aws
diff --git a/‎packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts‎
Lines changed: 2 additions & 7 deletions b/‎packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts‎
Lines changed: 2 additions & 7 deletions
diff --git a/‎packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts‎
Lines changed: 37 additions & 0 deletions b/‎packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎packages/@aws-cdk/aws-config/lib/rule.ts‎
Lines changed: 12 additions & 0 deletions b/‎packages/@aws-cdk/aws-config/lib/rule.ts‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎packages/@aws-cdk/aws-config/test/rule.test.ts‎
Lines changed: 34 additions & 0 deletions b/‎packages/@aws-cdk/aws-config/test/rule.test.ts‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎packages/@aws-cdk/aws-dynamodb/lib/table.ts‎
Lines changed: 4 additions & 2 deletions b/‎packages/@aws-cdk/aws-dynamodb/lib/table.ts‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎packages/@aws-cdk/aws-ecs-patterns/README.md‎
Lines changed: 16 additions & 0 deletions b/‎packages/@aws-cdk/aws-ecs-patterns/README.md‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎packages/@aws-cdk/aws-ecs-patterns/lib/base/application-load-balanced-service-base.ts‎
Lines changed: 15 additions & 0 deletions b/‎packages/@aws-cdk/aws-ecs-patterns/lib/base/application-load-balanced-service-base.ts‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎packages/@aws-cdk/aws-ecs-patterns/test/ec2/l3s.test.ts‎
Lines changed: 116 additions & 0 deletions b/‎packages/@aws-cdk/aws-ecs-patterns/test/ec2/l3s.test.ts‎
Lines changed: 116 additions & 0 deletions
@@ -408,7 +408,7 @@ export class UserPoolClient extends Resource implements IUserPoolClient {
   }
 
   private configureAuthFlows(props: UserPoolClientProps): string[] | undefined {
-    if (!props.authFlows) return undefined;
+    if (!props.authFlows || Object.keys(props.authFlows).length === 0) return undefined;
 
     const authFlows: string[] = [];
     if (props.authFlows.userPassword) { authFlows.push('ALLOW_USER_PASSWORD_AUTH'); }
@@ -417,13 +417,8 @@ export class UserPoolClient extends Resource implements IUserPoolClient {
     if (props.authFlows.userSrp) { authFlows.push('ALLOW_USER_SRP_AUTH'); }
 
     // refreshToken should always be allowed if authFlows are present
-    if (authFlows.length > 0) {
-      authFlows.push('ALLOW_REFRESH_TOKEN_AUTH');
-    }
+    authFlows.push('ALLOW_REFRESH_TOKEN_AUTH');
 
-    if (authFlows.length === 0) {
-      return undefined;
-    }
     return authFlows;
   }
 
 
@@ -93,6 +93,43 @@ describe('User Pool Client', () => {
     });
   });
 
+  test('ExplicitAuthFlows makes only refreshToken true when all options are false', () => {
+    // GIVEN
+    const stack = new Stack();
+    const pool = new UserPool(stack, 'Pool');
+
+    // WHEN
+    pool.addClient('Client', {
+      authFlows: {
+        adminUserPassword: false,
+        custom: false,
+        userPassword: false,
+        userSrp: false,
+      },
+    });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', {
+      ExplicitAuthFlows: [
+        'ALLOW_REFRESH_TOKEN_AUTH',
+      ],
+    });
+  });
+
+  test('ExplicitAuthFlows is absent when authFlows is empty', () => {
+    // GIVEN
+    const stack = new Stack();
+    const pool = new UserPool(stack, 'Pool');
+
+    // WHEN
+    pool.addClient('Client', {
+      authFlows: {},
+    });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', {
+      ExplicitAuthFlows: Match.absent(),
+    });
+  });
+
   test('ExplicitAuthFlows makes refreshToken true by default', () => {
     // GIVEN
     const stack = new Stack();
 
@@ -783,6 +783,16 @@ export class ManagedRuleIdentifiers {
    * @see https://docs.aws.amazon.com/config/latest/developerguide/ec2-imdsv2-check.html
    */
   public static readonly EC2_IMDSV2_CHECK = 'EC2_IMDSV2_CHECK';
+  /**
+   * Checks if an Amazon Elastic Kubernetes Service (EKS) cluster is running the oldest supported version.
+   * @see https://docs.aws.amazon.com/config/latest/developerguide/eks-cluster-oldest-supported-version.html
+   */
+  public static readonly EKS_CLUSTER_OLDEST_SUPPORTED_VERSION = 'EKS_CLUSTER_OLDEST_SUPPORTED_VERSION';
+  /**
+    * Checks if an Amazon Elastic Kubernetes Service (EKS) cluster is running a supported Kubernetes version.
+    * @see https://docs.aws.amazon.com/config/latest/developerguide/eks-cluster-supported-version.html
+    */
+  public static readonly EKS_CLUSTER_SUPPORTED_VERSION = 'EKS_CLUSTER_SUPPORTED_VERSION';
   /**
    * Checks whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible.
    * @see https://docs.aws.amazon.com/config/latest/developerguide/eks-endpoint-no-public-access.html
@@ -1322,6 +1332,8 @@ export class ResourceType {
   public static readonly EC2_VPC_ENDPOINT_SERVICE = new ResourceType('AWS::EC2::VPCEndpointService');
   /** EC2 VPC peering connection */
   public static readonly EC2_VPC_PEERING_CONNECTION = new ResourceType('AWS::EC2::VPCPeeringConnection');
+  /** Amazon Elastic Kubernetes Service cluster */
+  public static readonly EKS_CLUSTER = new ResourceType('AWS::EKS::Cluster');
   /** Amazon ElasticSearch domain */
   public static readonly ELASTICSEARCH_DOMAIN = new ResourceType('AWS::Elasticsearch::Domain');
   /** Amazon QLDB ledger */
 
@@ -264,4 +264,38 @@ describe('rule', () => {
       },
     });
   });
+
+  test('Add EKS Cluster check to ManagedRule', () => {
+    // GIVEN
+    const stack1 = new cdk.Stack();
+    const stack2 = new cdk.Stack();
+
+    // WHEN
+    new config.ManagedRule(stack1, 'RuleEksClusterOldest', {
+      identifier: config.ManagedRuleIdentifiers.EKS_CLUSTER_OLDEST_SUPPORTED_VERSION,
+      ruleScope: config.RuleScope.fromResource(config.ResourceType.EKS_CLUSTER),
+    });
+    new config.ManagedRule(stack2, 'RuleEksClusterVersion', {
+      identifier: config.ManagedRuleIdentifiers.EKS_CLUSTER_SUPPORTED_VERSION,
+      ruleScope: config.RuleScope.fromResources([config.ResourceType.EKS_CLUSTER]),
+    });
+
+    // THEN
+    Template.fromStack(stack1).hasResourceProperties('AWS::Config::ConfigRule', {
+      Source: {
+        SourceIdentifier: 'EKS_CLUSTER_OLDEST_SUPPORTED_VERSION',
+      },
+      Scope: {
+        ComplianceResourceTypes: ['AWS::EKS::Cluster'],
+      },
+    });
+    Template.fromStack(stack2).hasResourceProperties('AWS::Config::ConfigRule', {
+      Source: {
+        SourceIdentifier: 'EKS_CLUSTER_SUPPORTED_VERSION',
+      },
+      Scope: {
+        ComplianceResourceTypes: ['AWS::EKS::Cluster'],
+      },
+    });
+  });
 });
@@ -188,7 +188,7 @@ export interface TableOptions extends SchemaOptions {
    *
    * This property cannot be set if `encryption` and/or `encryptionKey` is set.
    *
-   * @default - server-side encryption is enabled with an AWS owned customer master key
+   * @default - The table is encrypted with an encryption key managed by DynamoDB, and you are not charged any fee for using it.
    *
    * @deprecated This property is deprecated. In order to obtain the same behavior as
    * enabling this, set the `encryption` property to `TableEncryption.AWS_MANAGED` instead.
@@ -213,7 +213,7 @@ export interface TableOptions extends SchemaOptions {
    * > using CDKv1, make sure the feature flag
    * > `@aws-cdk/aws-kms:defaultKeyPolicies` is set to `true` in your `cdk.json`.
    *
-   * @default - server-side encryption is enabled with an AWS owned customer master key
+   * @default - The table is encrypted with an encryption key managed by DynamoDB, and you are not charged any fee for using it.
    */
   readonly encryption?: TableEncryption;
 
@@ -224,6 +224,8 @@ export interface TableOptions extends SchemaOptions {
    *
    * @default - If `encryption` is set to `TableEncryption.CUSTOMER_MANAGED` and this
    * property is undefined, a new KMS key will be created and associated with this table.
+   * If `encryption` and this property are both undefined, then the table is encrypted with
+   * an encryption key managed by DynamoDB, and you are not charged any fee for using it.
    */
   readonly encryptionKey?: kms.IKey;
 
 
@@ -637,6 +637,22 @@ const loadBalancedFargateService = new ecsPatterns.ApplicationLoadBalancedFargat
 });
 ```
 
+### Select idleTimeout for ApplicationLoadBalancedFargateService
+
+```ts
+declare const cluster: ecs.Cluster;
+const loadBalancedFargateService = new ecsPatterns.ApplicationLoadBalancedFargateService(this, 'Service', {
+  cluster,
+  memoryLimitMiB: 1024,
+  desiredCount: 1,
+  cpu: 512,
+  taskImageOptions: {
+    image: ecs.ContainerImage.fromRegistry("amazon/amazon-ecs-sample"),
+  },
+  idleTimeout: Duration.seconds(120),
+});
+```
+
 ### Set PlatformVersion for ScheduledFargateTask
 
 ```ts
 
@@ -12,6 +12,7 @@ import { IRole } from '@aws-cdk/aws-iam';
 import { ARecord, IHostedZone, RecordTarget, CnameRecord } from '@aws-cdk/aws-route53';
 import { LoadBalancerTarget } from '@aws-cdk/aws-route53-targets';
 import * as cdk from '@aws-cdk/core';
+import { Duration } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 
 /**
@@ -269,6 +270,13 @@ export interface ApplicationLoadBalancedServiceBaseProps {
    * @default - false
    */
   readonly enableExecuteCommand?: boolean;
+
+  /**
+   * The load balancer idle timeout, in seconds
+   *
+   * @default - CloudFormation sets idle timeout to 60 seconds
+   */
+  readonly idleTimeout?: Duration;
 }
 
 export interface ApplicationLoadBalancedTaskImageOptions {
@@ -434,10 +442,17 @@ export abstract class ApplicationLoadBalancedServiceBase extends Construct {
 
     const internetFacing = props.publicLoadBalancer ?? true;
 
+    if (props.idleTimeout) {
+      if (props.idleTimeout > Duration.seconds(4000) || props.idleTimeout < Duration.seconds(1)) {
+        throw new Error('Load balancer idle timeout must be between 1 and 4000 seconds.');
+      }
+    }
+
     const lbProps = {
       vpc: this.cluster.vpc,
       loadBalancerName: props.loadBalancerName,
       internetFacing,
+      idleTimeout: props.idleTimeout,
     };
 
     const loadBalancer = props.loadBalancer ?? new ApplicationLoadBalancer(this, 'LB', lbProps);
 
@@ -10,6 +10,7 @@ import { PublicHostedZone } from '@aws-cdk/aws-route53';
 import * as cloudmap from '@aws-cdk/aws-servicediscovery';
 import { testLegacyBehavior } from '@aws-cdk/cdk-build-tools';
 import * as cdk from '@aws-cdk/core';
+import { Duration } from '@aws-cdk/core';
 import * as cxapi from '@aws-cdk/cx-api';
 import * as ecsPatterns from '../../lib';
 
@@ -811,6 +812,121 @@ test('errors when setting HTTPS protocol but not domain name', () => {
   }).toThrow();
 });
 
+test('errors when idleTimeout is over 4000 seconds', () => {
+  // GIVEN
+  const stack = new cdk.Stack();
+  const vpc = new ec2.Vpc(stack, 'VPC');
+  const cluster = new ecs.Cluster(stack, 'Cluster', { vpc });
+
+  // THEN
+  expect(() => {
+    new ecsPatterns.ApplicationLoadBalancedFargateService(stack, 'Service', {
+      cluster,
+      taskImageOptions: {
+        image: ecs.ContainerImage.fromRegistry('test'),
+        enableLogging: false,
+        environment: {
+          TEST_ENVIRONMENT_VARIABLE1: 'test environment variable 1 value',
+          TEST_ENVIRONMENT_VARIABLE2: 'test environment variable 2 value',
+        },
+        logDriver: new ecs.AwsLogDriver({
+          streamPrefix: 'TestStream',
+        }),
+      },
+      idleTimeout: Duration.seconds(5000),
+      desiredCount: 2,
+    });
+  }).toThrowError();
+});
+
+test('errors when idleTimeout is under 1 seconds', () => {
+  // GIVEN
+  const stack = new cdk.Stack();
+  const vpc = new ec2.Vpc(stack, 'VPC');
+  const cluster = new ecs.Cluster(stack, 'Cluster', { vpc });
+
+  // THEN
+  expect(() => {
+    new ecsPatterns.ApplicationLoadBalancedFargateService(stack, 'Service', {
+      cluster,
+      taskImageOptions: {
+        image: ecs.ContainerImage.fromRegistry('test'),
+        enableLogging: false,
+        environment: {
+          TEST_ENVIRONMENT_VARIABLE1: 'test environment variable 1 value',
+          TEST_ENVIRONMENT_VARIABLE2: 'test environment variable 2 value',
+        },
+        logDriver: new ecs.AwsLogDriver({
+          streamPrefix: 'TestStream',
+        }),
+      },
+      idleTimeout: Duration.seconds(0),
+      desiredCount: 2,
+    });
+  }).toThrowError();
+});
+
+test('passes when idleTimeout is between 1 and 4000 seconds', () => {
+  // GIVEN
+  const stack = new cdk.Stack();
+  const vpc = new ec2.Vpc(stack, 'VPC');
+  const cluster = new ecs.Cluster(stack, 'Cluster', { vpc });
+
+  // THEN
+  expect(() => {
+    new ecsPatterns.ApplicationLoadBalancedFargateService(stack, 'Service', {
+      cluster,
+      taskImageOptions: {
+        image: ecs.ContainerImage.fromRegistry('test'),
+        enableLogging: false,
+        environment: {
+          TEST_ENVIRONMENT_VARIABLE1: 'test environment variable 1 value',
+          TEST_ENVIRONMENT_VARIABLE2: 'test environment variable 2 value',
+        },
+        logDriver: new ecs.AwsLogDriver({
+          streamPrefix: 'TestStream',
+        }),
+      },
+      idleTimeout: Duration.seconds(120),
+      desiredCount: 2,
+    });
+  }).toBeTruthy();
+});
+
+test('idletime is undefined when not set', () => {
+  // GIVEN
+  const stack = new cdk.Stack();
+  const vpc = new ec2.Vpc(stack, 'VPC');
+  const cluster = new ecs.Cluster(stack, 'Cluster', { vpc });
+
+  // WHEN
+  new ecsPatterns.ApplicationLoadBalancedFargateService(stack, 'Service', {
+    cluster,
+    taskImageOptions: {
+      image: ecs.ContainerImage.fromRegistry('test'),
+      enableLogging: false,
+      environment: {
+        TEST_ENVIRONMENT_VARIABLE1: 'test environment variable 1 value',
+        TEST_ENVIRONMENT_VARIABLE2: 'test environment variable 2 value',
+      },
+      logDriver: new ecs.AwsLogDriver({
+        streamPrefix: 'TestStream',
+      }),
+    },
+    desiredCount: 2,
+  });
+
+  // THEN - stack contains default LoadBalancer Attributes
+  Template.fromStack(stack).hasResourceProperties('AWS::ElasticLoadBalancingV2::LoadBalancer', {
+    LoadBalancerAttributes: [
+      {
+        Key: 'deletion_protection.enabled',
+        Value: 'false',
+      },
+    ],
+  });
+});
+
 test('test Fargate loadbalanced construct with optional log driver input', () => {
   // GIVEN
   const stack = new cdk.Stack();
Original file line number	Diff line number	Diff line change
`@@ -188,7 +188,7 @@ export interface TableOptions extends SchemaOptions {`
`188`	`188`	`*`
`189`	`189`	* This property cannot be set if `encryption` and/or `encryptionKey` is set.
`190`	`190`	`*`
`191`		`- * @default - server-side encryption is enabled with an AWS owned customer master key`
	`191`	`+ * @default - The table is encrypted with an encryption key managed by DynamoDB, and you are not charged any fee for using it.`
`192`	`192`	`*`
`193`	`193`	`* @deprecated This property is deprecated. In order to obtain the same behavior as`
`194`	`194`	* enabling this, set the `encryption` property to `TableEncryption.AWS_MANAGED` instead.
`@@ -213,7 +213,7 @@ export interface TableOptions extends SchemaOptions {`
`213`	`213`	`* > using CDKv1, make sure the feature flag`
`214`	`214`	* > `@aws-cdk/aws-kms:defaultKeyPolicies` is set to `true` in your `cdk.json`.
`215`	`215`	`*`
`216`		`- * @default - server-side encryption is enabled with an AWS owned customer master key`
	`216`	`+ * @default - The table is encrypted with an encryption key managed by DynamoDB, and you are not charged any fee for using it.`
`217`	`217`	`*/`
`218`	`218`	`readonly encryption?: TableEncryption;`
`219`	`219`
`@@ -224,6 +224,8 @@ export interface TableOptions extends SchemaOptions {`
`224`	`224`	`*`
`225`	`225`	* @default - If `encryption` is set to `TableEncryption.CUSTOMER_MANAGED` and this
`226`	`226`	`* property is undefined, a new KMS key will be created and associated with this table.`
	`227`	+ * If `encryption` and this property are both undefined, then the table is encrypted with
	`228`	`+ * an encryption key managed by DynamoDB, and you are not charged any fee for using it.`
`227`	`229`	`*/`
`228`	`230`	`readonly encryptionKey?: kms.IKey;`
`229`	`231`