Merged
…ns (#17984) The SSM service principal format depends on the region. Older regions have a "global" service principal (`ssm.amazonaws.com`), while newer regions have only regional service principals (`ssm.ap-east-1.amazonaws.com`). A number of things have been changed to address this:

* Add the notion of a "region order" into the `region-info` library. This allows us to express things like "does this region predate or postdate the change of some convention", and allows us to express that certain regions are *after* SSM introduced this change.
* For region-agnostic stacks, it is no longer possible to supply a single value for the template that will suffice in all regions, as the *format itself* will have changed (neither `"ssm.amazonaws.com"` nor `"ssm.$REGION.amazonaws.com"` will work in all regions). That means we must always introduce a lookup map for region-agnostic stacks. Add `stack.regionalFact()` to generate lookup maps from facts in case it is necessary.
* Detect if all map values are just an instantiation of a token pattern, and return the simplification if possible (e.g.: if the lookup values are `service.us-east-1.amazonaws.com`, `service.us-east-2.amazonaws.com`, etc., then simplify to `service.$REGION.$URL_SUFFIX` and avoid emitting a lookup).
* Simplify existing usage sites of `RegionInfo.regionMap()` in Lambda and CodeBuild to use the new `stack.regionalFact()`.
* Because lookup maps would always include information for all regions, including GovCloud regions, and those are only rarely necessary: add the infrastructure for users to restrict what partitions they want to include information for, by means of a context flag. Defaults to all regions if not specified (so we don't break old templates), but for new projects restricts itself to `['aws', 'aws-cn']`. Set to just `['aws']` for integration tests so we don't break all of our snapshot tests.

Fixes #16188, fixes #17646.
---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
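The "detect if all map values are just an instantiation of a token pattern" step from the commit message above, as an added stand-alone example (not aws-cdk code): the region-to-URL-suffix table is a constructed subset, and the token names `${AWS::Region}` / `${AWS::URLSuffix}` are the CloudFormation pseudo-parameters the simplified value would use.

```typescript
// Added example; not aws-cdk code. Implements the simplification described in
// the commit message above: when every value of a region -> value lookup map
// is one pattern with that region's name and URL suffix substituted, return
// the pattern (with CloudFormation pseudo-parameters) instead of a mapping.
// The region -> URL suffix table is a constructed subset for the demo.

const URL_SUFFIX: Record<string, string> = {
  'us-east-1': 'amazonaws.com', 'us-east-2': 'amazonaws.com', 'eu-west-1': 'amazonaws.com',
  'cn-north-1': 'amazonaws.com.cn', 'cn-northwest-1': 'amazonaws.com.cn',
};
const REGION_TOKEN = '${AWS::Region}';
const SUFFIX_TOKEN = '${AWS::URLSuffix}';

// Derive a candidate pattern from one entry. The region's own full suffix is
// replaced first, so 'amazonaws.com.cn' is never cut down to 'amazonaws.com'.
function toPattern(region: string, value: string): string {
  return value.split(URL_SUFFIX[region]).join(SUFFIX_TOKEN).split(region).join(REGION_TOKEN);
}

// The inverse: what the pattern evaluates to in a given region.
function instantiate(pattern: string, region: string): string {
  return pattern.split(REGION_TOKEN).join(region).split(SUFFIX_TOKEN).join(URL_SUFFIX[region]);
}

/** The shared pattern if every map value is an instance of it; undefined when a lookup map is needed. */
function simplifyRegionMap(map: Record<string, string>): string | undefined {
  const entries = Object.entries(map);
  if (entries.length === 0 || entries.some(([r]) => URL_SUFFIX[r] === undefined)) return undefined;
  const [firstRegion, firstValue] = entries[0];
  const pattern = toPattern(firstRegion, firstValue);
  return entries.every(([r, v]) => instantiate(pattern, r) === v) ? pattern : undefined;
}

// Constructed maps: a uniform one (simplifies away) and an SSM-style mixed one
// (older regions global, newer regions regional), which must stay a lookup map.
const uniform: Record<string, string> = {
  'us-east-1': 'service.us-east-1.amazonaws.com',
  'us-east-2': 'service.us-east-2.amazonaws.com',
  'cn-north-1': 'service.cn-north-1.amazonaws.com.cn',
};
const ssmStyle: Record<string, string> = {
  'us-east-1': 'ssm.amazonaws.com',
  'eu-west-1': 'ssm.amazonaws.com',
  'cn-northwest-1': 'ssm.cn-northwest-1.amazonaws.com.cn',
};

console.log(simplifyRegionMap(uniform));  // service.${AWS::Region}.${AWS::URLSuffix}
console.log(simplifyRegionMap(ssmStyle)); // undefined
```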
… to primary storage (#16522) This PR adds support for [TransitionToPrimaryStorageClass](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-efs-filesystem-lifecyclepolicy.html) for ``AWS::EFS::FileSystem`` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Allows users to add Intelligent Tiering to their s3 buckets. Modelling of CfnBucket was done before. Fixes #16191 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
When `cloudWatchRole` is enabled, a `CfnAccount` is created for it. Since there is no explicit dependency between the stages and the account, CloudFormation may deploy them in the wrong order, causing the deployment to fail. Add an explicit dependency between `Stage`s (whether defined by the user or created automatically) and the CloudWatch `CfnAccount`, if it exists. Fixes #10722. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
The variable namespace identifier in CodePipeline allows a maximum of 100 characters. If we ever come up with an identifier that would be too long, trim it down. While writing tests for this, discovered that actions exhibited the same length issues, and did the same there too. Fixes #17436. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
To allow session tagging, the `sts:TagSession` permission needs to be added to the role's AssumeRolePolicyDocument. Introduce a new principal which enables this, and add a convenience method `.withSessionTags()` to the `PrincipalBase` class so all built-in principals will have this convenience method by default. To build this, we had to get rid of some cruft and assumptions around policy documents and statements, and defer more power to the `IPrincipal` objects themselves. In order not to break existing implementors, introduce a new interface `IAssumeRolePrincipal` which knows how to add itself to an AssumeRolePolicyDocument and gets complete freedom doing so. That same new interface could be used to lift some old limitations on `CompositePrincipal` so did that as well. Fixes #15908, closes #16725, fixes #2041, fixes #1578. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
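The trust-policy requirement the commit message describes, as an added stand-alone check (not aws-cdk code): a principal that is meant to pass session tags needs `sts:TagSession` alongside `sts:AssumeRole` in the role's AssumeRolePolicyDocument. Only `AWS` principals and literal or `*`-wildcard action names are modelled; the policies and account id are constructed placeholders.

```typescript
// Added example; not aws-cdk code. Evaluates an IAM trust policy
// (AssumeRolePolicyDocument) for a given principal to confirm it can both
// assume the role and pass session tags, i.e. sts:AssumeRole AND sts:TagSession.

type StrOrList = string | string[];
interface TrustStatement {
  Effect: 'Allow' | 'Deny';
  Principal: { AWS?: StrOrList; Service?: StrOrList };
  Action: StrOrList;
}
interface TrustPolicy { Version: string; Statement: TrustStatement[] }

const asList = (v: StrOrList | undefined): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

// IAM action patterns may contain '*' (e.g. 'sts:*') and match case-insensitively.
function actionMatches(pattern: string, action: string): boolean {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp('^' + escaped + '$', 'i').test(action);
}

function statementCovers(stmt: TrustStatement, principalArn: string, action: string): boolean {
  const principals = asList(stmt.Principal.AWS);
  const principalOk = principals.includes(principalArn) || principals.includes('*');
  return principalOk && asList(stmt.Action).some(p => actionMatches(p, action));
}

/** IAM semantics: an explicit Deny on a matching statement wins over any Allow. */
function trustPolicyAllows(policy: TrustPolicy, principalArn: string, action: string): boolean {
  const matching = policy.Statement.filter(s => statementCovers(s, principalArn, action));
  if (matching.some(s => s.Effect === 'Deny')) return false;
  return matching.some(s => s.Effect === 'Allow');
}

/** True when the principal can assume the role and also pass session tags. */
function canAssumeWithSessionTags(policy: TrustPolicy, principalArn: string): boolean {
  return trustPolicyAllows(policy, principalArn, 'sts:AssumeRole')
    && trustPolicyAllows(policy, principalArn, 'sts:TagSession');
}

// Constructed sample policies (placeholder account id): before and after
// adding sts:TagSession for the same principal.
const PRINCIPAL = 'arn:aws:iam::111111111111:role/DeployRole';
const withoutTagSession: TrustPolicy = { Version: '2012-10-17', Statement: [
  { Effect: 'Allow', Principal: { AWS: PRINCIPAL }, Action: 'sts:AssumeRole' },
] };
const withTagSession: TrustPolicy = { Version: '2012-10-17', Statement: [
  { Effect: 'Allow', Principal: { AWS: PRINCIPAL }, Action: ['sts:AssumeRole', 'sts:TagSession'] },
] };

console.log(canAssumeWithSessionTags(withoutTagSession, PRINCIPAL)); // false
console.log(canAssumeWithSessionTags(withTagSession, PRINCIPAL));    // true
```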
The `ResourceURL` property of the CloudFormation custom resource request should not be logged, as it can be used to tamper with the execution flow of a CloudFormation deployment by changing the response it sees from the Custom Resource function. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
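A log-redaction helper for the situation above, added here as an example (not aws-cdk code): the request field is named `ResponseURL` in CloudFormation custom resource requests, and it is a pre-signed S3 URL, so anyone who reads it from a log stream can write the response CloudFormation is waiting for. The sample event, its ids and its URL are constructed placeholders.

```typescript
// Added example; not aws-cdk code. Returns a deep copy of a custom resource
// request with the pre-signed response URL blanked out, so the event can be
// logged without handing out write access to the stack's response channel.

const REDACTED = '[REDACTED]';
const SENSITIVE_KEYS = new Set(['ResponseURL']);

// Defence in depth: also blank any string carrying a SigV4 signature, so a
// pre-signed URL copied into some other property does not leak either.
function looksPresigned(s: string): boolean {
  return /[?&]X-Amz-Signature=/.test(s);
}

function redactForLogging<T>(value: T): T {
  if (typeof value === 'string') {
    return (looksPresigned(value) ? REDACTED : value) as unknown as T;
  }
  if (Array.isArray(value)) {
    return value.map(item => redactForLogging(item)) as unknown as T;
  }
  if (value !== null && typeof value === 'object') {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = SENSITIVE_KEYS.has(k) ? REDACTED : redactForLogging(v);
    }
    return out as unknown as T;
  }
  return value; // numbers, booleans, null, undefined pass through
}

// Constructed sample request (placeholder ids and a fake pre-signed URL).
const sampleEvent = {
  RequestType: 'Create',
  ResponseURL: 'https://cloudformation-custom-resource-response-useast1.s3.amazonaws.com/PLACEHOLDER?X-Amz-Signature=PLACEHOLDER',
  StackId: 'arn:aws:cloudformation:us-east-1:111111111111:stack/demo/00000000-0000-0000-0000-000000000000',
  RequestId: 'PLACEHOLDER-REQUEST-ID',
  LogicalResourceId: 'MyCustomResource',
  ResourceProperties: {
    ServiceToken: 'arn:aws:lambda:us-east-1:111111111111:function:handler',
    Nested: { Note: 'kept', Urls: ['https://example.test/?X-Amz-Signature=PLACEHOLDER'] },
  },
};

// Log the redacted copy, never the raw event.
console.log(JSON.stringify(redactForLogging(sampleEvent), undefined, 2));
```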
…ead property 'Name' of undefined" (#18033) There have been about a dozen reports of "Cannot read property 'Name' of undefined" errors from the `DnsValidatedCertificate` over the last two years. The most likely culprit seems to be a partial response from the ACM DescribeCertificates API, where one ResourceRecord entry is present, but not the others. Updated the wait condition to verify that all records are present. fixes #8282 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
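The wait condition described above, modelled as an added stand-alone example (not aws-cdk code): the response shape follows ACM's DescribeCertificate `DomainValidationOptions`, the `expectedDomains` parameter is an assumption of this example, and the sample responses are constructed.

```typescript
// Added example; not aws-cdk code. A partial DescribeCertificate response can
// list DomainValidationOptions where only some entries carry a ResourceRecord
// yet; reading `.Name` off a missing one is the "Cannot read property 'Name'
// of undefined" crash. The predicate below only hands records back once every
// domain has one, so the caller keeps polling otherwise.

interface ResourceRecord { Name: string; Type: string; Value: string }
interface DomainValidation { DomainName: string; ResourceRecord?: ResourceRecord }
interface CertificateDescription { DomainValidationOptions?: DomainValidation[] }

/** Records for all domains, or undefined while the response is still incomplete. */
function validationRecordsIfComplete(
  cert: CertificateDescription,
  expectedDomains: number, // assumption: the number of domains the caller requested
): ResourceRecord[] | undefined {
  const options = cert.DomainValidationOptions ?? [];
  if (options.length < expectedDomains) return undefined;
  const records: ResourceRecord[] = [];
  for (const option of options) {
    if (option.ResourceRecord === undefined) return undefined; // still pending
    records.push(option.ResourceRecord);
  }
  return records;
}

// Constructed: partial response (second SAN has no record yet) vs complete response.
const partial: CertificateDescription = { DomainValidationOptions: [
  { DomainName: 'example.com', ResourceRecord: { Name: '_abc.example.com.', Type: 'CNAME', Value: '_x.acm-validations.aws.' } },
  { DomainName: 'www.example.com' },
] };
const complete: CertificateDescription = { DomainValidationOptions: [
  { DomainName: 'example.com', ResourceRecord: { Name: '_abc.example.com.', Type: 'CNAME', Value: '_x.acm-validations.aws.' } },
  { DomainName: 'www.example.com', ResourceRecord: { Name: '_def.www.example.com.', Type: 'CNAME', Value: '_y.acm-validations.aws.' } },
] };

console.log(validationRecordsIfComplete(partial, 2));         // undefined
console.log(validationRecordsIfComplete(complete, 2)?.length); // 2
```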
Adding on to the work @plumdog started on #13496 and @pradoz in #15899. Implemented @iliapolo's [suggested changes](https://github.com/aws/aws-cdk/pull/15899/files#r683431181). Related to #9273

### Use Case

To be able to use private helm charts without needing a private chart repository.

### Proposed Solution

[Allow helm charts](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-eks.HelmChart.html) to be an asset by introducing the property `chartAsset`.

---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Some issues are falling through the cracks and not getting assigned to me. Hopefully this remediates it. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
As `Nodegroup` now supports different AMI types including Bottlerocket for both x86_64 and ARM_64, we cannot determine the correct amiType simply from the `instanceTypes` property (#17641). However, when `instanceTypes` are provided, we still can check:

1. if instance types of different CPU architectures are mixed and throw an error
2. if the provided `amiType` is compatible with the instanceTypes

If users opt in to Bottlerocket or any other AMI types other than AL2, they have to specify the `amiType` explicitly. If it's unspecified, we will use AL2 implicitly to avoid breaking changes, which was the default behavior previously. The only case where `amiType` has to be undefined is when a custom AMI is defined in the launch template. As we can't check this case, users have to explicitly leave it undefined. We add a notice in the property doc string for this.

Related to #12441 Fixes: #17641

---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Fixes #15123 See also: [@nija-at's comments on `grantInvoke`](#14853 (comment)), #10534 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
By tagging the `<span>` with a class, some JavaScript could detect the package reference at display time and turn it into a proper hyperlink. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
There are some missing entries in the `yarn.lock` file, breaking the validation that we have on this. The validation script should have always failed the build (even on the build server), but it was not because it didn't properly handle uncaught rejected promises, and whether that would fail or not depended on the Node.js version. Rectify both issues. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
`cdk-assets` tries to opportunistically read the bucket's encryption
settings and mirror those out into the `PutObject` call, so that a
commonly-used SCP can confirm that there are no unencrypted uploads
to S3 buckets, ever. When this read-out fails, we print an error
message at `debug` severity to let users know what's up.
Unfortunately, the error message was very scary and makes users
wonder what is going on:
> Why do I get a debug: ACCES_DENIED error there? Is it a problem?
>
> ```
> verbose: [0%] debug: ACCES_DENIED for getting encryption of bucket
> 'cdk-hnb659fds-assets-111111111111-us-east-1'. Either wrong account
> 111111111111 or s3:GetEncryptionConfiguration not set for cdk role. Try
> "cdk bootstrap" again.
> ```
Make the error message more clearly indicate that this is a failure
in an opportunistic code path and there's no direct action required:
```
Could not read encryption settings of bucket
'cdk-hnb659fds-assets-111111111111-us-east-1': uploading with default
settings ("cdk bootstrap" to version 9 if your organization's policies
prevent a successful upload or to get rid of this message).
```
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Currently running `cdk docs` points you to `/latest`. This PR updates the link to point to `/v2` since that is currently the latest version. fix #17963 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Fixes #17664 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Add additional messages to indicate that a hotswap deployment is occurring (or not) along with what resources are being hotswapped. fix #17778 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Similar to `tsc -w`, `cdk watch` should trigger an initial deployment instead of waiting for a file change event. We achieve this by pulling out the callback function for `'all'` and calling that function during the `'ready'` callback. Closes #17776. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…17602) Adds support for [continuous backup and point-in-time restores](https://docs.aws.amazon.com/aws-backup/latest/devguide/point-in-time-recovery.html). Implemented validations when continuous backup and point-in-time restores are enabled:

- `deleteAfter` between 1 and 35 days. "The minimum retention period is 1 day. The maximum retention period is 35 days." (see [docs](https://docs.aws.amazon.com/aws-backup/latest/devguide/point-in-time-recovery.html#point-in-time-recovery-working-with))
- `deleteAfter` must be specified. Mandatory in AWS console. CloudFormation error if not specified: `Lifecycle must be specified for backup rule enabled continuous backup`
- `moveToColdStorageAfter` is not supported. Field not available in AWS console. CloudFormation error if specified: `MoveToColdStorageAfterDays is unavailable`

Closes #15922.

---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Add `DatabaseClusterFromSnapshot` to support creating Aurora clusters from snapshots. Closes #10936. The logic is implemented similar to PR #10130 where the same feature was implemented for database clusters. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
) Close #18054 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This resolves [issue#12107](#12107). We bring the ability to provide an existing kubectl provider to the imported cluster, so we can create a k8s kubectl role, tie its trusted entity to a single lambda, and pass this single lambda to all cdk stacks that work with imported clusters. @iliapolo can you please take a look at this and see if this approach is fine? If it is I will add documentation and tests. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
The latest CloudFormation spec (v51) added support for selecting a capacity mode for Kinesis Data Streams. This is already supported by the generated L1 construct. This change adds support for the feature to the L2 construct class `Stream` via the constructor props `StreamProps`. closes #18050 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This PR takes one step toward improving the load times for `aws-cdk-lib`. Post-build, `esbuild` is used to minify the source and move source maps to external files. In local testing, this changed the average time for loading `aws-cdk-lib` from ~1110ms to ~830ms (25% reduction), and the size of the locally-packed JS-only source from 53MB to 45MB. Changes went through full v2 pipeline run, passing all tests. Any other suggestions for additional verification welcome. related #18036 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…7848) This PR makes it possible to configure imported ALB and NLB target groups on the loadBalancer property. Fixes #9677. Example:

```ts
import * as cdk from '@aws-cdk/core';
import * as codedeploy from '@aws-cdk/aws-codedeploy';
import * as elbv2 from '@aws-cdk/aws-elasticloadbalancingv2';

const deploymentGroup = new codedeploy.ServerDeploymentGroup(this, 'deploymentGroup', {
  ...
  // configurable imported application loadbalancer targetgroup
  loadBalancer: codedeploy.LoadBalancer.application(
    elbv2.ApplicationTargetGroup.fromTargetGroupAttributes(this, 'importedAlbTg', {
      targetGroupArn: 'arn:aws:elasticloadbalancing:ap-northeast-2:111111111111:targetgroup/myAlbTargetgroup/abcd12345678efgf',
    }),
  ),
  // also network loadbalancer targetgroup
  loadBalancer: codedeploy.LoadBalancer.network(
    elbv2.NetworkTargetGroup.fromTargetGroupAttributes(this, 'importedNlbTg', {
      targetGroupArn: 'arn:aws:elasticloadbalancing:ap-northeast-2:111111111111:targetgroup/myNlbTargetgroup/wxyz09876543opqr',
    }),
  ),
});
```

---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…18102) This PR introduces a proposed new label, `pr-linter/exempt-breaking-change` that, when added, circumvents the check that asserts stable modules do not have breaking changes. Motivation: A situation like #18027 where we are willing to accept a functional breaking change to a stable module. The regular `allowed-breaking-changes.txt` file does not work here, since there is no breaking change to the API. We want to be able to document the breaking change, but by documenting we alert `prlint` that we are breaking a stable module. Counterargument: Functional breaking changes were explicitly banned in #14861. From the PR description: "The CDK must be more strict on preventing such changes and the impact due to their perception." I also added some "manual linting" to the file myself since it was bothering me, and now it muddies the diff. Sorry! ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ot an endpoint (#18027) An imported Domain's domainEndpoint should be an endpoint and not a URL. Fixes [#18017](#18017) BREAKING CHANGE: imported domain property `domainEndpoint` used to contain the `https://` prefix; now the prefix is dropped and it returns the same value as `domainEndpoint` on a created domain ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
iliapolo
approved these changes
Dec 21, 2021