Merge branch 'master' into patch-1

.github/workflows/README.md

@@ -0,0 +1,47 @@
+# AWS CDK GitHub Actions
+
+These workflows and actions are configured in the AWS CDK GitHub repository.
+
+## Pull Request Triggered
+
+### Auto Approve
+[auto-approve.yml](auto-approve.yml): Approves merging PRs with the
+`pr/auto-approve` label.
+Owner: Core CDK team
+
+### PR Linter
+[pr-linter.yml](pr-linter.yml): Runs `tools/@aws-cdk-prlint` on each PR to
+check for correctness.
+Owner: Core CDK team
+
+### v2-main PR automation
+[v2-pull-request.yml](v2-pull-request.yml): Runs `pkglint` on merge forward PRs
+and commits the results.
+Owner: Core CDK team
+
+### Label Assigner
+[issue-label-assign.yml](issue-label-assign.yml): Github action for automatically adding labels and/or setting assignees when an Issue or PR is opened or edited based on user-defined Area
+Owner: CDK support team
+
+## Issue Triggered
+
+### Closed Issue Message
+[closed-issue-message.yml](closed-issue-message.yml): Adds a reminder message
+to issues that are closed.
+Owner: CDK support team
+
+### Label Assigner
+[issue-label-assign.yml](issue-label-assign.yml): Github action for automatically adding labels and/or setting assignees when an Issue or PR is opened or edited based on user-defined Area
+Owner: CDK support team
+
+## Scheduled Actions
+
+### Issue Lifecycle Handling
+[close-stale-issues.yml](close-stale-issues.yml): Handles labeling issues and
+PRs with `closing-soon`, `response-requested`, etc.
+Owner: CDK support team
+
+### Yarn Upgrader
+[yarn-upgrade.yml](yarn-upgrade.yml): Upgrades yarn dependencies and creates a
+patch file for downloading.
+Owner: Core CDK team

.github/workflows/close-stale-issues.yml

@@ -4,7 +4,7 @@ name: "Close Stale Issues"
 on:
   workflow_dispatch:
   schedule:
-  - cron: "0 6 * * *"
+  - cron: "0 */4 * * *"
 
 jobs:
   cleanup:

.yarnrc

@@ -7,3 +7,4 @@
 # be forced to registry.yarnpkg.com.
 # https://github.com/npm/cli/issues/3783
 registry "https://registry.npmjs.org"
+ignore-engines            true      # the 'engines' key for 'aws-cdk-lib' has specifies node14 as min while v1 will remain at node10

packages/@aws-cdk/aws-autoscaling/README.md

@@ -378,6 +378,32 @@ new autoscaling.AutoScalingGroup(stack, 'ASG', {
 });
 ```
 
+## Configuring Instance Metadata Service (IMDS)
+
+### Toggling IMDSv1
+
+You can configure [EC2 Instance Metadata Service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) options to either
+allow both IMDSv1 and IMDSv2 or enforce IMDSv2 when interacting with the IMDS.
+
+To do this for a single `AutoScalingGroup`, you can use set the `requireImdsv2` property.
+The example below demonstrates IMDSv2 being required on a single `AutoScalingGroup`:
+
+```ts
+new autoscaling.AutoScalingGroup(stack, 'ASG', {
+  requireImdsv2: true,
+  // ...
+});
+```
+
+You can also use `AutoScalingGroupRequireImdsv2Aspect` to apply the operation to multiple AutoScalingGroups.
+The example below demonstrates the `AutoScalingGroupRequireImdsv2Aspect` being used to require IMDSv2 for all AutoScalingGroups in a stack:
+
+```ts
+const aspect = new autoscaling.AutoScalingGroupRequireImdsv2Aspect();
+
+Aspects.of(stack).add(aspect);
+```
+
 ## Future work
 
 * [ ] CloudWatch Events (impossible to add currently as the AutoScalingGroup ARN is

packages/@aws-cdk/aws-autoscaling/lib/aspects/index.ts

@@ -0,0 +1 @@
+export * from './require-imdsv2-aspect';

packages/@aws-cdk/aws-autoscaling/lib/aspects/require-imdsv2-aspect.ts

@@ -0,0 +1,38 @@
+import * as cdk from '@aws-cdk/core';
+import { AutoScalingGroup } from '../auto-scaling-group';
+import { CfnLaunchConfiguration } from '../autoscaling.generated';
+
+/**
+ * Aspect that makes IMDSv2 required on instances deployed by AutoScalingGroups.
+ */
+export class AutoScalingGroupRequireImdsv2Aspect implements cdk.IAspect {
+  constructor() {
+  }
+
+  public visit(node: cdk.IConstruct): void {
+    if (!(node instanceof AutoScalingGroup)) {
+      return;
+    }
+
+    const launchConfig = node.node.tryFindChild('LaunchConfig') as CfnLaunchConfiguration;
+    if (cdk.isResolvableObject(launchConfig.metadataOptions)) {
+      this.warn(node, 'CfnLaunchConfiguration.MetadataOptions field is a CDK token.');
+      return;
+    }
+
+    launchConfig.metadataOptions = {
+      ...launchConfig.metadataOptions,
+      httpTokens: 'required',
+    };
+  }
+
+  /**
+   * Adds a warning annotation to a node.
+   *
+   * @param node The scope to add the warning to.
+   * @param message The warning message.
+   */
+  protected warn(node: cdk.IConstruct, message: string) {
+    cdk.Annotations.of(node).addWarning(`${AutoScalingGroupRequireImdsv2Aspect.name} failed on node ${node.node.id}: ${message}`);
+  }
+}

packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts

@@ -7,13 +7,15 @@ import * as sns from '@aws-cdk/aws-sns';
 
 import {
   Annotations,
+  Aspects,
   Aws,
   CfnAutoScalingRollingUpdate, CfnCreationPolicy, CfnUpdatePolicy,
   Duration, Fn, IResource, Lazy, PhysicalName, Resource, Stack, Tags,
   Token,
   Tokenization, withResolved,
 } from '@aws-cdk/core';
 import { Construct } from 'constructs';
+import { AutoScalingGroupRequireImdsv2Aspect } from './aspects';
 import { CfnAutoScalingGroup, CfnAutoScalingGroupProps, CfnLaunchConfiguration } from './autoscaling.generated';
 import { BasicLifecycleHookProps, LifecycleHook } from './lifecycle-hook';
 import { BasicScheduledActionProps, ScheduledAction } from './scheduled-action';
@@ -384,6 +386,13 @@ export interface AutoScalingGroupProps extends CommonAutoScalingGroupProps {
    * @default - default options
    */
   readonly initOptions?: ApplyCloudFormationInitOptions;
+
+  /**
+   * Whether IMDSv2 should be required on launched instances.
+   *
+   * @default - false
+   */
+  readonly requireImdsv2?: boolean;
 }
 
 /**
@@ -1065,6 +1074,10 @@ export class AutoScalingGroup extends AutoScalingGroupBase implements
     }
 
     this.spotPrice = props.spotPrice;
+
+    if (props.requireImdsv2) {
+      Aspects.of(this).add(new AutoScalingGroupRequireImdsv2Aspect());
+    }
   }
 
   /**

packages/@aws-cdk/aws-autoscaling/lib/index.ts

@@ -1,3 +1,4 @@
+export * from './aspects';
 export * from './auto-scaling-group';
 export * from './schedule';
 export * from './lifecycle-hook';

packages/@aws-cdk/aws-autoscaling/test/aspects/require-imdsv2-aspect.test.ts

@@ -0,0 +1,79 @@
+import {
+  expect as expectCDK,
+  haveResourceLike,
+} from '@aws-cdk/assert-internal';
+import '@aws-cdk/assert-internal/jest';
+import * as ec2 from '@aws-cdk/aws-ec2';
+import * as cdk from '@aws-cdk/core';
+import {
+  AutoScalingGroup,
+  AutoScalingGroupRequireImdsv2Aspect,
+  CfnLaunchConfiguration,
+} from '../../lib';
+
+describe('AutoScalingGroupRequireImdsv2Aspect', () => {
+  let app: cdk.App;
+  let stack: cdk.Stack;
+  let vpc: ec2.Vpc;
+
+  beforeEach(() => {
+    app = new cdk.App();
+    stack = new cdk.Stack(app, 'Stack');
+    vpc = new ec2.Vpc(stack, 'Vpc');
+  });
+
+  test('warns when metadataOptions is a token', () => {
+    // GIVEN
+    const asg = new AutoScalingGroup(stack, 'AutoScalingGroup', {
+      vpc,
+      instanceType: new ec2.InstanceType('t2.micro'),
+      machineImage: ec2.MachineImage.latestAmazonLinux(),
+    });
+    const launchConfig = asg.node.tryFindChild('LaunchConfig') as CfnLaunchConfiguration;
+    launchConfig.metadataOptions = fakeToken();
+    const aspect = new AutoScalingGroupRequireImdsv2Aspect();
+
+    // WHEN
+    cdk.Aspects.of(stack).add(aspect);
+
+    // THEN
+    expectCDK(stack).notTo(haveResourceLike('AWS::AutoScaling::LaunchConfiguration', {
+      MetadataOptions: {
+        HttpTokens: 'required',
+      },
+    }));
+    expect(asg.node.metadataEntry).toContainEqual({
+      data: expect.stringContaining('CfnLaunchConfiguration.MetadataOptions field is a CDK token.'),
+      type: 'aws:cdk:warning',
+      trace: undefined,
+    });
+  });
+
+  test('requires IMDSv2', () => {
+    // GIVEN
+    new AutoScalingGroup(stack, 'AutoScalingGroup', {
+      vpc,
+      instanceType: new ec2.InstanceType('t2.micro'),
+      machineImage: ec2.MachineImage.latestAmazonLinux(),
+    });
+    const aspect = new AutoScalingGroupRequireImdsv2Aspect();
+
+    // WHEN
+    cdk.Aspects.of(stack).add(aspect);
+
+    // THEN
+    expectCDK(stack).to(haveResourceLike('AWS::AutoScaling::LaunchConfiguration', {
+      MetadataOptions: {
+        HttpTokens: 'required',
+      },
+    }));
+  });
+});
+
+function fakeToken(): cdk.IResolvable {
+  return {
+    creationStack: [],
+    resolve: (_c) => {},
+    toString: () => '',
+  };
+}

packages/@aws-cdk/aws-autoscaling/test/auto-scaling-group.test.ts

@@ -1364,6 +1364,27 @@ describe('auto scaling group', () => {
 
 
   });
+
+  test('requires imdsv2', () => {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const vpc = mockVpc(stack);
+
+    // WHEN
+    new autoscaling.AutoScalingGroup(stack, 'MyASG', {
+      vpc,
+      instanceType: new ec2.InstanceType('t2.micro'),
+      machineImage: ec2.MachineImage.latestAmazonLinux(),
+      requireImdsv2: true,
+    });
+
+    // THEN
+    expect(stack).toHaveResourceLike('AWS::AutoScaling::LaunchConfiguration', {
+      MetadataOptions: {
+        HttpTokens: 'required',
+      },
+    });
+  });
 });
 
 function mockVpc(stack: cdk.Stack) {

packages/@aws-cdk/aws-eks/lib/cluster-resource.ts

@@ -16,6 +16,7 @@ export interface ClusterResourceProps {
   readonly resourcesVpcConfig: CfnCluster.ResourcesVpcConfigProperty;
   readonly roleArn: string;
   readonly encryptionConfig?: Array<CfnCluster.EncryptionConfigProperty>;
+  readonly kubernetesNetworkConfig?: CfnCluster.KubernetesNetworkConfigProperty;
   readonly name: string;
   readonly version?: string;
   readonly endpointPrivateAccess: boolean;
@@ -78,6 +79,7 @@ export class ClusterResource extends CoreConstruct {
           version: props.version,
           roleArn: props.roleArn,
           encryptionConfig: props.encryptionConfig,
+          kubernetesNetworkConfig: props.kubernetesNetworkConfig,
           resourcesVpcConfig: {
             subnetIds: (props.resourcesVpcConfig as CfnCluster.ResourcesVpcConfigProperty).subnetIds,
             securityGroupIds: (props.resourcesVpcConfig as CfnCluster.ResourcesVpcConfigProperty).securityGroupIds,

packages/@aws-cdk/aws-eks/lib/cluster.ts

@@ -540,6 +540,15 @@ export interface ClusterOptions extends CommonClusterOptions {
    *            using AWS-Managed encryption keys.
    */
   readonly secretsEncryptionKey?: kms.IKey;
+
+  /**
+   * The CIDR block to assign Kubernetes service IP addresses from.
+   *
+   * @default - Kubernetes assigns addresses from either the
+   *            10.100.0.0/16 or 172.20.0.0/16 CIDR blocks
+   * @see https://docs.aws.amazon.com/eks/latest/APIReference/API_KubernetesNetworkConfigRequest.html#AmazonEKS-Type-KubernetesNetworkConfigRequest-serviceIpv4Cidr
+   */
+  readonly serviceIpv4Cidr?: string;
 }
 
 /**
@@ -1223,6 +1232,9 @@ export class Cluster extends ClusterBase {
           resources: ['secrets'],
         }],
       } : {}),
+      kubernetesNetworkConfig: props.serviceIpv4Cidr ? {
+        serviceIpv4Cidr: props.serviceIpv4Cidr,
+      } : undefined,
       endpointPrivateAccess: this.endpointAccess._config.privateAccess,
       endpointPublicAccess: this.endpointAccess._config.publicAccess,
       publicAccessCidrs: this.endpointAccess._config.publicCidrs,

packages/@aws-cdk/aws-eks/test/cluster.test.ts

@@ -2888,4 +2888,26 @@ describe('cluster', () => {
     expect(providerNestedStackTemplate?.Resources?.Handler886CB40B?.Properties?.MemorySize).toEqual(4096);
 
   });
+
+  test('create a cluster using custom kubernetes network config', () => {
+    // GIVEN
+    const { stack } = testFixture();
+    const customCidr = '172.16.0.0/12';
+
+    // WHEN
+    new eks.Cluster(stack, 'Cluster', {
+      version: CLUSTER_VERSION,
+      serviceIpv4Cidr: customCidr,
+    });
+
+    // THEN
+    expect(stack).toHaveResourceLike('Custom::AWSCDK-EKS-Cluster', {
+      Config: {
+        kubernetesNetworkConfig: {
+          serviceIpv4Cidr: customCidr,
+        },
+      },
+    });
+
+  });
 });

packages/@aws-cdk/aws-stepfunctions-tasks/README.md

@@ -969,6 +969,10 @@ disable this behavior.
 
 Step Functions supports [AWS SageMaker](https://docs.aws.amazon.com/step-functions/latest/dg/connect-sagemaker.html) through the service integration pattern.
 
+If your training job or model uses resources from AWS Marketplace,
+[network isolation is required](https://docs.aws.amazon.com/sagemaker/latest/dg/mkt-algo-model-internet-free.html).
+To do so, set the `enableNetworkIsolation` property to `true` for `SageMakerCreateModel` or `SageMakerCreateTrainingJob`.
+
 ### Create Training Job
 
 You can call the [`CreateTrainingJob`](https://docs.aws.amazon.com/sagemaker/latest/dg/API_CreateTrainingJob.html) API from a `Task` state.

packages/@aws-cdk/aws-stepfunctions-tasks/lib/sagemaker/create-training-job.ts

@@ -32,6 +32,13 @@ export interface SageMakerCreateTrainingJobProps extends sfn.TaskStateBaseProps
    */
   readonly algorithmSpecification: AlgorithmSpecification;
 
+  /**
+   * Isolates the training container. No inbound or outbound network calls can be made to or from the training container.
+   *
+   * @default false
+   */
+  readonly enableNetworkIsolation?: boolean;
+
   /**
    * Algorithm-specific parameters that influence the quality of the model. Set hyperparameters before you start the learning process.
    * For a list of hyperparameters provided by Amazon SageMaker
@@ -217,6 +224,7 @@ export class SageMakerCreateTrainingJob extends sfn.TaskStateBase implements iam
   private renderParameters(): { [key: string]: any } {
     return {
       TrainingJobName: this.props.trainingJobName,
+      EnableNetworkIsolation: this.props.enableNetworkIsolation,
       RoleArn: this._role!.roleArn,
       ...this.renderAlgorithmSpecification(this.algorithmSpecification),
       ...this.renderInputDataConfig(this.inputDataConfig),