chore: make all examples compile (#18651)

Fixes erroneous examples in these modules and turn on strict mode for each.

- cloudformation
- region-info
- elasticloadbalancing
- apigatewayv2
- codestarnotifications
- codestar
- chatbot
- panorama
- rekognition
- efs
- lambda-layer-node-proxy-agent
- dynamodb-global
- amplify
- cloudwatch-actions
- app-delivery

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk/app-delivery/README.md

@@ -59,6 +59,10 @@ import * as codepipeline from '@aws-cdk/aws-codepipeline';
 import * as codepipeline_actions from '@aws-cdk/aws-codepipeline-actions';
 import * as cdk from '@aws-cdk/core';
 import * as cicd from '@aws-cdk/app-delivery';
+import * as iam from '@aws-cdk/aws-iam';
+
+class MyServiceStackA extends cdk.Stack {}
+class MyServiceStackB extends cdk.Stack {}
 
 const app = new cdk.App();
 
@@ -77,7 +81,9 @@ const sourceOutput = new codepipeline.Artifact();
 const source = new codepipeline_actions.GitHubSourceAction({
   actionName: 'GitHub',
   output: sourceOutput,
-  /* ... */
+  owner: 'myName',
+  repo: 'myRepo',
+  oauthToken: cdk.SecretValue.plainText('secret'),
 });
 pipeline.addStage({
   stageName: 'source',
@@ -129,10 +135,11 @@ deployStage.addAction(deployServiceAAction);
 // is passed to CloudFormation and needs the permissions necessary to deploy
 // stack. Alternatively you can enable [Administrator](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator) permissions above,
 // users should understand the privileged nature of this role.
-deployServiceAAction.addToRolePolicy(new iam.PolicyStatement({
-    actions: ['service:SomeAction'],
-    resources: [myResource.myResourceArn],
-    // add more Action(s) and/or Resource(s) here, as needed
+const myResourceArn = 'arn:partition:service:region:account-id:resource-id';
+deployServiceAAction.addToDeploymentRolePolicy(new iam.PolicyStatement({
+  actions: ['service:SomeAction'],
+  resources: [myResourceArn],
+  // add more Action(s) and/or Resource(s) here, as needed
 }));
 
 const serviceStackB = new MyServiceStackB(app, 'ServiceStackB', { /* ... */ });

packages/@aws-cdk/app-delivery/package.json

@@ -29,7 +29,14 @@
       }
     },
     "outdir": "dist",
-    "projectReferences": true
+    "projectReferences": true,
+    "metadata": {
+      "jsii": {
+        "rosetta": {
+          "strict": true
+        }
+      }
+    }
   },
   "scripts": {
     "build": "cdk-build",

packages/@aws-cdk/aws-amplify/README.md

@@ -29,37 +29,36 @@ To set up an Amplify Console app, define an `App`:
 
 ```ts
 import * as codebuild from '@aws-cdk/aws-codebuild';
-import * as amplify from '@aws-cdk/aws-amplify';
-import * as cdk from '@aws-cdk/core';
 
 const amplifyApp = new amplify.App(this, 'MyApp', {
   sourceCodeProvider: new amplify.GitHubSourceCodeProvider({
     owner: '<user>',
     repository: '<repo>',
-    oauthToken: cdk.SecretValue.secretsManager('my-github-token')
+    oauthToken: SecretValue.secretsManager('my-github-token'),
   }),
-  buildSpec: codebuild.BuildSpec.fromObjectToYaml({ // Alternatively add a `amplify.yml` to the repo
+  buildSpec: codebuild.BuildSpec.fromObjectToYaml({
+    // Alternatively add a `amplify.yml` to the repo
     version: '1.0',
     frontend: {
       phases: {
         preBuild: {
           commands: [
-            'yarn'
-          ]
+            'yarn',
+          ],
         },
         build: {
           commands: [
-            'yarn build'
-          ]
-        }
+            'yarn build',
+          ],
+        },
       },
       artifacts: {
         baseDirectory: 'public',
         files:
-        - '**/*'
-      }
-    }
-  })
+        - '**/*',
+      },
+    },
+  }),
 });
 ```
 
@@ -70,20 +69,22 @@ const amplifyApp = new amplify.App(this, 'MyApp', {
   sourceCodeProvider: new amplify.GitLabSourceCodeProvider({
     owner: '<user>',
     repository: '<repo>',
-    oauthToken: cdk.SecretValue.secretsManager('my-gitlab-token')
-  })
+    oauthToken: SecretValue.secretsManager('my-gitlab-token'),
+  }),
 });
 ```
 
 To connect your `App` to CodeCommit, use the `CodeCommitSourceCodeProvider`:
 
 ```ts
+import * as codecommit from '@aws-cdk/aws-codecommit';
+
 const repository = new codecommit.Repository(this, 'Repo', {
-  repositoryName: 'my-repo'
+  repositoryName: 'my-repo',
 });
 
 const amplifyApp = new amplify.App(this, 'App', {
-  sourceCodeProvider: new amplify.CodeCommitSourceCodeProvider({ repository })
+  sourceCodeProvider: new amplify.CodeCommitSourceCodeProvider({ repository }),
 });
 ```
 
@@ -93,6 +94,8 @@ to pull the CodeCommit repository.
 Add branches:
 
 ```ts
+declare const amplifyApp: amplify.App;
+
 const master = amplifyApp.addBranch('master'); // `id` will be used as repo branch name
 const dev = amplifyApp.addBranch('dev');
 dev.addEnvironment('STAGE', 'dev');
@@ -103,10 +106,11 @@ Auto build and pull request preview are enabled by default.
 Add custom rules for redirection:
 
 ```ts
+declare const amplifyApp: amplify.App;
 amplifyApp.addCustomRule({
   source: '/docs/specific-filename.html',
   target: '/documents/different-filename.html',
-  status: amplify.RedirectStatus.TEMPORARY_REDIRECT
+  status: amplify.RedirectStatus.TEMPORARY_REDIRECT,
 });
 ```
 
@@ -117,12 +121,18 @@ file extensions: css, gif, ico, jpg, js, png, txt, svg, woff,
 ttf, map, json, webmanifest.
 
 ```ts
+declare const mySinglePageApp: amplify.App;
+
 mySinglePageApp.addCustomRule(amplify.CustomRule.SINGLE_PAGE_APPLICATION_REDIRECT);
 ```
 
 Add a domain and map sub domains to branches:
 
 ```ts
+declare const amplifyApp: amplify.App;
+declare const master: amplify.Branch;
+declare const dev: amplify.Branch;
+
 const domain = amplifyApp.addDomain('example.com', {
   enableAutoSubdomain: true, // in case subdomains should be auto registered for branches
   autoSubdomainCreationPatterns: ['*', 'pr*'], // regex for branches that should auto register subdomains
@@ -140,27 +150,34 @@ Use `BasicAuth.fromCredentials` when referencing an existing secret:
 
 ```ts
 const amplifyApp = new amplify.App(this, 'MyApp', {
-  repository: 'https://github.com/<user>/<repo>',
-  oauthToken: cdk.SecretValue.secretsManager('my-github-token'),
-  basicAuth: amplify.BasicAuth.fromCredentials('username', cdk.SecretValue.secretsManager('my-github-token'))
+  sourceCodeProvider: new amplify.GitHubSourceCodeProvider({
+    owner: '<user>',
+    repository: '<repo>',
+    oauthToken: SecretValue.secretsManager('my-github-token'),
+  }),
+  basicAuth: amplify.BasicAuth.fromCredentials('username', SecretValue.secretsManager('my-github-token')),
 });
 ```
 
 Use `BasicAuth.fromGeneratedPassword` to generate a password in Secrets Manager:
 
 ```ts
 const amplifyApp = new amplify.App(this, 'MyApp', {
-  repository: 'https://github.com/<user>/<repo>',
-  oauthToken: cdk.SecretValue.secretsManager('my-github-token'),
-  basicAuth: amplify.BasicAuth.fromGeneratedPassword('username')
+  sourceCodeProvider: new amplify.GitHubSourceCodeProvider({
+    owner: '<user>',
+    repository: '<repo>',
+    oauthToken: SecretValue.secretsManager('my-github-token'),
+  }),
+  basicAuth: amplify.BasicAuth.fromGeneratedPassword('username'),
 });
 ```
 
 Basic auth can be added to specific branches:
 
 ```ts
-app.addBranch('feature/next', {
-  basicAuth: amplify.BasicAuth.fromGeneratedPassword('username')
+declare const amplifyApp: amplify.App;
+amplifyApp.addBranch('feature/next', {
+  basicAuth: amplify.BasicAuth.fromGeneratedPassword('username'),
 });
 ```
 
@@ -171,11 +188,14 @@ of branches:
 
 ```ts
 const amplifyApp = new amplify.App(this, 'MyApp', {
-  repository: 'https://github.com/<user>/<repo>',
-  oauthToken: cdk.SecretValue.secretsManager('my-github-token'),
+  sourceCodeProvider: new amplify.GitHubSourceCodeProvider({
+    owner: '<user>',
+    repository: '<repo>',
+    oauthToken: SecretValue.secretsManager('my-github-token'),
+  }),
   autoBranchCreation: { // Automatically connect branches that match a pattern set
-    patterns: ['feature/*', 'test/*']
-  }
+    patterns: ['feature/*', 'test/*'],
+  },
   autoBranchDeletion: true, // Automatically disconnect a branch when you delete a branch from your repository
 });
 ```
@@ -185,11 +205,11 @@ const amplifyApp = new amplify.App(this, 'MyApp', {
 Use the `customResponseHeaders` prop to configure custom response headers for an Amplify app:
 
 ```ts
-const amplifyApp = new amplify.App(stack, 'App', {
+const amplifyApp = new amplify.App(this, 'App', {
   sourceCodeProvider: new amplify.GitHubSourceCodeProvider({
     owner: '<user>',
     repository: '<repo>',
-    oauthToken: cdk.SecretValue.secretsManager('my-github-token')
+    oauthToken: SecretValue.secretsManager('my-github-token'),
   }),
   customResponseHeaders: [
     {
@@ -214,7 +234,9 @@ const amplifyApp = new amplify.App(stack, 'App', {
 `sourceCodeProvider` is optional; when this is not specified the Amplify app can be deployed to using `.zip` packages. The `asset` property can be used to deploy S3 assets to Amplify as part of the CDK:
 
 ```ts
-const asset = new assets.Asset(this, "SampleAsset", {});
-const amplifyApp = new amplify.App(this, 'MyApp', {});
+import * as assets from '@aws-cdk/aws-s3-assets';
+
+declare const asset: assets.Asset;
+declare const amplifyApp: amplify.App;
 const branch = amplifyApp.addBranch("dev", { asset: asset });
 ```

packages/@aws-cdk/aws-amplify/lib/app.ts

@@ -28,7 +28,7 @@ export interface SourceCodeProviderConfig {
   /**
    * The repository for the application. Must use the `HTTPS` protocol.
    *
-   * @example https://github.com/aws/aws-cdk
+   * For example, `https://github.com/aws/aws-cdk`.
    */
   readonly repository: string;
 

packages/@aws-cdk/aws-amplify/package.json

@@ -28,7 +28,14 @@
         ]
       }
     },
-    "projectReferences": true
+    "projectReferences": true,
+    "metadata": {
+      "jsii": {
+        "rosetta": {
+          "strict": true
+        }
+      }
+    }
   },
   "repository": {
     "type": "git",

packages/@aws-cdk/aws-amplify/rosetta/default.ts-fixture

@@ -0,0 +1,11 @@
+// Fixture with packages imported, but nothing else
+import { SecretValue, Stack } from '@aws-cdk/core';
+import { Construct } from 'constructs';
+import * as amplify from '@aws-cdk/aws-amplify';
+
+class Fixture extends Stack {
+  constructor(scope: Construct, id: string) {
+    super(scope, id);
+    /// here
+  }
+}

packages/@aws-cdk/aws-apigatewayv2/README.md

@@ -79,7 +79,7 @@ configures all other HTTP method calls to `/books` to a lambda proxy.
 ```ts
 import { HttpUrlIntegration, HttpLambdaIntegration } from '@aws-cdk/aws-apigatewayv2-integrations';
 
-const getBooksIntegration = new HttpUrlIntegration('GetBooksIntegration' 'https://get-books-proxy.myproxy.internal');
+const getBooksIntegration = new HttpUrlIntegration('GetBooksIntegration', 'https://get-books-proxy.myproxy.internal');
 
 declare const booksDefaultFn: lambda.Function;
 const booksDefaultIntegration = new HttpLambdaIntegration('BooksIntegration', booksDefaultFn);
@@ -261,19 +261,21 @@ Mutual TLS can be configured to limit access to your API based by using client c
 
 ```ts
 import * as s3 from '@aws-cdk/aws-s3';
+import * as acm from '@aws-cdk/aws-certificatemanager';
+
 const certArn = 'arn:aws:acm:us-east-1:111111111111:certificate';
 const domainName = 'example.com';
-const bucket = new s3.Bucket.fromBucketName(stack, 'TrustStoreBucket', ...);
+declare const bucket: s3.Bucket;
 
-new DomainName(stack, 'DomainName', {
+new apigwv2.DomainName(this, 'DomainName', {
   domainName,
-  certificate: Certificate.fromCertificateArn(stack, 'cert', certArn),
+  certificate: acm.Certificate.fromCertificateArn(this, 'cert', certArn),
   mtls: {
     bucket,
     key: 'someca.pem',
     version: 'version',
   },
-})
+});
 ```
 
 Instructions for configuring your trust store can be found [here](https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/)
@@ -408,17 +410,17 @@ Grant permission to use API Gateway Management API of a WebSocket API by calling
 You can use Management API to send a callback message to a connected client, get connection information, or disconnect the client. Learn more at [Use @connections commands in your backend service](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-how-to-call-websocket-api-connections.html).
 
 ```ts
-const lambda = new lambda.Function(this, 'lambda', { /* ... */ });
+declare const fn: lambda.Function;
 
-const webSocketApi = new WebSocketApi(stack, 'mywsapi');
-const stage = new WebSocketStage(stack, 'mystage', {
+const webSocketApi = new apigwv2.WebSocketApi(this, 'mywsapi');
+const stage = new apigwv2.WebSocketStage(this, 'mystage', {
   webSocketApi,
   stageName: 'dev',
 });
 // per stage permission
-stage.grantManageConnections(lambda);
+stage.grantManagementApiAccess(fn);
 // for all the stages permission
-webSocketApi.grantManageConnections(lambda);
+webSocketApi.grantManageConnections(fn);
 ```
 
 ### Managing access to WebSocket APIs
@@ -434,9 +436,8 @@ Websocket APIs also support usage of API Keys. An API Key is a key that is used
 To require an API Key when accessing the Websocket API:
 
 ```ts
-const webSocketApi = new WebSocketApi(stack, 'mywsapi',{
-      apiKeySelectionExpression: WebSocketApiKeySelectionExpression.HEADER_X_API_KEY,
-    });
-...
+const webSocketApi = new apigwv2.WebSocketApi(this, 'mywsapi',{
+  apiKeySelectionExpression: apigwv2.WebSocketApiKeySelectionExpression.HEADER_X_API_KEY,
+});
 ```
 

packages/@aws-cdk/aws-apigatewayv2/package.json

@@ -32,7 +32,14 @@
         ]
       }
     },
-    "projectReferences": true
+    "projectReferences": true,
+    "metadata": {
+      "jsii": {
+        "rosetta": {
+          "strict": true
+        }
+      }
+    }
   },
   "repository": {
     "type": "git",