Merge branch 'master' into nija-at/exppkgs-assertions

mergify[bot] · web-flow · commit c5a77ac08e26 · 2021-08-03T14:45:44.000Z
diff --git a/package.json b/package.json
@@ -93,6 +93,8 @@
       "@aws-cdk/aws-eks/yaml/**",
       "@aws-cdk/aws-events-targets/aws-sdk",
       "@aws-cdk/aws-events-targets/aws-sdk/**",
+      "@aws-cdk/aws-s3-deployment/case",
+      "@aws-cdk/aws-s3-deployment/case/**",
       "@aws-cdk/cloud-assembly-schema/jsonschema",
       "@aws-cdk/cloud-assembly-schema/jsonschema/**",
       "@aws-cdk/cloud-assembly-schema/semver",
diff --git a/packages/@aws-cdk/aws-chatbot/lib/slack-channel-configuration.ts b/packages/@aws-cdk/aws-chatbot/lib/slack-channel-configuration.ts
@@ -204,9 +204,9 @@ export class SlackChannelConfiguration extends SlackChannelConfigurationBase {
    */
   public static fromSlackChannelConfigurationArn(scope: Construct, id: string, slackChannelConfigurationArn: string): ISlackChannelConfiguration {
     const re = /^slack-channel\//;
-    const resourceName = cdk.Stack.of(scope).parseArn(slackChannelConfigurationArn).resourceName as string;
+    const resourceName = cdk.Arn.extractResourceName(slackChannelConfigurationArn, 'chat-configuration');
 
-    if (!re.test(resourceName)) {
+    if (!cdk.Token.isUnresolved(slackChannelConfigurationArn) && !re.test(resourceName)) {
       throw new Error('The ARN of a Slack integration must be in the form: arn:aws:chatbot:{region}:{account}:chat-configuration/slack-channel/{slackChannelName}');
     }
 
@@ -227,11 +227,19 @@ export class SlackChannelConfiguration extends SlackChannelConfigurationBase {
        * The ArnComponents API will return `slack-channel/my-slack`
        * It need to handle that to gets a correct name.`my-slack`
        */
-      readonly slackChannelConfigurationName = resourceName.substring('slack-channel/'.length);
+      readonly slackChannelConfigurationName: string;
 
       constructor(s: Construct, i: string) {
         super(s, i);
         this.grantPrincipal = new iam.UnknownPrincipal({ resource: this });
+
+        // handle slackChannelConfigurationName as specified above
+        if (cdk.Token.isUnresolved(slackChannelConfigurationArn)) {
+          this.slackChannelConfigurationName = cdk.Fn.select(1, cdk.Fn.split('slack-channel/', resourceName));
+        } else {
+          this.slackChannelConfigurationName = resourceName.substring('slack-channel/'.length);
+        }
+
       }
     }
 
diff --git a/packages/@aws-cdk/aws-chatbot/test/slack-channel-configuration.test.ts b/packages/@aws-cdk/aws-chatbot/test/slack-channel-configuration.test.ts
@@ -245,4 +245,22 @@ describe('SlackChannelConfiguration', () => {
     expect(imported.slackChannelConfigurationName).toEqual('my-slack');
     expect(imported.slackChannelConfigurationArn).toEqual('arn:aws:chatbot::1234567890:chat-configuration/slack-channel/my-slack');
   });
+
+  test('skip validation for tokenized values', () => {
+    // invalid ARN because of underscores, no error because tokenized value
+    expect(() => chatbot.SlackChannelConfiguration.fromSlackChannelConfigurationArn(stack, 'MySlackChannel',
+      cdk.Lazy.string({ produce: () => 'arn:aws:chatbot::1234567890:chat-configuration/slack_channel/my_slack' }))).not.toThrow();
+  });
+
+  test('test name and ARN from slack channel configuration ARN', () => {
+    const imported = chatbot.SlackChannelConfiguration.fromSlackChannelConfigurationArn(stack, 'MySlackChannel', cdk.Token.asString({ Ref: 'ARN' }));
+
+    // THEN
+    expect(stack.resolve(imported.slackChannelConfigurationName)).toStrictEqual({
+      'Fn::Select': [1, { 'Fn::Split': ['slack-channel/', { 'Fn::Select': [1, { 'Fn::Split': [':chat-configuration/', { Ref: 'ARN' }] }] }] }],
+    });
+    expect(stack.resolve(imported.slackChannelConfigurationArn)).toStrictEqual({
+      Ref: 'ARN',
+    });
+  });
 });
diff --git a/packages/@aws-cdk/aws-lambda/lib/lambda-insights.ts b/packages/@aws-cdk/aws-lambda/lib/lambda-insights.ts
@@ -1,6 +1,5 @@
 import { Aws, CfnMapping, Fn, IResolveContext, Lazy, Stack, Token } from '@aws-cdk/core';
 import { FactName, RegionInfo } from '@aws-cdk/region-info';
-import { CLOUDWATCH_LAMBDA_INSIGHTS_ARNS } from '@aws-cdk/region-info/build-tools/fact-tables';
 
 // This is the name of the mapping that will be added to the CloudFormation template, if a stack is region agnostic
 const DEFAULT_MAPPING_PREFIX = 'LambdaInsightsVersions';
@@ -49,8 +48,9 @@ export abstract class LambdaInsightsVersion {
   private static fromInsightsVersion(insightsVersion: string): LambdaInsightsVersion {
 
     // Check if insights version is valid. This should only happen if one of the public static readonly versions are set incorrectly
-    if (!(insightsVersion in CLOUDWATCH_LAMBDA_INSIGHTS_ARNS)) {
-      throw new Error(`Insights version ${insightsVersion} does not exist. Available versions are ${CLOUDWATCH_LAMBDA_INSIGHTS_ARNS.keys()}`);
+    const versionExists = RegionInfo.regions.some(regionInfo => regionInfo.cloudwatchLambdaInsightsArn(insightsVersion));
+    if (!versionExists) {
+      throw new Error(`Insights version ${insightsVersion} does not exist.`);
     }
 
     class InsightsVersion extends LambdaInsightsVersion {
diff --git a/packages/@aws-cdk/aws-s3-deployment/NOTICE b/packages/@aws-cdk/aws-s3-deployment/NOTICE
@@ -1,2 +1,32 @@
 AWS Cloud Development Kit (AWS CDK)
 Copyright 2018-2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+-------------------------------------------------------------------------------
+
+The AWS CDK includes the following third-party software/licensing:
+
+** case - https://www.npmjs.com/package/case
+Copyright (c) 2013 Nathan Bubna
+
+Permission is hereby granted, free of charge, to any person
+obtaining a copy of this software and associated documentation
+files (the "Software"), to deal in the Software without
+restriction, including without limitation the rights to use,
+copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following
+conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+----------------
diff --git a/packages/@aws-cdk/aws-s3-deployment/README.md b/packages/@aws-cdk/aws-s3-deployment/README.md
@@ -147,17 +147,22 @@ User-defined metadata are not used by S3 and keys always begin with `x-amz-meta-
 
 System defined metadata keys include the following:
 
-- cache-control
-- content-disposition
-- content-encoding
-- content-language
-- content-type
-- expires
-- server-side-encryption
-- storage-class
-- website-redirect-location
-- ssekms-key-id
-- sse-customer-algorithm
+- cache-control (`--cache-control` in `aws s3 sync`)
+- content-disposition (`--content-disposition` in `aws s3 sync`)
+- content-encoding (`--content-encoding` in `aws s3 sync`)
+- content-language (`--content-language` in `aws s3 sync`)
+- content-type (`--content-type` in `aws s3 sync`)
+- expires (`--expires` in `aws s3 sync`)
+- x-amz-storage-class (`--storage-class` in `aws s3 sync`)
+- x-amz-website-redirect-location (`--website-redirect` in `aws s3 sync`)
+- x-amz-server-side-encryption (`--sse` in `aws s3 sync`)
+- x-amz-server-side-encryption-aws-kms-key-id (`--sse-kms-key-id` in `aws s3 sync`)
+- x-amz-server-side-encryption-customer-algorithm (`--sse-c-copy-source` in `aws s3 sync`)
+- x-amz-acl (`--acl` in `aws s3 sync`)
+
+You can find more information about system defined metadata keys in
+[S3 PutObject documentation](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html)
+and [`aws s3 sync` documentation](https://docs.aws.amazon.com/cli/latest/reference/s3/sync.html).
 
 ```ts
 const websiteBucket = new s3.Bucket(this, 'WebsiteBucket', {
@@ -177,6 +182,7 @@ new s3deploy.BucketDeployment(this, 'DeployWebsite', {
   storageClass: StorageClass.INTELLIGENT_TIERING,
   serverSideEncryption: ServerSideEncryption.AES_256,
   cacheControl: [CacheControl.setPublic(), CacheControl.maxAge(cdk.Duration.hours(1))],
+  accessControl: s3.BucketAccessControl.BUCKET_OWNER_FULL_CONTROL,
 });
 ```
 
@@ -230,7 +236,7 @@ size of the AWS Lambda resource handler.
 ## Development
 
 The custom resource is implemented in Python 3.6 in order to be able to leverage
-the AWS CLI for "aws sync". The code is under [`lib/lambda`](https://github.com/aws/aws-cdk/tree/master/packages/%40aws-cdk/aws-s3-deployment/lib/lambda) and
+the AWS CLI for "aws s3 sync". The code is under [`lib/lambda`](https://github.com/aws/aws-cdk/tree/master/packages/%40aws-cdk/aws-s3-deployment/lib/lambda) and
 unit tests are under [`test/lambda`](https://github.com/aws/aws-cdk/tree/master/packages/%40aws-cdk/aws-s3-deployment/test/lambda).
 
 This package requires Python 3.6 during build time in order to create the custom
diff --git a/packages/@aws-cdk/aws-s3-deployment/lib/bucket-deployment.ts b/packages/@aws-cdk/aws-s3-deployment/lib/bucket-deployment.ts
@@ -6,6 +6,7 @@ import * as lambda from '@aws-cdk/aws-lambda';
 import * as s3 from '@aws-cdk/aws-s3';
 import * as cdk from '@aws-cdk/core';
 import { AwsCliLayer } from '@aws-cdk/lambda-layer-awscli';
+import { kebab as toKebabCase } from 'case';
 import { Construct } from 'constructs';
 import { ISource, SourceConfig } from './source';
 
@@ -164,6 +165,12 @@ export interface BucketDeploymentProps {
    * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html#sse-c-how-to-programmatically-intro
    */
   readonly serverSideEncryptionCustomerAlgorithm?: string;
+  /**
+   * System-defined x-amz-acl metadata to be set on all objects in the deployment.
+   * @default - Not set.
+   * @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl
+   */
+  readonly accessControl?: s3.BucketAccessControl;
 
   /**
    * The VPC network to place the deployment lambda handler in.
@@ -282,6 +289,7 @@ function mapSystemMetadata(metadata: BucketDeploymentProps) {
   if (metadata.websiteRedirectLocation) { res['website-redirect'] = metadata.websiteRedirectLocation; }
   if (metadata.serverSideEncryptionAwsKmsKeyId) { res['sse-kms-key-id'] = metadata.serverSideEncryptionAwsKmsKeyId; }
   if (metadata.serverSideEncryptionCustomerAlgorithm) { res['sse-c-copy-source'] = metadata.serverSideEncryptionCustomerAlgorithm; }
+  if (metadata.accessControl) { res.acl = toKebabCase(metadata.accessControl.toString()); }
 
   return Object.keys(res).length === 0 ? undefined : res;
 }
diff --git a/packages/@aws-cdk/aws-s3-deployment/package.json b/packages/@aws-cdk/aws-s3-deployment/package.json
@@ -96,6 +96,7 @@
     "@aws-cdk/aws-s3-assets": "0.0.0",
     "@aws-cdk/lambda-layer-awscli": "0.0.0",
     "@aws-cdk/core": "0.0.0",
+    "case": "1.6.3",
     "constructs": "^3.3.69"
   },
   "homepage": "https://github.com/aws/aws-cdk",
@@ -110,6 +111,9 @@
     "@aws-cdk/core": "0.0.0",
     "constructs": "^3.3.69"
   },
+  "bundledDependencies": [
+    "case"
+  ],
   "engines": {
     "node": ">= 10.13.0 <13 || >=13.7.0"
   },
diff --git a/packages/@aws-cdk/aws-s3-deployment/test/bucket-deployment.test.ts b/packages/@aws-cdk/aws-s3-deployment/test/bucket-deployment.test.ts
@@ -325,6 +325,7 @@ test('system metadata is correctly transformed', () => {
     websiteRedirectLocation: 'example',
     cacheControl: [s3deploy.CacheControl.setPublic(), s3deploy.CacheControl.maxAge(cdk.Duration.hours(1))],
     expires: expiration,
+    accessControl: s3.BucketAccessControl.BUCKET_OWNER_FULL_CONTROL,
   });
 
   // THEN
@@ -340,10 +341,47 @@ test('system metadata is correctly transformed', () => {
       'expires': expiration.date.toUTCString(),
       'sse-c-copy-source': 'rot13',
       'website-redirect': 'example',
+      'acl': 'bucket-owner-full-control',
     },
   });
 });
 
+// type checking structure that forces to update it if BucketAccessControl changes
+// see `--acl` here: https://docs.aws.amazon.com/cli/latest/reference/s3/sync.html
+const accessControlMap: Record<s3.BucketAccessControl, string> = {
+  [s3.BucketAccessControl.PRIVATE]: 'private',
+  [s3.BucketAccessControl.PUBLIC_READ]: 'public-read',
+  [s3.BucketAccessControl.PUBLIC_READ_WRITE]: 'public-read-write',
+  [s3.BucketAccessControl.AUTHENTICATED_READ]: 'authenticated-read',
+  [s3.BucketAccessControl.AWS_EXEC_READ]: 'aws-exec-read',
+  [s3.BucketAccessControl.BUCKET_OWNER_READ]: 'bucket-owner-read',
+  [s3.BucketAccessControl.BUCKET_OWNER_FULL_CONTROL]: 'bucket-owner-full-control',
+  [s3.BucketAccessControl.LOG_DELIVERY_WRITE]: 'log-delivery-write',
+};
+
+test.each(Object.entries(accessControlMap) as [s3.BucketAccessControl, string][])(
+  'system metadata acl %s is correctly transformed',
+  (accessControl, systemMetadataKeyword) => {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const bucket = new s3.Bucket(stack, 'Dest');
+
+    // WHEN
+    new s3deploy.BucketDeployment(stack, 'Deploy', {
+      sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website.zip'))],
+      destinationBucket: bucket,
+      accessControl: accessControl,
+    });
+
+    // THEN
+    expect(stack).toHaveResource('Custom::CDKBucketDeployment', {
+      SystemMetadata: {
+        acl: systemMetadataKeyword,
+      },
+    });
+  },
+);
+
 test('expires type has correct values', () => {
   expect(cdk.Expiration.atDate(new Date('Sun, 26 Jan 2020 00:53:20 GMT')).date.toUTCString()).toEqual('Sun, 26 Jan 2020 00:53:20 GMT');
   expect(cdk.Expiration.atTimestamp(1580000000000).date.toUTCString()).toEqual('Sun, 26 Jan 2020 00:53:20 GMT');
