Merge branch 'master' into s3-add-lifecycle-rule-param

.github/workflows/issue-reprioritization.yml

@@ -7,6 +7,7 @@ jobs:
   issue-reprioritization:
     permissions:
       issues: write
+      repository-projects: write
     runs-on: ubuntu-latest
     steps:
       - uses: kaizencc/issue-reprioritization-manager@main
@@ -16,6 +17,7 @@ jobs:
           original-label: p2
           new-label: p1
           reprioritization-threshold: 20
+          project-column-url: https://github.com/aws/aws-cdk/projects/13#column-18002436
       - uses: kaizencc/pr-triage-manager@main
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}

package.json

@@ -80,12 +80,8 @@
       "@aws-cdk/assertions-alpha/fs-extra/**",
       "@aws-cdk/assertions/fs-extra",
       "@aws-cdk/assertions/fs-extra/**",
-      "@aws-cdk/aws-amplify-alpha/yaml",
-      "@aws-cdk/aws-amplify-alpha/yaml/**",
       "@aws-cdk/aws-iot-actions-alpha/case",
       "@aws-cdk/aws-iot-actions-alpha/case/**",
-      "@aws-cdk/aws-amplify/yaml",
-      "@aws-cdk/aws-amplify/yaml/**",
       "@aws-cdk/aws-codebuild/yaml",
       "@aws-cdk/aws-codebuild/yaml/**",
       "@aws-cdk/aws-codepipeline-actions/case",

packages/@aws-cdk/aws-amplify/NOTICE

@@ -1,23 +1,2 @@
 AWS Cloud Development Kit (AWS CDK)
 Copyright 2018-2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.
-
--------------------------------------------------------------------------------
-
-The AWS CDK includes the following third-party software/licensing:
-
-** yaml - https://www.npmjs.com/package/yaml
-Copyright 2018 Eemeli Aro <[email protected]>
-
-Permission to use, copy, modify, and/or distribute this software for any purpose
-with or without fee is hereby granted, provided that the above copyright notice
-and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
-REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
-FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
-INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
-OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
-TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
-THIS SOFTWARE.
-
-----------------

packages/@aws-cdk/aws-amplify/lib/app.ts

@@ -2,7 +2,6 @@ import * as codebuild from '@aws-cdk/aws-codebuild';
 import * as iam from '@aws-cdk/aws-iam';
 import { IResource, Lazy, Resource, SecretValue } from '@aws-cdk/core';
 import { Construct } from 'constructs';
-import * as YAML from 'yaml';
 import { CfnApp } from './amplify.generated';
 import { BasicAuth } from './basic-auth';
 import { Branch, BranchOptions } from './branch';
@@ -515,11 +514,18 @@ export interface CustomResponseHeader {
 }
 
 function renderCustomResponseHeaders(customHeaders: CustomResponseHeader[]): string {
-  const modifiedHeaders = customHeaders.map(customHeader => ({
-    ...customHeader,
-    headers: Object.entries(customHeader.headers).map(([key, value]) => ({ key, value })),
-  }));
+  const yaml = [
+    'customHeaders:',
+  ];
+
+  for (const customHeader of customHeaders) {
+    yaml.push(`  - pattern: "${customHeader.pattern}"`);
+    yaml.push('    headers:');
+    for (const [key, value] of Object.entries(customHeader.headers)) {
+      yaml.push(`      - key: "${key}"`);
+      yaml.push(`        value: "${value}"`);
+    }
+  }
 
-  const customHeadersObject = { customHeaders: modifiedHeaders };
-  return YAML.stringify(customHeadersObject);
+  return `${yaml.join('\n')}\n`;
 }

packages/@aws-cdk/aws-amplify/package.json

@@ -87,7 +87,6 @@
     "@aws-cdk/cfn2ts": "0.0.0",
     "@aws-cdk/pkglint": "0.0.0",
     "@types/jest": "^27.5.0",
-    "@types/yaml": "1.9.6",
     "aws-sdk": "^2.848.0"
   },
   "dependencies": {
@@ -101,12 +100,8 @@
     "@aws-cdk/aws-secretsmanager": "0.0.0",
     "@aws-cdk/core": "0.0.0",
     "@aws-cdk/custom-resources": "0.0.0",
-    "constructs": "^3.3.69",
-    "yaml": "1.10.2"
+    "constructs": "^3.3.69"
   },
-  "bundledDependencies": [
-    "yaml"
-  ],
   "peerDependencies": {
     "@aws-cdk/aws-codebuild": "0.0.0",
     "@aws-cdk/aws-codecommit": "0.0.0",

packages/@aws-cdk/aws-amplify/test/app.integ.snapshot/cdk-amplify-app.template.json

@@ -56,7 +56,18 @@
      },
      "Username": "aws"
     },
-    "CustomHeaders": "customHeaders:\n  - pattern: \"*.json\"\n    headers:\n      - key: custom-header-name-1\n        value: custom-header-value-1\n      - key: custom-header-name-2\n        value: custom-header-value-2\n  - pattern: /path/*\n    headers:\n      - key: custom-header-name-1\n        value: custom-header-value-2\n",
+    "CustomHeaders": {
+     "Fn::Join": [
+      "",
+      [
+       "customHeaders:\n  - pattern: \"*.json\"\n    headers:\n      - key: \"custom-header-name-1\"\n        value: \"custom-header-value-1\"\n      - key: \"custom-header-name-2\"\n        value: \"custom-header-value-2\"\n  - pattern: \"/path/*\"\n    headers:\n      - key: \"custom-header-name-1\"\n        value: \"custom-header-value-2\"\n      - key: \"x-aws-url-suffix\"\n        value: \"this-is-the-suffix-",
+       {
+        "Ref": "AWS::URLSuffix"
+       },
+       "\"\n"
+      ]
+     ]
+    },
     "CustomRules": [
      {
       "Source": "/source",

packages/@aws-cdk/aws-amplify/test/app.integ.snapshot/cdk.out

@@ -1 +1 @@
-{"version":"17.0.0"}
+{"version":"19.0.0"}

packages/@aws-cdk/aws-amplify/test/app.integ.snapshot/integ.json

@@ -1,7 +1,7 @@
 {
-  "version": "18.0.0",
+  "version": "19.0.0",
   "testCases": {
-    "aws-amplify/test/integ.app": {
+    "integ.app": {
       "stacks": [
         "cdk-amplify-app"
       ],

packages/@aws-cdk/aws-amplify/test/app.integ.snapshot/manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "17.0.0",
+  "version": "19.0.0",
   "artifacts": {
     "Tree": {
       "type": "cdk:tree",

packages/@aws-cdk/aws-amplify/test/app.integ.snapshot/tree.json

@@ -113,7 +113,18 @@
                         ]
                       }
                     },
-                    "customHeaders": "customHeaders:\n  - pattern: \"*.json\"\n    headers:\n      - key: custom-header-name-1\n        value: custom-header-value-1\n      - key: custom-header-name-2\n        value: custom-header-value-2\n  - pattern: /path/*\n    headers:\n      - key: custom-header-name-1\n        value: custom-header-value-2\n",
+                    "customHeaders": {
+                      "Fn::Join": [
+                        "",
+                        [
+                          "customHeaders:\n  - pattern: \"*.json\"\n    headers:\n      - key: \"custom-header-name-1\"\n        value: \"custom-header-value-1\"\n      - key: \"custom-header-name-2\"\n        value: \"custom-header-value-2\"\n  - pattern: \"/path/*\"\n    headers:\n      - key: \"custom-header-name-1\"\n        value: \"custom-header-value-2\"\n      - key: \"x-aws-url-suffix\"\n        value: \"this-is-the-suffix-",
+                          {
+                            "Ref": "AWS::URLSuffix"
+                          },
+                          "\"\n"
+                        ]
+                      ]
+                    },
                     "customRules": [
                       {
                         "source": "/source",

packages/@aws-cdk/aws-amplify/test/app.test.ts

@@ -417,11 +417,28 @@ test('with custom headers', () => {
           'custom-header-name-1': 'custom-header-value-2',
         },
       },
+      {
+        pattern: '/with-tokens/*',
+        headers: {
+          'x-custom': `${'hello'.repeat(10)}${Stack.of(stack).urlSuffix} `,
+        },
+      },
     ],
   });
 
   // THEN
   Template.fromStack(stack).hasResourceProperties('AWS::Amplify::App', {
-    CustomHeaders: 'customHeaders:\n  - pattern: "*.json"\n    headers:\n      - key: custom-header-name-1\n        value: custom-header-value-1\n      - key: custom-header-name-2\n        value: custom-header-value-2\n  - pattern: /path/*\n    headers:\n      - key: custom-header-name-1\n        value: custom-header-value-2\n',
+    CustomHeaders: {
+      'Fn::Join': [
+        '',
+        [
+          'customHeaders:\n  - pattern: "*.json"\n    headers:\n      - key: "custom-header-name-1"\n        value: "custom-header-value-1"\n      - key: "custom-header-name-2"\n        value: "custom-header-value-2"\n  - pattern: "/path/*"\n    headers:\n      - key: "custom-header-name-1"\n        value: "custom-header-value-2"\n  - pattern: "/with-tokens/*"\n    headers:\n      - key: "x-custom"\n        value: "hellohellohellohellohellohellohellohellohellohello',
+          {
+            Ref: 'AWS::URLSuffix',
+          },
+          ' "\n',
+        ],
+      ],
+    },
   });
 });

packages/@aws-cdk/aws-amplify/test/integ.app.ts

@@ -21,6 +21,7 @@ class TestStack extends Stack {
           pattern: '/path/*',
           headers: {
             'custom-header-name-1': 'custom-header-value-2',
+            'x-aws-url-suffix': `this-is-the-suffix-${Stack.of(this).urlSuffix}`,
           },
         },
       ],

packages/@aws-cdk/aws-apigateway/lib/restapi.ts

@@ -1,7 +1,7 @@
 import * as cloudwatch from '@aws-cdk/aws-cloudwatch';
 import { IVpcEndpoint } from '@aws-cdk/aws-ec2';
 import * as iam from '@aws-cdk/aws-iam';
-import { ArnFormat, CfnOutput, IResource as IResourceBase, Resource, Stack } from '@aws-cdk/core';
+import { ArnFormat, CfnOutput, IResource as IResourceBase, Resource, Stack, Token } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { ApiDefinition } from './api-definition';
 import { ApiKey, ApiKeyOptions, IApiKey } from './api-key';
@@ -368,7 +368,7 @@ export abstract class RestApiBase extends Resource implements IRestApi {
   }
 
   public arnForExecuteApi(method: string = '*', path: string = '/*', stage: string = '*') {
-    if (!path.startsWith('/')) {
+    if (!Token.isUnresolved(path) && !path.startsWith('/')) {
       throw new Error(`"path" must begin with a "/": '${path}'`);
     }
 

packages/@aws-cdk/aws-apigateway/test/restapi.test.ts

@@ -1,7 +1,7 @@
 import { Template } from '@aws-cdk/assertions';
 import { GatewayVpcEndpoint } from '@aws-cdk/aws-ec2';
 import { testDeprecated } from '@aws-cdk/cdk-build-tools';
-import { App, CfnElement, CfnResource, Stack } from '@aws-cdk/core';
+import { App, CfnElement, CfnResource, Lazy, Stack } from '@aws-cdk/core';
 import * as apigw from '../lib';
 
 describe('restapi', () => {
@@ -424,6 +424,16 @@ describe('restapi', () => {
     expect(() => api.arnForExecuteApi('method', 'hey-path', 'stage')).toThrow(/"path" must begin with a "\/": 'hey-path'/);
   });
 
+  test('"executeApiArn" path can be a token', () => {
+    // GIVEN
+    const stack = new Stack();
+    const api = new apigw.RestApi(stack, 'api');
+    api.root.addMethod('GET');
+
+    // THEN
+    expect(() => api.arnForExecuteApi('method', Lazy.string(({ produce: () => 'path' })), 'stage')).not.toThrow();
+  });
+
   test('"executeApiArn" will convert ANY to "*"', () => {
     // GIVEN
     const stack = new Stack();

packages/@aws-cdk/aws-apigatewayv2/lib/http/vpc-link.ts

@@ -99,7 +99,7 @@ export class VpcLink extends Resource implements IVpcLink {
 
     this.vpcLinkId = cfnResource.ref;
 
-    const { subnets } = props.vpc.selectSubnets(props.subnets ?? { subnetType: ec2.SubnetType.PRIVATE });
+    const { subnets } = props.vpc.selectSubnets(props.subnets ?? { subnetType: ec2.SubnetType.PRIVATE_WITH_NAT });
     this.addSubnets(...subnets);
 
     if (props.securityGroups) {

packages/@aws-cdk/aws-appsync/test/appsync-rds.test.ts

@@ -36,7 +36,7 @@ describe('Rds Data Source configuration', () => {
       credentials: { username: 'clusteradmin' },
       clusterIdentifier: 'db-endpoint-test',
       vpc,
-      vpcSubnets: { subnetType: SubnetType.PRIVATE },
+      vpcSubnets: { subnetType: SubnetType.PRIVATE_WITH_NAT },
       securityGroups: [securityGroup],
       defaultDatabaseName: 'Animals',
     });
@@ -235,7 +235,7 @@ describe('adding rds data source from imported api', () => {
       credentials: { username: 'clusteradmin' },
       clusterIdentifier: 'db-endpoint-test',
       vpc,
-      vpcSubnets: { subnetType: SubnetType.PRIVATE },
+      vpcSubnets: { subnetType: SubnetType.PRIVATE_WITH_NAT },
       securityGroups: [securityGroup],
       defaultDatabaseName: 'Animals',
     });

packages/@aws-cdk/aws-autoscaling/test/auto-scaling-group.test.ts

@@ -1791,7 +1791,7 @@ test('can use Vpc imported from unparseable list tokens', () => {
     vpc,
     allowAllOutbound: false,
     associatePublicIpAddress: false,
-    vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE },
+    vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_NAT },
   });
 
   // THEN

packages/@aws-cdk/aws-batch/test/compute-environment.test.ts

@@ -347,7 +347,7 @@ describe('Batch Compute Environment', () => {
           ],
           type: batch.ComputeResourceType.ON_DEMAND,
           vpcSubnets: {
-            subnetType: ec2.SubnetType.PRIVATE,
+            subnetType: ec2.SubnetType.PRIVATE_WITH_NAT,
           },
         } as batch.ComputeResources,
         enabled: false,

packages/@aws-cdk/aws-cloud9/README.md

@@ -55,7 +55,7 @@ new cloud9.Ec2Environment(this, 'Cloud9Env2', {
 const c9env = new cloud9.Ec2Environment(this, 'Cloud9Env3', {
   vpc,
   subnetSelection: {
-    subnetType: ec2.SubnetType.PRIVATE,
+    subnetType: ec2.SubnetType.PRIVATE_WITH_NAT,
   },
 });
 

packages/@aws-cdk/aws-cloud9/test/cloud9.environment.test.ts

@@ -24,7 +24,7 @@ test('create resource correctly with both vpc and subnetSelectio', () => {
   new cloud9.Ec2Environment(stack, 'C9Env', {
     vpc,
     subnetSelection: {
-      subnetType: ec2.SubnetType.PRIVATE,
+      subnetType: ec2.SubnetType.PRIVATE_WITH_NAT,
     },
   });
   // THEN
@@ -54,7 +54,7 @@ test('throw error when subnetSelection not specified and the provided VPC has no
     maxAzs: 2,
     subnetConfiguration: [
       {
-        subnetType: ec2.SubnetType.ISOLATED,
+        subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
         name: 'IsolatedSubnet',
         cidrMask: 24,
       },

packages/@aws-cdk/aws-cognito/README.md

@@ -73,6 +73,17 @@ The default set up for the user pool is configured such that only administrators
 to create users. Features such as Multi-factor authentication (MFAs) and Lambda Triggers are not
 configured by default.
 
+Use the `grant()` method to add an IAM policy statement associated with the user pool to an
+IAM principal's policy.
+
+```ts
+const userPool = new cognito.UserPool(this, 'myuserpool');
+const role = new iam.Role(this, 'role', {
+  assumedBy: new iam.ServicePrincipal('foo'),
+});
+userPool.grant(role, 'cognito-idp:AdminCreateUser');
+```
+
 ### Sign Up
 
 Users can either be signed up by the app's administrators or can sign themselves up. Once a user has signed up, their
@@ -632,8 +643,8 @@ pool.addClient('app-client', {
 });
 ```
 
-If the identity provider and the app client are created in the same stack, specify the dependency between both constructs to 
-make sure that the identity provider already exists when the app client will be created. The app client cannot handle the 
+If the identity provider and the app client are created in the same stack, specify the dependency between both constructs to
+make sure that the identity provider already exists when the app client will be created. The app client cannot handle the
 dependency to the identity provider automatically because the client does not have access to the provider's construct.
 
 ```ts
@@ -668,11 +679,11 @@ pool.addClient('app-client', {
 });
 ```
 
-Clients can (and should) be allowed to read and write relevant user attributes only. Usually every client can be allowed to 
+Clients can (and should) be allowed to read and write relevant user attributes only. Usually every client can be allowed to
 read the `given_name` attribute but not every client should be allowed to set the `email_verified` attribute.
 The same criteria applies for both standard and custom attributes, more info is available at
 [Attribute Permissions and Scopes](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-attribute-permissions-and-scopes).
-The default behaviour is to allow read and write permissions on all attributes. The following code shows how this can be 
+The default behaviour is to allow read and write permissions on all attributes. The following code shows how this can be
 configured for a client.
 
 ```ts
@@ -703,7 +714,7 @@ pool.addClient('app-client', {
   // ...
   enableTokenRevocation: true,
 });
-``` 
+```
 
 ### Resource Servers