Merge branch 'main' into ecs-lambda-deployment-config

mergify[bot] · web-flow · commit a8112fb7de3b · 2022-09-29T14:56:18.000Z
diff --git a/CHANGELOG.v2.alpha.md b/CHANGELOG.v2.alpha.md
@@ -2,6 +2,14 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.44.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.43.1-alpha.0...v2.44.0-alpha.0) (2022-09-28)
+
+
+### Features
+
+* **integ-tests:** chain assertion api calls ([#22196](https://github.com/aws/aws-cdk/issues/22196)) ([530e07b](https://github.com/aws/aws-cdk/commit/530e07bdc87ab94bbd5ed28debac98400a8152cc))
+* **neptune:** introduce metric method to cluster and instance ([#21995](https://github.com/aws/aws-cdk/issues/21995)) ([02ed837](https://github.com/aws/aws-cdk/commit/02ed8371276d504ba9fe09687d45409ad7cca288)), closes [#20248](https://github.com/aws/aws-cdk/issues/20248)
+
 ## [2.43.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.43.0-alpha.0...v2.43.1-alpha.0) (2022-09-23)
 
 ## [2.43.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.42.1-alpha.0...v2.43.0-alpha.0) (2022-09-21)
diff --git a/CHANGELOG.v2.md b/CHANGELOG.v2.md
@@ -2,6 +2,31 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.44.0](https://github.com/aws/aws-cdk/compare/v2.43.1...v2.44.0) (2022-09-28)
+
+
+### Features
+
+* **assets:** support drop-in docker replacements by setting `$CDK_DOCKER` ([#21838](https://github.com/aws/aws-cdk/issues/21838)) ([d52310e](https://github.com/aws/aws-cdk/commit/d52310ea2104dd1ed13761944d078ffce46a299f)), closes [40aws-cdk/core/lib/bundling.ts#L523](https://github.com/40aws-cdk/core/lib/bundling.ts/issues/L523) [#21836](https://github.com/aws/aws-cdk/issues/21836)
+* **backup:** add copy actions to backup plan rules ([#22244](https://github.com/aws/aws-cdk/issues/22244)) ([d87a651](https://github.com/aws/aws-cdk/commit/d87a651608d23f3bfc3c178093d92b5bdda71084)), closes [#22173](https://github.com/aws/aws-cdk/issues/22173)
+* **cfnspec:** cloudformation spec v89.0.0 ([#22232](https://github.com/aws/aws-cdk/issues/22232)) ([953d684](https://github.com/aws/aws-cdk/commit/953d6841fa3ed43258d0454e245cebcab6323e0d))
+* **cli:** `cdk deploy --method=direct` is faster ([#22079](https://github.com/aws/aws-cdk/issues/22079)) ([dd6ead4](https://github.com/aws/aws-cdk/commit/dd6ead447a80cdec3379a3ced2e04b7d15f9c55d))
+* **cloudwatch:** add gauge widget ([#22213](https://github.com/aws/aws-cdk/issues/22213)) ([d9f0e80](https://github.com/aws/aws-cdk/commit/d9f0e809d583d23cb83b4e2855574675a669c33f)), closes [#22136](https://github.com/aws/aws-cdk/issues/22136)
+* **core:** 'postCliContext' property allows context that cannot be overridden by the CLI ([#21743](https://github.com/aws/aws-cdk/issues/21743)) ([a618096](https://github.com/aws/aws-cdk/commit/a618096432a27a808a0352ea186fe1e4db2911c4))
+* **dynamodb:** Changes how metricForOperation methods are used ([#22097](https://github.com/aws/aws-cdk/issues/22097)) ([fcb311d](https://github.com/aws/aws-cdk/commit/fcb311d615422b76f18b6be60dd466b315fcd6b0)), closes [#21963](https://github.com/aws/aws-cdk/issues/21963)
+* **logs:** add dimensions to metric filter ([#21654](https://github.com/aws/aws-cdk/issues/21654)) ([f834a45](https://github.com/aws/aws-cdk/commit/f834a4537643b32131076111be0693c6f8f96b24)), closes [/github.com/aws/aws-cdk/issues/16999#issuecomment-1005172655](https://github.com/aws//github.com/aws/aws-cdk/issues/16999/issues/issuecomment-1005172655) [#16999](https://github.com/aws/aws-cdk/issues/16999)
+* **pipelines:** allow disabling use of change sets ([#21619](https://github.com/aws/aws-cdk/issues/21619)) ([05723e7](https://github.com/aws/aws-cdk/commit/05723e74cc0e760f570c36ec02a70e8936287814)), closes [#20827](https://github.com/aws/aws-cdk/issues/20827)
+* **s3-deployment:** extract flag to disable automatic unzipping ([#21805](https://github.com/aws/aws-cdk/issues/21805)) ([91898b5](https://github.com/aws/aws-cdk/commit/91898b51573c0bfd0f26ae7610feb6a400bc8159)), closes [#8065](https://github.com/aws/aws-cdk/issues/8065)
+
+
+### Bug Fixes
+
+* **aws-elasticloadbalancingv2:** Validation for interval and timeout of application-target-group ([#22225](https://github.com/aws/aws-cdk/issues/22225)) ([6128e39](https://github.com/aws/aws-cdk/commit/6128e3908f4f6b6a1db66ebf7f77b6c966d1f9e7))
+* **cli:** SSO credentials do not work when using a proxy ([#22115](https://github.com/aws/aws-cdk/issues/22115)) ([c425e8c](https://github.com/aws/aws-cdk/commit/c425e8ca1a3d296eb6a7fd7e005d07c1eadd16aa)), closes [#21328](https://github.com/aws/aws-cdk/issues/21328)
+* **elbv2:** Use correct format for parsing imported target group ARNs ([#22153](https://github.com/aws/aws-cdk/issues/22153)) ([4704d4c](https://github.com/aws/aws-cdk/commit/4704d4c4ac065634dbada3732193a6753369dd12))
+* **rds:** changing engine versions would fail to update on DBInstances that were part of a DBCluster ([#22185](https://github.com/aws/aws-cdk/issues/22185)) ([c070ace](https://github.com/aws/aws-cdk/commit/c070acea1b12ec4f73c7d2087c5408d7e38a90a3)), closes [#21758](https://github.com/aws/aws-cdk/issues/21758) [#22180](https://github.com/aws/aws-cdk/issues/22180)
+* cannot use values that return an instance of a deprecated class for non TS / JS language ([#22204](https://github.com/aws/aws-cdk/issues/22204)) ([4cad2cf](https://github.com/aws/aws-cdk/commit/4cad2cf7e1ca41dedae6adc8866792e5f71b2123))
+
 ## [2.43.1](https://github.com/aws/aws-cdk/compare/v2.43.0...v2.43.1) (2022-09-23)
 
 
diff --git a/packages/@aws-cdk/aws-ec2/lib/security-group.ts b/packages/@aws-cdk/aws-ec2/lib/security-group.ts
@@ -63,6 +63,7 @@ abstract class SecurityGroupBase extends Resource implements ISecurityGroup {
 
   public abstract readonly securityGroupId: string;
   public abstract readonly allowAllOutbound: boolean;
+  public abstract readonly allowAllIpv6Outbound: boolean;
 
   public readonly canInlineRule = false;
   public readonly connections: Connections = new Connections({ securityGroups: [this] });
@@ -237,10 +238,25 @@ export interface SecurityGroupProps {
    * outbound traffic. If this is set to false, no outbound traffic will be allowed by
    * default and all egress traffic must be explicitly authorized.
    *
+   * To allow all ipv6 traffic use allowAllIpv6Outbound
+   *
    * @default true
    */
   readonly allowAllOutbound?: boolean;
 
+  /**
+   * Whether to allow all outbound ipv6 traffic by default.
+   *
+   * If this is set to true, there will only be a single egress rule which allows all
+   * outbound ipv6 traffic. If this is set to false, no outbound traffic will be allowed by
+   * default and all egress ipv6 traffic must be explicitly authorized.
+   *
+   * To allow all ipv4 traffic use allowAllOutbound
+   *
+   * @default false
+   */
+  readonly allowAllIpv6Outbound?: boolean;
+
   /**
    * Whether to disable inline ingress and egress rule optimization.
    *
@@ -274,6 +290,17 @@ export interface SecurityGroupImportOptions {
    */
   readonly allowAllOutbound?: boolean;
 
+  /**
+   * Mark the SecurityGroup as having been created allowing all outbound ipv6 traffic
+   *
+   * Only if this is set to false will egress rules for ipv6 be added to this security
+   * group. Be aware, this would undo any potential "all outbound traffic"
+   * default.
+   *
+   * @default false
+   */
+  readonly allowAllIpv6Outbound?: boolean;
+
   /**
    * If a SecurityGroup is mutable CDK can add rules to existing groups
    *
@@ -360,6 +387,7 @@ export class SecurityGroup extends SecurityGroupBase {
     class MutableImport extends SecurityGroupBase {
       public securityGroupId = securityGroupId;
       public allowAllOutbound = options.allowAllOutbound ?? true;
+      public allowAllIpv6Outbound = options.allowAllIpv6Outbound ?? false;
 
       public addEgressRule(peer: IPeer, connection: Port, description?: string, remoteRule?: boolean) {
         // Only if allowAllOutbound has been disabled
@@ -372,6 +400,7 @@ export class SecurityGroup extends SecurityGroupBase {
     class ImmutableImport extends SecurityGroupBase {
       public securityGroupId = securityGroupId;
       public allowAllOutbound = options.allowAllOutbound ?? true;
+      public allowAllIpv6Outbound = options.allowAllIpv6Outbound ?? false;
 
       public addEgressRule(_peer: IPeer, _connection: Port, _description?: string, _remoteRule?: boolean) {
         // do nothing
@@ -441,6 +470,11 @@ export class SecurityGroup extends SecurityGroupBase {
    */
   public readonly allowAllOutbound: boolean;
 
+  /**
+   * Whether the SecurityGroup has been configured to allow all outbound ipv6 traffic
+   */
+  public readonly allowAllIpv6Outbound: boolean;
+
   private readonly securityGroup: CfnSecurityGroup;
   private readonly directIngressRules: CfnSecurityGroup.IngressProperty[] = [];
   private readonly directEgressRules: CfnSecurityGroup.EgressProperty[] = [];
@@ -458,6 +492,7 @@ export class SecurityGroup extends SecurityGroupBase {
     const groupDescription = props.description || this.node.path;
 
     this.allowAllOutbound = props.allowAllOutbound !== false;
+    this.allowAllIpv6Outbound = props.allowAllIpv6Outbound ?? false;
 
     this.disableInlineRules = props.disableInlineRules !== undefined ?
       !!props.disableInlineRules :
@@ -476,6 +511,7 @@ export class SecurityGroup extends SecurityGroupBase {
     this.securityGroupName = this.securityGroup.ref;
 
     this.addDefaultEgressRule();
+    this.addDefaultIpv6EgressRule();
   }
 
   public addIngressRule(peer: IPeer, connection: Port, description?: string, remoteRule?: boolean) {
@@ -496,21 +532,33 @@ export class SecurityGroup extends SecurityGroupBase {
   }
 
   public addEgressRule(peer: IPeer, connection: Port, description?: string, remoteRule?: boolean) {
-    if (this.allowAllOutbound) {
+    const isIpv6 = peer.toEgressRuleConfig().hasOwnProperty('cidrIpv6');
+
+    if (!isIpv6 && this.allowAllOutbound) {
       // In the case of "allowAllOutbound", we don't add any more rules. There
       // is only one rule which allows all traffic and that subsumes any other
       // rule.
       if (!remoteRule) { // Warn only if addEgressRule() was explicitely called
         Annotations.of(this).addWarning('Ignoring Egress rule since \'allowAllOutbound\' is set to true; To add customized rules, set allowAllOutbound=false on the SecurityGroup');
       }
       return;
-    } else {
+    } else if (!isIpv6 && !this.allowAllOutbound) {
       // Otherwise, if the bogus rule exists we can now remove it because the
       // presence of any other rule will get rid of EC2's implicit "all
       // outbound" rule anyway.
       this.removeNoTrafficRule();
     }
 
+    if (isIpv6 && this.allowAllIpv6Outbound) {
+      // In the case of "allowAllIpv6Outbound", we don't add any more rules. There
+      // is only one rule which allows all traffic and that subsumes any other
+      // rule.
+      if (!remoteRule) { // Warn only if addEgressRule() was explicitely called
+        Annotations.of(this).addWarning('Ignoring Egress rule since \'allowAllIpv6Outbound\' is set to true; To add customized rules, set allowAllIpv6Outbound=false on the SecurityGroup');
+      }
+      return;
+    }
+
     if (!peer.canInlineRule || !connection.canInlineRule || this.disableInlineRules) {
       super.addEgressRule(peer, connection, description, remoteRule);
       return;
@@ -532,7 +580,7 @@ export class SecurityGroup extends SecurityGroupBase {
       // to "allOutbound=true" mode, because we might have already emitted
       // EgressRule objects (which count as rules added later) and there's no way
       // to recall those. Better to prevent this for now.
-      throw new Error('Cannot add an "all traffic" egress rule in this way; set allowAllOutbound=true on the SecurityGroup instead.');
+      throw new Error('Cannot add an "all traffic" egress rule in this way; set allowAllOutbound=true (for ipv6) or allowAllIpv6Outbound=true (for ipv6) on the SecurityGroup instead.');
     }
 
     this.addDirectEgressRule(rule);
@@ -596,6 +644,31 @@ export class SecurityGroup extends SecurityGroupBase {
     }
   }
 
+  /**
+   * Add a allow all ipv6 egress rule to the securityGroup
+   *
+   * This depends on allowAllIpv6Outbound:
+   *
+   * - If allowAllIpv6Outbound is true, we will add an allow all rule.
+   * - If allowAllOutbound is false, we don't do anything since EC2 does not add
+   *   a default allow all ipv6 rule.
+   */
+  private addDefaultIpv6EgressRule() {
+    const description = 'Allow all outbound ipv6 traffic by default';
+    const peer = Peer.anyIpv6();
+    if (this.allowAllIpv6Outbound) {
+      if (this.disableInlineRules) {
+        super.addEgressRule(peer, Port.allTraffic(), description, false);
+      } else {
+        this.directEgressRules.push({
+          ipProtocol: '-1',
+          cidrIp: peer.uniqueId,
+          description,
+        });
+      }
+    }
+  }
+
   /**
    * Remove the bogus rule if it exists
    */
@@ -721,7 +794,7 @@ function egressRulesEqual(a: CfnSecurityGroup.EgressProperty, b: CfnSecurityGrou
  * Whether this rule refers to all traffic
  */
 function isAllTrafficRule(rule: any) {
-  return rule.cidrIp === '0.0.0.0/0' && rule.ipProtocol === '-1';
+  return (rule.cidrIp === '0.0.0.0/0' || rule.cidrIpv6 === '::/0') && rule.ipProtocol === '-1';
 }
 
 /**
diff --git a/packages/@aws-cdk/aws-ec2/test/security-group.test.ts b/packages/@aws-cdk/aws-ec2/test/security-group.test.ts
@@ -24,7 +24,59 @@ describe('security group', () => {
         },
       ],
     });
+  });
+
+  test('security group can allows all ipv6 outbound traffic by default', () => {
+    // GIVEN
+    const stack = new Stack();
+    const vpc = new Vpc(stack, 'VPC');
+
+    // WHEN
+    new SecurityGroup(stack, 'SG1', { vpc, allowAllIpv6Outbound: true });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::EC2::SecurityGroup', {
+      SecurityGroupEgress: [
+        {
+          CidrIp: '0.0.0.0/0',
+          Description: 'Allow all outbound traffic by default',
+          IpProtocol: '-1',
+        },
+        {
+          CidrIp: '::/0',
+          Description: 'Allow all outbound ipv6 traffic by default',
+          IpProtocol: '-1',
+        },
+      ],
+    });
+  });
+
+  test('can add ipv6 rules even if allowAllOutbound=true', () => {
+    // GIVEN
+    const stack = new Stack();
+    const vpc = new Vpc(stack, 'VPC');
 
+    // WHEN
+    const sg = new SecurityGroup(stack, 'SG1', { vpc });
+    sg.addEgressRule(Peer.ipv6('2001:db8::/128'), Port.tcp(80));
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::EC2::SecurityGroup', {
+      SecurityGroupEgress: [
+        {
+          CidrIp: '0.0.0.0/0',
+          Description: 'Allow all outbound traffic by default',
+          IpProtocol: '-1',
+        },
+        {
+          CidrIpv6: '2001:db8::/128',
+          Description: 'from 2001:db8::/128:80',
+          FromPort: 80,
+          ToPort: 80,
+          IpProtocol: 'tcp',
+        },
+      ],
+    });
 
   });
 
@@ -96,8 +148,6 @@ describe('security group', () => {
         },
       ],
     });
-
-
   });
 
   test('all outbound rule cannot be added after creation', () => {
@@ -110,8 +160,18 @@ describe('security group', () => {
     expect(() => {
       sg.addEgressRule(Peer.anyIpv4(), Port.allTraffic(), 'All traffic');
     }).toThrow(/Cannot add/);
+  });
 
+  test('all ipv6 outbound rule cannot be added after creation', () => {
+    // GIVEN
+    const stack = new Stack();
+    const vpc = new Vpc(stack, 'VPC');
 
+    // WHEN
+    const sg = new SecurityGroup(stack, 'SG1', { vpc, allowAllOutbound: false });
+    expect(() => {
+      sg.addEgressRule(Peer.anyIpv6(), Port.allTraffic(), 'All traffic');
+    }).toThrow(/Cannot add/);
   });
 
   test('immutable imports do not add rules', () => {
@@ -171,7 +231,7 @@ describe('security group', () => {
     // GIVEN
     const stack = new Stack(undefined, 'TestStack', { env: { account: '12345678', region: 'dummy' } });
     const vpc = new Vpc(stack, 'VPC');
-    const sg = new SecurityGroup(stack, 'SG', { vpc });
+    const sg = new SecurityGroup(stack, 'SG', { vpc, allowAllIpv6Outbound: true });
 
     const peers = [
       new SecurityGroup(stack, 'PeerGroup', { vpc }),
diff --git a/version.v2.json b/version.v2.json
@@ -1,4 +1,4 @@
 {
-  "version": "2.43.1",
-  "alphaVersion": "2.43.1-alpha.0"
+  "version": "2.44.0",
+  "alphaVersion": "2.44.0-alpha.0"
 }

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`	`1`	`{`
`2`		`- "version": "2.43.1",`
`3`		`- "alphaVersion": "2.43.1-alpha.0"`
	`2`	`+ "version": "2.44.0",`
	`3`	`+ "alphaVersion": "2.44.0-alpha.0"`
`4`	`4`	`}`