chore(release): 2.64.0 #24080

Merged
merged 45 commits into from
Feb 9, 2023

aws-cdk-automation
Collaborator

@aws-cdk-automation aws-cdk-automation commented Feb 9, 2023

See CHANGELOG

tmokmss and others added 30 commits January 31, 2023 19:02
…es bucket policies (#23889)

Closes #18985.

The problem is described on the issue. In short, when we enable VPC Flow log, it tries to create a bucket policy for the target S3 bucket. That's why a deployment fails if there is a bucket policy defined in a CFn template and the policy is created AFTER a flow log is enabled, which cannot replace the existing policy created by the flow log.

To avoid the error, this PR adds explicit dependencies for a VPC flow log resource:

* dependency 1: Flow log must be created after a corresponding bucket policy is created by CFn
* dependency 2: Flow log must be deleted before a corresponding `autoDeleteObjects` custom resource is removed (i.e. deleting all the objects in the bucket).

Dependency 2 is actually not related to the original issue, but I'd like to add this because I saw the error relating to this on the integration tests.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…Balancer (#23853)

By moving the metrics methods to the `INetworkLoadBalancer` and `IApplicationLoadBalancer` interfaces it allows to create these metrics also for LBs that are imported via the `fromXXX` methods.

To create the metrics for LBs requires only the full name of the LB. This attribute is available at the constructs returned by the `fromXXX` methods.

To solve this problem I did:

- Introduce a new interface for each LB type: `INetworkLoadBalancerMetrics`, `IApplicationLoadBalancerMetrics`
- Create a concrete implementation for the new interfaces (1 for each): `NetworkLoadBalancerMetrics` and `ApplicationLoadBalancerMetrics`
- Make each concrete implementation of each Load Balancer to also provide a `metrics` field. The concrete implementations of the load balancers are: `ImportedApplicationLoadBalancer`, `LookedUpApplicationLoadBalancer`, `ApplicationLoadBalancer` (and the same for the NLB classes).

I chose to create a new interface because code can be reused across the 3 concrete implementations of each Load Balancer. I deprecated the `metricXXX()` methods of each load balancer because I think it is cleaner to access metrics through the new `metrics` attribute/interface.

This task is a step in the direction to fix #10850, but I'd like to get feedback and merge this PR first before proceeding into the `TargetGroup` constructs.

PS: I'm learning Typescript, so please, tell me if I'm doing something wrong here.

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Construct Runtime Dependencies:

* [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…thor is aws-cdk-automation (#23937)

This will fix the failures we're seeing in our merge-back PRs.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
#23913)

AWS now supports postgres version 14.6. Changes made to support this version: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraPostgreSQLReleaseNotes/AuroraPostgreSQL.Updates.html#AuroraPostgreSQL.Updates.20180305.146X

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Elastic has followed up with a request that we remove "legacy Elasticsearch" references from our docs for legal reasons.

They supplied these two links to remove the string from: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticsearch-readme.html and https://docs.aws.amazon.com/cdk/api/v1/docs/aws-elasticsearch-readme.html

Internal reference: V825034754.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…3944)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
The label has already been added to the repo. This will add the label to the bot settings to bypass the PR when it runs.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Move the useful stuff in ubergen into lib/index.ts and add `main` field to package json so packages within the repository can depend on its functionality. Specifically useful for repo restructure work.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
docs: correct spelling in documentation

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
- [Amazon RDS for PostgreSQL now supports new minor versions 14.6, 13.9, 12.13, 11.18, and 10.23](https://aws.amazon.com/about-aws/whats-new/2023/02/amazon-rds-postgresql-new-minor-versions/)
- [Amazon Aurora Supports PostgreSQL 14.6, 13.9, 12.13, 11.18](https://aws.amazon.com/about-aws/whats-new/2023/01/amazon-aurora-supports-postgresql-versions/)
- [Amazon Aurora supports PostgreSQL 14.5, 13.8, 12.12, and 11.17 versions and logical replication cache](https://aws.amazon.com/about-aws/whats-new/2022/11/amazon-aurora-supports-postgresql-versions-logical-replication-cache/)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…23994)

This reverts commit 18e0481.


Closes #23859 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Adds comments to tables.

closes #22682

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Construct Runtime Dependencies:

* [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
)

DeploymentGroups grant IAM permissions to their DeploymentConfigs, by their ARN.

When using a predefined DeploymentConfig (like `ECS_ALL_AT_ONCE`) however, we used to use `Aws.ACCOUNT_ID, Aws.REGION` to build the ARN for the DeploymentConfig. This would be incorrect if the DeploymentGroup is referenced in a different region (by using `DeploymentGroup.fromDeploymentGroupArn()`): the `Aws.REGION` token would resolve to the region of the *referencing Stack*, instead of the region of the *referenced DeploymentGroup*.

Make all predefined DeploymentConfigs implement a hidden interface that allows the DeploymentGroup to specialize the Config to its own account and region. This behavior is not relevant for user-created deployment configs: those will still be region-bound, so customers won't need access to this interface.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ine structure (#23908)" (#24006)

This reverts commit ec73c39.



Closes #23990 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This is a re-roll of #23677 which was reverted in #23994 because the `randomUUID()` function from the original solution was not available in Node versions below 14.17 (and we advertise compatibility with Node 14.*).

We didn't actually need a UUID, just any random string, so replace it with a function that generates a random string in a different way.

----------

Resolves #23290

A very simple fix for the issue where builds with `--concurrency` specified can lead to corrupt archives. Rather than use the outputFile as the basis for the temp file name we simply use a random string.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…24030)

This is a re-roll of #23908 which had to be reverted in  #24006 because there are some cases where change set approval steps that are shared between two stacks would cause cyclic dependencies between those stacks that caused them to be mutually unsortable.

Solve this by adding a mode to the toposort routine that will proceed even if there are cyclic dependencies (which is used purely for rendering).

----

Add a `pipeline.dot` file to the cloud assembly containing the graph structure of the pipeline.

This change is a `chore`, not a `feat`, as I want this to be a debugging aid, but I don't want to service feature requests on it.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Hi team,

Please have a look at this minor fix for a typo.

Thanks

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
S3 Object Lock allows configuring various retention holds, for legal and compliance purposes, on an S3 bucket. This enables a write-once-read-many model. Object Lock can only be enabled on new buckets via the CloudFormation (and therefore via the CDK). Updates to an existing bucket will result in a CloudFormation update failure.

This behavior is possible today using Escape Hatches to modify the L1 construct (with the same limitations):

```ts
cfnBucket.addPropertyOverride("ObjectLockEnabled", true);
```

Providing L2 wrappers around this configuration can alleviate some common and easy-to-make mistakes, such as providing `ObjectLockConfiguration` without providing `ObjectLockEnabled` or specifying `"Governance"` instead of `"GOVERNANCE"` for the compliance mode.

It is possible to enable Object Lock without specifying a default duration. Therefore, there needs to be a means to set `ObjectLockEnabled`. This is done with the `ObjectLoc.enabled` property. Since this is a boolean, it can theoretically be set to `false`. If `false` and a `defaultRetention` is provided, an error is thrown.

CloudFormation allows specifying `Days` or `Years` for retention; for simplicity, this implementation always converts to `Days`. Because CloudFormation requires that to be a positive integer, this implementation also proactively performs that validation at synthesis time.

Further, CloudFormation does not allow omitting `ObjectLockEnabled` within `ObjectLockConfiguration`. The following template would result in a validation error that the input does not match the schema:

```yaml
Bucket:
  Type: AWS::S3::Bucket
  Properties:
    ObjectLockEnabled: true
    ObjectLockConfiguration:
      Rule:
        DefaultRetention:
          Days: 1
          Mode: GOVERNANCE
```

Therefore, this implementation also always sets
`ObjectLockConfiguration.ObjectLockEnabled` to `"Enabled"`.

Additionally, it seems that the behavior of doing

```yaml
Bucket:
  Type: AWS::S3::Bucket
  Properties:
    ObjectLockEnabled: true
    ObjectLockConfiguration:
      ObjectLockEnabled: 'Enabled'
```

causes CloudFormation to create the buckets with Object Lock enabled and then just wait and wait and wait. Frankly I didn't wait for the operation to time out so I don't know whether that would succeed or fail, but in any case, that would be a duplicate of specifying only `ObjectLockEnabled: true` (without nesting it in `ObjectLockConfiguration`) so this implementation prefers the shorter variant, which CloudFormation/S3 also seem to prefer, when Object Lock is enabled without default retention.

Unfortunately, there isn't a way to check during synthesis whether the bucket already exists, so there's not really a way to detect that pitfall. Users will just get the typical CloudFormation error for this situation and a stack rollback.

More variants of Object Lock configuration in S3 and descriptions of what CloudFormation does with them can be found at: https://gist.github.com/788df029f121af14645f31152ff54e32

This _partially_ addresses #5247 (nothing here handles MFA delete).
This follows up on #21738 which has been marked as abandoned.

----

### All Submissions:

* [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Construct Runtime Dependencies:

* [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies)

### New Features

* [X] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [X] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
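
The validation and rendering rules in the Object Lock commit message above, as an added example that is not part of the pull request and is not aws-cdk source. `renderObjectLock`, its option types, and the 365-day year used for the conversion are assumptions made for illustration.

```typescript
// Added illustration; not aws-cdk source. Every name below is hypothetical.
type RetentionMode = 'GOVERNANCE' | 'COMPLIANCE';

interface DefaultRetention {
  mode: RetentionMode;
  amount: number;
  unit: 'days' | 'years';
}

interface ObjectLockOptions {
  enabled?: boolean;
  defaultRetention?: DefaultRetention;
}

// Shape of the AWS::S3::Bucket properties this sketch emits.
interface BucketLockProps {
  ObjectLockEnabled?: boolean;
  ObjectLockConfiguration?: {
    ObjectLockEnabled: 'Enabled';
    Rule: { DefaultRetention: { Mode: RetentionMode; Days: number } };
  };
}

const VALID_MODES: readonly string[] = ['GOVERNANCE', 'COMPLIANCE'];
const DAYS_PER_YEAR = 365; // assumption: fixed-length year for the conversion

function renderObjectLock(opts: ObjectLockOptions): BucketLockProps {
  const { enabled, defaultRetention } = opts;

  if (defaultRetention === undefined) {
    // Lock without default retention: emit only the short top-level flag.
    return enabled === true ? { ObjectLockEnabled: true } : {};
  }
  if (enabled === false) {
    throw new Error('Object Lock is disabled but a default retention was given');
  }
  // Untyped callers (plain JS, JSON config) can still pass "Governance".
  if (VALID_MODES.indexOf(defaultRetention.mode) === -1) {
    throw new Error(`Invalid retention mode: ${String(defaultRetention.mode)}`);
  }
  // Always express the period in days, then check it at synthesis time.
  const days = defaultRetention.unit === 'years'
    ? defaultRetention.amount * DAYS_PER_YEAR
    : defaultRetention.amount;
  if (!Number.isInteger(days) || days <= 0) {
    throw new Error(`Retention must be a positive whole number of days, got ${days}`);
  }
  return {
    ObjectLockEnabled: true,
    ObjectLockConfiguration: {
      ObjectLockEnabled: 'Enabled', // the schema rejects a rule without this field
      Rule: { DefaultRetention: { Mode: defaultRetention.mode, Days: days } },
    },
  };
}

// Constructed sample input: one year of GOVERNANCE retention.
console.log(JSON.stringify(renderObjectLock({
  defaultRetention: { mode: 'GOVERNANCE', amount: 1, unit: 'years' },
}), null, 2));
```

As the commit message notes, none of this can detect at synthesis time that the bucket already exists, so that failure still surfaces only as a CloudFormation rollback.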
Introducing AWS Lambda runtime management controls
https://aws.amazon.com/jp/blogs/compute/introducing-aws-lambda-runtime-management-controls/

This setting achieves the following set values.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html#cfn-lambda-functionruntimemanagementconfig

I have not been able to test this CFn as it does not seem to be supported by cdk. It's only a design.

Closes #23890.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
rix0rrr and others added 15 commits February 6, 2023 21:04
Add the ability for GitHub, CodeStar Connections, CodeCommit source types to configure the Action Name that is added to the pipeline.

This is necessary to add the same GitHub repository to the same pipeline twice with a different branch each time. By default, it would pick the same default name for each, which would then conflict.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
The example for integrating with an existing pipeline wasn't very helpful. Explain how to use the `CodePipelineFileset` class with examples.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Fix two hard-coded usages of `docker` in `aws-s3-deployment`.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…cket region (#23919)

The current implementations of determining various bucket URLs were incorrectly relying on the stack's region.
In practice this did not matter a lot, since the suffix depends on the partition and a cross over from one partition to another is not likely or even impossible.

We also required users to determine the correct bucketWebsiteUrl format for a bucket.
However this information can reliably be inferred from a bucket's region.
Since bucket ARNs do not contain region information, it is best to provide the bucket region whenever bucketWebsiteUrl will be used.
As a fallback we assume a bucket is placed in the region of its stack.

---
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
)

When users are using cross-stack references that are not allowed, we just tell them the stacks that are involved in the reference, but not the reference itself. For example:

```
Stack "ExampleStack" cannot consume a cross reference from stack
"cross-region-stack-1111111111:us-east-2". Cross stack references are
only supported for stacks deployed to the same environment or between
nested stacks and their parent stack.
```

This makes it very hard to debug what's going on, and why the reference is there in the first place.

Render the reference as well so that it's easier to figure out why this is happening.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Fixes #10308

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…and causes conflict when multiple stacks deployed to the same account-region (#23823)

- Replace stage association error with warning
- Deprecate `stackId` in TargetApplication options 
- Provide a default dynamic stack name for CreateTargetApplication stack with a reference to the application name
- Provide a default dynamic stack name for ExistingTargetApplication stack with a reference to the application ID

This fixes: [23861](#23861)

Note: With this change to `stackName`, you may run into the following error during deployment if you have been using the default stack id and name by not explicitly setting them.
```
Resource handler returned message: "You already own an application 'MyApplicationName' (Service: ServiceCatalogAppRegistry, Status Code: 409, Request ID: xxxx)" (RequestToken: yyyy, HandlerErrorCode: InvalidRequest)
```

To address this error, explicitly set the `stackName` value to the name of your existing stack. For example:

```typescript
const associatedApp = new ApplicationAssociator(app, 'MyApplicationAssociator', {
  applications: [ TargetApplication.createApplicationStack({
    applicationName: 'MyApplicationName',
    stackName: 'ApplicationAssociatorStack', // add your existing stack name here
    ...
```

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Construct Runtime Dependencies:

* [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…etWebsiteUrl (#24055)

Fixes #23354

Without pass-through of all attribute values, it is currently not possible to automatically force a dependency on the deployment for every attribute.
This change merely sets the bucket's region & account, so that all computed website/domain attributes will now include the correct values. Other attributes, and manually set website/domain attributes are not supported.
Additionally the documentation has been extended to highlight the above issue and provide a workaround.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Closes #22474

----


### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Construct Runtime Dependencies:

* [x] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies)

### New Features
1. Setting environment owner.
2. The 'owner' now could be an IAM user or Account root user (It allows AWS to determine who has permissions to manage the environment, either an IAM user or the account root user)

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?
	* [x] Unit test for ownerarn

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…fall back if necessary (#23653)

Changes the behavior of `--hotswap` to ignore all non-hotswappable changes and hotswap what it can. This works at two levels: changes to non-hotswappable resources are ignored, as well as non-hotswappable changes to hotswappable resources (eg `Tags` on a Lambda Function).

In addition, non-hotswappable changes are now logged; the logical ID, rejected changes, resource type, and reason why the changes were rejected are all provided for each non-hotswappable change.

At some point, support for tags of lambda functions was added. This either broke or simply never worked, and so this PR removes all logic to handle Tags.

The existing behavior of `--hotswap` can be used in `--hotswap-fallback`. It is preserved and unmodified by this change.

Closes #22784, #21773, #21556, #23640.

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Construct Runtime Dependencies:

* [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…LBs (#23972)

The `Arn.split()` method doesn't parse the `resourceName` correctly when it has multiple `/`, which is the case for the resources created by the elbv2 API.

I've also refactored the `integ.nlb-lookup.ts` test because it was not well written and I couldn't really deploy it with Cloudformation.

The capability to create metrics from imported Load Balancers is new. It was introduced in #23853.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@aws-cdk-automation aws-cdk-automation added auto-approve pr/no-squash This PR should be merged instead of squash-merging it labels Feb 9, 2023
@gitpod-io

gitpod-io bot commented Feb 9, 2023

@github-actions github-actions bot added the p2 label Feb 9, 2023
@aws-cdk-automation aws-cdk-automation requested a review from a team February 9, 2023 00:30
@TheRealAmazonKendra TheRealAmazonKendra added the pr-linter/cli-integ-tested Assert that any CLI changes have been integ tested label Feb 9, 2023
@aws-cdk-automation
Collaborator Author

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: cd306f7
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Contributor

mergify bot commented Feb 9, 2023

Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit fb67c77 into v2-release Feb 9, 2023
@mergify mergify bot deleted the bump/2.64.0 branch February 9, 2023 01:11