Merge branch 'main' into 20467-batchSize-lambda-direct-resolvers

aws · Jul 13, 2022 · 9a9c7b0 · 9a9c7b0
2 parents 87e8609 + 5f0eff2
commit 9a9c7b0
Show file tree

Hide file tree

Showing 700 changed files with 20,113 additions and 8,197 deletions.
diff --git a/.github/workflows/issue-reprioritization.yml b/.github/workflows/issue-reprioritization.yml
@@ -1,5 +1,6 @@
 name: issue-reprioritization
-on: 
+on:
+  workflow_dispatch: {}
   schedule:
     - cron: "0 0 * * 0"
 

diff --git a/.mergify.yml b/.mergify.yml
@@ -10,7 +10,7 @@ pull_request_rules:
       label:
         add: [ contribution/core ]
     conditions:
-      - author~=^(RomainMuller|garnaat|skinny85|rix0rrr|NGL321|Jerry-AWS|MrArnoldPalmer|iliapolo|pkandasamy91|SoManyHs|uttarasridhar|otaviomacedo|madeline-k|kaizencc|comcalvi|Chriscbr|corymhall|peterwoodworth|ryparker|TheRealAmazonKendra|yuth|vinayak-kukreja)$
+      - author~=^(RomainMuller|rix0rrr|Jerry-AWS|MrArnoldPalmer|iliapolo|uttarasridhar|otaviomacedo|madeline-k|kaizencc|comcalvi|corymhall|peterwoodworth|ryparker|TheRealAmazonKendra|yuth|vinayak-kukreja|Naumel|mrgrain)$
       - -label~="contribution/core"
   - name: automatic merge
     actions:

diff --git a/CHANGELOG.v2.alpha.md b/CHANGELOG.v2.alpha.md
@@ -2,6 +2,15 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.31.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.31.0-alpha.0...v2.31.1-alpha.0) (2022-07-08)
+
+## [2.31.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.30.0-alpha.0...v2.31.0-alpha.0) (2022-07-06)
+
+
+### Features
+
+* **batch:** add secrets props to job definition ([#20871](https://github.com/aws/aws-cdk/issues/20871)) ([9b1051f](https://github.com/aws/aws-cdk/commit/9b1051f86abdfa6448b14cdae8e1ef9acb1e6688)), closes [#19506](https://github.com/aws/aws-cdk/issues/19506) [#10976](https://github.com/aws/aws-cdk/issues/10976)
+
 ## [2.30.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.29.1-alpha.0...v2.30.0-alpha.0) (2022-07-01)
 
 ## [2.29.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.29.0-alpha.0...v2.29.1-alpha.0) (2022-06-24)

diff --git a/CHANGELOG.v2.md b/CHANGELOG.v2.md
@@ -2,6 +2,35 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.31.1](https://github.com/aws/aws-cdk/compare/v2.31.0...v2.31.1) (2022-07-08)
+
+
+### Bug Fixes
+
+* **custom-resources:** Custom resource provider framework not passing `ResponseURL` to user function ([#21065](https://github.com/aws/aws-cdk/issues/21065)) ([f7b25b6](https://github.com/aws/aws-cdk/commit/f7b25b671003b8d6c7400811484beb4284bebacb)), closes [#21058](https://github.com/aws/aws-cdk/issues/21058)
+
+## [2.31.0](https://github.com/aws/aws-cdk/compare/v2.30.0...v2.31.0) (2022-07-06)
+
+
+### Features
+
+* **autoscaling:** step scaling policy supports estimatedInstanceWarmup property ([#20936](https://github.com/aws/aws-cdk/issues/20936)) ([e4c7b97](https://github.com/aws/aws-cdk/commit/e4c7b9770573e3c102e4be0c2ba0378a0b2b8767))
+* **aws-s3:** create default bucket policy when required (under feature flag) ([#20765](https://github.com/aws/aws-cdk/issues/20765)) ([cefa453](https://github.com/aws/aws-cdk/commit/cefa453bb3f98eb9c3f894c308ae703522de8f22)), closes [/docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-S3](https://github.com/aws//docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html/issues/AWS-logs-infrastructure-S3) [#18816](https://github.com/aws/aws-cdk/issues/18816)
+* **cfnspec:** cloudformation spec v78.1.0 ([#20952](https://github.com/aws/aws-cdk/issues/20952)) ([20d6e09](https://github.com/aws/aws-cdk/commit/20d6e0980ba9483fb0187a8cf5a256f5b59a7ba8))
+* **dynamodb:** imported tables always grant permissions for indexes ([#20682](https://github.com/aws/aws-cdk/issues/20682)) ([4d003a5](https://github.com/aws/aws-cdk/commit/4d003a50ae96a6c2be915edc2f6ca09eeb747fd5)), closes [#13703](https://github.com/aws/aws-cdk/issues/13703)
+* **ec2:** add additional instance type classes ([#20972](https://github.com/aws/aws-cdk/issues/20972)) ([400ad91](https://github.com/aws/aws-cdk/commit/400ad91cb926fb0a6d71039f8eba3bb63e7c8ca8)), closes [#20924](https://github.com/aws/aws-cdk/issues/20924)
+* **s3:** Event Bridge notification can be enabled after the bucket is created ([#20913](https://github.com/aws/aws-cdk/issues/20913)) ([b0b7a32](https://github.com/aws/aws-cdk/commit/b0b7a3217b1c110bcbe4580addf1ae2865ebfdf5))
+
+
+### Bug Fixes
+
+* **cli:** standard log messages are sent to stderr when CI=true ([#20957](https://github.com/aws/aws-cdk/issues/20957)) ([277340d](https://github.com/aws/aws-cdk/commit/277340d4a67f81d3b80907e1899001d091780698)), closes [#7717](https://github.com/aws/aws-cdk/issues/7717)
+* **cloudfront:** fromOriginAccessIdentityName is a misnomer ([#20772](https://github.com/aws/aws-cdk/issues/20772)) ([3e58e5a](https://github.com/aws/aws-cdk/commit/3e58e5a3c5e12a859e4076b867444980d4b1e8e9)), closes [#20141](https://github.com/aws/aws-cdk/issues/20141)
+* **eks:** latest `AlbController` version isn't compatible with the chart version  ([#20826](https://github.com/aws/aws-cdk/issues/20826)) ([43a0cec](https://github.com/aws/aws-cdk/commit/43a0cec380f39618f18f15da8c60cb0a4a769d37))
+* **route53:** cannot delete existing alias record ([#20858](https://github.com/aws/aws-cdk/issues/20858)) ([22681b1](https://github.com/aws/aws-cdk/commit/22681b1bc29ee48b3092d60cfc22726912ae607a)), closes [#20847](https://github.com/aws/aws-cdk/issues/20847)
+* **stepfunctions-tasks:** SqsSendMessage is missing KMS permissions ([#20990](https://github.com/aws/aws-cdk/issues/20990)) ([52b7019](https://github.com/aws/aws-cdk/commit/52b70194c946c3074b0205318564775be10f29a8))
+* custom resources log sensitive `ResponseURL` field ([#20899](https://github.com/aws/aws-cdk/issues/20899)) ([6b4f92f](https://github.com/aws/aws-cdk/commit/6b4f92f2437c7ff782c88ce23925a04168728d7c))
+
 ## [2.30.0](https://github.com/aws/aws-cdk/compare/v2.29.1...v2.30.0) (2022-07-01)
 
 ### Features

diff --git a/packages/@aws-cdk/aws-backup/README.md b/packages/@aws-cdk/aws-backup/README.md
@@ -176,6 +176,16 @@ backupVault.blockRecoveryPointDeletion();
 
 By default access is not restricted.
 
+Use the `lockConfiguration` property to enable [AWS Backup Vault Lock](https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html):
+
+```ts
+new BackupVault(stack, 'Vault', {
+  lockConfiguration: {
+    minRetention: Duration.days(30),
+  },
+});
+```
+
 ## Importing existing backup vault
 
 To import an existing backup vault into your CDK application, use the `BackupVault.fromBackupVaultArn` or `BackupVault.fromBackupVaultName`

diff --git a/packages/@aws-cdk/aws-backup/lib/vault.ts b/packages/@aws-cdk/aws-backup/lib/vault.ts
@@ -1,7 +1,7 @@
 import * as iam from '@aws-cdk/aws-iam';
 import * as kms from '@aws-cdk/aws-kms';
 import * as sns from '@aws-cdk/aws-sns';
-import { ArnFormat, IResource, Lazy, Names, RemovalPolicy, Resource, Stack } from '@aws-cdk/core';
+import { ArnFormat, Duration, IResource, Lazy, Names, RemovalPolicy, Resource, Stack } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CfnBackupVault } from './backup.generated';
 
@@ -91,6 +91,15 @@ export interface BackupVaultProps {
    * @default false
    */
   readonly blockRecoveryPointDeletion?: boolean;
+
+  /**
+   * Configuration for AWS Backup Vault Lock
+   *
+   * @see https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html
+   *
+   * @default - AWS Backup Vault Lock is disabled
+   */
+  readonly lockConfiguration?: LockConfiguration;
 }
 
 /**
@@ -129,6 +138,55 @@ export enum BackupVaultEvents {
   BACKUP_PLAN_MODIFIED = 'BACKUP_PLAN_MODIFIED',
 }
 
+/**
+ * Configuration for AWS Backup Vault Lock
+ *
+ * @see https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html
+ */
+export interface LockConfiguration {
+  /**
+   * The minimum retention period that the vault retains its recovery points.
+   *
+   * If this parameter is specified, any backup or copy job to the vault must
+   * have a lifecycle policy with a retention period equal to or longer than
+   * the minimum retention period. If the job's retention period is shorter than
+   * that minimum retention period, then the vault fails that backup or copy job,
+   * and you should either modify your lifecycle settings or use a different
+   * vault. Recovery points already saved in the vault prior to Vault Lock are
+   * not affected.
+   */
+  readonly minRetention: Duration;
+
+  /**
+   * The maximum retention period that the vault retains its recovery points.
+   *
+   * If this parameter is specified, any backup or copy job to the vault must
+   * have a lifecycle policy with a retention period equal to or shorter than
+   * the maximum retention period. If the job's retention period is longer than
+   * that maximum retention period, then the vault fails the backup or copy job,
+   * and you should either modify your lifecycle settings or use a different
+   * vault. Recovery points already saved in the vault prior to Vault Lock are
+   * not affected.
+   *
+   * @default - Vault Lock does not enforce a maximum retention period
+   */
+  readonly maxRetention?: Duration;
+
+  /**
+   * The duration before the lock date.
+   *
+   * AWS Backup enforces a 72-hour cooling-off period before Vault Lock takes
+   * effect and becomes immutable.
+   *
+   * Before the lock date, you can delete Vault Lock from the vault or change
+   * the Vault Lock configuration. On and after the lock date, the Vault Lock
+   * becomes immutable and cannot be changed or deleted.
+   *
+   * @default - Vault Lock can be deleted or changed at any time
+   */
+  readonly changeableFor?: Duration;
+}
+
 abstract class BackupVaultBase extends Resource implements IBackupVault {
   public abstract readonly backupVaultName: string;
   public abstract readonly backupVaultArn: string;
@@ -226,6 +284,7 @@ export class BackupVault extends BackupVaultBase {
       accessPolicy: Lazy.any({ produce: () => this.accessPolicy.toJSON() }),
       encryptionKeyArn: props.encryptionKey && props.encryptionKey.keyArn,
       notifications,
+      lockConfiguration: renderLockConfiguration(props.lockConfiguration),
     });
     vault.applyRemovalPolicy(props.removalPolicy);
 
@@ -262,3 +321,32 @@ export class BackupVault extends BackupVaultBase {
     return id.substring(Math.max(id.length - 50, 0), id.length);
   }
 }
+
+function renderLockConfiguration(config?: LockConfiguration): CfnBackupVault.LockConfigurationTypeProperty | undefined {
+  if (!config) {
+    return undefined;
+  }
+
+  if (config.changeableFor && config.changeableFor.toHours() < 72) {
+    throw new Error(`AWS Backup enforces a 72-hour cooling-off period before Vault Lock takes effect and becomes immutable, got ${config.changeableFor.toHours()} hours`);
+  }
+
+  if (config.maxRetention) {
+    if (config.maxRetention.toDays() > 36500) {
+      throw new Error(`The longest maximum retention period you can specify is 36500 days, got ${config.maxRetention.toDays()} days`);
+    }
+    if (config.maxRetention.toDays() <= config.minRetention.toDays()) {
+      throw new Error(`The maximum retention period (${config.maxRetention.toDays()} days) must be greater than the minimum retention period (${config.minRetention.toDays()} days)`);
+    }
+  }
+
+  if (config.minRetention.toHours() < 24) {
+    throw new Error(`The shortest minimum retention period you can specify is 1 day, got ${config.minRetention.toHours()} hours`);
+  }
+
+  return {
+    minRetentionDays: config.minRetention.toDays(),
+    maxRetentionDays: config.maxRetention?.toDays(),
+    changeableForDays: config.changeableFor?.toDays(),
+  };
+}
diff --git a/packages/@aws-cdk/aws-backup/test/backup.integ.snapshot/cdk-backup.template.json b/packages/@aws-cdk/aws-backup/test/backup.integ.snapshot/cdk-backup.template.json
@@ -31,7 +31,10 @@
   "Vault23237E5B": {
    "Type": "AWS::Backup::BackupVault",
    "Properties": {
-    "BackupVaultName": "cdkbackupVaultC2A6D3CB"
+    "BackupVaultName": "cdkbackupVaultC2A6D3CB",
+    "LockConfiguration": {
+     "MinRetentionDays": 5
+    }
    },
    "UpdateReplacePolicy": "Delete",
    "DeletionPolicy": "Delete"

diff --git a/packages/@aws-cdk/aws-backup/test/backup.integ.snapshot/cdk.out b/packages/@aws-cdk/aws-backup/test/backup.integ.snapshot/cdk.out
@@ -1 +1 @@
-{"version":"17.0.0"}
+{"version":"20.0.0"}
diff --git a/packages/@aws-cdk/aws-backup/test/backup.integ.snapshot/integ.json b/packages/@aws-cdk/aws-backup/test/backup.integ.snapshot/integ.json
@@ -1,7 +1,7 @@
 {
-  "version": "18.0.0",
+  "version": "20.0.0",
   "testCases": {
-    "aws-backup/test/integ.backup": {
+    "integ.backup": {
       "stacks": [
         "cdk-backup"
       ],

diff --git a/packages/@aws-cdk/aws-backup/test/backup.integ.snapshot/manifest.json b/packages/@aws-cdk/aws-backup/test/backup.integ.snapshot/manifest.json
@@ -1,5 +1,5 @@
 {
-  "version": "17.0.0",
+  "version": "20.0.0",
   "artifacts": {
     "Tree": {
       "type": "cdk:tree",

diff --git a/packages/@aws-cdk/aws-backup/test/backup.integ.snapshot/tree.json b/packages/@aws-cdk/aws-backup/test/backup.integ.snapshot/tree.json
@@ -8,8 +8,8 @@
         "id": "Tree",
         "path": "Tree",
         "constructInfo": {
-          "fqn": "@aws-cdk/core.Construct",
-          "version": "0.0.0"
+          "fqn": "constructs.Construct",
+          "version": "10.1.33"
         }
       },
       "cdk-backup": {
@@ -85,7 +85,10 @@
                 "attributes": {
                   "aws:cdk:cloudformation:type": "AWS::Backup::BackupVault",
                   "aws:cdk:cloudformation:props": {
-                    "backupVaultName": "cdkbackupVaultC2A6D3CB"
+                    "backupVaultName": "cdkbackupVaultC2A6D3CB",
+                    "lockConfiguration": {
+                      "minRetentionDays": 5
+                    }
                   }
                 },
                 "constructInfo": {

diff --git a/packages/@aws-cdk/aws-backup/test/integ.backup.ts b/packages/@aws-cdk/aws-backup/test/integ.backup.ts
@@ -1,6 +1,6 @@
 import * as dynamodb from '@aws-cdk/aws-dynamodb';
 import * as efs from '@aws-cdk/aws-efs';
-import { App, RemovalPolicy, Stack, StackProps } from '@aws-cdk/core';
+import { App, Duration, RemovalPolicy, Stack, StackProps } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import * as backup from '../lib';
 
@@ -21,6 +21,9 @@ class TestStack extends Stack {
 
     const vault = new backup.BackupVault(this, 'Vault', {
       removalPolicy: RemovalPolicy.DESTROY,
+      lockConfiguration: {
+        minRetention: Duration.days(5),
+      },
     });
     const plan = backup.BackupPlan.dailyWeeklyMonthly5YearRetention(this, 'Plan', vault);
 

diff --git a/packages/@aws-cdk/aws-backup/test/vault.test.ts b/packages/@aws-cdk/aws-backup/test/vault.test.ts
@@ -2,7 +2,7 @@ import { Template } from '@aws-cdk/assertions';
 import * as iam from '@aws-cdk/aws-iam';
 import * as kms from '@aws-cdk/aws-kms';
 import * as sns from '@aws-cdk/aws-sns';
-import { ArnFormat, Stack } from '@aws-cdk/core';
+import { ArnFormat, Duration, Stack } from '@aws-cdk/core';
 import { BackupVault, BackupVaultEvents } from '../lib';
 
 let stack: Stack;
@@ -367,3 +367,58 @@ test('throws with too short name', () => {
     backupVaultName: 'x',
   })).toThrow(/Expected vault name to match pattern/);
 });
+
+test('with lock configuration', () => {
+  // WHEN
+  new BackupVault(stack, 'Vault', {
+    lockConfiguration: {
+      minRetention: Duration.days(30),
+      maxRetention: Duration.days(365),
+      changeableFor: Duration.days(7),
+    },
+  });
+
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('AWS::Backup::BackupVault', {
+    LockConfiguration: {
+      ChangeableForDays: 7,
+      MaxRetentionDays: 365,
+      MinRetentionDays: 30,
+    },
+  });
+});
+
+test('throws with incorrect lock configuration - min retention', () => {
+  expect(() => new BackupVault(stack, 'Vault', {
+    lockConfiguration: {
+      minRetention: Duration.hours(12),
+    },
+  })).toThrow(/The shortest minimum retention period you can specify is 1 day/);
+});
+
+test('throws with incorrect lock configuration - max retention', () => {
+  expect(() => new BackupVault(stack, 'Vault', {
+    lockConfiguration: {
+      minRetention: Duration.days(7),
+      maxRetention: Duration.days(40000),
+    },
+  })).toThrow(/The longest maximum retention period you can specify is 36500 days/);
+});
+
+test('throws with incorrect lock configuration - max and min retention', () => {
+  expect(() => new BackupVault(stack, 'Vault', {
+    lockConfiguration: {
+      minRetention: Duration.days(7),
+      maxRetention: Duration.days(4),
+    },
+  })).toThrow(/The maximum retention period \(4 days\) must be greater than the minimum retention period \(7 days\)/);
+});
+
+test('throws with incorrect lock configuration - changeable for', () => {
+  expect(() => new BackupVault(stack, 'Vault', {
+    lockConfiguration: {
+      minRetention: Duration.days(7),
+      changeableFor: Duration.days(1),
+    },
+  })).toThrow(/AWS Backup enforces a 72-hour cooling-off period before Vault Lock takes effect and becomes immutable/);
+});
diff --git a/packages/@aws-cdk/aws-batch/README.md b/packages/@aws-cdk/aws-batch/README.md
@@ -119,8 +119,7 @@ The alternative would be to use the `BEST_FIT_PROGRESSIVE` strategy in order for
 
 Simply define your Launch Template:
 
-```text
-// This example is only available in TypeScript
+```ts
 const myLaunchTemplate = new ec2.CfnLaunchTemplate(this, 'LaunchTemplate', {
   launchTemplateName: 'extra-storage-template',
   launchTemplateData: {
@@ -138,7 +137,7 @@ const myLaunchTemplate = new ec2.CfnLaunchTemplate(this, 'LaunchTemplate', {
 });
 ```
 
-and use it:
+And provide `launchTemplateName`:
 
 ```ts
 declare const vpc: ec2.Vpc;
@@ -155,6 +154,23 @@ const myComputeEnv = new batch.ComputeEnvironment(this, 'ComputeEnv', {
 });
 ```
 
+Or provide `launchTemplateId` instead:
+
+```ts
+declare const vpc: ec2.Vpc;
+declare const myLaunchTemplate: ec2.CfnLaunchTemplate;
+
+const myComputeEnv = new batch.ComputeEnvironment(this, 'ComputeEnv', {
+  computeResources: {
+    launchTemplate: {
+      launchTemplateId: myLaunchTemplate.ref as string,
+    },
+    vpc,
+  },
+  computeEnvironmentName: 'MyStorageCapableComputeEnvironment',
+});
+```
+
 ### Importing an existing Compute Environment
 
 To import an existing batch compute environment, call `ComputeEnvironment.fromComputeEnvironmentArn()`.