. Fixed by replacing it with `archive.ref`.

The rest of the changes in this PR were auto-generated.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Removes a dependency between a unit and integration test by extracting generic code into a separate file. Useful for repo restructure as integ tests are in a separate package.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ces (#24353)

Introducing the `InstanceTarget` class: an EC2 instance that serves as the target for load balancing. This class allows registering an instance with a load balancer. `InstanceTarget` takes an instance to register as the target for the load balancer.

For example,
```ts
// `instance` is an ec2.Instance and `loadBalancer` an elb.LoadBalancer
const target = new elb.InstanceTarget(instance);
loadBalancer.addTarget(target);
```
creates an InstanceTarget object with the specified instance and then adds it to the load balancer.


Closes #23500.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
New value (1096) added to the list of valid retention periods: https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutRetentionPolicy.html#API_PutRetentionPolicy_RequestSyntax

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Our CLI's user agent is reported as `undefined/undefined`. This is because we are reading the package name and version from the CLI's `package.json` by using a relative path to the source file (using `__dirname`). However, for a good long while now, our production CLI has been bundled using `esbuild` into a single JavaScript file. This means that at runtime, `__dirname` points to a completely different directory than the one it's been coded against, and so reading the `package.json` fails.

Account for this by using a function that searches for `package.json`; still do it defensively so that if some other condition we didn't predict causes the search to fail, our CLI doesn't fail.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Maven uploads can fail with the following error, which indicates throttling:

```
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-deploy-plugin:3.0.0:deploy-file (default-cli) on project standalone-pom: Failed to deploy artifacts: Could not transfer artifact software.amazon.awscdk:batch-alpha:jar:2.70.0-alpha.999 from/to codeartifact (https://xxxxx.d.codeartifact.us-east-1.amazonaws.com/maven/test-0ek4hpd8q2tm/): status code: 429, reason phrase: Too Many Requests (429) -> [Help 1]
```

Catch these errors and retry them.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This PR is reverting the property type names from pattern `FooAction` to `Foo` for `WAFv2` resource. This change was introduced as part of a [CFNSpec merge](affe040#diff-827a2fd012e049c7ccedffa0360c12e7d967a173f36b8150de73ef6adc42ee4cL175-L357) and would be breaking existing customers if they were using previous property names.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…thout hotswap flag (#24602)

The "hotswap deployment skipped" message is printed when a full deployment is performed if no changes were detected. 

Before:

```
$ cdk deploy
 ✨ hotswap deployment skipped - no changes were detected (use --force to override)


 ✅  ApiStack (no changes)
```

With this PR:

```
$ cdk deploy

 ✅  ApiStack (no changes)
```

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

This work is tangential to code I am editing, splitting the function from non-functional changes.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Bumps [hmarr/auto-approve-action](https://github.com/hmarr/auto-approve-action) from 3.2.0 to 3.2.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/hmarr/auto-approve-action/releases">hmarr/auto-approve-action's releases</a>.</em></p>
<blockquote>
<h2>v3.2.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Only consider the latest review for a user when deciding whether to re-review by <a href="https://github.com/hmarr"><code>@hmarr</code></a> in <a href="https://redirect.github.com/hmarr/auto-approve-action/pull/216">hmarr/auto-approve-action#216</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/hmarr/auto-approve-action/compare/v3.2.0...v3.2.1">https://github.com/hmarr/auto-approve-action/compare/v3.2.0...v3.2.1</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/hmarr/auto-approve-action/commit/44888193675f29a83e04faf4002fa8c0b537b1e4"><code>4488819</code></a> Only consider the latest review for a user (<a href="https://redirect.github.com/hmarr/auto-approve-action/issues/216">#216</a>)</li>
<li>See full diff in <a href="https://github.com/hmarr/auto-approve-action/compare/v3.2.0...v3.2.1">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=hmarr/auto-approve-action&package-manager=github_actions&previous-version=3.2.0&new-version=3.2.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)


</details>
It's not too hard to enable SSM Session Manager to Instances and AutoScalingGroups (it's a matter of picking the right AMI and adding the right managed policy to the instance role).

This PR adds a single boolean to turn on the policy directly and advertises the feature in the README for people who might otherwise not know this feature exists.

Also consistentize the use and explanation of `MachineImage.latestAmazonLinux` a bit.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
If multiple threads of the same process attempt to acquire the same reader lock, a race condition occurs, and the first thread to release the reader lock will release ALL the locks.

Introduce a counter so that each acquire attempt uses a different file name, ensuring that the read lock is reentrant.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
CFN-init can be used to install software onto EC2 Instances that are created using CloudFormation.

CFN init supports SystemD, but this was not yet available in CDK. This PR adds support for SystemD. It also adds a helper function to create simple SystemD config files for your own services.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Upstream service teams may rename property types in the resource specification. This is strictly speaking not breaking from the point of view of the spec, because the names of the property types don't appear anywhere in the code a user would normally type (i.e., in a CloudFormation template).

However, CDK generates classes for these types, and so the name *does* matter and changing it is breaking.

To detect these instances, we check that during an upgrade, all old property type names are still present. If not, the reason is probably that they renamed a type.

Note that this is not 100% guaranteed to catch all scenarios (I'm sure you can think of changes that would be breaking and still pass this check), but it's at least very likely to catch honest mistakes in commonly expected scenarios.

For those interested in how it works:

* During the spec upgrade, we have both the old and the new spec available.
* We iterate over all object keys in the property types of the old spec (an object like `{ "PropertyTypes": { "AWS::ElastiCache::ReplicationGroup.LogDeliveryConfigurationRequest": { ... }, ... } }`) and make sure that the keys are also present in the property types of the new spec.

Also change the `copy/paste` operation pair of a previous patch into a `move` operation, so that if the type definition changes in the future we won't accidentally keep it at an old definition.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
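The rename check described in the commit message above, as an added example that is not the aws-cdk spec-upgrade tooling: every `PropertyTypes` key of the old spec must still exist in the new spec, and for each key that vanished the new keys under the same resource are listed as rename candidates. Both spec excerpts are constructed; the WAFv2 entry mimics the `Foo` to `FooAction` rename mentioned earlier on this page.

```typescript
// Added example, not the aws-cdk spec-upgrade tooling. Spec excerpts are constructed.
interface CfnSpec {
  PropertyTypes: Record<string, unknown>;
}

const has = (o: object, k: string): boolean => Object.prototype.hasOwnProperty.call(o, k);

// Maps each old property type that is missing from the new spec to the new,
// previously unknown property types of the same resource (likely renamed-to names).
function findRenamedPropertyTypes(oldSpec: CfnSpec, newSpec: CfnSpec): Record<string, string[]> {
  const newKeys = Object.keys(newSpec.PropertyTypes);
  const report: Record<string, string[]> = {};
  for (const key of Object.keys(oldSpec.PropertyTypes)) {
    if (has(newSpec.PropertyTypes, key)) continue; // still present: not a rename
    const resource = key.split('.')[0];            // "AWS::WAFv2::WebACL" from "AWS::WAFv2::WebACL.Allow"
    report[key] = newKeys.filter(k => k.startsWith(resource + '.') && !has(oldSpec.PropertyTypes, k));
  }
  return report;
}

// Upgrade gate: refuse the new spec if any old property type name disappeared,
// naming the candidates so the breaking rename can be patched by hand.
function assertNoPropertyTypeRenames(oldSpec: CfnSpec, newSpec: CfnSpec): void {
  const renamed = findRenamedPropertyTypes(oldSpec, newSpec);
  const missing = Object.keys(renamed);
  if (missing.length > 0) {
    const lines = missing.map(k => `  ${k} -> ${renamed[k].join(', ') || '(no candidate)'}`);
    throw new Error(`property types removed or renamed in new spec:\n${lines.join('\n')}`);
  }
}

// Constructed excerpts: the ElastiCache entry is unchanged, the WAFv2 one is renamed.
const OLD_SPEC: CfnSpec = { PropertyTypes: {
  'AWS::ElastiCache::ReplicationGroup.LogDeliveryConfigurationRequest': {},
  'AWS::WAFv2::WebACL.Allow': {},
} };
const NEW_SPEC: CfnSpec = { PropertyTypes: {
  'AWS::ElastiCache::ReplicationGroup.LogDeliveryConfigurationRequest': {},
  'AWS::WAFv2::WebACL.AllowAction': {},
} };
```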
Follow-up to #24593. The `renderJsonPath` function is substituting a literal `null` for `JsonPath.DISCARD`, which results in the key being dropped if the value is sent across a language boundary, which effectively changes semantics.

The `JsonPath.DISCARD` value is a `Token` that ultimately resolves to `null`, and it must be preserved as such so that it is safe to exchange across languages.

Thanks to @beck3905 for reporting & diagnosing this.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This PR adds defaultInterval to cloudwatch dashboard, which allows the interval duration to be given in relative time, e.g. 7 days.

```ts
const dashboard = new cw.Dashboard(stack, 'Dash', {
  defaultInterval: cdk.Duration.days(7),
});
```
Here, the dashboard would show the metrics for the last 7 days.


Closes #<issue number here>.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…al (#24572)

This request fixes the ECR Repository resource to allow setting a flag on the resource to auto delete the images in the repository. This is similar to the way S3 handles the autoDeleteObjects attribute. This code base starts from a stalled PR [#15932](#15932). This also takes into account the functionality added into S3 to create a tag to not delete images if the flag is flipped from true to false.

Closes [#12618](#12618)
References closed and not merged PR  [#15932](#15932)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…on (#24672)

To associate an attribute group with an application created in `ApplicationAssociator`, customers have to use the `AttributeGroup` construct separately to create and associate the attribute group. This makes the `AttributeGroup` and `AttributeGroupAssociation` be created in another stack than the `ApplicationAssociator` stack.
This commit provides a one-stop action, i.e. `Application.addAttributeGroup()`, to create and associate an attribute group on the `Application` construct. This solution not only makes attribute group creation and association easier for customers who use the `Application` construct, but also lets customers have attribute groups and attribute group associations for the `ApplicationAssociator` applications in the same stack.

`Application.addAttributeGroup()` has `id` in the parameters, for two reasons:
- consistent with the experience where customer can define logical ID when using `new AttributeGroup()`
- complexity of deciding logical ID from the attribute group input:
  - We have to make sure that updating attributes/description triggers an update, not a create followed by a delete, which would cause a name conflict exception.
  - We also don't want to generate the logical ID from the attribute group name only, since two `Application.addAttributeGroup()` calls with the same name would result in a construct ID conflict. This exposes implementation details and makes it hard for customers to debug and resolve.

BREAKING CHANGE: This commit contains destructive changes to the RAM Share.
Since the application RAM share name is calculated by the application construct, to which one method is added, the integration test detects a breaking change where the RAM share will be created. The integration test snapshot is updated to cater for this destructive change.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@aws-cdk-automation aws-cdk-automation added auto-approve pr/no-squash This PR should be merged instead of squash-merging it labels Mar 22, 2023
@github-actions github-actions bot added the p2 label Mar 22, 2023
@aws-cdk-automation aws-cdk-automation requested a review from a team March 22, 2023 17:54
@aws-cdk-automation
Collaborator Author

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 33c4066
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Contributor

mergify bot commented Mar 22, 2023

Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit c13a0f1 into v2-release Mar 22, 2023
@mergify mergify bot deleted the bump/2.70.0 branch March 22, 2023 18:32