Merge branch 'master' into feature/kms-iam-control
moofish32 committed Feb 18, 2020
2 parents bd199db + f9996f3 commit 7474c68
Showing 128 changed files with 5,768 additions and 681 deletions.
312 changes: 2 additions & 310 deletions design/cdk-bootstrap.md
@@ -337,313 +337,5 @@ This should make sure the CFN update succeeds.

## Bootstrap template

Here is the JSON of the bootstrap CloudFormation template:

```json
{
"Description": "The CDK Toolkit Stack. It was created by `cdk bootstrap` and manages resources necessary for managing your Cloud Applications with AWS CDK.",
"Parameters": {
"TrustedPrincipals": {
"Description": "List of AWS principals that the publish and action roles should trust to be assumed from",
"Default": "",
"Type": "CommaDelimitedList"
},
"CloudFormationExecutionPolicies": {
"Description": "List of the ManagedPolicy ARN(s) to attach to the CloudFormation deployment role",
"Default": "",
"Type": "CommaDelimitedList"
}
},
"Conditions": {
"HasTrustedPrincipals": {
"Fn::Not": [
{
"Fn::Equals": [
"",
{
"Fn::Join": [
"",
{
"Ref": "TrustedPrincipals"
}
]
}
]
}
]
}
},
"Resources": {
"FileAssetsBucketEncryptionKey": {
"Type": "AWS::KMS::Key",
"Properties": {
"KeyPolicy": {
"Statement": [
{
"Action": [
"kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
"kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
"kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion", "kms:GenerateDataKey"
],
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
}
},
"Resource": "*"
},
{
"Action": [
"kms:Decrypt", "kms:DescribeKey", "kms:Encrypt",
"kms:ReEncrypt*", "kms:GenerateDataKey*"
],
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Sub": "${PublishingRole.Arn}"
}
},
"Resource": "*"
}
]
}
}
},
"StagingBucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": {
"Fn::Sub": "cdk-bootstrap-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
},
"AccessControl": "Private",
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "aws:kms",
"KMSMasterKeyID": {
"Fn::Sub": "${FileAssetsBucketEncryptionKey.Arn}"
}
}
}]
},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
"IgnorePublicAcls": true,
"RestrictPublicBuckets": true
}
},
"UpdateReplacePolicy": "Retain"
},
"ContainerAssetsRepository": {
"Type": "AWS::ECR::Repository",
"Properties": {
"RepositoryName": {
"Fn::Sub": "cdk-bootstrap-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}"
}
}
},
"PublishingRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"AWS": {
"Ref": "AWS::AccountId"
}
}
},
{
"Fn::If": [
"HasTrustedPrincipals",
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"AWS": {
"Ref": "TrustedPrincipals"
}
}
},
{
"Ref": "AWS::NoValue"
}
]
}
]
},
"RoleName": {
"Fn::Sub": "cdk-bootstrap-hnb659fds-publishing-role-${AWS::AccountId}-${AWS::Region}"
}
}
},
"PublishingRoleDefaultPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"s3:GetObject*", "s3:GetBucket*", "s3:List*",
"s3:DeleteObject*", "s3:PutObject*", "s3:Abort*"
],
"Resource": [
{
"Fn::Sub": "${StagingBucket.Arn}"
},
{
"Fn::Sub": "${StagingBucket.Arn}/*"
}
]
},
{
"Action": [
"kms:Decrypt", "kms:DescribeKey", "kms:Encrypt",
"kms:ReEncrypt*", "kms:GenerateDataKey*"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": "${FileAssetsBucketEncryptionKey.Arn}"
}
},
{
"Action": [
"ecr:PutImage", "ecr:InitiateLayerUpload",
"ecr:UploadLayerPart", "ecr:CompleteLayerUpload"
],
"Resource": {
"Fn::Sub": "${ContainerAssetsRepository.Arn}"
}
}
],
"Version": "2012-10-17"
},
"Roles": [{
"Ref": "PublishingRole"
}],
"PolicyName": {
"Fn::Sub": "cdk-bootstrap-hnb659fds-publishing-role-default-policy-${AWS::AccountId}-${AWS::Region}"
}
}
},
"DeploymentActionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"AWS": {
"Ref": "AWS::AccountId"
}
}
},
{
"Fn::If": [
"HasTrustedPrincipals",
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"AWS": {
"Ref": "TrustedPrincipals"
}
}
},
{
"Ref": "AWS::NoValue"
}
]
}
]
},
"Policies": [
{
"PolicyDocument": {
"Statement": [
{
"Action": [
"cloudformation:CreateChangeSet", "cloudformation:DeleteChangeSet",
"cloudformation:DescribeChangeSet", "cloudformation:DescribeStacks",
"cloudformation:ExecuteChangeSet",
"s3:GetObject*", "s3:GetBucket*",
"s3:List*", "s3:Abort*",
"s3:DeleteObject*", "s3:PutObject*",
"kms:Decrypt", "kms:DescribeKey"
],
"Resource": "*"
},
{
"Action": "iam:PassRole",
"Resource": {
"Fn::Sub": "${CloudFormationExecutionRole.Arn}"
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "default"
}
],
"RoleName": {
"Fn::Sub": "cdk-bootstrap-hnb659fds-deployment-action-role-${AWS::AccountId}-${AWS::Region}"
},
"Condition": "HasTrustedPrincipals"
}
},
"CloudFormationExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "cloudformation.amazonaws.com"
}
}
]
},
"ManagedPolicyArns": {
"Ref": "CloudFormationExecutionPolicies"
},
"RoleName": {
"Fn::Sub": "cdk-bootstrap-hnb659fds-cloudformation-execution-role-${AWS::AccountId}-${AWS::Region}"
},
"Condition": "HasTrustedPrincipals"
}
}
},
"Outputs": {
"BucketName": {
"Description": "The name of the S3 bucket owned by the CDK toolkit stack",
"Value": { "Fn::Sub": "${StagingBucket.Arn}" },
"Export": {
"Name": { "Fn::Sub": "${AWS::StackName}:BucketName" }
}
},
"BucketDomainName": {
"Description": "The domain name of the S3 bucket owned by the CDK toolkit stack",
"Value": { "Fn::Sub": "${StagingBucket.RegionalDomainName}" },
"Export": {
"Name": { "Fn::Sub": "${AWS::StackName}:BucketDomainName" }
}
},
"BootstrapVersion": {
"Description": "The version of the bootstrap resources that are currently mastered in this stack",
"Value": "1",
"Export": {
"Name": { "Fn::Sub": "AwsCdkBootstrapVersion" }
}
}
}
}
```
The bootstrap template used by the CLI command can be found in the
[aws-cdk package](../packages/aws-cdk/lib/api/bootstrap/bootstrap-template.json).
8 changes: 5 additions & 3 deletions package.json
@@ -47,17 +47,19 @@
"nohoist": [
"**/jszip",
"**/jszip/**",
"@aws-cdk/cdk-assets-schema/semver",
"@aws-cdk/cdk-assets-schema/semver/**",
"@aws-cdk/assets/minimatch",
"@aws-cdk/assets/minimatch/**",
"@aws-cdk/aws-codepipeline-actions/case",
"@aws-cdk/aws-codepipeline-actions/case/**",
"@aws-cdk/aws-ecr-assets/minimatch",
"@aws-cdk/aws-ecr-assets/minimatch/**",
"@aws-cdk/aws-lambda-nodejs/parcel-bundler",
"@aws-cdk/aws-lambda-nodejs/parcel-bundler/**",
"@aws-cdk/cx-api/semver",
"@aws-cdk/cx-api/semver/**",
"@aws-cdk/cx-api/semver/**",
"@aws-cdk/aws-lambda-nodejs/parcel-bundler",
"@aws-cdk/aws-lambda-nodejs/parcel-bundler/**"
"@aws-cdk/cx-api/semver/**"
]
}
}
2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-applicationautoscaling/README.md
@@ -11,7 +11,7 @@

**Application AutoScaling** is used to configure autoscaling for all
services other than scaling EC2 instances. For example, you will use this to
scale ECS tasks, DynamoDB capacity, Spot Fleet sizes and more.
scale ECS tasks, DynamoDB capacity, Spot Fleet sizes, Comprehend document classification endpoints, Lambda function provisioned concurrency and more.

As a CDK user, you will probably not have to interact with this library
directly; instead, it will be used by other construct libraries to
@@ -263,4 +263,14 @@ export enum ServiceNamespace {
* Custom Resource
*/
CUSTOM_RESOURCE = 'custom-resource',

/**
* Lambda
*/
LAMBDA = 'lambda',

/**
* Comprehend
*/
COMPREHEND = 'comprehend',
}
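Review bot: The doc comments on the two new members, `LAMBDA` and `COMPREHEND`, only repeat the service name, which does not tell a user which scalable resource the namespace covers. The README hunk in this same commit already spells that out, so the enum documentation should carry the same information: `/** Lambda function provisioned concurrency */` and `/** Comprehend document classification endpoints */`. The string values `'lambda'` and `'comprehend'` match the namespace values the new test at the bottom of the page asserts, so nothing else in the hunk needs changing. The `ServiceNamespace` enum begins outside this hunk, so whether the existing members follow a richer comment pattern cannot be checked from here.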
@@ -140,4 +140,18 @@ export = {

test.done();
},

'test service namespace enum'(test: Test) {
test.equals(appscaling.ServiceNamespace.APPSTREAM, 'appstream');
test.equals(appscaling.ServiceNamespace.COMPREHEND, 'comprehend');
test.equals(appscaling.ServiceNamespace.CUSTOM_RESOURCE, 'custom-resource');
test.equals(appscaling.ServiceNamespace.DYNAMODB, 'dynamodb');
test.equals(appscaling.ServiceNamespace.EC2, 'ec2');
test.equals(appscaling.ServiceNamespace.ECS, 'ecs');
test.equals(appscaling.ServiceNamespace.ELASTIC_MAP_REDUCE, 'elasticmapreduce');
test.equals(appscaling.ServiceNamespace.LAMBDA, 'lambda');
test.equals(appscaling.ServiceNamespace.RDS, 'rds');
test.equals(appscaling.ServiceNamespace.SAGEMAKER, 'sagemaker');
test.done();
},
};
