chore(release): 2.70.0 (#24752)

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/bump/2.70.0/CHANGELOG.md)

.github/workflows/auto-approve.yml

@@ -12,6 +12,6 @@ jobs:
     permissions:
       pull-requests: write
     steps:
-    - uses: hmarr/auto-approve-action@v3.2.0
+    - uses: hmarr/auto-approve-action@v3.2.1
       with:
         github-token: "${{ secrets.GITHUB_TOKEN }}"

.mergify.yml

@@ -1,6 +1,7 @@
 # See https://doc.mergify.io
 queue_rules:
   - name: default
+    update_method: merge
     conditions:
       - status-success~=AWS CodeBuild us-east-1
 

CHANGELOG.v2.alpha.md

@@ -2,6 +2,18 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.70.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.69.0-alpha.0...v2.70.0-alpha.0) (2023-03-22)
+
+
+### ⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES
+
+* **servicecatalogappregistry:** This commit contains destructive changes to the RAM Share.
+Since the application RAM share name is calculated by the application construct, where one method is added. Integration test detects a breaking change where RAM share will be created. Integration test snapshot is updated to cater this destructive change.
+
+### Features
+
+* **servicecatalogappregistry:** add attribute groups to an application ([#24672](https://github.com/aws/aws-cdk/issues/24672)) ([7baffa2](https://github.com/aws/aws-cdk/commit/7baffa239a7904cd73ac73537101ed5bd40aa9a0))
+
 ## [2.69.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.68.0-alpha.0...v2.69.0-alpha.0) (2023-03-14)
 
 

CHANGELOG.v2.md

@@ -2,6 +2,30 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.70.0](https://github.com/aws/aws-cdk/compare/v2.69.0...v2.70.0) (2023-03-22)
+
+
+### Features
+
+* **cfnspec:** cloudformation spec v116.0.0 ([#24662](https://github.com/aws/aws-cdk/issues/24662)) ([e8158af](https://github.com/aws/aws-cdk/commit/e8158af34eb6402c79edbc171746fb5501775c68))
+* **cloudwatch:** added defaultInterval prop to cw-dashboard ([#24707](https://github.com/aws/aws-cdk/issues/24707)) ([d4717cf](https://github.com/aws/aws-cdk/commit/d4717cf035c9f7027d8081ea1f15a631044315e8))
+* **ec2:** CFN-init support for systemd ([#24683](https://github.com/aws/aws-cdk/issues/24683)) ([f3fe8e1](https://github.com/aws/aws-cdk/commit/f3fe8e1c4348194f89b47a276e6c85328b1044fa))
+* **ec2:** SSM sessions ([#24673](https://github.com/aws/aws-cdk/issues/24673)) ([9744a82](https://github.com/aws/aws-cdk/commit/9744a8295fab28f1e8c38a0b980935f7546990e6))
+* **ecr:** add option to auto delete images upon ECR repository removal ([#24572](https://github.com/aws/aws-cdk/issues/24572)) ([7de5b00](https://github.com/aws/aws-cdk/commit/7de5b00dcf24c4f6721317860c7e42c485e3ca58)), closes [#15932](https://github.com/aws/aws-cdk/issues/15932) [#12618](https://github.com/aws/aws-cdk/issues/12618) [#15932](https://github.com/aws/aws-cdk/issues/15932)
+* **elasticloadbalancing:** classic load balancer supports ec2 instances  ([#24353](https://github.com/aws/aws-cdk/issues/24353)) ([25b6edd](https://github.com/aws/aws-cdk/commit/25b6edd9d83e4766a2cb064b8eb8e3c6198b4f53)), closes [#23500](https://github.com/aws/aws-cdk/issues/23500)
+* **servicecatalogappregistry-alpha:** Introduce flag to control application sharing and association behavior for cross-account stacks ([#24408](https://github.com/aws/aws-cdk/issues/24408)) ([2167289](https://github.com/aws/aws-cdk/commit/2167289658e8f3431ec815c741277dc1be1aa110)), closes [aws-cdk/aws-servicecatalogappregistry/lib/aspects/stack-associator.ts#L91-L95](https://github.com/aws-cdk/aws-servicecatalogappregistry/lib/aspects/stack-associator.ts/issues/L91-L95)
+
+
+### Bug Fixes
+
+* **bootstrap:** remove Security Hub finding KMS.2 ([#24588](https://github.com/aws/aws-cdk/issues/24588)) ([274c3d5](https://github.com/aws/aws-cdk/commit/274c3d54dcc0b9534d1ede287fe3672ec9883dbe)), closes [/docs.aws.amazon.com/securityhub/latest/userguide/kms-controls.html#kms-2](https://github.com/aws//docs.aws.amazon.com/securityhub/latest/userguide/kms-controls.html/issues/kms-2)
+* **cli:** no change deployment prints "hotswap deployment skipped" without hotswap flag ([#24602](https://github.com/aws/aws-cdk/issues/24602)) ([79151fd](https://github.com/aws/aws-cdk/commit/79151fd7f4916defeb1e17d3bcdbec1e119ec994))
+* **cli:** user agent is reported as `undefined/undefined` ([#24663](https://github.com/aws/aws-cdk/issues/24663)) ([3e8d8d8](https://github.com/aws/aws-cdk/commit/3e8d8d8e1b9a88376a6460094dea0c08ce19742e))
+* **eks:** fail to update cluster by disabling logging props ([#24688](https://github.com/aws/aws-cdk/issues/24688)) ([767cf93](https://github.com/aws/aws-cdk/commit/767cf93eb131c707f8243e8f3779dd3bad89271a))
+* **sfn:** stop replacing JsonPath.DISCARD with `null` ([#24717](https://github.com/aws/aws-cdk/issues/24717)) ([413b643](https://github.com/aws/aws-cdk/commit/413b64347f333573b2a07150e87244bd4c11d264)), closes [#24593](https://github.com/aws/aws-cdk/issues/24593)
+* **toolkit:** RWLock.acquireRead is not re-entrant ([#24702](https://github.com/aws/aws-cdk/issues/24702)) ([3b7431b](https://github.com/aws/aws-cdk/commit/3b7431b6ac27f8557c22a8959ae1ce431f6d2167))
+* **WAFv2:** add patch to revert struct names ([#24651](https://github.com/aws/aws-cdk/issues/24651)) ([dfa09d1](https://github.com/aws/aws-cdk/commit/dfa09d133523f0457a9ab2369bde13b44c398c30)), closes [/github.com/aws/aws-cdk/commit/affe040c8443be074822254d1e75a28b264cd801#diff-827a2fd012e049c7ccedffa0360c12e7d967a173f36b8150de73ef6adc42ee4cL175-L357](https://github.com/aws//github.com/aws/aws-cdk/commit/affe040c8443be074822254d1e75a28b264cd801/issues/diff-827a2fd012e049c7ccedffa0360c12e7d967a173f36b8150de73ef6adc42ee4cL175-L357)
+
 ## [2.69.0](https://github.com/aws/aws-cdk/compare/v2.68.0...v2.69.0) (2023-03-14)
 
 

packages/@aws-cdk-testing/cli-integ/lib/staging/maven.ts

@@ -52,6 +52,10 @@ export async function uploadJavaPackages(packages: string[], login: LoginInforma
       console.log(`❌ ${pkg}: already exists. Skipped.`);
       return 'skip';
     }
+    if (output.toString().includes('Too Many Requests')) {
+      console.log(`♻️ ${pkg}: Too many requests. Retrying.`);
+      return 'retry';
+    }
     return 'fail';
   });
 }

packages/@aws-cdk/aws-autoscaling/README.md

@@ -25,7 +25,11 @@ declare const vpc: ec2.Vpc;
 new autoscaling.AutoScalingGroup(this, 'ASG', {
   vpc,
   instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),
-  machineImage: new ec2.AmazonLinuxImage() // get the latest Amazon Linux image
+
+  // The latest Amazon Linux image of a particular generation
+  machineImage: ec2.MachineImage.latestAmazonLinux({
+    generation: ec2.AmazonLinuxGeneration.AMAZON_LINUX_2,
+  }),
 });
 ```
 
@@ -41,7 +45,9 @@ const mySecurityGroup = new ec2.SecurityGroup(this, 'SecurityGroup', { vpc });
 new autoscaling.AutoScalingGroup(this, 'ASG', {
   vpc,
   instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),
-  machineImage: new ec2.AmazonLinuxImage(),
+  machineImage: ec2.MachineImage.latestAmazonLinux({
+    generation: ec2.AmazonLinuxGeneration.AMAZON_LINUX_2,
+  }),
   securityGroup: mySecurityGroup,
 });
 ```
@@ -538,6 +544,40 @@ new autoscaling.AutoScalingGroup(this, 'ASG', {
 });
 ```
 
+## Connecting to your instances using SSM Session Manager
+
+SSM Session Manager makes it possible to connect to your instances from the
+AWS Console, without preparing SSH keys.
+
+To do so, you need to:
+
+* Use an image with [SSM agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html) installed
+  and configured. [Many images come with SSM Agent
+  preinstalled](https://docs.aws.amazon.com/systems-manager/latest/userguide/ami-preinstalled-agent.html), otherwise you
+  may need to manually put instructions to [install SSM
+  Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-agent-install.html) into your
+  instance's UserData or use EC2 Init).
+* Create the AutoScalingGroup with `ssmSessionPermissions: true`.
+
+If these conditions are met, you can connect to the instance from the EC2 Console. Example:
+
+```ts
+declare const vpc: ec2.Vpc;
+
+new autoscaling.AutoScalingGroup(this, 'ASG', {
+  vpc,
+  instanceType: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.MICRO),
+
+  // Amazon Linux 2 comes with SSM Agent by default
+  machineImage: ec2.MachineImage.latestAmazonLinux({
+    generation: ec2.AmazonLinuxGeneration.AMAZON_LINUX_2,
+  }),
+
+  // Turn on SSM
+  ssmSessionPermissions: true,
+});
+```
+
 ## Configuring Instance Metadata Service (IMDS)
 
 ### Toggling IMDSv1
@@ -596,13 +636,13 @@ autoScalingGroup.addWarmPool({
 
 ### Default Instance Warming
 
-You can use the default instance warmup feature to improve the Amazon CloudWatch metrics used for dynamic scaling. 
-When default instance warmup is not enabled, each instance starts contributing usage data to the aggregated metrics 
-as soon as the instance reaches the InService state. However, if you enable default instance warmup, this lets 
+You can use the default instance warmup feature to improve the Amazon CloudWatch metrics used for dynamic scaling.
+When default instance warmup is not enabled, each instance starts contributing usage data to the aggregated metrics
+as soon as the instance reaches the InService state. However, if you enable default instance warmup, this lets
 your instances finish warming up before they contribute the usage data.
 
-To optimize the performance of scaling policies that scale continuously, such as target tracking and step scaling 
-policies, we strongly recommend that you enable the default instance warmup, even if its value is set to 0 seconds. 
+To optimize the performance of scaling policies that scale continuously, such as target tracking and step scaling
+policies, we strongly recommend that you enable the default instance warmup, even if its value is set to 0 seconds.
 
 To set up Default Instance Warming for an autoscaling group, simply pass it in as a prop
 

packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts

@@ -365,6 +365,23 @@ export interface CommonAutoScalingGroupProps {
    *
    */
   readonly capacityRebalance?: boolean;
+
+  /**
+   * Add SSM session permissions to the instance role
+   *
+   * Setting this to `true` adds the necessary permissions to connect
+   * to the instance using SSM Session Manager. You can do this
+   * from the AWS Console.
+   *
+   * NOTE: Setting this flag to `true` may not be enough by itself.
+   * You must also use an AMI that comes with the SSM Agent, or install
+   * the SSM Agent yourself. See
+   * [Working with SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html)
+   * in the SSM Developer Guide.
+   *
+   * @default false
+   */
+  readonly ssmSessionPermissions?: boolean;
 }
 
 /**
@@ -1278,6 +1295,10 @@ export class AutoScalingGroup extends AutoScalingGroupBase implements
 
       this.grantPrincipal = this._role;
 
+      if (props.ssmSessionPermissions) {
+        this.role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonSSMManagedInstanceCore'));
+      }
+
       const iamProfile = new iam.CfnInstanceProfile(this, 'InstanceProfile', {
         roles: [this.role.roleName],
       });

packages/@aws-cdk/aws-autoscaling/test/auto-scaling-group.test.ts

@@ -2051,6 +2051,30 @@ test('add price-capacity-optimized', () => {
   });
 });
 
+test('ssm permissions adds right managed policy', () => {
+  // GIVEN
+  const stack = new cdk.Stack();
+
+  // WHEN
+  new autoscaling.AutoScalingGroup(stack, 'mip-asg', {
+    vpc: mockVpc(stack),
+    machineImage: new AmazonLinuxImage(),
+    instanceType: InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.LARGE),
+    ssmSessionPermissions: true,
+  });
+
+  Template.fromStack(stack).hasResourceProperties('AWS::IAM::Role', {
+    ManagedPolicyArns: [
+      {
+        'Fn::Join': ['', [
+          'arn:',
+          { Ref: 'AWS::Partition' },
+          ':iam::aws:policy/AmazonSSMManagedInstanceCore',
+        ]],
+      },
+    ],
+  });
+});
 
 function mockSecurityGroup(stack: cdk.Stack) {
   return ec2.SecurityGroup.fromSecurityGroupId(stack, 'MySG', 'most-secure');

packages/@aws-cdk/aws-cloudwatch/README.md

@@ -697,3 +697,18 @@ new cloudwatch.Row(widgetA, widgetB);
 
 You can add a widget after object instantiation with the method
 `addWidget()`.
+
+### Interval duration for dashboard
+
+Interval duration for metrics in dashboard. You can specify `defaultInterval` with
+the relative time(eg. 7 days) as `cdk.Duration.days(7)`.
+
+```ts
+import * as cw from '@aws-cdk/aws-cloudwatch';
+
+const dashboard = new cw.Dashboard(stack, 'Dash', {
+  defaultInterval: cdk.Duration.days(7),
+});
+```
+
+Here, the dashboard would show the metrics for the last 7 days.

packages/@aws-cdk/aws-cloudwatch/lib/dashboard.ts

@@ -1,4 +1,4 @@
-import { Lazy, Resource, Stack, Token, Annotations } from '@aws-cdk/core';
+import { Lazy, Resource, Stack, Token, Annotations, Duration } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CfnDashboard } from './cloudwatch.generated';
 import { Column, Row } from './layout';
@@ -31,6 +31,14 @@ export interface DashboardProps {
    */
   readonly dashboardName?: string;
 
+  /**
+   * Interval duration for metrics.
+   * You can specify defaultInterval with the relative time(eg. cdk.Duration.days(7)).
+   *
+   * @default When the dashboard loads, the defaultInterval time will be the default time range.
+   */
+  readonly defaultInterval?: Duration
+
   /**
    * The start of the time range to use for each widget on the dashboard.
    * You can specify start without specifying end to specify a relative time range that ends with the current time.
@@ -107,15 +115,19 @@ export class Dashboard extends Resource {
       }
     }
 
+    if (props.start !== undefined && props.defaultInterval !== undefined) {
+      throw ('both properties defaultInterval and start cannot be set at once');
+    }
+
     const dashboard = new CfnDashboard(this, 'Resource', {
       dashboardName: this.physicalName,
       dashboardBody: Lazy.string({
         produce: () => {
           const column = new Column(...this.rows);
           column.position(0, 0);
           return Stack.of(this).toJsonString({
-            start: props.start,
-            end: props.end,
+            start: props.defaultInterval !== undefined ? `-${props.defaultInterval?.toIsoString()}` : props.start,
+            end: props.defaultInterval !== undefined ? undefined : props.end,
             periodOverride: props.periodOverride,
             widgets: column.toJson(),
           });

packages/@aws-cdk/aws-cloudwatch/test/dashboard.test.ts

@@ -1,5 +1,5 @@
 import { Template, Annotations, Match } from '@aws-cdk/assertions';
-import { App, Stack } from '@aws-cdk/core';
+import { App, Duration, Stack } from '@aws-cdk/core';
 import { Dashboard, GraphWidget, PeriodOverride, TextWidget, MathExpression, TextWidgetBackground } from '../lib';
 
 describe('Dashboard', () => {
@@ -131,6 +131,31 @@ describe('Dashboard', () => {
 
   });
 
+  test('defaultInterval test', () => {
+    // GIVEN
+    const stack = new Stack();
+    // WHEN
+    const dashboard = new Dashboard(stack, 'Dash', {
+      defaultInterval: Duration.days(7),
+    });
+    dashboard.addWidgets(
+      new GraphWidget({ width: 1, height: 1 }), // GraphWidget has internal reference to current region
+    );
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::CloudWatch::Dashboard', {
+      DashboardBody: {
+        'Fn::Join': ['', [
+          '{"start":"-P7D",\
+"widgets":[{"type":"metric","width":1,"height":1,"x":0,"y":0,"properties":{"view":"timeSeries","region":"',
+          { Ref: 'AWS::Region' },
+          '","yAxis":{}}}]}',
+        ]],
+      },
+    });
+
+  });
+
   test('DashboardName is set when provided', () => {
     // GIVEN
     const app = new App();

packages/@aws-cdk/aws-cloudwatch/test/integ.dashboard.js.snapshot/DashboardIntegrationTestDefaultTestDeployAssert5BE38902.assets.json

@@ -1,5 +1,5 @@
 {
-  "version": "30.0.0",
+  "version": "31.0.0",
   "files": {
     "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
       "source": {

packages/@aws-cdk/aws-cloudwatch/test/integ.dashboard.js.snapshot/DashboardIntegrationTestStack.assets.json

@@ -1,15 +1,15 @@
 {
-  "version": "30.0.0",
+  "version": "31.0.0",
   "files": {
-    "53eb5ec97b9df3953bc84bdc2aee87ace7b502c665b7e5b9f7b7d14dd46cea69": {
+    "1a70f8470c838c02020b9010528363b17eebd55d55c1a53fb3e0f6760a606c98": {
       "source": {
         "path": "DashboardIntegrationTestStack.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "53eb5ec97b9df3953bc84bdc2aee87ace7b502c665b7e5b9f7b7d14dd46cea69.json",
+          "objectKey": "1a70f8470c838c02020b9010528363b17eebd55d55c1a53fb3e0f6760a606c98.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

packages/@aws-cdk/aws-cloudwatch/test/integ.dashboard.js.snapshot/DashboardIntegrationTestStack.template.json

@@ -3,7 +3,7 @@
   "DashCCD7F836": {
    "Type": "AWS::CloudWatch::Dashboard",
    "Properties": {
-    "DashboardBody": "{\"widgets\":[{\"type\":\"text\",\"width\":6,\"height\":2,\"x\":0,\"y\":0,\"properties\":{\"markdown\":\"I don't have a background\",\"background\":\"transparent\"}}]}"
+    "DashboardBody": "{\"start\":\"-P7D\",\"widgets\":[{\"type\":\"text\",\"width\":6,\"height\":2,\"x\":0,\"y\":0,\"properties\":{\"markdown\":\"I don't have a background\",\"background\":\"transparent\"}}]}"
    }
   }
  },

packages/@aws-cdk/aws-cloudwatch/test/integ.dashboard.js.snapshot/cdk.out

@@ -1 +1 @@
-{"version":"30.0.0"}
+{"version":"31.0.0"}

packages/@aws-cdk/aws-cloudwatch/test/integ.dashboard.js.snapshot/integ.json

@@ -1,5 +1,5 @@
 {
-  "version": "30.0.0",
+  "version": "31.0.0",
   "testCases": {
     "DashboardIntegrationTest/DefaultTest": {
       "stacks": [

packages/@aws-cdk/aws-cloudwatch/test/integ.dashboard.js.snapshot/manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "30.0.0",
+  "version": "31.0.0",
   "artifacts": {
     "DashboardIntegrationTestStack.assets": {
       "type": "cdk:asset-manifest",
@@ -17,7 +17,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/53eb5ec97b9df3953bc84bdc2aee87ace7b502c665b7e5b9f7b7d14dd46cea69.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/1a70f8470c838c02020b9010528363b17eebd55d55c1a53fb3e0f6760a606c98.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [