[pull] master from aws:master #196

Merged
merged 241 commits into from
May 27, 2020

@pull pull bot commented Apr 30, 2020

See Commits and Changes for more details.


Created by pull[bot]. Want to support this open source service? Please star it : )

shivlaks and others added 2 commits April 30, 2020 09:13
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
…onfig

Latest spec update #7664 broke because the expectations are currently on the wrong file.
Additionally we're missing the exclude from `.npmignore`
@pull pull bot added the ⤵️ pull label Apr 30, 2020
rix0rrr and others added 27 commits April 30, 2020 10:43
In CloudFormation, `{ Fn::GetAtt: [MyLogGroup, Arn] }` always returned
the ARN with a `:*` appended, presumably so you could stick the returned
value directly into an IAM policy and get the result you wanted (doing
something to Log Groups usually entails doing something to the Log
*Streams* inside them).

The CDK construct did not do anything special, leading to imports done
without a `:*` at the end having incorrect permissions.

This change makes the behavior between imported and constructed Log
Groups consistent.

Fixes #7096.
Currently, we install the CLI in the integration tests by simply running `npm install aws-cdk`.
We then make sure the version that gets installed is the version we have locally.

This will fail immediately after the release of a new version, and before the merge back PR was merged with the following error:

```console
|
| ============================================================================================
| Expected CDK version: 1.36.0
| ============================================================================================
| Found CDK: /tmp/cdk-rundist/node_modules/.bin/cdk
| Mismatched CDK version. Expected: 1.36.0, actual: 1.36.1
1.36.1 (build 4df7dac)
```

It happens because the verdaccio instance we have in the tests has an npm uplink configured, so the latest version as far as he is concerned is the latest published one, which doesn't match the version number we have locally since the merge back PR wasn't merged yet.

This PR makes it so we always install the CLI version we want to test (i.e the local version).
Copy paste error. `local` cannot be used outside of a function.
`MathExpression`s without submetrics (like for example, `INSIGHT_RULE_METRIC`) will end up without a `period`, which is not allowed.

Add a `period` field to the schema (it's not in the upstream schema
yet), and render it out when submetrics are missing.

Fixes #7155.
A lot of our examples still used the TypeScript `import` = `require` style.
This changes them to the standard ES6-style imports,
which we now enforce in our code.

Fixes #7554
This commit adds support for CodeBuild Artifacts to have names
controlled by a buildspec file, allowing the use of shell scripting to
sensibly name artifacts in CodeBuild projects generated from the CDK.
The previously required field `name` in `S3ArtifactsProps` is now optional,
and not providing it will set the `overrideArtifactName` on the underlying L1 to `true`.

Fixes #5955
Bumps [jest](https://github.com/facebook/jest) from 25.5.2 to 25.5.3.
- [Release notes](https://github.com/facebook/jest/releases)
- [Changelog](https://github.com/facebook/jest/blob/master/CHANGELOG.md)
- [Commits](jestjs/jest@v25.5.2...v25.5.3)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Bumps [aws-sdk](https://github.com/aws/aws-sdk-js) from 2.666.0 to 2.667.0.
- [Release notes](https://github.com/aws/aws-sdk-js/releases)
- [Changelog](https://github.com/aws/aws-sdk-js/blob/master/CHANGELOG.md)
- [Commits](aws/aws-sdk-js@v2.666.0...v2.667.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
- Currently `UserPool()` does not support props of `signInType`.
- We are able to create authorization on AppSync without any props.

Closes #7728
Two reasons:

* The `CDK_HOME` variable wasn't being consistently honored.
* Failing to write a cache file was a fatal error.

Rectify both of these issues.

Fixes #7530.
…dler

* feat(lambda-nodejs): use docker instead of npm package for parcel-bundler

* require version ^1 of parcel-bundler in Dockerfile

Co-Authored-By: Jonathan Goldwasser <jogold@users.noreply.github.com>

* update README: docker requirement

* comment in Dockerfile, make node version a build ARG

* add test for when docker not installed

* add optional nodeDockerTag to props

* Expose nodeDockerTag in NodejsFunctionProps and pass it to the Builder

* cdk-build pre

* chore(lambda-nodejs): remove dockerd pre directive

* add missing closing parenthesis

* fix linter errors

* fix linter error

* start docker daemon inside the container

* Update buildspec.yaml

* Fix docker location.

* Update buildspec.yaml

Co-authored-by: Jonathan Goldwasser <jogold@users.noreply.github.com>
Co-authored-by: Elad Ben-Israel <benisrae@amazon.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
According to the [document](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html), the path should be **/aws/service/eks/optimized-ami/1.15/amazon-linux-2/recommended/image_id**

Also fixes #6891
Fold the "assets" module, which includes the `Staging` construct that takes care of staging asset files into the cloud assembly during synthesis into "core". This is in order to allow implementing custom resources that leverage assets throughout the framework.

NOTE: since interfaces in @aws-cdk/assets are used as base types for stable APIs, we are unable to fully deprecate this module within the codebase, so these types are left intact and a compatibility layer was added.

A subsequent commit will add a mini-framework for custom resources that leverages this capability.
When swallowing errors while writing the cache file, we should also
gracefully handle a read-only file system error (`EROFS`).
Prior to April 16, 2020, `AmazonEKSServicePolicy` was required for EKS cluster IAM role. With the new `AWSServiceRoleForAmazonEKS` service-linked role, that policy is no longer required.

This PR removes the `AmazonEKSServicePolicy` from the cluster role.

Closes #7634
…rcel-bundler" (#7738)

This reverts commit 55c4d0b.

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Bumps [aws-sdk](https://github.com/aws/aws-sdk-js) from 2.667.0 to 2.668.0.
- [Release notes](https://github.com/aws/aws-sdk-js/releases)
- [Changelog](https://github.com/aws/aws-sdk-js/blob/master/CHANGELOG.md)
- [Commits](aws/aws-sdk-js@v2.667.0...v2.668.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Users cannot go through our current contribution guide and successfully install the repo due to the `nock` dependency, which now needs a minimum of Node 10.13.0.

Closes #7671
Bumps [jest](https://github.com/facebook/jest) from 25.5.3 to 25.5.4.
- [Release notes](https://github.com/facebook/jest/releases)
- [Changelog](https://github.com/facebook/jest/blob/master/CHANGELOG.md)
- [Commits](jestjs/jest@v25.5.3...v25.5.4)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Creating fargate profile without specifying `subnetSelection` will require extra iam policy to allow the iam role to describe subnets and route tables to select private subnets.  This PR adds the required `ec2:DescribeRouteTables` for the cluster creation role.

Closes #7614
Noticed this while massively updating integ test expectations for #7409.

Seems like lots of expectation files were modified "by hand". Ensures cleaner
diffs from now on.

Methodology:
* Comment out https://github.com/aws/aws-cdk/blob/d1b3b750cec3c514df6690e8baeffa7e9b260500/tools/cdk-integ-tools/bin/cdk-integ.ts#L38-L40
* `yarn lerna run integ --scope @aws-cdk/*`
Add a new imageScanOnPush property for the new repository creation.

Fix #7471
Correctly handle the default for `prefix`. An empty string now maps to the domain
root. Also add a `mapRoot` method.

Closes #7590

BREAKING CHANGE: `mapSubDomain()` called with an empty string for `prefix` now
maps to the domain root.
If an AppSync API is configured with the API key authorization mode,
then export it so it can be consumed as a stack output.

Signed-off-by: Duarte Nunes <duarte@uma.ni>

Co-authored-by: Mitchell Valine <valinm@amazon.com>
Added 'kms:Decrypt' action to `grantSendMessages`

Fixes: #6609
rix0rrr and others added 29 commits May 21, 2020 17:47
…8127)

We did not have a test deploying an old-style synthesized stack
to a new-style bootstrapping environment.

Now we do.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Co-authored-by: AWS CDK Team <aws-cdk@amazon.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Motivation:

Since the CLI leverages Node.js, it's a useful piece of information
about the user's environment. It would be helpful in diagnosing
and triaging issues.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Currently the `ServiceAccount` construct creates a role with no conditions to the trust relationship or assume role policy. Without this it is possible for other pods in the same namespace to assume the role. To tighten this security the conditions need to be set.

Documentation: https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html#create-service-account-iam-role

- [x] Add condition to the policy document using a custom resource
- [x] Add unit tests
- [x] Add integration tests
- [x] Adjust README and remove warning

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
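
The trust-policy condition described in the commit message above, as an added example that is not part of the pull request or of aws-cdk: a small audit function that reports role trust statements allowing `sts:AssumeRoleWithWebIdentity` without pinning the OIDC `sub` and `aud` claims to one service account. The issuer ID, account ID, namespace `default` and service account `my-app` are constructed placeholders, and the function names are hypothetical.

```typescript
// Added example, not aws-cdk code. Account ID, issuer ID, namespace and
// service-account name are constructed placeholders.
type ConditionBlock = { [key: string]: string | string[] };
interface Statement {
  Effect: string;
  Principal: { Federated?: string };
  Action: string | string[];
  Condition?: { [operator: string]: ConditionBlock };
}
interface TrustPolicy { Version: string; Statement: Statement[]; }

function asArray(v: string | string[] | undefined): string[] {
  if (v === undefined) { return []; }
  return typeof v === 'string' ? [v] : v;
}

function conditionValues(stmt: Statement, operator: string, key: string): string[] {
  const block: ConditionBlock = (stmt.Condition && stmt.Condition[operator]) || {};
  return asArray(block[key]);
}

// Returns findings for every web-identity statement that is not pinned to
// exactly one service account and to the STS audience. Empty array = pinned.
function auditIrsaTrustPolicy(policy: TrustPolicy, issuer: string,
                              namespace: string, serviceAccount: string): string[] {
  const findings: string[] = [];
  const expectedSub = 'system:serviceaccount:' + namespace + ':' + serviceAccount;
  policy.Statement.forEach((stmt, i) => {
    if (stmt.Effect !== 'Allow') { return; }
    if (asArray(stmt.Action).indexOf('sts:AssumeRoleWithWebIdentity') === -1) { return; }
    const sub = conditionValues(stmt, 'StringEquals', issuer + ':sub');
    const subLike = conditionValues(stmt, 'StringLike', issuer + ':sub');
    const aud = conditionValues(stmt, 'StringEquals', issuer + ':aud');
    if (sub.length === 0 && subLike.length === 0) {
      findings.push('Statement[' + i + ']: no condition on ' + issuer + ':sub');
    } else if (sub.length === 0) {
      findings.push('Statement[' + i + ']: only StringLike on sub, may match several service accounts');
    } else if (sub.some((s) => s !== expectedSub)) {
      findings.push('Statement[' + i + ']: sub allows a subject other than ' + expectedSub);
    }
    if (aud.length !== 1 || aud[0] !== 'sts.amazonaws.com') {
      findings.push('Statement[' + i + ']: aud is not pinned to sts.amazonaws.com');
    }
  });
  return findings;
}

const ISSUER = 'oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE00000000000000000000000000';
const PROVIDER_ARN = 'arn:aws:iam::111122223333:oidc-provider/' + ISSUER;
const unconditioned: TrustPolicy = {  // role trusted with no conditions
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Principal: { Federated: PROVIDER_ARN }, Action: 'sts:AssumeRoleWithWebIdentity' }],
};
const pinned: TrustPolicy = {         // same role with the conditions set
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow', Principal: { Federated: PROVIDER_ARN }, Action: 'sts:AssumeRoleWithWebIdentity',
    Condition: { StringEquals: {
      [ISSUER + ':aud']: 'sts.amazonaws.com',
      [ISSUER + ':sub']: 'system:serviceaccount:default:my-app',
    } },
  }],
};
console.log(auditIrsaTrustPolicy(unconditioned, ISSUER, 'default', 'my-app'), auditIrsaTrustPolicy(pinned, ISSUER, 'default', 'my-app'));
```
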
fix(aws-eks): kubectlEnabled: false conflicts with addNodegroup

This PR allows `cluster.addNodegroup()` when `kubectlEnabled` is `false`

Closes: #7993 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…oles (#8041)

### Commit Message
docs(lambda): document adding execution permissions to provided IAM roles

If I am providing a Role for a Lambda function, it currently isn't given the basic execution permissions, so the function cannot log anything or, in the case of a VPC Lambda, it cannot create the network interfaces. The user has to add those permissions themselves, but it isn't clear from the documentation that that needs to happen.

This commit adds documentation showing CDK users how to add the required permissions for execution.
### End Commit Message

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
added some missing tests for task, custom state, wait state

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…8143)

replacement for the current implementation of `RunGlueJob` where
service integration and state level properties are merged.

Follows the new integration pattern. Notable differences from the
`RunGlueJob` implementation:

* `arguments` prop is now of type `sfn.TaskInput`
Rationale: old implementation precluded using task input as the
arguments directly. Added a test for this as well.

Updated the README.
Note that the other unit tests and integ test have been left verbatim. This
is a light sanity test that expected templates have not changed.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
The Pass state supports JsonPath values in the `parameters`
field to filter the state input and serve as input to the field.

Added a method to render parameters which will generate the ASL
JSON format if a path is used in a parameter.

Closes #7181


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
We've been accumulating breaking change exceptions. Time to clear
them out to make sure no future breakage accidentally slips through.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
….0 (#8135)

Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 2.34.0 to 3.0.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/master/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v3.0.0/packages/eslint-plugin)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Fixes one issue where the typechecker in 3.9 is stricter when matching
type intersections. The particular issue was with a `string`-valued
`enum` attempting to match against the `string` type. Adding a better
typed guard for this particular case fixed it.

Additionally, the new incremental build support would cause certain
`.json` files to not be `require`-able due to not being listed under
`include` in the `tsconfig.json` file generated by `jsii`. Instead of
copying the SDK metadata JSON document from the `aws-sdk` package,
inlined the data in a `.generated.ts` module, which provides a cleaner
type structure.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Fixing a number of small paper cuts in the CLI. Specifically:

- When using `--cloudformation-execution-policies` or `--trust`, the
  positional argument that follows (typically an environment name) would
  be ignored, because of the way we configure yargs. Make it so that the
  option takes a single argument, and must be repeated for multiple
  arguments, making it a lot easier to use.

- When a stack fails to create and is destroyed before being redeployed,
  the `deployStack()` routine would forget that the stack had been
  deleted and attempt to create a change set to update the stack, which
  would promptly fail. Remember we deleted the stack, so that we'll
  create a changeset to create a new one.

- When a stack fails to create the first time, and the next deploy uses
  the same template, the "skip deploy" optimization we introduced to
  speed up deployment of stacks with nested stacks incorrectly skips
  the deployment.

- Wrap the SDK objects, and when an AWS call fails output information about
  the call that failed. Due to a lack of stack traces in NodeJS, it
  would otherwise be very hard to figure out where the error was
  happening.

- Using the SDK wrapper, when the error looks like it's an error in 
  assuming a role, replace it with an error message that describes the
  most probable cause: missing role/failure to bootstrap.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…-region support Stacks (#8091)

Fixes #8082

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…8186)

The validation for `nonKeyAttributes` count on the secondary indexes
was incorrectly checked at `20`, while the real limit is `100` (it has
been raised since the code was initially authored).

Fixes #8095

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Not every `e.message` is a `string`, I guess. It turns out it can
also be `undefined`?

This commit fixes the integ tests.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Bumps [uuid](https://github.com/uuidjs/uuid) from 8.0.0 to 8.1.0.
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/master/CHANGELOG.md)
- [Commits](uuidjs/uuid@v8.0.0...v8.1.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Fix grammar errors from "if **there** the construct is valid." to "if the construct is valid."

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Fix typo


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…8193)

Allows to work with imported resources.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
fixes #6984 by creating L2 construct and functions to allow for policies to be assigned to execution roles.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
## Commit Message
docs(rds): invalid master username (#5076)

## End Commit Message

Fixes the following error that occurs when `username` is set to `admin`:
```
 5/9 | 10:13:25 AM | CREATE_FAILED        | AWS::RDS::DBCluster                         | Database (DatabaseB269D8BB) MasterUsername admin cannot be used as it is a reserved word used by the engine (Service: AmazonRDS; Status Code: 400; Error Code: InvalidParameterValue; Request ID: 0ac76793-...)
```
When two service accounts are added to a single cluster it will throw an error on the resource name. This is because the service account resource name is not unique to the cluster regardless of the unique service account name.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
)

chore(aws-eks): update README with correct service account syntax

`serviceAccountName` should be at `spec.serviceAccountName` and add a CfnOutput sample to demo how to get the IAM role of this service account.

My working sample here
https://twitter.com/pahudnet/status/1263286407092514817



----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
added some more missing tests. now that we have increased coverage,
use the base configuration.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This is because the operations of [`path`](https://nodejs.org/api/path.html) are
OS specific. But for the container working directory and inside the container we
never want to use Windows style paths.

Fixes #8107


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
## Commit Message
chore(cloudtrail): better typed event selector apis (#8097)

The event selector APIs now take strongly typed `IFunction` and
`IBucket` instead of a string that is expected to contain the ARN.

Additionally, add APIs to log all S3 data events and to log all Lambda
data events.

Change the type of `snsTopic` from `string` to `ITopic`.

BREAKING CHANGE: API signatures of `addS3EventSelectors` and
`addLambdaEventSelectors` have changed. Their parameters are now
strongly typed to accept `IBucket` and `IFunction` respectively.
* **cloudtrail:** `addS3EventSelectors` and `addLambdaEventSelectors`
can no longer be used to configure all S3 data events or all Lambda data
events. Two new APIs `logAllS3DataEvents()` and
`logAllLambdaDataEvents()` have been introduced to achieve this.
* **cloudtrail:** The property `snsTopic` is now of the type `ITopic`.
## End Commit Message

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@eduardomourar eduardomourar merged commit 22cfab8 into eduardomourar:master May 27, 2020