Merge branch 'master' into njlynch/rds-cluster-attributes

mergify[bot] · web-flow · commit 136c5237e5ff · 2020-09-11T08:46:42.000Z
diff --git a/packages/@aws-cdk/aws-cloudfront-origins/lib/s3-origin.ts b/packages/@aws-cdk/aws-cloudfront-origins/lib/s3-origin.ts
@@ -59,7 +59,7 @@ class S3BucketOrigin extends cloudfront.OriginBase {
   public bind(scope: cdk.Construct, options: cloudfront.OriginBindOptions): cloudfront.OriginBindConfig {
     if (!this.originAccessIdentity) {
       this.originAccessIdentity = new cloudfront.OriginAccessIdentity(scope, 'S3Origin', {
-        comment: `Access identity for ${options.originId}`,
+        comment: `Identity for ${options.originId}`,
       });
       this.bucket.grantRead(this.originAccessIdentity);
     }
diff --git a/packages/@aws-cdk/aws-cloudfront-origins/test/integ.origin-group.expected.json b/packages/@aws-cdk/aws-cloudfront-origins/test/integ.origin-group.expected.json
@@ -60,7 +60,7 @@
       "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity",
       "Properties": {
         "CloudFrontOriginAccessIdentityConfig": {
-          "Comment": "Access identity for cloudfrontorigingroupDistributionOrigin137659A54"
+          "Comment": "Identity for cloudfrontorigingroupDistributionOrigin137659A54"
         }
       }
     },
@@ -153,4 +153,4 @@
       }
     }
   }
-}
+}
diff --git a/packages/@aws-cdk/aws-cloudfront-origins/test/integ.s3-origin.expected.json b/packages/@aws-cdk/aws-cloudfront-origins/test/integ.s3-origin.expected.json
@@ -60,7 +60,7 @@
       "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity",
       "Properties": {
         "CloudFrontOriginAccessIdentityConfig": {
-          "Comment": "Access identity for cloudfronts3originDistributionOrigin1741C4E95"
+          "Comment": "Identity for cloudfronts3originDistributionOrigin1741C4E95"
         }
       }
     },
@@ -106,4 +106,4 @@
       }
     }
   }
-}
+}
diff --git a/packages/@aws-cdk/aws-cloudfront-origins/test/s3-origin.test.ts b/packages/@aws-cdk/aws-cloudfront-origins/test/s3-origin.test.ts
@@ -54,7 +54,7 @@ describe('With bucket', () => {
 
     expect(stack).toHaveResourceLike('AWS::CloudFront::CloudFrontOriginAccessIdentity', {
       CloudFrontOriginAccessIdentityConfig: {
-        Comment: 'Access identity for StackDistOrigin15754CE84',
+        Comment: 'Identity for StackDistOrigin15754CE84',
       },
     });
     expect(stack).toHaveResourceLike('AWS::S3::BucketPolicy', {
diff --git a/packages/@aws-cdk/aws-cloudfront/lib/origin_access_identity.ts b/packages/@aws-cdk/aws-cloudfront/lib/origin_access_identity.ts
@@ -106,10 +106,10 @@ export class OriginAccessIdentity extends OriginAccessIdentityBase implements IO
   constructor(scope: cdk.Construct, id: string, props?: OriginAccessIdentityProps) {
     super(scope, id);
 
+    // Comment has a max length of 128.
+    const comment = (props?.comment ?? 'Allows CloudFront to reach the bucket').substr(0, 128);
     this.resource = new CfnCloudFrontOriginAccessIdentity(this, 'Resource', {
-      cloudFrontOriginAccessIdentityConfig: {
-        comment: (props && props.comment) || 'Allows CloudFront to reach the bucket',
-      },
+      cloudFrontOriginAccessIdentityConfig: { comment },
     });
     // physical id - OAI name
     this.originAccessIdentityName = this.getResourceNameAttribute(this.resource.ref);
diff --git a/packages/@aws-cdk/aws-cloudfront/test/oai.test.ts b/packages/@aws-cdk/aws-cloudfront/test/oai.test.ts
@@ -1,69 +1,71 @@
-import { expect } from '@aws-cdk/assert';
+import '@aws-cdk/assert/jest';
 import * as cdk from '@aws-cdk/core';
-import { nodeunitShim, Test } from 'nodeunit-shim';
 import { OriginAccessIdentity } from '../lib';
 
-/* eslint-disable quote-props */
-
-nodeunitShim({
-  'Origin Access Identity with automatic comment'(test: Test) {
+describe('Origin Access Identity', () => {
+  test('With automatic comment', () => {
     const stack = new cdk.Stack();
 
     new OriginAccessIdentity(stack, 'OAI');
 
-    expect(stack).toMatch(
+    expect(stack).toMatchTemplate(
       {
-        'Resources': {
-          'OAIE1EFC67F': {
-            'Type': 'AWS::CloudFront::CloudFrontOriginAccessIdentity',
-            'Properties': {
-              'CloudFrontOriginAccessIdentityConfig': {
-                'Comment': 'Allows CloudFront to reach the bucket',
+        Resources: {
+          OAIE1EFC67F: {
+            Type: 'AWS::CloudFront::CloudFrontOriginAccessIdentity',
+            Properties: {
+              CloudFrontOriginAccessIdentityConfig: {
+                Comment: 'Allows CloudFront to reach the bucket',
               },
             },
           },
         },
       },
     );
+  });
 
-    test.done();
-  },
-  'Origin Access Identity with comment'(test: Test) {
+  test('With provided comment', () => {
     const stack = new cdk.Stack();
 
     new OriginAccessIdentity(stack, 'OAI', {
       comment: 'test comment',
     });
 
-    expect(stack).toMatch(
+    expect(stack).toMatchTemplate(
       {
-        'Resources': {
-          'OAIE1EFC67F': {
-            'Type': 'AWS::CloudFront::CloudFrontOriginAccessIdentity',
-            'Properties': {
-              'CloudFrontOriginAccessIdentityConfig': {
-                'Comment': 'test comment',
+        Resources: {
+          OAIE1EFC67F: {
+            Type: 'AWS::CloudFront::CloudFrontOriginAccessIdentity',
+            Properties: {
+              CloudFrontOriginAccessIdentityConfig: {
+                Comment: 'test comment',
               },
             },
           },
         },
       },
     );
+  });
+
+  test('Truncates long comments', () => {
+    const stack = new cdk.Stack();
+
+    new OriginAccessIdentity(stack, 'OAI', {
+      comment: 'This is a really long comment. Auto-generated comments based on ids of origins might sometimes be this long or even longer and that will break',
+    });
 
-    test.done();
-  },
+    expect(stack).toHaveResourceLike('AWS::CloudFront::CloudFrontOriginAccessIdentity', {
+      CloudFrontOriginAccessIdentityConfig: {
+        Comment: 'This is a really long comment. Auto-generated comments based on ids of origins might sometimes be this long or even longer and t',
+      },
+    });
+  });
 
-  'Builds ARN of CloudFront user'(test: Test) {
+  test('Builds ARN of CloudFront user', () => {
     const stack = new cdk.Stack();
 
     const oai = OriginAccessIdentity.fromOriginAccessIdentityName(stack, 'OAI', 'OAITest');
 
-    test.ok(
-      oai.grantPrincipal.policyFragment.principalJson.AWS[0].endsWith(
-        ':iam::cloudfront:user/CloudFront Origin Access Identity OAITest',
-      ),
-    );
-
-    test.done();
-  },
+    expect(oai.grantPrincipal.policyFragment.principalJson.AWS[0]).toMatch(/:iam::cloudfront:user\/CloudFront Origin Access Identity OAITest$/);
+  });
 });
diff --git a/packages/@aws-cdk/aws-codebuild/README.md b/packages/@aws-cdk/aws-codebuild/README.md
@@ -115,6 +115,18 @@ const bbSource = codebuild.Source.bitBucket({
 });
 ```
 
+### For all Git sources
+
+For all Git sources, you can fetch submodules while cloing git repo.
+
+```typescript
+const gitHubSource = codebuild.Source.gitHub({
+  owner: 'awslabs',
+  repo: 'aws-cdk',
+  fetchSubmodules: true,
+});
+```
+
 ## Artifacts
 
 CodeBuild Projects can produce Artifacts and upload them to S3. For example:
diff --git a/packages/@aws-cdk/aws-codebuild/lib/source.ts b/packages/@aws-cdk/aws-codebuild/lib/source.ts
@@ -119,6 +119,13 @@ interface GitSourceProps extends SourceProps {
    * @default the default branch's HEAD commit ID is used
    */
   readonly branchOrRef?: string;
+
+  /**
+   * Whether to fetch submodules while cloning git repo.
+   *
+   * @default false
+   */
+  readonly fetchSubmodules?: boolean;
 }
 
 /**
@@ -127,12 +134,14 @@ interface GitSourceProps extends SourceProps {
 abstract class GitSource extends Source {
   private readonly cloneDepth?: number;
   private readonly branchOrRef?: string;
+  private readonly fetchSubmodules?: boolean;
 
   protected constructor(props: GitSourceProps) {
     super(props);
 
     this.cloneDepth = props.cloneDepth;
     this.branchOrRef = props.branchOrRef;
+    this.fetchSubmodules = props.fetchSubmodules;
   }
 
   public bind(_scope: Construct, _project: IProject): SourceConfig {
@@ -142,6 +151,9 @@ abstract class GitSource extends Source {
       sourceProperty: {
         ...superConfig.sourceProperty,
         gitCloneDepth: this.cloneDepth,
+        gitSubmodulesConfig: this.fetchSubmodules ? {
+          fetchSubmodules: this.fetchSubmodules,
+        } : undefined,
       },
     };
   }
diff --git a/packages/@aws-cdk/aws-codebuild/test/test.codebuild.ts b/packages/@aws-cdk/aws-codebuild/test/test.codebuild.ts
@@ -546,6 +546,7 @@ export = {
           owner: 'testowner',
           repo: 'testrepo',
           cloneDepth: 3,
+          fetchSubmodules: true,
           webhook: true,
           reportBuildStatus: false,
           webhookFilters: [
@@ -561,6 +562,9 @@ export = {
           Location: 'https://github.com/testowner/testrepo.git',
           ReportBuildStatus: false,
           GitCloneDepth: 3,
+          GitSubmodulesConfig: {
+            FetchSubmodules: true,
+          },
         },
       }));
 
diff --git a/packages/@aws-cdk/aws-kms/lib/key.ts b/packages/@aws-cdk/aws-kms/lib/key.ts
@@ -1,5 +1,5 @@
 import * as iam from '@aws-cdk/aws-iam';
-import { Construct, IResource, RemovalPolicy, Resource, Stack } from '@aws-cdk/core';
+import { Construct, IConstruct, IResource, RemovalPolicy, Resource, Stack } from '@aws-cdk/core';
 import { Alias } from './alias';
 import { CfnKey } from './kms.generated';
 
@@ -207,11 +207,18 @@ abstract class KeyBase extends Resource implements IKey {
    *   undefined otherwise
    */
   private granteeStackDependsOnKeyStack(grantee: iam.IGrantable): string | undefined {
-    if (!(Construct.isConstruct(grantee))) {
+    const grantPrincipal = grantee.grantPrincipal;
+    if (!(Construct.isConstruct(grantPrincipal))) {
+      return undefined;
+    }
+    // this logic should only apply to newly created
+    // (= not imported) resources
+    if (!this.principalIsANewlyCreatedResource(grantPrincipal)) {
       return undefined;
     }
+    // return undefined;
     const keyStack = Stack.of(this);
-    const granteeStack = Stack.of(grantee);
+    const granteeStack = Stack.of(grantPrincipal);
     if (keyStack === granteeStack) {
       return undefined;
     }
@@ -220,6 +227,14 @@ abstract class KeyBase extends Resource implements IKey {
       : undefined;
   }
 
+  private principalIsANewlyCreatedResource(principal: IConstruct): boolean {
+    // yes, this sucks
+    // this is just a temporary stopgap to stem the bleeding while we work on a proper fix
+    return principal instanceof iam.Role ||
+      principal instanceof iam.User ||
+      principal instanceof iam.Group;
+  }
+
   private isGranteeFromAnotherRegion(grantee: iam.IGrantable): boolean {
     if (!(Construct.isConstruct(grantee))) {
       return false;
diff --git a/packages/@aws-cdk/aws-route53-patterns/README.md b/packages/@aws-cdk/aws-route53-patterns/README.md
@@ -27,7 +27,7 @@ The `HttpsRedirect` constructs creates:
 * Amazon CloudFront distribution - makes website available from data centres
   around the world
 * Amazon S3 bucket - empty bucket used for website hosting redirect (`websiteRedirect`) capabilities.
-* Amazon Route 53 Alias record - routes traffic to the CloudFront distribution
+* Amazon Route 53 A/AAAA Alias records - routes traffic to the CloudFront distribution
 * AWS Certificate Manager certificate - SSL/TLS certificate used by
   CloudFront for your domain
 
diff --git a/packages/@aws-cdk/aws-route53-patterns/lib/website-redirect.ts b/packages/@aws-cdk/aws-route53-patterns/lib/website-redirect.ts
@@ -1,7 +1,7 @@
 import * as crypto from 'crypto';
 import { DnsValidatedCertificate, ICertificate } from '@aws-cdk/aws-certificatemanager';
 import { CloudFrontWebDistribution, OriginProtocolPolicy, PriceClass, ViewerProtocolPolicy } from '@aws-cdk/aws-cloudfront';
-import { ARecord, IHostedZone, RecordTarget } from '@aws-cdk/aws-route53';
+import { ARecord, AaaaRecord, IHostedZone, RecordTarget } from '@aws-cdk/aws-route53';
 import { CloudFrontTarget } from '@aws-cdk/aws-route53-targets';
 import { Bucket, RedirectProtocol } from '@aws-cdk/aws-s3';
 import { Construct, RemovalPolicy, Stack, Token } from '@aws-cdk/core';
@@ -97,11 +97,13 @@ export class HttpsRedirect extends Construct {
 
     domainNames.forEach((domainName) => {
       const hash = crypto.createHash('md5').update(domainName).digest('hex').substr(0, 6);
-      new ARecord(this, `RedirectAliasRecord${hash}`, {
+      const aliasProps = {
         recordName: domainName,
         zone: props.zone,
         target: RecordTarget.fromAlias(new CloudFrontTarget(redirectDist)),
-      });
+      };
+      new ARecord(this, `RedirectAliasRecord${hash}`, aliasProps);
+      new AaaaRecord(this, `RedirectAliasRecordSix${hash}`, aliasProps);
     });
   }
 }
diff --git a/packages/@aws-cdk/aws-route53-patterns/test/bucket-website-target.test.ts b/packages/@aws-cdk/aws-route53-patterns/test/bucket-website-target.test.ts
@@ -35,10 +35,22 @@ test('create HTTPS redirect', () => {
     },
   });
   expect(stack).toHaveResource('AWS::Route53::RecordSet', {
+    Type: 'A',
     Name: 'foo.example.com.',
     HostedZoneId: 'ID',
   });
   expect(stack).toHaveResource('AWS::Route53::RecordSet', {
+    Type: 'AAAA',
+    Name: 'foo.example.com.',
+    HostedZoneId: 'ID',
+  });
+  expect(stack).toHaveResource('AWS::Route53::RecordSet', {
+    Type: 'A',
+    Name: 'baz.example.com.',
+    HostedZoneId: 'ID',
+  });
+  expect(stack).toHaveResource('AWS::Route53::RecordSet', {
+    Type: 'AAAA',
     Name: 'baz.example.com.',
     HostedZoneId: 'ID',
   });
@@ -68,6 +80,11 @@ test('create HTTPS redirect for apex', () => {
     },
   });
   expect(stack).toHaveResource('AWS::Route53::RecordSet', {
+    Type: 'A',
+    Name: 'example.com.',
+  });
+  expect(stack).toHaveResource('AWS::Route53::RecordSet', {
+    Type: 'AAAA',
     Name: 'example.com.',
   });
 });
diff --git a/packages/@aws-cdk/pipelines/test/cross-environment-infra.test.ts b/packages/@aws-cdk/pipelines/test/cross-environment-infra.test.ts
@@ -45,6 +45,24 @@ test('in a cross-account/cross-region setup, artifact bucket can be read by depl
       })),
     },
   });
+
+  // And the key to go along with it
+  expect(supportStack).toHaveResourceLike('AWS::KMS::Key', {
+    KeyPolicy: {
+      Statement: arrayWith(objectLike({
+        Action: arrayWith('kms:Decrypt', 'kms:DescribeKey'),
+        Principal: {
+          AWS: {
+            'Fn::Join': ['', [
+              'arn:',
+              { Ref: 'AWS::Partition' },
+              stringLike('*-deploy-role-*'),
+            ]],
+          },
+        },
+      })),
+    },
+  });
 });
 
 test('in a cross-account/same-region setup, artifact bucket can be read by deploy role', () => {
diff --git a/packages/aws-cdk/test/integ/cli/cdk-helpers.ts b/packages/aws-cdk/test/integ/cli/cdk-helpers.ts

Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,7 @@ class S3BucketOrigin extends cloudfront.OriginBase {`
`59`	`59`	`public bind(scope: cdk.Construct, options: cloudfront.OriginBindOptions): cloudfront.OriginBindConfig {`
`60`	`60`	`if (!this.originAccessIdentity) {`
`61`	`61`	`this.originAccessIdentity = new cloudfront.OriginAccessIdentity(scope, 'S3Origin', {`
`62`		- comment: `Access identity for ${options.originId}`,
	`62`	+ comment: `Identity for ${options.originId}`,
`63`	`63`	`});`
`64`	`64`	`this.bucket.grantRead(this.originAccessIdentity);`
`65`	`65`	`}`
Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,7 @@`
`60`	`60`	`"Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity",`
`61`	`61`	`"Properties": {`
`62`	`62`	`"CloudFrontOriginAccessIdentityConfig": {`
`63`		`- "Comment": "Access identity for cloudfrontorigingroupDistributionOrigin137659A54"`
	`63`	`+ "Comment": "Identity for cloudfrontorigingroupDistributionOrigin137659A54"`
`64`	`64`	`}`
`65`	`65`	`}`
`66`	`66`	`},`
`@@ -153,4 +153,4 @@`
`153`	`153`	`}`
`154`	`154`	`}`
`155`	`155`	`}`
`156`		`-}`
	`156`	`+}`